2022 Icas TC Ar V Imp

Test of Competence
Assurance and
Reporting:
Notes
2022/23
Getting the most out of this document
The document can be accessed and read in any PDF reader software or in the browser. However,
to make full use of the in-built indexing and note-taking features, we suggest the following.
Note that all of the programs and apps mentioned below are free, and you will never need to sign up
for a paid or ‘Pro’ version of any software to use the features in this document.
Device Type Recommendation
Laptop or desktop Download the PDF and save it. Open the saved document in a PDF reader program
- we recommend Adobe Acrobat Reader. To annotate in Reader, you may need to
select ‘Tools’ in the bar near the top of the page, then select ‘Comment’, and then the
pencil ‘Use drawing tool’ icon.
If you want to revisit any notes or annotations you’ve made later, make sure you
open that saved document - don’t re-download the PDF from myCABLE.
Remember to save regularly if you are highlighting or annotating the document.
iPhone or iPad We recommend that you download the free app PDF Expert by Readdle Inc. from the
App Store. This app is also compatible with the Apple Pencil.
Your phone may also have a default PDF reader app which provides similar
functionality.
Android phone Your phone may already have a PDF reader installed. If not, you can download a
reader such as Acrobat PDF Reader from the Google Play store or from your phone’s
default app store.
Other devices You should be able to open the document in any PDF reader, or in your browser.
However, in the browser you will not be able to save any notes, and some devices or
environments may limit the interactive features available. If you do wish to view the
document in the browser, Microsoft Edge is recommended.
Assurance and Reporting
Index
Module 1. Introduction Page 4
Module 2. Corporate Governance Page 12
Module 3. Internal Control Systems Page 35
Module 4. Accounting Information Systems and Controls: Part One Page 59
Module 5. Accounting Information Systems and Controls: Part Two Page 88
Module 6. Internal Audit Page 108
Module 7. Introduction to Assurance Page 124
Module 8. The Requirement for Audit Page 143
Module 9. Auditor Responsibilities: Legislation Page 163
Module 10. Auditor Responsibilities: Common Law Page 181
Module 11. Auditor Independence and Ethics Page 200
Module 12. Regulatory Framework Page 238
Module 13. Audit Process: Fundamental Concepts Page 256
Module 14. Audit Process: Engagement and Client Management Page 274
Module 15. Audit Process: Planning Page 289
Module 16. Audit Process: Systems and Controls Page 328
Module 17. Audit Process: Evidence Page 356
Module 18. Audit Process: The Use of Statistics Page 399
Module 19. Audit Process: Substantive Testing – Part One Page 414
Module 20. Audit Process: Substantive Testing – Part Two Page 474
Module 21. Audit Process: Completion Page 490
Module 22. Audit Process: Reporting Page 505
TC – Assurance and Reporting 2022/23 – Index 3

Module 1. Introduction
Contents
1.1 Introduction 5
1.2 Course Outline 5
1.2.1 Syllabus Learning Outcomes 5
1.2.2 Course Structure 6
1.3 Studying AR 7
1.3.1 Materials 7
1.3.2 Style of Teaching 7
1.3.3 Test Coverage 7
1.3.4 Study Technique 9
1.3.5 Question Practice 10
1.4 Summary 11
TC – Assurance and Reporting 2022/23 – Module 1 4

1 . Introduction
1.1 Introduction
This module will introduce the learning outcomes for the course, how the course is structured and how to study for
Assurance and Reporting (‘AR’).
The content of this module is not examinable.
1.2 Course Outline
1.2.1 Syllabus Learning Outcomes
On completion of this course students will be able to:
1. explain the role and nature of corporate governance in an organisation, including the roles and responsibilities of
the officers of the entity;
2. explain internal control systems and business processes;
3. explain the need for, nature of and requirements surrounding assurance and other related engagements
provided by practitioners;
4. explain the role and responsibilities of the external auditor;
5. describe the regulatory framework of auditing and financial reporting in the UK;
6. apply the Financial Reporting Council Ethical Standard and other relevant ethical guidance to audit and other
assurance engagements;
7. explain the requirements of the external audit process in reference to the International Standards on Auditing
(UK) and other relevant guidance; and
8. apply the requirements of the International Standards on Auditing (UK) and other relevant guidance to the stages
of the external audit process.
The above outcomes require a level of knowledge that allows you to demonstrate that you understand the
fundamental concepts behind assurance and reporting.
The focus of the course is on developing a knowledge base that will provide you with the foundation to move on to
the application level of the CA qualification – Test of Professional Skills.
Notes

1.2.2 Course Structure
The course can be split into two sections:
1. Corporate governance, including risk management and internal controls; and

2. Assurance and the statutory audit.
Corporate governance
The first section is structured as follows:
Module Name
2 Corporate Governance
3 Internal Control Systems
4 Accounting Information Systems and Controls: Part One
5 Accounting Information Systems and Controls: Part Two
6 Internal Audit
These modules start with a consideration of how an entity ensures that it is run in an efficient and effective manner
and that the financial statements are generated in a controlled and accurate way.
Assurance and the statutory audit
The second section is structured as follows:
Module Name
7 Introduction to Assurance
8 The Requirement for Audit
9 Auditor Responsibilities: Legislation
10 Auditor Responsibilities: Common Law
11 Auditor Independence and Ethics
12 Regulatory Framework
Notes

Module Name
13 Audit Process: Fundamental Concepts
14 Audit Process: Engagement and Client Management
15 Audit Process: Planning
16 Audit Process: Systems and Controls
17 Audit Process: Evidence
18 Audit Process: The Use of Statistics
19 Audit Process: Substantive Testing – Part One
20 Audit Process: Substantive Testing – Part Two
21 Audit Process: Completion
22 Audit Process: Reporting
The requirements of auditing standards, ethical standards and other relevant guidance will be introduced throughout
the course to demonstrate how an audit engagement should be performed.
1.3 Studying AR
1.3.1 Materials
The AR course material will be provided to you in the course folder – there are no supporting texts. You will need to
have a thorough understanding of the full contents of the AR course, as the examination will be based around the
material it contains.
1.3.2 Style of Teaching
The teaching is through a blended learning approach which involves a mixture of live lecturing, which may be online
or face to face, and your own self-study, making use of resources such as myCable. We encourage you to actively
complete activities/ selected workshop exercises/ quiz questions in class and at home rather than just reading the
solutions. You are more likely to understand the principles you are being taught if you can complete the questions
and it will also give you an opportunity to practise your exam technique.
1.3.3 Test Coverage
Progress tests and mocks will be sat throughout the course and the modules that are covered in each are included
in the table overleaf. The objective of these exercises is not merely to assess performance, but principally is to
practise answering questions and applying knowledge to meet learning outcomes.
You should ensure you have covered the relevant modules before sitting each of the progress tests (‘PT’) and the
mock exam (‘MEX’).

The following list shows the modules which are examinable at each stage of the TC AR course.
Module Topic PT1 PT2 MEX
2 Corporate Governance   
3 Internal Control Systems   
4 Accounting Information Systems and Controls: Part One   
5 Accounting Information Systems and Controls: Part Two   
6 Internal Audit   
7 Introduction to Assurance   
8 The Requirement for Audit   
9 Auditor Responsibilities: Legislation   
10 Auditor Responsibilities: Common Law   
11 Auditor Independence and Ethics   
12 Regulatory Framework   
13 Audit Process: Fundamental Concepts  
14 Audit Process: Engagement and Client Management  
15 Audit Process: Planning  
16 Audit Process: Systems and Controls  
17 Audit Process: Evidence  
18 Audit Process: The Use of Statistics  
19 Audit Process: Substantive Testing – Part One  
20 Audit Process: Substantive Testing – Part Two  
21 Audit Process: Completion 
22 Audit Process: Reporting 
Note: Module 1 is not examinable – it is included as a reference tool. All other materials within the course material,
unless clearly stated otherwise, are examinable.
You should also note that just because a topic has come up in a PT or MEX, it does not exempt it from being tested
in a later PT/ MEX or, ultimately, in the final examination.

1.3.4 Study Technique
There is a lot of material to learn on this course and students are often concerned with the volume. Your study
approach during the course will be unique to you – some of you may write notes or produce mind maps, some
may focus on question practice. If you are going to create your own notes, then you may find the summary pages
contained at the end of each module a useful starting point.
Whatever your approach, we strongly recommend that you keep up with your studies throughout the course,
rather than doing all your revision at the end. Remember, your aim is not just to memorise the material, it is to
understand the material.
To assist with understanding the material, you will find that at the end of some modules there are additional
workshop exercise questions which are not in exam format. These questions are designed to help with your
understanding of the material and should be completed as part of your revision. You will also find these questions
helpful in preparing for the step up to TPS Assurance and Data.
The results of your PTs and MEX should give you a good indication of how you are faring with your understanding of
the course. Given the volume of the material in the course, you may find that the study approaches that you adopted
at university and school may need to be adapted to consolidate all the course material in the time available.
When going through each of the AR modules, keep considering the big picture and ask, “Why is this?” and “How
does this fit in to the big picture?” This should help you to develop a more comprehensive understanding of the topic,
which in turn will make it more memorable.
Revision timetable
Use this study information in conjunction with your course timetable to prepare a realistic revision plan based on the
time available. There is often a short time between the teaching phase and the exams, so good planning and sticking
to that plan is crucial. Do not put off the areas you are struggling with – tackle them first, so you have more time if
you need to seek help.
Mnemonics
MNEMONIC
Throughout the course several mnemonics have been included. EXAMPLE
They are included in a speech bubble as shown below.
These mnemonics have been included as a study aid only and can be useful as a helpful memory tool. The
mnemonics are not, themselves, examinable.
Notes

1.3.5 Question Practice
Your revision plan should include time to improve your exam technique by practising questions. Towards the end
of the course you will be given a revision paper and sample paper with additional questions to help you with your
revision between the end of classes and the exam.
After you have revised a topic, practise questions without looking at the solution. If it is an area you are unsure of
– go back and look at your notes and use them to help you answer the question before checking the solution.
In terms of technique, the following common errors arise:
1. Misunderstanding the question

• make sure that you read the question carefully, underlining or highlighting key words.
2. Lack of technical knowledge

• identify what areas of the notes are relevant so that you can go back through this section again.
Support
Your lecturers and subject controller should be your first point of call for support – whether it is a technical question
or study approach question. You can also post questions on the AR discussion boards on myCABLE. Remember
that there are no silly questions, if it is something that needs to be clarified in your mind then it is a completely valid
question and should be asked.
Notes

1.4 Summary
The AR course is split into two distinct sections: corporate governance and assurance and the statutory audit.
Throughout each module, the focus should be on developing an understanding of the concepts behind why
procedures are necessary and how they are applied. Developing a knowledge and understanding of these modules
will allow you to demonstrate competency across the eight syllabus learning outcomes for the AR course.
There is a large amount of material in the AR course. Therefore, it is vital that you undertake regular study of the
course topics in class and at home from the start of the course.
You will undertake regular tests throughout the course. This will help you assess your progress. Remember – if you
have any questions, ask them.
In answering questions ensure that you read the questions carefully. If you find yourself with time at the end of the
exam, review your solutions and answer any questions you have missed.
Notes

Module 2. Corporate Governance
Contents
2.1 Introduction 13
2.2 Learning Outcomes 13
2.3 Corporate Governance in the UK 13
2.3.1 What is Corporate Governance? 13
2.3.2 Why is Corporate Governance Important in Companies? 14
2.3.3 Eliminating Agency Risk 15
2.3.4 Overall Roles in Corporate Governance 17
2.4 Corporate Governance Guidance in the UK 18
2.4.1 The G20/ OECD Principles 19
2.5 The UK Corporate Governance Code 20
2.5.1 Structure of the Code 20
2.5.2 Key Principles and Provisions 21
2.5.3 Comply or Explain 25
2.5.4 Corporate Governance Reporting Requirements 26
2.6 Additional UK Corporate Governance Guidance 27
2.6.1 FRC Guidance to supplement the UK Corporate Governance Code 27
2.6.2 The Importance of Corporate Governance to Other Types of Entities 27
2.7 Corporate Governance in the US 29
2.7.1 Additional Requirements for Public Companies and Their Auditors 30
2.8 Summary 32
Solutions to Activities 33

2. Corporate Governance
A module guide is available on myCABLE
2.1 Introduction
In March 2021 there were more than 4.7 million registered companies in the UK. A characteristic of a UK-registered
company is that the owners of the company, the shareholders, are not required to manage the company on a day
to day basis. Instead the shareholders can appoint agents, known as directors, to manage the company on their
behalf. Where this separation of ownership and management exists, the shareholders must be confident that the
company is being managed in an effective and efficient manner. Effective management should enable achievement
of company objectives, which will include the maximisation of shareholder wealth, the safeguarding of the company’s
assets and the continuation of the business without the threat of liquidation for the foreseeable future.
This module focuses on the need for, and nature of, frameworks of good corporate governance in the management
of a company.
2.2 Learning Outcomes
On completing this module, you should be able to:
1. describe the requirement for, and overall roles in, corporate governance including current guidance in the UK;
2. explain the key principles and provisions of the UK Corporate Governance Code; and
3. describe the US Sarbanes-Oxley Act requirements in relation to listed company reporting and corporate
governance.
Achieving these outcomes will help you to meet the first learning outcome of the course as per the syllabus.
2.3 Corporate Governance in the UK
2.3.1 What is Corporate Governance?
Corporate governance: the system by which companies are directed and controlled.
The board of directors of a company direct and control the business by setting corporate objectives and monitoring
performance against these objectives. Therefore, corporate governance is concerned primarily with the behaviour
and actions of the board.
Notes

2.3.2 Why is Corporate Governance Important in Companies?
Corporate governance allows companies to mitigate the agency risk that arises as a result of the directors
running a company on behalf of the shareholders.
Companies have stakeholders all of whom have different business needs. A key group of stakeholders are the
shareholders. Shareholders own and provide capital to the company, which contributes to the financing of the
company. There is a risk that the directors may not use these resources or run the company in the interests of the
shareholders as a collective group; rather that they act according to their own interests.
Agency risk: the risk that the agents’ (the directors) self-interest deviates from that of the principal (the
shareholders).
Example
Actions of directors that can constitute agency risks:
• Directors awarding themselves large bonuses; or

• Directors using a more expensive supplier because of personal ‘perks’ promised by that supplier.
Corporate governance introduces a mechanism whereby assurance can be obtained that:
1. a company’s dealings with shareholders are fair and transparent;

2. the board of directors is held accountable;
3. the company deals responsibly with stakeholders; and
4. the company’s focus is on the sustainable success of the company over the longer term.
Consequently, shareholders can be more confident that agency risk is being reduced.
Corporate governance is also a key element of a company’s internal control framework.
Notes

Activity 1
Identify some further examples of agency risk and how these would impact upon a company’s activities.
Solution to Activity
Solution
2.3.3 Eliminating Agency Risk
Shareholders can implement three procedures to reduce agency risk:
1. Using the directors’ remuneration packages as incentives;

2. Monitoring the directors’ performance; and
3. Appointing an external auditor.
1. Directors’ Remuneration Packages
Directors can be incentivised to align their interests with those of the shareholders, for example by offering
profit-related pay schemes or share options. Unfortunately, this method alone is not sufficient as it may encourage
fraudulent financial reporting by the directors to meet targets (e.g., inflating profits or revenue).
2. Monitoring the Directors’ Performance
Remuneration packages must be supplemented by a system of monitoring the directors’ performance. The
primary way of monitoring this is through the requirement of directors to prepare financial statements, for example
ensuring that a certain profit level is met before bonuses are paid. However, there is a risk that directors may
prepare financial statements which do not give a true and fair view of the company’s financial position to mask
instances where they have not acted in the shareholders’ best interests.
Notes

3. Appointing an External Auditor
Shareholders can obtain assurance over the accuracy of the financial statements by having the financial statements
audited by an independent third party, known as the external auditor. The auditor will assess and report to the
shareholders whether the financial statements have been prepared, in all material respects, in accordance with an
applicable financial reporting framework.
An audit: an examination of a company’s financial statements by an independent expert, which culminates

in the expert providing an opinion on whether the financial statements give a true and fair view to the
shareholders.
We can present this three-party relationship diagrammatically:
Financial (and other) resources

Shareholders and others Directors entrusted with
providing resources to the entity resources
Financial statements
Auditors provide an independent opinion on the truth

and fairness of the financial statements
Agency Costs
Agency Costs: The costs of reducing agency risk.
Agency costs include the costs of the audit and the costs incurred in aligning the directors’ and shareholders’
interests such as bonuses and pay rises.
Notes

Public Trust & Ethics
As a result of many business failures, such as Worldcom and Enron, in addition to more recent corporate
governance scandals such as Sports Direct and Carillion, it is essential that all businesses have sound
corporate governance systems in place. Ethics should be a fundamental aspect of all corporate governance
structures and the board within an organisation should always act with integrity in order to fulfil the interests
of all stakeholders. Demonstrating a lack of ethics or a poor corporate culture can result in reputational
damage for a business, and a lack of public trust, particularly in the current climate of heightened
accountability for businesses.
2.3.4 Overall Roles in Corporate Governance
In a company there are a number of parties that play a role in the corporate governance framework: the
shareholders, directors, external auditor and internal auditor. In this section each of these roles will be discussed
with reference to Corporate Governance.
Group Role in governance
Shareholders • appointing directors and the external auditor; and

• satisfying themselves that an appropriate governance structure is in place.
Directors • setting the company’s strategic aims and providing leadership to achieve these aims;
• supervising management; and
• reporting to the shareholders on their stewardship.
External • providing an opinion on the directors’ financial statements that is both external and
Auditor objective;
• involvement in the financial aspects of corporate governance; and
• providing an objective view on aspects of governance, risk and control frameworks that
are encountered during the audit.
Internal Auditor • supporting the directors in their responsibilities for ensuring good governance is in place;
• providing a check on the financial aspects and controls of a company; and
• reviewing the company’s general governance frameworks and operational controls.
Notes

Where there is a significant separation of shareholders from the directors and management, the corporate
governance structure should be more developed. The purpose of this structure is to assure the shareholders that
their interests are represented in the appointment of the directors and auditors and that the board are reporting
effectively.
2.4 Corporate Governance Guidance in the UK
The development of corporate governance in the UK has its roots in a series of corporate collapses and scandals
in the late 1980s and early 1990s, including the collapse of the BCCI bank and the Robert Maxwell pension funds
scandal, both in 1991. You may be aware of many other recent scandals covered regularly in the press.
The main source of Corporate Governance guidance in the UK today is the UK Corporate Governance Code issued
by the Financial Reporting Council (‘FRC’) and covered in Section 2.5 below. This is accompanied by three further
supporting documents (covered in Section 2.6.1 below):
• The FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting;
• The FRC Guidance on Board Effectiveness; and
• The FRC Guidance on Audit Committees.
While the UK is seen as a front runner in terms of Corporate Governance guidance there is also work at the
international level to provide a framework to offer guidance to Governments in improving corporate governance
frameworks in their own countries.
Notes

2.4.1 The G20/ OECD Principles
The G20 and the Organisation for Economic Co-operation and Development (‘OECD’) issued their Principles
of Corporate Governance (‘The Principles’) to provide an indispensable and globally recognised benchmark for
assessing and improving corporate governance. The most recent version was issued in 2015 and contains six
chapters, each containing one key and various supporting principles.
Chapter Explanation
Ensuring the basis for an effective A framework should support transparent, fair and efficient
corporate governance framework markets, be consistent with the rule of law and support effective
supervision and enforcement.
The rights and equitable treatment of A framework should help protect the rights of shareholders and
shareholders and key ownership functions ensure all shareholders are treated equally, including minority
shareholders.
Institutional investors, stock markets and A framework should encourage engagement from all
other intermediaries shareholders, including where institutional investors hold interests
on behalf of individuals (such as pension funds).
The role of stakeholders in corporate Active engagement of all stakeholders should be encouraged.
governance
Disclosure and transparency Timely and accurate disclosure should be made on all material
matters.
The responsibilities of the board The board should be responsible for the effective running of the
company, whilst being accountable to the shareholders.
Notes

2.5 The UK Corporate Governance Code
2.5.1 Structure of the Code
The UK Corporate Governance Code (‘the Code’) requires the board to maintain a sound system of internal control
to safeguard shareholders’ investment and the company’s assets.
The current version of the Code was published in July 2018. It continues to be a principles-based document,
meaning that it is not prescribed but details principles that companies can interpret how to follow, allowing them
some flexibility. Corporate governance covers a broad spectrum of areas in the management of a business.
The Code is organised under the following headings:
1. Board leadership and company purpose

2. Division of responsibilities
Bob
3. Composition, succession and evaluation
Drives a
4. Audit, risk and internal control
CAR
5. Remuneration
The Code is structured as follows:
Level Explanation Example
18 Main High level guidance that the FRC The board should include an appropriate
Principles wishes companies to implement in their combination of executive and non-executive
organisation. (and, in particular, independent non-
executive) directors, such that no one
individual or small group of individuals
dominates the board’s decision-making.
41 Provisions An explanation of the actions the At least half the board, excluding the chair,
organisation should take in order to should be non-executive directors whom the
implement the principles. board considers to be independent.
Notes

2.5.2 Key Principles and Provisions
For the purpose of this course only some of the key principles and provisions of the Code will be discussed.
In order to understand these principles and provisions, we must first understand some of the key roles under
Corporate Governance.
Executive Responsible for the day to day operational management of the company and driving and
director (‘ED’) overseeing the strategic direction of the entity.
Example: Sales, Finance or Managing Director.
Non-executive Sits on the board of directors, but is not involved in any of the day to day operational
director (‘NED’) decisions of the business. NEDs should constructively challenge and contribute to the
strategic decisions of the business and should scrutinise the performance of the executive
directors and management. It is important that NEDs are independent so they can take an
objective view on the board’s actions and decisions.
Chair Head of the board and has responsibility for chairing the board meetings, ensuring
decisions are reached. The chair should be independent on appointment.
Chief executive The CEO is responsible for the executive director team and consequently is ultimately
officer (‘CEO’) responsible for the day to day running of the company and implementing the board’s
strategies.
Some of the key principles and provisions from the Code are detailed below.
Board leadership and company purpose
• A successful company is led by an effective and entrepreneurial board, whose role is to promote the long-
term sustainable success of the company, generating value for shareholders and contributing to wider
society;
• The board should ensure that the necessary resources are in place for the company to meet its objectives
and measure performance against them. The board should also establish a framework of prudent and
effective controls, which enable risk to be assessed and managed; and
• In order for the company to meet its responsibilities to shareholders and stakeholders, the board should ensure
effective engagement with, and encourage participation from, these parties.
Notes

Division of responsibilities
• The chair should be independent on appointment1. The roles of chair and chief executive should not be
exercised by the same individual. A chief executive should not become chair of the same company;
• Non-executive directors should have sufficient time to meet their board responsibilities. They should provide
constructive challenge, strategic guidance, offer specialist advice and hold management to account; and
• At least half the board, excluding the chair, should be non-executive directors whom the board considers to
be independent.
Composition, succession and evaluation
• Appointments to the board should be subject to a formal, rigorous and transparent procedure, and an
effective succession plan should be maintained for board and senior management. Both appointments and
succession plans should be based on merit and objective criteria and, within this context, should promote
diversity of gender, social and ethnic backgrounds, cognitive and personal strengths;
• The board and its committees should have a combination of skills, experience and knowledge;
• The board should establish a nomination committee to lead the process for appointments and to ensure
plans are in place for orderly succession. A majority of members of the committee should be independent non-
executive directors; and
• There should be a formal and rigorous annual evaluation of the performance of the board, its committees, the
chair and individual directors. The chair should consider having a regular externally facilitated board evaluation.
In FTSE 350 companies this should happen at least every three years.
Audit, risk and internal control
• The board should establish an audit committee of independent non-executive directors, with a minimum
membership of three (two for smaller companies2). The board should satisfy itself that at least one member
has recent and relevant financial experience. The committee as a whole shall have competence relevant to the
sector in which the company operates;
• The directors should explain in the annual report their responsibility for preparing the annual report and
accounts, and state that they consider the annual report and accounts, taken as a whole, is fair, balanced and
understandable;
• The board should carry out a robust assessment of the company’s emerging and principal risks;
• The board should monitor the company’s risk management and internal control systems;
• The board should state, in the financial statements, whether it considers it appropriate to adopt the going
concern basis of accounting in preparing them, and identify any material uncertainties3 to the company’s
ability to continue to do so; and
• Taking account of the company’s current position and principal risks, the board should explain in the annual
report how it has assessed the prospects of the company, over what period it has done so and why it
considers that period to be appropriate.
1 A member of the board may not be considered independent if, for example, they are an employee of the company, have a material business
relationship with the company or represent a significant shareholder.
2 The Code defines ‘smaller companies’ as ones below the FTSE 350.
3 A Material uncertainty is a material matter whose outcome depends on future actions or events not under the direct control of the entity that
may affect, or cast significant doubt over, the going concern status of the entity. Material uncertainties in relation to going concern will be
covered in more detail in Module 21.

Remuneration
• Remuneration policies and practices should be designed to support strategy and promote long-term
sustainable success;
• The board should establish a remuneration committee of independent non-executive directors, with a
minimum membership of three (two for smaller companies); and
• Remuneration for all non-executive directors should not include share options or other performance-
related elements.
Each of the principles and provisions included in the Code is designed to help the company meet the correct level of
corporate governance by providing guidance on board practice to help protect the interests of the stakeholders.
Committees
As noted above, the Code requires a number of committees to be established. A summary of these and their
responsibilities are detailed below.
Committee Membership Responsibilities
Audit Independent NEDs only (minimum of 3, or 2 Relating to financial reporting process,

for smaller companies) internal control review, internal audit and
relations with the external auditor
Nomination Majority of independent NEDs Relating to the nomination of new members

to the board
Remuneration Independent NEDs only (minimum of 3, or 2 Relating to the setting of the executive
for smaller companies) directors’ and the chair’s remuneration
Note: The audit committee and remuneration committee should be composed of independent NEDs only. Therefore,
no EDs should sit on either of these committees.
Environmental, Social and Governance (‘ESG’) challenges
Environmental issues such as climate change are increasingly at the forefront of the minds of many investors
and other stakeholders. The UK Corporate Governance Code does not currently include specific provisions on
environmental issues. However, in 2019 the FRC issued a statement noting that: ‘the boards of UK companies have
a responsibility to consider their impact on the environment and the likely consequences of any business decisions
in the long-term. They should therefore address, and where relevant report on, the effects of climate change.’
Notes

Additionally, in its thematic review on Climate Change in November 2020, the FRC noted: ‘a number of the
Code’s principles cover matters relating to the environment, including the requirements to assess and manage the
company’s risks and the board’s responsibility for narrative reporting and for engagement with wider stakeholders.
Climate change cannot be excluded from these principles of good governance.’
The FRC will continue to consider the role of the UK Corporate Governance Code in ensuring boards are taking
appropriate account of ESG issues, and will amend the Code as and when necessary.
Activity 2
Discuss why each of the following provisions are in the Code and how they provide assurance to shareholders
over the management of their investment:
1. At least half of the board should consist of independent NEDs.

2. The roles of the chief executive and chair should be held by different people.
3. New directors should be chosen by a nomination committee consisting of a majority of independent NEDs.
4. NED remuneration should not include performance-related elements.
5. The effectiveness of the internal control system should be monitored by the board.
1.
2.
3.
4.
5.
Solution
Notes

2.5.3 Comply or Explain
The Code adopts a ‘comply or explain’ approach, so deviation is permitted.
Although compliance is expected by certain companies (see below), it does permit these companies to adopt a different
approach if that is more appropriate to their circumstances. Where this occurs, they are required to explain the reason to
their shareholders who must then decide whether they are content with the approach that has been taken.
The Code provides a benchmark for companies’ shareholders to assess the effectiveness of their company’s
corporate governance arrangements.
Example
In its 2018 Annual Report, Card Factory plc did not comply with some of the principles and provisions of the
Code including:
• For a five-month period, less than half the board were independent NEDs to allow for an orderly handover
when the CFO retired and his replacement appointed; and
• Arrangements for the Chair to exercise options to invest in ordinary shares of the company.
Who must ‘comply or explain’ with the UK Corporate Governance Code?
Only those entities with a premium listing on the London Stock Exchange (‘LSE’) main market are required to
‘comply or explain’ with the Code.
These entities are required as they are those exposed to the largest agency risk due to the separation of the
shareholders and those charged with governance.
The LSE is a market for stocks and shares. A company whose shares are traded on the LSE main market is known
as being ‘quoted’ or a ‘listed’ company. In order to receive a listing for its securities, a company must comply with the
LSE’s regulations.
The LSE regulations that will be discussed in this course are:
• the Listing Rules; and

• the Disclosure Guidance and Transparency Rules.
Notes

The LSE Listing Rules require companies with a premium listing on the LSE main market to ‘comply or explain’ and
to report on how they have applied the principles of the Code.
For unlisted companies, there is no requirement to comply or explain, however, many of its principles are adopted
as the Code is ‘best practice’ in the UK.
2.5.4 Corporate Governance Reporting Requirements
We have noted that certain companies must comply with the Code. In this section we will consider the reporting
requirements for these companies.
In the UK, the key report used by companies to communicate with their shareholders is the annual report. A
company must send an annual report to its shareholders every year. This document includes information on the
financial performance and position of the company (including the financial statements) and often includes a variety of
non-financial information. This will enable the shareholders to gain an understanding of the quality of the company’s
management team and the financial status of the company in which they have invested.
Companies with a premium listing on the main market of the LSE must include a corporate governance section
in their annual report. This is a two-part statement in relation to the company’s compliance with the UK Corporate
Governance Code.
1. Narrative Statement
The annual report should include a description of how the company has applied the principles of the Code in a
manner that a shareholder can clearly understand.
2. Compliance Statement
The company must state whether or not it has complied with all of the relevant provisions throughout the accounting
period. If it has not complied with one or more provisions, the statement must include details of the relevant
provisions and the reasons for non-compliance.
Notes

2.6 Additional UK Corporate Governance Guidance
2.6.1 FRC Guidance to supplement the UK Corporate Governance Code
The FRC issues guidance and other publications to assist boards and board committees in considering how to apply
the UK Corporate Governance Code to their particular circumstances.
Risk Management, Aims to bring together elements of best practice for risk management, prompt
Internal Control and boards to consider how to discharge their responsibilities in relation to the existing
Related Financial and emerging principal risks faced by the company, reflect sound business practice,
and Business whereby risk management and internal control are embedded in the business
Reporting process by which a company pursues its objectives, and highlight related reporting
responsibilities.
Guidance on Board Aims to stimulate boards’ thinking on how they can carry out their role and encourage
Effectiveness them to focus on continually improving their effectiveness.
Guidance on Audit Aims to assist company boards in making suitable arrangements for their audit
Committees committees, and to assist directors serving on audit committees in carrying out their
role.
2.6.2 The Importance of Corporate Governance to Other Types of Entities
Whilst the UK Code is aimed at those entities with a premium listing on the LSE, Corporate Governance is important
for all businesses, from small companies to charitable organisations to large listed companies, regardless of whether
they have shareholders or other stakeholders.
As a result there is some additional guidance available for smaller listed and non-listed entities including:
• Guidance for Directors of Private Companies (published by ICAS);

• Audit Firm Governance Code (issued by the FRC); and
• The Quoted Companies Alliance (‘QCA’) Corporate Governance Code (issued by the QCA and aimed small and
mid-size quoted companies).
Notes

Activity 3
Consider why corporate governance is important to:
• government departments and agencies (public sector)

• charities such as the Cancer Research UK/ Age UK
• professional accountancy firms
Solution
Learning Outcomes 1 and 2: The requirement for, roles in and current guidance for corporate
goverance in the UK and the key principles and provisions of the Code
• Corporate governance is the process by which companies are directed and controlled and is primarily concerned
with the actions of the board.
• Agency Risk is where directors’ self-interest deviates from that of the shareholders and the costs associated with
this are agency costs.
• The main guidance in the UK is the UK Corporate Governance Code which is accompanied by supporting
documents issued by the FRC. Other guidance is available for non-premium listed and non-listed entities.
• The Code contains 18 main principles, alongside 41 supporting provisions providing guidance on board practice.
Companies listed on the LSE main market must ‘comply or explain’ with the Code in their annual report.
You should now be able to meet the first and second learning outcomes for this module.
Notes

2.7 Corporate Governance in the US
There is not a single accepted Corporate Governance Code in the US as there is in the UK. However, the large
corporate failures of 2001 (e.g., Enron and Worldcom) had a global impact, and the US addressed the issues behind
these failures by introducing legislation, the Sarbanes-Oxley Act 2002 (‘SOX’). This piece of legislation affects the
work of companies across the world that are:
• registered with the Securities and Exchange Commission4 (‘SEC’) in the US;
• included in the consolidated accounts of a company which is registered with the SEC, even if they are not
domiciled in the US (e.g., a UK registered subsidiary of a SEC registrant); or
• non-US publicly traded companies operating in the US.
Examples
Some examples of companies which are SEC registered (and have a premium listing on the LSE) include
Lloyds Banking Group and Vodafone.
4 SEC is a US Congress Commission created to regulate the securities markets and to protect investors. The closest UK equivalent is the
Financial Conduct Authority which regulates the London Stock Exchange.
Notes

2.7.1 Additional Requirements for Public Companies and Their Auditors
SOX contains standards and requirements for corporate governance, financial reporting and ethics, and made some
changes to the regulation of professional bodies (including auditors). It follows a more prescribed approach than
in the UK, with relevant companies being legally required to comply. It is also believed to be more stringent and
onerous than UK requirements, although less far ranging in terms of Corporate Governance.
Area Requirement UK Comparison
Annual Reports must be certified by the chief Under UK law, only one director is required to
Report executive officer (‘CEO’) and the chief sign on behalf of the board.
Certification financial officer (‘CFO’).
Internal A report on internal controls known as a Auditors give an opinion on the financial
Controls section 404 report is required as part of the statements as a whole, not specifically to
annual report. internal controls.
This requires: Directors are required only to report that

they have evaluated the effectiveness
• management to state in the report
of the internal control system and that
their responsibility for establishing and
weaknesses are being addressed, not what
maintaining an adequate internal control
the weaknesses are.
structure and procedures for financial
reporting;
• management to make an assessment
of and representations about the
effectiveness of the internal control
structure and procedures for financial
reporting; and
• every audit report to attest to the
assessment made by management on the
company’s internal control structures.
Notes

Area Requirement UK Comparison
Audit • External auditors will report to, and SOX largely brought the US in line with the
Committees be overseen by, a company’s audit UK. Whilst in the UK there is no formal pre-
committee; approval requirement, the audit committee is
• Audit committees must pre-approve all required to monitor the levels of non-audit and
services, audit and non-audit, provided by audit work provided by the external auditor
its external auditor ; and
5
• Audit information must be reported to

the audit committee, including critical
accounting policies and practices to be
used, alternative treatments of financial
information within GAAP (Generally
Accepted Accounting Principles) that have
been discussed with management, and
other relevant communications between
the auditor and management.
Learning Outcome 3: Describe the US Sarbanes-Oxley Act requirements in relation to listed

company reporting and corporate governance
• The Sarbanes-Oxley Act (‘SOX’) introduced some additional regulations for US listed companies and their
subsidiaries.
• These regulations impact on companies and their auditors in the areas of corporate governance (internal
controls and audit committees).
You should now be able to meet the third learning outcome for this module.
5 Note: The pre-approval requirement is subject to de minimis amounts.
Notes

2.8 Summary
Corporate Governance
Bob
Drives a
CAR UK Overview US
The UK Corporate Roles Agency Risk SOX

Additional Guidance
Governance Code
System by which
companies are • Certification
18 Main principles, directed and • Internal Controls
Comply or Explain OECD Principles
41 provisions controlled • Audit Committees
Key principles and 1. Risk Management, • Shareholders Mitigated by:

Provisions Internal Control and • Directors • Directors’
Related Financial • External Auditor Remuneration
and Business • Internal Auditor • Monitoring
Reporting Performance
2. Guidance on Board • External Audit
Effectiveness
3. Guidance on Audit
Committees
Roles: Committees:
• EDs • Audit
• NEDS • Remuneration
• Chair • Nomination
• CEO

Solutions to Activities
Solution to Activity 1
Additional examples of agency risk can include directors pursuing short term objectives in order to meet
targets to ensure large bonuses are paid at the expense of the long-term viability of the company, or
employing people as they are family or friends of directors rather than necessarily the best for the job.
Back to Activity
1. The UK Corporate Governance Code requires at least half of the board to consist of independent non-
executive directors (‘NEDs’). This should ensure that board decisions are balanced and that the executive
directors are held accountable. Board decisions are usually passed by a simple majority vote (i.e., over
half of the board in agreement). Therefore, where half the board are independent NEDs, the executive
team must gain the support of the independent NEDs before a motion can be passed.
2. The role of the chief executive and chair should be held by different people to stop any one person having
excessive control over the company and to ensure actions and decisions are appropriately discussed and
challenged by the board.
3. New directors should be chosen by a nomination committee consisting of a majority of independent NEDs
to ensure that individuals with the appropriate skills, knowledge and experience are brought onto the
board.
4. Non-executive directors’ remuneration should not be linked to company performance to ensure NEDs
remain independent and can provide objective challenge on board decisions.
5. The board is responsible for implementing and maintaining a sound system of internal control. The
effectiveness of the internal control system should be monitored to provide shareholders with assurance
that procedures are effective for safeguarding their assets.
Back to Activity
Notes

Public sector (e.g., NHS, Local Councils) – these entities are spending public money. The public and
government want to know decisions are being made regarding good stewardship of that money.
Charities – large charities such as Age UK receive grants from government agencies and donations from
companies and the public. Again, contributors want to know that their money is being spent wisely and to meet
the purpose of the charity. Good governance will encourage individuals to contribute to the charity.
Professional accountancy firms – accountancy firms’ reputations are their biggest assets reflecting their
independence and the quality of their accountancy work and their audit opinions. Good governance practices
ensure that controls over independence and quality are followed and judgements from technical partners or on
high-risk clients are not overruled.
Back to Activity
Notes

Module 3. Internal Control Systems
Contents
3.1 Introduction 36
3.3 Internal Control Systems 36
3.4 Information systems 38
3.4.1 Accounting information systems 39
3.5 Control Activities 40
3.5.1 Authorisation Controls 40
3.5.2 Performance Reviews 41
3.5.3 Information Processing Controls 41
3.5.4 Physical Controls 44
3.5.5 Segregation of Duties 44
3.5.6 Entity-level controls 46
3.5.7 Limitations of Internal Control Systems 47
3.6 IT General Controls 48
3.6.1 IT Risks 49
3.6.2 Access to Programs and Data 50
3.6.3 Program Changes and Development 51
3.6.4 Computer Operations 53
3.6.5 Continuity of Operations 54
3.7 Summary 55

3. Internal Control Systems
3.1 Introduction
Module 2 described how it is the directors of a company who are charged with the responsibility of managing the
company in the best interests of its shareholders. However, in practice, they are unlikely to be able to oversee the
whole business and so will delegate responsibility. As the number of staff increases, the risk of fraud and error also
increases. To manage these business risks and to ensure that their directives are carried out, the directors should
implement a sound system of internal control. This is recommended by the UK Corporate Governance Code and the
accompanying Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (‘the
Guidance’).
1. explain internal control systems and the limitations of an internal control system; and
2. explain the key areas of IT general controls.
Achieving these outcomes will help you to meet the second learning outcome of the course as per the syllabus.
3.3 Internal Control Systems
Directors implement a sound system of internal control to provide them with reasonable assurance over:
• the reliability of financial reporting;

• the effectiveness and efficiency of operations; and
• compliance with applicable laws and regulations.
It is ultimately the responsibility of the directors to implement the internal control system that they consider necessary
for their business.
To help bring structure to the internal control system, directors can refer to the Guidance.
Notes

A sound system of internal controls should include the following
CRIME
five components of internal control:
Component Description Example
1 Control The overall attitude, awareness and Management provide a staff manual to
environment actions of directors and management all employees that is updated regularly
regarding control activities and their and contains information on the key
importance in the company. This processes and procedures, as well
includes the high-level structures across as the importance of controls to the
the organisation to provide a basis for organisation.
carrying out internal controls. It can be
thought of as the ‘tone at the top’.
2 Risk The process by which business risks Management may organise a quarterly
assessment are identified and managed by the meeting with senior management to
process company. Risk assessments should discuss key risks within each area of the
be carried out on a regular basis. By business.
identifying and evaluating business risks,
the company can assess the need for
control activities.
3 Information Companies use information systems A payroll system is put in place to help
systems (manual or computerised) to record payroll staff compute and organise
financial transactions and non-financial monthly payroll runs, as well as providing
data and to maintain accountability for employees with payslips.
the related assets, liabilities and equity.
Communication helps to monitor
progress against company objectives.
4 Control The policies and procedures that Requiring significant payments made
activities management put in place to ensure that to suppliers to be authorised by a
their directives are carried out and responsible person before they can be
mitigate against risks to the achievement processed.
of these objectives.
Notes

Component Description Example
5 Monitoring This involves an ongoing assessment Production of monthly exception reports

by management of the performance of (to identify any control deficiencies)
of controls
the internal control systems. that are reviewed by the board at their
monthly board meeting.
Information systems and control activities will be discussed in Sections 3.4 and 3.5 below.
3.4 Information systems
In any organisation there will be several business processes.
Business process: a series of activities that enable a company to meet one or more of its objectives.
They cover every conversion of business transactions to financial statements as well as non-financial
information flows.
Examples include a company’s order fulfilment process, marketing process, budgeting process and human
resources process.
A company will have several objectives that have been set out by the board of directors (‘the board’). These will be
specific for each company and can be both financial and non-financial.
Example
Objectives of a company may include:
• To increase revenue from the previous year;

• To reduce costs by avoiding raw material wastage;
• To be the market leader for customer service; or
• To improve health and safety procedures in the warehouse.
To meet these objectives, a company will put in place business processes. To design a business process,
management must consider the objectives of that process (i.e., what the process will do). For example, a system to
provide a high level of customer service may include online and telephone services.
Notes

Once the objectives for the business process have been set, management must consider the risks that may stop
these objectives being achieved, (i.e., what could go wrong). These are also known as business risks.
Business risk: the threat that an action or event will adversely affect the organisation’s ability to achieve its
objectives.
To mitigate risk, the company will introduce control activities to the process. Control activities are covered in more
detail in Section 3.5 below.
3.4.1 Accounting information systems
Amongst the many objectives an organisation will have, there will be objectives over financial reporting. These
objectives will broadly fall into two categories:
• Preparing accurate financial statements to meet reporting requirements and to share information with
stakeholders; and
• Preparing internal management information for the purpose of informing the board and to aid in making strategic
decisions.
In order to achieve these objectives an organisation will put in place accounting information systems (that is,
business processes that relate to financial reporting).
Accounting information systems: structures used by organisations to collect, store and process financial
and accounting data.
In practice, you will commonly be required to evaluate accounting information systems. As such, this course will
focus on some of the common individual accounting information systems, including:
• Revenue/ Sales cycle

• Purchases cycle
• Inventories/ Stock cycle
• Payroll cycle
• Property, plant and equipment/ Fixed assets cycle
• Monthly financial reporting process
The specific information systems for each of the above areas are considered in Modules 4 and 5 of the course.
Notes

3.5 Control Activities
Control activities help ensure management’s directives are carried out. There are two elements to control activities:
• The policies which establish what should be done; and

• The procedures required to implement the policies.
Control activities provide management with assurance over the validity, completeness and accuracy of data and will
be either preventative or detective.
Preventative controls: these stop errors happening in the first place.
Detective controls: these pick errors up after they have happened and allow them to be corrected timeously.
Control activities can be classified into five categories:
• Authorisation controls
• Performance reviews APIPS
• Information processing controls
• Physical controls
• Segregation of duties
3.5.1 Authorisation Controls
Proper authorisation controls ensure that transactions are authorised by personnel acting within the scope of
their authority. Different levels of authorisation will be required for different levels of transactions (e.g., higher value
transactions will likely have a higher level of authority required). This can be enforced through authorisation limits.
Examples
• The purchasing manager evidences authorisation of a purchase requisition through signature; and
• The finance director reviews and signs off the payroll before payment is made to employees.
Notes

3.5.2 Performance Reviews
Performance review controls allow management to review information to highlight any exceptions or controls
that have not operated effectively.
Management performance review controls may include review and analysis of:
• reports that summarise details of balances and transactions (e.g., details of debtors’ listings and sales by area);
or
• actual performance compared with expectation (e.g., actual results compared with budget).
This type of control is useful to identify where something differs from the normal expectation. For example, directors
or managers might review total sales by branch and investigate further if sales were higher or lower than expected.
It is important that any review role is undertaken by management with proper training, appropriate experience and
knowledge of the area under review (but not directly involved in the activity under review). This will mitigate the risk
of fraud or error by employees as they know their work will be checked by a more senior individual.
3.5.3 Information Processing Controls
Information processing controls can be broken down into sub-categories:
IT General Controls
(‘ITGCs’)
Information IT Application
Processing Controls Controls
Application Controls
Manual Application
Controls
IT general controls
ITGCs are policies and procedures relating to all applications. ITGCs support the effective functioning of application
controls by ensuring the continued operation of information systems. It can help to think of ITGCs being a bubble
around the IT systems and controls, which allows them to function effectively. ITGCs are covered in more detail at
Section 3.6.
Notes

Application controls
Application controls typically operate at the transaction level and apply to the processing of specific types of
transactions (e.g., invoicing customers or paying suppliers). They are put in place to ensure that the transactions
recorded within an application are genuine, accurate and complete (i.e., application controls are at the individual
transaction level). This can involve both manual and automated processes.
Examples
Control Explanation
Identifying a purchase invoice as paid in the This will ensure that the recording of puchase
system to show that the payment has been invoices is complete and that no invoice is
processed. recorded twice, that is, purchases are genuine and
accurate.
Signing a document to show that it has been This will ensure that all required actions are taken
actioned or noted. (i.e., the document is complete).
Performing regular, timely bank reconciliations. This will ensure that cash transactions recorded
are genuine, accurate and complete.
Sequentially pre-numbering documents and then This will ensure that the recording of the numbered
undertaking regular sequence checks. documentation is complete.
Note: Documents such as goods received or despatch notes, invoices, etc., can be sequentially pre-numbered (e.g.,
1 to 100). This means each is given a unique number when raised and a sequence check can later be performed to
identify if any of the documents have gone missing by ensuring that all numbers (e.g., 1 to 100) have been recorded.
Notes

There are some specific examples of IT application controls that are commonly used within entities to manage risks:
Control Name Explanation Example
Audit log An automatic log is kept of activity that can Log of changes made to the personnel
then be manually reviewed for unexpected file can be produced and reviewed by the
or unusual activity. human resources manager to ensure no
unauthorised changes are made.
Batch controls Batch controls operate where a manual Payroll staff will often calculate the total on
count or total is made of the inputs prior to the payroll listing before processing. This
being input onto the system. Once input, total will then be compared to the bank
but before processing, the manual count is payment total once processed to ensure it
agreed to the computer-generated totals has been processed correctly.
to ensure completeness, occurrence and
accuracy of inputs.
Programmed Tests on transactions or data entry are When creating electronic sales invoices,
editing incorporated into the system programs so staff can only enter quantities within an
the computer ‘edits’ the transactions to expected window (e.g., 1 to 100). If staff
identify certain types of errors. Essentially, enter a quantity above this limit, the amount
the computer is programmed to anticipate will be rejected and a new amount required
types of entries in particular fields. to be entered.
Calculation Automatic calculations can be embedded VAT is automatically applied to invoices

within applications based on inputted based on the VAT category selected by the
information. member of staff creating the invoice.
Check digits A decimal (or alphanumeric) digit added to The last digit of a bar code number is a
a number for detecting the sorts of errors computer check digit which makes sure the
humans typically make on data entry. bar code is correctly composed.
The ‘check digit’ is driven by a formula,
based on the digits included in the number
and therefore the system can perform an
automatic check using this digit.
Exception A report generated that identifies any A payroll exception report that highlights any
reports transactions that are outside the normal staff paid unusual amounts (e.g., more than
expected range. The report should be 10% than the previous month’s salary or
reviewed and investigated. over a specified limit).
In practice the choice between manual or IT application controls will be tailored to the level of automation of the
process to which the controls relate. Therefore, if an organisation has a highly-automated sales process, it is likely to
have more IT application controls than an organisation with a paper-based system.

3.5.4 Physical Controls
Physical controls limit access to assets and important records (e.g., through securing assets or documents in a
safe or locked room). Physical controls are only effective if they include periodic counts of assets and comparison
with the accounting records and so should be coupled with appropriate record-keeping systems.
Examples
• Restricting physical access to the organisation (e.g., key card access);

• Implementing warehouse facilities appropriate to stock, including maintaining the right conditions (e.g.,
refrigeration), security (e.g., alarms) and access (e.g., key/ pin-code access to the warehouse); and
• Restricting access to paper documents by keeping them in a locked filing cabinet/ room.
3.5.5 Segregation of Duties
Segregation of duties is a type of control activity that is implemented to mitigate the risk that individuals are put in a
position that they would be able to carry out a fraud or error and then conceal it.
Example
Where an individual responsible for processing payments to a supplier is also able to set up new supplier
accounts, they could (in theory) set up a false supplier using personal bank details and make a payment to
their own account. Therefore, the task of setting up new suppliers should be performed by one member of the
team and the verification and input of supplier bank details by a different member.
By segregating duties, the work of one individual is automatically checked by another person performing
the next stage in the transaction process and avoids giving too much influence over a single process to one
member of staff.
Notes

Activity 1
The following are examples of common control activities. Identify which category each control fits in to:
a) Independent check of stock prior to despatch to ensure correct goods included.

b) Cash placed in safe overnight.
c) Review of the aged debt listing to identify overdue customers to chase.
d) Purchase orders are reviewed and authorised in accordance with formal authorisation limits.
e) Reconciliation of the debtors ledger with trade debtors figure in the nominal ledger.
f) Sequentially pre-numbered sales invoices, including sequence checks of invoices processed.
g) Perform a credit check prior to accepting customer (if goods on credit).
h) The cashier has access to only the cash elements of the accounting system. Only the debtors ledger clerk
has access to the debtors ledger.
i) Check on quality of goods before despatch.
a)
b)
c)
d)
e)
f)
g)
h)
i)
Solution
Notes

3.5.6 Entity-level controls
Entity-level controls: controls that help establish the tone and culture of the organisation and can be
relevant to a number of the components of internal control including the control environment, risk assessment,
information systems and monitoring.
Entity-level controls are sometimes referred to as ‘soft’ controls as they are less defined than specific control
activities such as those covered above.
They are the overarching controls that allow management to take comfort that the overall control environment, and
the specific control activities within that system, operate effectively. If the entity-level controls are weak, then this can
impact an organisation’s ability to mitigate risks and the overall effectiveness of its control activities.
Examples of entity-level controls include:
• A Code of Ethics or Values Statement;

• An employee handbook;
• Performance review policies;
• Employee induction policies;
• Training of staff;
• Approved risk management and internal control policies and procedures; and
• A whistleblowing hotline.
Notes

3.5.7 Limitations of Internal Control Systems
Internal control systems are not infallible, and it is important to recognise RC CHUM
that even in a well-controlled business process there are several limitations:
Limitation Explanation
Relevancy/ Any control related activities or processes can become irrelevant over time as technologies
Obsolescence and business needs change. Changes in key personnel can also cause controls to become
irrelevant or obsolete.
Cost Beyond a certain point the cost of installing or improving controls is likely to outweigh any
benefits that are likely to be gained through this control.
Collusion This involves two or more employees working together to circumvent existing control
activities for their own purposes. If two employees get together to perpetrate a fraud, it can
be very difficult for management to detect it. This often involves an override of segregation of
duties controls.
Human error Due to human nature, there is always a risk of mistakes occurring, including in the
operation of control activities themselves. This risk can be exacerbated by several factors
(e.g., lack of adequate motivation or training, time pressure, adverse working environment or
excessive workloads).
Unusual/ Control activities are designed to prevent and detect errors/ irregularities in normal, frequently
Infrequent recurring transactions. Unusual and/ or infrequent transactions are inherently risky as
transactions controls are less likely to be suitable.
Management As many processes have a facility to permit a management override function, there is a
override risk that this facility will be abused. This may result in management overriding controls (e.g.,
inflating reported sales to increase their bonus).
Notes

Learning Outcome 1: Internal control systems
CRIME
• A good system of internal control should contain five components;
• There are five categories of control activities that an organisation
can use to mitigate any business risks; and APIPS
• There are also several limitations of internal control.
You should now be able to meet the first learning outcome in this module.
RC CHUM
3.6 IT General Controls
ITGCs are policies and procedures that relate to many applications and support the effective functioning of
application controls by helping to ensure the continued proper operation of information systems. It can help to think
of ITGCs being a bubble around the IT systems and controls.
ITGCs don’t operate at the transaction level but instead help the whole IT system to work effectively and properly.
ITGCs are necessary in any business that has IT systems regardless of the different business activities and
processes at that organisation.
Examples
Examples of ITGCs include:
• restricting computer access via the use of unique usernames and passwords;
• ensuring that any sensitive data held in electronic format can only be accessed by properly authorised
personnel;
• ensuring any hardware or software purchased is of the necessary quality and standard;
• maintaining IT systems; and
• backup and recovery procedures.
Notes

ITGCs may be procedures that can be manual, automated or a combination of both. The controls commonly cover
four key areas:
• access to programs and data;

APOC
• program changes and development;
• computer operations; and
• continuity of operations.
Like the control environment, ITGCs provide the foundation for rest of the IT systems. Where ITGCs are effective,
the underlying systems and associated controls are more likely to be effective.
3.6.1 IT Risks
The four key areas above are in response to key risks that exist in any IT system.
Risk Control area
Loss, destruction or unauthorised use and Access to programs and data

alteration of data.
Access must be restricted to authorised persons only.
Changes made may be unsuitable and cause the Program changes and development
system to fail, leading to business disruption.
Any changes to programs, or development of
New programs developed may not be fit for new systems, must incorporate controls, including
purpose or contain bugs. Errors may occur when appropriate authorisation and testing.
information is migrated to new systems.
Problems with the system fail to be resolved in Computer operations

a timely manner preventing the business from
Procedures are required to ensure the recording,
continuing with its operations.
analysis and timely resolution of problems.
Unexpected disasters may have a significant Continuity of operations

negative effect on the accounting and other business
The business must take precautions against potential
applications and cause going concern issues.
hazard and implement suitable backup procedures.
Each of the control areas will be covered in more detail in turn.
Notes

3.6.2 Access to Programs and Data
Because it may influence the effectiveness of all other controls, security over programs and data is part of the control
environment. The components of this include:
• awareness of information security policies by all staff;

• appropriate restriction of access to IT computing resources; and
• segregation of duties within key processes.
Awareness of security policies
All staff should receive the organisation’s policy on access to programs and data. This should be updated regularly
and staff should receive training on the policy (for example, as part of new joiner inductions).
Restriction of access
Controls over access to data files ensure that:
• data files are restricted to authorised users; and

• data is not changed without proper authorisation.
Notes

Common controls that should be applied across the various levels include:
Physical • Access to the business premises is controlled via access cards

access • Physical security of any separate computer room, storing the servers containing the
computer systems and data files, should be restricted to authorised personnel (e.g., by
using key cards or key pads for access)
User access • Procedures are in place to ensure that only appropriate staff have access to required IT
systems
• Unique user ID and passwords issued to all users to identify and authenticate all users
and ensure a sufficient audit trail of who has processed transactions
• User access supports appropriate segregation of duties
Administrator • Access to powerful system level user IDs (typically called ‘superusers’ or ‘administrators’)
access that could override all other application controls are restricted to appropriate staff (e.g., IT
manager)
• System audit logs of changes made to the data or programs should be independently
monitored on a regular basis for any unauthorised changes
Segregation of duties
Segregation of duties is an important control in reducing the opportunity for staff to conduct fraudulent transactions.
Staff are typically given a user ID along with specific access rights (or privileges) to enforce segregation of duties.
Companies should base these specific rights to information systems on job functions.
It is important that access rights, supporting segregation of duties, are kept up-to-date and respond to changes in
staff such as changes in roles or staff leaving the organisation.
3.6.3 Program Changes and Development
Program changes are common in many businesses in the form of bug fixes (i.e., program codes installed in the live
environment to fix a system weakness) and version upgrades. Program developments refer to programs developed
internally or newly acquired from an external vendor.
Notes

It is important to ensure that the changes and developments made are appropriate and do not negatively affect the
operation of the business. It is necessary to consider the following to do this:
• authorisation;
• development;
DATA
• testing; and
• approval.
These measures ensure that only necessary changes are processed, user acceptance testing is performed, and that
there is approval by the business and IT to ensure that user requirements are met. Changes should be made in a
separate test environment to avoid any negative impact on information processing and application controls.
The Systems Development Life Cycle
Systems Development Life Cycle (‘SDLC’): A process to introduce, develop, maintain and enhance software.
The stages of the SDLC are effectively the individual controls that guard against potential risks involved in systems
development. A badly designed system will result in errors and inefficiencies which can in turn result in inaccurate or
incomplete information being included in the financial records.
Business The goal of business analysis is to obtain a clear understanding and analysis of the
analysis business needs of the existing system. This is to identify its shortcomings, determine
opportunities for improvement, and develop the requirements of the new system.
Feasibility study This is conducted to analyse different approaches in achieving the objectives concluded
from the business analysis. Once the preferred approach is chosen, a formal business
case is produced. At this stage consideration will also be given to the nature of the new
applications.
Systems analysis The systems analysis process looks at the data flowing in and out of the system, and
whether the system will meet the requirements of the business.
Design In this stage of the SDLC, the functional requirements document determines how the
system will perform the various functions required by users.
Development The feasibility study phase will have identified whether the application is to be developed
in-house, by an external team or purchased from third-party software suppliers.
Notes

Testing The developer must test each program in a test environment (separate from the live
environment) before it can be released to the users. This testing must look at each
program in isolation and at all the programs as a whole.
In addition to the program testing, user acceptance testing should be performed to

ensure the system performs as expected.
Implementation Once the users have accepted that the systems work correctly and in the way originally
specified, it’s time for implementation. This will involve preparing for the implementation
including installing appropriate hardware and software, training staff and preparing data
and documentation. Secondly, a method of implementation must be selected.
Maintenance This stage provides support, upgrades and bug fixes during the life of the system.
Post- This stage is carried out after all of the different parts of the application are fully
implementation implemented to identify whether the implementation was successful and to identify any
review lessons to take forward for further program development projects.
Enhancements/ On an ongoing basis, upgrades will comprise a collection of bug fixes and minor
wish list improvements. Where users have requested additional functionality or significant changes
(enhancements) to screen layouts or reports, these will be held in a pending project file
until there is sufficient work to justify the allocation of development staff.
3.6.4 Computer Operations
Companies should be concerned with computer operations (the day-to-day processing of information) as
inefficiencies, delays or issues with the scheduled processing are likely to cause operational problems within the
business. Controls over computer operations ensure that the processes in an organisation are as efficient as
possible and achieve the objectives of the organisation.
Notes

Therefore, organisations should consider the following computer operations components and example controls to
mitigate operational problems:
Component Example
Job processing Documented procedures to check the completeness of the processing;

schedules detailing the various processing of the system; and checklists used
by the IT team to complete the procedures
Backup and recovery Backup all data on a regular basis; store backup copies offsite; and have a
procedures checklist to ensure backup procedures are performed
Incident and problem Documented procedures on how to deal with problems raised from the
management procedures business and the process to ensure they are dealt with timeously (e.g., a
ticketing system)
3.6.5 Continuity of Operations
The ability to carry on trading after a disaster is a key objective of any company and, therefore, the IT department.
For most organisations, this involves formulating a disaster recovery plan (‘DRP’) as well as having procedures in
place to avoid disaster occurring.
More information on DRPs is included in the TC Management Information and Technology course.
Learning Outcome 2: Explain the key areas of IT general controls
There are four key areas that ITGCs commonly cover.

APOC
You should now be able to meet the second learning outcome in this module.
Notes

3.7 Summary
The five components of a sound system of internal control are:

CRIME
• Control environment;
• Risk assessment process;
• Information systems;
• Control activities; and
• Monitoring of controls.
A business process: a series of activities that enable a company to meet one or more of its objectives.
Business risk: the threat that an action or event will adversely affect the organisation’s ability to achieve its
objectives.
Accounting information systems: structures used by organisations to collect, store and process financial and
accounting data.
The five categories of control activities:
• Authorisation; APIPS
• Physical;
• Information processing (ITGCs and IT and manual application controls);
• Performance reviews; and
• Segregation of duties.
Some common IT application controls include:
• audit log;
• batch controls;
• programmed editing;
• calculation;
• check digits; and
• exception reports.
Entity-level controls: controls that help establish the tone and culture of the organisation and can be relevant to
a number of the components of internal control including the control environment, risk assessment, information
systems and monitoring.
Notes

The limitations of internal control systems are:
RC CHUM
• Relevancy/ Obsolescence;
• Cost;
• Collusion;
• Human error;
• Unusual/ infrequent transactions
• Management override.
There are four key areas that ITGCs commonly cover:

APOC
• access to programs and data;
• program changes and development;
• computer operations; and
• continuity of operations.
Access to programs and data
The components of this include:
• awareness of information security policies by all staff;

• appropriate restriction of access to IT computing resources; and
• segregation of duties within key processes.
Program changes and development
It is important to ensure that the changes and developments made are appropriate and do not affect the operation of
the business. Consideration should be made of:
• authorisation; DATA
• development;
• testing; and
• approval.
Notes

System Development Life Cycle (‘SDLC’): A process to introduce, develop, maintain and enhance software.
The stages of the systems development cycle include:
• Business analysis
• Feasibility study
• Systems analysis
• Design
• Development
• Testing
• Implementation
• Maintenance
• Post-implementation review; and
• Enhancements/ wish list.
Computer operations
Organisations should consider the following computer operations components and the example controls to mitigate
operational problems:
• job processing;
• backup and recovery procedures; and
• incident and problem management.
Continuity of operations
The ability to carry on trading after a disaster is a key objective of any company and, therefore, the IT department.
You should now be able to achieve all the learning outcomes for this module. If you are not able to do so, go back
and re-read the relevant section.
Notes

a) Information Processing Control (Application)

b) Physical Control
c) Performance Review
d) Authorisation Control
e) Information Processing Control (Application)
f) Information Processing Control (Application)
g) Information Processing Control (Application)
h) Segregation of Duties
i) Information Processing Control (Application)
Back to activity
Notes

Module 4. Accounting Information
Systems and Controls: Part One
Contents
4.1 Introduction 60
4.2 Learning outcomes 60
4.3 Designing accounting information systems 60
4.4 Sales Cycle 64
4.5 Purchases Cycle 70
4.6 Summary 73
Appendix 1 – Sales Cycle Documentation 78
Appendix 2 – Sales Cycle Phases 3 and 4 85
Appendix 3 – Purchases Cycle Phases 1 to 3 86

4. Accounting Information Systems and Controls: Part One
4.1 Introduction
Accounting information systems were introduced in Module 3 and are the structures used by organisations to collect,
store and process financial and accounting data. For example, an organisation will have a system in place to capture
and record sales made to customers.
This module will focus on two of the most common accounting information systems:
• Revenue/ Sales cycle

• Purchases cycle
In TC Financial Accounting we reviewed the required content of the financial statements, including how these are
prepared from source documents recorded in the nominal ledger. This knowledge will be useful when considering
the various accounting information systems.
4.2 Learning outcomes
1. explain the main elements of the sales and purchases accounting information systems; and
2. explain different types of control activities in the sales and purchases accounting information systems.
Achieving these outcomes will help you to meet the second learning outcome of the course as per the syllabus.
4.3 Designing accounting information systems
To understand how a company would start to design an accounting information system (including the objectives,
risks and controls) we can establish an approach that is relevant for any accounting information system.
• Step 1: Break the process down into phases;

• Step 2: Consider the objectives for that phase;
• Step 3: Decide on the relevant documentation for the phase;
• Step 4: Consider the ‘what can go wrongs’ (the risks); and
• Step 5: Design controls to address these ‘what can go wrongs’.
Notes

Step 1: Break the process down into phases
Each process will involve several phases. While each process will be tailored to meet the demands of the individual
business, the basic phases will be the same, as in many companies the processes will be designed to achieve
similar objectives.
Step 2: Consider the objectives for that phase
By considering what the objectives are for each phase of the process (i.e., what it is trying to achieve), the company
can further break down the process to assess what needs to happen and to help consider the ‘what can go wrongs’
(‘WCGW’) at step 4.
Step 3: Decide on the relevant documentation for the phase
Deciding on the relevant documentation in each phase of the process will help to understand the different inputs and
outputs of the process and identify areas that could go wrong, and therefore help to design appropriate controls.
Below are several of the key pieces of documentation found in accounting information systems. Appendix 1 includes
examples of some of these documents. Note that in many organisations these will not be paper documents but
screens within the IT accounting system. However, the detail required within and purpose of each document will be
the same regardless of whether it is in paper form or within a system.
Document Explanation Department
Purchase A purchase requisition is an internal This document will be raised by the user and
requisition document raised by the user department to forwarded to the budget-holder for approval.
request the financing to purchase goods/ After approval, a copy will be passed to the
services. It contains a description of the purchases department in order for a purchase
goods/ services required, the quantity, the order to be raised.
product code, the required date of delivery,
the expected purchase price, budget-holder
and justification for purchase.
Notes

Purchase A purchase order is raised by the purchaser The purchase order is prepared by the
order to send to the seller of goods to request purchasing department with a copy sent to
purchase of goods or services. the supplier.
It contains a description of the goods/

services, the quantity, the product code,
the required date of delivery, the expected
purchase price, discounts requested and such
administrative details as the account number.
Sales order An internal document raised by the seller Prepared by the sales team.
of ordered goods to record the receipt of a
purchase order from a customer.
It contains a description of the goods, the

quantity, the product code, the required
date of delivery, the sales price, discounts
permitted and administrative details such as
the account number and credit terms.
Goods An internal form completed by the despatcher The GDN is prepared by the warehouse with
despatch of ordered goods confirming the goods sent a copy sent to the finance department to
note out to the customer. It includes a description initiate invoice preparation.
(‘GDN’) of the goods, the quantity, the product code,
the date of despatch and the sales order
number.
Goods This is a form completed by the warehouse GRNs are raised by the warehouse upon
received as an internal document confirming the receipt of goods.
note specification of the goods received. It includes
(‘GRN’) a description of the goods, the quantity, the
product code, the date received and the
purchase order number.
Notes

Invoice A document sent by the seller of goods or The invoice is prepared by the finance
services to the buyer, detailing the amounts department with a copy sent to the buyer as a
due, discounts available, payment dates and demand for payment.
administrative details such as the account
number and credit terms.
Remittance A remittance advice is submitted by the The remittance is sent to the seller to allow
advice buyer to the seller in association with a them to match the payment against the
payment that details the nature and purpose relevant invoice.
of the payment. It details the amounts paid
and the related invoice number. This may a
‘tear-off’ slip at the bottom of the invoice or a
unique reference code for an electronic bank
transfer.
Credit note A credit note is sent by a seller to a Credit notes are raised by the finance
customer to cancel (or partly cancel) an department and sent to the buyer.
invoiced charge.
In addition, other documents that may be produced include: correspondence files, evidence of customer credit
checks, picking lists (to select goods for an order in the warehouse), customer discount listings and payment
reminder notices.
Step 4: Consider the WCGWs
At this step, the company will reflect on the objectives assessed at Step 2, the different documentation at Step 3 and
consider ‘What can go wrong’? That is, the company should consider what actions or events may happen that would
mean the objectives of the process are not going to be achieved. Understanding the WCGWs (or the risks) of a
phase is a key part of being able to design appropriate controls to mitigate the risks and stop anything ‘going wrong’.
Notes

Example
Say you are going to a shop to buy a new pair of jeans (this would be your objective). Examples of WCGWs
could be:
• The jeans are out of stock;

• The shop is closed;
• The jeans don’t fit; or
• You forget to take your debit card and therefore are unable to pay at the till.
Step 5: Design controls to assess these WCGWs
The final step is to design controls to mitigate the risks identified in Step 4. To help with this, the categories of
control activities (APIPS) can help to consider the different types of controls available. It is important that the control
designed mitigates the risk identified, that is, the control either prevents the risk arising or will detect the risk after it
has occurred and therefore allow it to be corrected.
It is important when designing controls that it is clear how the control will mitigate the risk. The control should be
specific and identify the actual activity that must be undertaken to ensure the WCGW is prevented or detected.
We will now review the steps in the context of the sales cycle.
4.4 Sales Cycle
The sales cycle is one of the main accounting information systems within an organisation. Companies can normally
make sales/ generate revenue via two main routes – credit sales or cash sales. The sales cycle will cover everything
from the initiation of a sale to the final settlement of the invoice, therefore, it will impact several financial statement
accounts including: sales/ revenue, bank and trade debtors/ trade receivables.
Notes

The phases of a typical sales cycle and the department responsible for each phase for the sale of goods on credit
are as follows:
Phase Details Department
1 Customer places order Sales
2 Order fulfilled and despatched Warehouse
3 Customer invoiced for goods Finance
4 Customer pays for goods Finance
The sales system may also contain the returns system when customers return unwanted/ damaged goods:
5 Goods returned (may replace phase 4) Warehouse
6 Credit note issued/ refund given to customer Finance
Step 2: Consider the objectives for that phase
Included below are several objectives for Phases 1 and 2 of the sales cycle.
Phase 1 – Customer places order
• Orders are only accepted from credit-worthy customers;

• All orders are recorded;
• Orders are recorded accurately;
• Orders accepted can be fulfilled; and
• Orders are accepted for the best price.
Phase 2 – Order fulfilled and despatched
• Goods are only despatched for genuine orders;

• All goods despatched are recorded;
• Goods despatched are accurate in quantity and quality;
• All orders are despatched; and
• All goods despatched are received by the customer.
Notes

Activity 1
For Phases 3 and 4 of the sales cycle, consider what objectives a company is likely to want to achieve.
Phase 3 – Customer invoiced for goods
Phase 4 – Customer pays for goods
Solution
Step 3: Decide on relevant documentation for the phase
To help us consider the WCGWs and the relevant controls, it is helpful to consider the documentation relevant to
each phase of the process.
Notes

Activity 2
Match the relevant document to the first four phases of the sales cycle.
Phase 1 a) Sales Invoice
Phase 2 b) GDN
Phase 3 c) Sales Order
Phase 4 d) Remittance Advice
Solution
Step 4: Consider the WCGWs
Commonly, the WCGWs will be closely linked to the objectives of the phase. For example, where the objective
is ‘Orders are only accepted from credit worthy customers’ the WCGW would be that ‘Orders are accepted from
customers who are not credit worthy and therefore are unable to pay for the goods’.
Activity 3
For the first phase of the sales cycle, identify what the other WCGWs could be.
•
•
•
•
Solution
Notes

We now have the phases, objectives, documents and WCGWs for the sales cycle. Thus, we can now design the
controls to mitigate the WCGWs that we identified at Step 4. To help with this, we can use the documents that we
identified at Step 3 as well as the control activity categories from Module 3.
Phase Objective WCGW Control
1 Orders are only accepted from Orders are accepted from All new customers are subject
credit-worthy customers customers who are not credit- to a credit check before being
worthy and, therefore, are accepted
unable to pay for the goods
All orders are recorded Orders are not recorded and, Sales orders should be
therefore, will not be fulfilled sequentially pre-numbered
with regular sequence checks
Orders are recorded Orders are recorded Pro-forma order forms should
accurately incorrectly (e.g., wrong be completed by trained
quantity, wrong customer individuals
details)
Orders accepted can be Orders are accepted that can’t All special orders (e.g., large
fulfilled be fulfilled, such as a large or quantities/ bespoke) must be
bespoke order authorised by the warehouse
manager in the accounting
system before they are
processed
Orders are accepted for the Orders are accepted for a Orders are automatically
best price discount despite customer not completed using authorised
qualifying up-to-date standard prices.
Any discounts must be
approved by the sales
manager in the accounting
system before processing
Notes

Activity 4
For the second phase of the sales cycle, match the controls that a company could put in place to the relevant
objective and WCGW.
2 Goods are only Goods are a) Goods can only be despatched by

despatched for despatched where no trained staff. A regular exception
genuine orders order exists, in error report of goods despatched against
or fraudulently sales orders fulfilled is reviewed by
the warehouse manager.
All goods despatched Goods despatched b) Once fulfilled and GDNs raised, sales
are recorded fail to be recorded orders are marked in the system
and are despatched as fulfilled, with regular follow up of
twice unmatched sales orders
Goods despatched The incorrect c) Customer signs for delivery upon

are accurate in quantity of goods is receipt
quantity and quality despatched to the
customer
All orders are Goods fail to be d) All goods for despatch are agreed to
despatched despatched to sales order details before despatch
customers
All goods despatched Goods fail to reach e) Goods are inspected by an

are received by the end customer despite independent member of staff before
customer being despatched despatch, agreeing details to the
sales order
Solution
The remaining phases of the sales cycle, including the objectives, WCGWs and controls can be found in Appendix 2.
Notes

4.5 Purchases Cycle
The purchases cycle (or system) encompasses all the procedures relating to the purchase of goods and services –
whether on credit or in cash – including authorisation, accounting for and settlement of related liabilities. Purchases
of fixed assets and the management of stock are also covered in this business process, but the additional
considerations for these processes will be discussed in Module 5. As with the sales cycle, the purchases cycle also
processes returns.
Activity 5
Using the sales cycle as a guide, consider what the phases of a typical purchases cycle would be and the
department responsible for each phase for the purchase of goods on credit.
The purchase system may also contain the returns system when returning unwanted/ damaged goods:
Solution

Activity 6
We have established the phases of the Documents:

purchases system, and so must now follow
• Purchase requisition
Steps 2 to 5 to complete the full system.
• Purchase order
Noted alongside are documents that are relevant to
• GRN
each stage. For Phase 4 of the cycle,
• Invoice
identify the objectives, WCGWs and controls.
• Remittance Advice
Solution
The remaining phases of the purchases cycle, including the objectives, WCGWs and controls can be found in Appendix 3.
Learning Outcomes 1 and 2: Elements of sales and purchases accounting information
systems and related control activities
We can establish an approach to design and control any accounting information system by breaking it down into
manageable steps.
You should now be able to meet the first and second learning outcomes in this module.
Notes

4.6 Summary
Accounting information systems: the structures used by organisations to collect, store and process financial and
accounting data.
We can establish an approach to design and control any accounting information system.

The phases of the sales and purchases cycles are:
Phase Sales Purchases
1 Customer places order Place order
2 Order fulfilled and despatched Receive goods
3 Customer invoiced for goods Invoice received
4 Customer pays for goods Payment for goods
5 Goods returned (may replace phase 4) Return goods (may replace phase 4)
6 Credit note issued/ refund given to customer Credit note/ refund received
Notes

Phase 3 – Customer invoiced for goods Phase 4 – Customer pays for goods
• All goods despatched are invoiced • All payments received are recorded
• Invoices are accurate • Theft/ loss of cash is prevented
• All invoices are recorded in the • Payments are received for all invoices
accounting system
• Invoices are only raised once and
not duplicated
Back to activity
• Phase 1 – c) Sales Order

• Phase 2 – b) GDN
• Phase 3 – a) Sales Invoice
• Phase 4 – d) Remittance Advice
Back to activity
• Orders are not recorded and, therefore, will not be fulfilled

• Orders are recorded incorrectly (e.g., wrong quantity, wrong customer details)
• Orders are accepted that can’t be fulfilled, such as a large or bespoke order
• Orders are accepted for a discount despite customer not qualifying
Back to activity
Notes

2 Goods are only Goods are d) All goods for despatch are agreed to
despatched for despatched where no sales order details before despatch
genuine orders order exists, in error
or fraudulently
All goods despatched Goods despatched a) Goods can only be despatched by

are recorded fail to be recorded trained staff. A regular exception report
and are despatched of goods despatched against sales
twice orders fulfilled is reviewed by the
warehouse manager.
Goods despatched The incorrect e) Goods are inspected by an

are accurate in quantity of goods is independent member of staff before
quantity and quality despatched to the despatch, agreeing details to the sales
customer order
All orders are Goods fail to be b) Once fulfilled and GDNs raised,
despatched despatched to sales orders are marked in the system
customers as fulfilled, with regular follow up of
unmatched sales orders
All goods despatched Goods fail to reach c) Customer signs for delivery upon
are received by the end customer despite receipt
customer being despatched
Back to activity
Notes

1 Place Order Purchasing
2 Receive Goods Warehouse
3 Invoice Received Finance
4 Payment for goods Finance
The purchase system may also contain the returns system when returning unwanted/ damaged goods:
5 Return Goods (may replace phase 4) Warehouse
6 Credit note/ refund received Finance
Back to activity
Notes

4 Payments are only Staff can make Payments can only be authorised by
made for genuine payments into their management who agree payments to
invoices own accounts or to invoices before processing
accounts of friends
Payments are made Payments are Invoices marked as ‘paid’ once paid, after
only once accidentally made which the system will not allow payment
twice for the same to be processed again
invoice
No cash is stolen Cash can be stolen Cash kept in a locked safe

by staff
All payments are Payments fail to Bank reconciliations are performed

recorded be recorded in the monthly by trained staff. Reconciling
general/ nominal items are followed up and investigated
ledger
Payments are made Payments are A regular exception report is produced

on time made after credit identifying payments due for payment
terms damaging which is reviewed and actioned by the
relationships with finance team
suppliers
Back to activity
Notes

Appendix 1 – Sales Cycle Documentation
In this appendix, you will find examples of the following documents:
1. Sales order; 4. Remittance advice;

2. Goods despatch note; 5. Goods received note; and
3. Sales invoice; 6. Credit note.
Note: a VAT rate of 20% will be used on all example documentation throughout the Assurance and Reporting course.
Notes

Example 1 – Sales order
SALES ORDER
ABC PLC
North City’s leading supplier of widgets Date: 21 July 20X3

SO #: 2451
Customer ID: XYZ12345
To: Mr J Bloggs Ship to: Mr J Bloggs

Company XYZ Company XYZ
456 South Street 456 South Street
South City, SO3 4UT South City, SO3 4UT
Phone 01987 654 XXX Phone 01987 654 XXX
Salesperson Job Shipping Shipping Delivery Payment Due Date

Method Terms Date Terms
A Salesperson 678 Despatch 24 hour 15/08/20X3 30 days 15/09/20X3

RUS express from receipt
Qty Item # Description Unit price Discount Line Total
24.00 1234 Widget model 1 £ 11.99 £ - £ 287.76
16.00 5678 Widget model 26 £ 2.99 £ - £ 47.84
Total discount
Subtotal £ 335.60
VAT rate 20%
VAT Tax £ 67.12
Shipping & Handling £ 31.99
Total £ 434.71
123 North Street, North City, NO1 2RT Phone 01234 567 XXX Fax 01234 567 XXX sales@companyabc.co.uk

Example 2 – Goods Despatch Note
GOODS DESPATCH NOTE
ABC PLC
North City’s leading supplier of widgets
Delivery Note No: 879236541

To contact us call customer service line: 01234 567 XXX
page 1 of 1
DELIVER TO SUPPLIED BY DATE:
Company XYZ ABC PLC 14/08/20X3 11:43

456 South Street 123 North Street
South City North City
SO3 4UT NO1 2RT
ORDER NO NO. PARCELS ROUTE NO:
2451 3 BOXES 69230XP
YOUR PURCHASE ORDER NO. DELIVERY INSTRUCTIONS
Your Order Ref: P/O A693 Warehouse 1
XYZ12345 please quote this number in all correspondence
PRODUCT CODE DESCRIPTION UNITS QUANTITY QUANTITY TO

DESPATCHED FOLLOW
1234 Widget model 1 RM 24 0
5678 Widget model 26 DC 16 0
This order has been checked and packed by: PASCOW (copy of weblogin)
We will replace missing goods if notified within 7 working days of delivery. We will collect goods for any reason
if notified within 30 calendar days of delivery.

Example 3 – Sales invoice
INVOICE
ABC PLC North City’s leading supplier of widgets
123 North Street DATE: 14 Aug 20X3

North City, NO1 2RT INVOICE # 2345
Phone 01234 567 XXX Fax 01234 567 XXX
Bill To: Goods shipped to:

Mr J Bloggs Mr J Bloggs
456 South Street, South City, SO3 4UT 456 South Street, South City, SO3 4UT
Comments or Special Instructions: 24 hour delivery
SALESPERSON S.O. NUMBER SHIP DATE SHIP VIA F.O.B. POINT TERMS
A Salesperson 2451 14/08/20X3 Despatch RUS N/A 30 days

from receipt
QUANTITY DESCRIPTION UNIT PRICE AMOUNT
24 Product ref: 1234 – Widget model 1 £ 11.99 £ 287.76
SUBTOTAL £ 335.60
VAT RATE 20%
VAT TAX £ 67.12
SHIPPING & HANDLING £ 31.99
TOTAL £ 434.71
Make all cheques payable to Company ABC. If you have any questions concerning this invoice, contact: A
Salesmanager, 01234 567 XXX, asalesmanager@companyabc.co.uk THANK YOU FOR YOUR BUSINESS!

Example 4 – Remittance Advice
Remittance No. 2680
Payee Name: ABC PLC Payer Name: Company XYZ

Address: 123 North Street Address: 456 South Street
Town, Postal Code: North City, NO1 2RT Town, Postal Code: South City, SO3 4UT
Date Description Amount
15/08/20X3 Invoice # 2345

24 x Product ref: 1234 – Widget model 1 £ 287.76
16 x Product ref: 5678 – Widget model 26 £ 47.84
Subtotal £ 335.60
VAT £ 67.12
Shipping & handling £ 31.99
Total £ 434.71
Notes

Example 5 – Goods Received Note
GOODS RECEIVED NOTE
ABC PLC
GRN No. 7496732

To contact us call customer service line: 01234 567 XXX
page 1 of 1
DELIVERED TO SUPPLIED BY DATE:
ABC PLC Company XYZ 27/08/20X3 09:43

123 North Street 456 South Street
North City South City
NO1 2RT SO3 4UT
ORDER NO NO. PARCELS ROUTE NO:
2451 1 BOX (S) 69230XP
YOUR PURCHASE ORDER NO. RECEIPT INFORMATION
PO Ref: N/A – return Received at Warehouse 1
Delivery note details: Return – goods faulty

Related Invoice: 2345
Related SO 2451
PRODUCT CODE DESCRIPTION UNITS QUANTITY QUANTITY TO

RECEIVED FOLLOW
5678 Widget model 26 DC 16 0
This receipt has been checked by: ACHECK (copy of weblogin)

Example 6 – Credit Note
CREDIT NOTE
ABC PLC

123 North Street, North City, NO1 2RT DATE: 27 August 20X3
Phone 01234 567 XXX Fax 01234 567 XXX CN # 167
Bill To: Goods shipped to:

Mr J Bloggs Mr J Bloggs
456 South Street, South City, SO3 4UT 456 South Street, South City, SO3 4UT
Comments: Return due to faulty goods
SALESPERSON S.O. SHIP DATE SHIP VIA INVOICE INVOICE

NUMBER NUMBER TERMS
A Salesperson 2451 14/08/20X3 Despatch RUS 2345 30 days from

receipt
QUANTITY DESCRIPTION UNIT PRICE AMOUNT
SUBTOTAL £ 47.84
VAT RATE 20%
VAT TAX £ 9.57
SHIPPING & HANDLING £ -
AMOUNT CREDITED TO YOUR ACCOUNT £ 57.41
If you have any questions concerning this credit note, contact: A Salesmanager, 01234 678 XXX,
asalesmanager@companyabc.co.uk THANK YOU FOR YOUR BUSINESS!
Notes

Appendix 2 – Sales Cycle Phases 3 and 4
Below the objectives, WCGWs and controls are detailed for Phase 3 and 4 of the sales cycle.
3 All goods despatched No invoice is raised for goods that Once an invoice is raised, the
are invoiced have been despatched corresponding GDN is marked as
‘invoiced’ in the system. Perform a
regular review of unmarked GDNs
Invoices are accurate Invoices include incorrect prices, Invoices are agreed to the sales
quantities or customer details order and GDN before posting and
processing.
All invoices are Invoices raised fail to be recorded Sequentially pre-number invoices
recorded in the in the accounting system and perform a regular sequence
accounting system check of those recorded in the
accounting system
Invoices are only Duplicate invoices are raised GDNs are marked as ‘invoiced’
raised once and not once invoiced, and the system
duplicated will not allow two invoices to be
processed for the same GDN
4 All payments Payments received from Bank reconciliations are

received are customers are not recorded in the performed monthly by trained staff.
recorded accounting system Reconciling items are followed up
and investigated
Theft/ loss of cash is Cash can be stolen by staff Cash kept in a locked safe
prevented
Payments are Invoices remain unpaid from Credit controller should monitor all
received for all customers outstanding debts and chase the
invoices customer if payment is delayed
Notes

Appendix 3 – Purchases Cycle Phases 1 to 3
1 Only goods required Staff order unnecessary items or Purchase orders are matched to
are ordered items for personal use approved requisitions before being
sent to supplier
Goods are purchased Goods are bought from a Goods can only be purchased from
at the best price more expensive supplier than an approved list of suppliers with
necessary agreed price lists
Goods are purchased Goods are purchased from Goods may only be purchased from
only from reliable and suppliers who fail to deliver or suppliers on an approved supplier list
reputable suppliers who deliver poor quality
All orders are placed Goods required are not ordered Match purchase orders to purchase
in time resulting in low stock requisitions and follow up on any
levels unmatched purchase requisitions
2 Goods accepted are Excess goods are received or Staff perform a quantity and quality
of appropriate quality goods are received that are of check upon receipt of goods, with
and quantity poor quality and can’t be sold on agreement to the purchase order
Goods received are Goods fail to be recorded in the Trained staff only can receive
recorded accounting system goods, with a GRN being required
to be raised to accept goods into
warehouse
Goods are received Receipt of goods is subject to Once a GRN is received it is

on time delay matched to the purchase order on
the system. A regular exception
report is produced to highlight
unmatched purchase orders
Notes

3 Invoice processed Invoices are accepted and Invoices are matched to GRNs
only for goods recorded for goods not received before processing
received from supplier
All invoices received No invoice received for goods Invoices are matched to GRNs once
received received. A regular exception report
is produced identifying unmatched
GRNs to be followed up
All invoices recorded Invoices received are not Perform monthly supplier statement
recorded in the accounting reconciliations and follow up on any
system differences (see note)
Note: Supplier statement reconciliations are a good control for ensuring that all invoices have been recorded and
that they are recorded correctly. It is common that suppliers will send monthly statements to their customers to
remind them of amounts due. Therefore, the supplier statement received by the customer can be used by them as a
control. A reconciliation will be performed between what the supplier believes is due (i.e., the supplier statement) and
what has been recorded in the organisation’s accounting system. Any differences can be investigated and reconciled
and therefore any missing or incorrect information in the accounting system will be highlighted.
Notes

Module 5. Accounting Information
Systems and Controls: Part Two
Contents
5.1 Introduction 89
5.3 Key Accounting Cycles 89
5.3.1 Recap 89
5.4 Stock Cycle 89
5.5 Fixed Assets Cycle 93
5.6 Payroll Cycle 95
5.6.1 Human Resources Cycle 95
5.6.2 Payroll Phases 96
5.7 Monthly Financial Reporting 98
5.8 Summary 102

5. ACCOUNTING INFORMATION SYSTEMS AND CONTROLS: PART TWO
5.1 Introduction
In Module 4 we introduced the concepts of accounting information systems. We will now go on to consider some
additional accounting information systems that are found in many organisations; the payroll cycle, the stock/ inventories
cycle, the fixed asset/ property, plant and equipment (‘PPE’) cycle and the monthly financial reporting process.
1. explain the main elements of the key accounting information systems, other than sales and purchases; and
2. explain different types of control activities in the key accounting information systems, other than sales and
purchases.
Achieving these learning outcomes will help you to meet the second learning outcome of the course as per the
syllabus.
5.3 Key Accounting Cycles
5.3.1 Recap
As learnt in Module 4, we can establish a stepped approach that is relevant for any accounting process:

5.4 Stock Cycle
The sales and purchases cycles, covered in Module 4, may have an impact on the stock (or inventories) cycle. This
is due to the stock movements that occur because of the sales or purchase transactions. Therefore, we need to
consider the process between stock being received and despatched from the warehouse.
Notes

Note: The stock system in a retail company will be considered in this module. In a retail company, there will not be a
manufacturing process as finished goods are purchased, wholesale, for onward sale.
As with sales and purchases, we can follow the five steps to help design and control the stock cycle.
We have already encountered two of the phases of the stock cycle when discussing sales and purchases, that is;
Order fulfilled and despatched (sales) and Receive goods (purchases). Therefore, we already have the first and last
stage of the stock process – stock arriving at the warehouse and stock leaving the warehouse.
The phases that relate to the point between receiving and despatching stock are listed below:
1 Receive goods Warehouse
2 Stock movements Warehouse
3 Stock holding Warehouse
4 Stock valuation Finance
5 Order fulfilled and despatched Warehouse
Example
Stock Movements: Stock moving between locations in the warehouse
Stock Holding: Maintaining appropriate conditions (e.g., refrigeration)
Stock Valuation: Valuing stock at the lower of cost and net realisable value (‘NRV’) and in line with
accounting standards
Notes

Stock movements
As with receipts and despatches of goods in and out of the warehouse, goods received notes (‘GRNs’) and goods
despatch notes (‘GDNs’) can be used to indicate where stock is moved around the warehouse or from the
warehouse to the stock room. Whilst this documentation will not update the total amount of stock on the stock
listing, it will update the location of the items.
Stock holding
The company must ensure that stock is safeguarded against loss, theft or damage and that it is maintained in the
correct conditions to prevent damage/ deterioration. The company must also ensure that the stock records reflect
what is physically on hand at any point in time.
Stock valuation
Stock should be held at the lower of cost and NRV. Consequently, the company must put in place procedures that
ensure that the stock is costed correctly, that slow-moving, damaged or obsolete stock is identified and that
the impact on stock valuation is considered (e.g., if a write down is required). Write downs are covered as part of the
TC Financial Accounting course.
Steps 2 to 4: Objectives, documentation and WCGWs
Now that we have broken the process down into phases, we can continue with the remaining steps, as we did with
sales and purchases. This will be considered in Activity 1.
Stock counts
An important control that management has over the accuracy of the stock records (the objective) is a stock count.
The count procedures will depend on the nature of the stock held, but will generally involve a full count of all stock
items at the year-end date. This will mean that the company will know exactly how many of each item of stock
exists at the year-end date and, therefore, should be included in the financial statements.
Notes

Example
• A clothing shop, with a year-end date of 31 December, would aim to count all the stock (jeans, dresses,
tops, etc.) in its shops and warehouse on or around 31 December 20X1; or
• A scrap metal company may employ an expert to help estimate the total amount of metal held at its scrap
yard around its year-end date.
Note: Some companies will perform perpetual stock counts (i.e., counts throughout the year) instead of a full count
at the year end. This will be considered at TPS Assurance and Data.
For a stock count to be performed effectively and, therefore, to mitigate the risk that an error has arisen in the
quantity held at the year end (the WCGW), management should ensure several procedures are performed:
• management should produce clear instructions detailing how the count should be carried out and these should
be passed to all staff;
• the count should be carried out in line with the instructions provided and staff involved should be trained on
the process and nature of stock;
• stock movements should be ceased until the stock count is complete;
• stock count sheets (paper or electronic) should be provided to all counters, with the items to count included but
excluding the quantities expected;
• items should be counted by two members of staff who are not involved in the daily handling of the stock, one
to count the items and one to check and record;
• stock count sheets should be completed in pen1 and signed by both counters as a permanent record of work
performed;
• items should be marked once counted (e.g., with a sticker); and
• once the quantities per the count sheets are compared to the stock listing, any differences should be
investigated and the stock listing updated.
Whilst the instructions at each entity will be different, following the above procedures will help to ensure that the
stock count is an effective control.
1. Or if electronic, inputted in an un-editable format
Notes

Activity 1
For each of the three phases of the stock cycle not yet considered, design one objective, one WCGW and one
control for that phase. Documentation commonly found in the process includes: GDNs, GRNs, stock-count
sheets and the stock listing.
Solution
5.5 Fixed Assets Cycle
Fixed assets (or PPE) typically follow a similar process to the purchases cycle. However, there is a risk that due to
the higher value and less frequent nature of fixed asset purchases, additional risks may arise.
Therefore, some important additional controls that an entity may implement to ensure that fixed assets are correct in
the financial statements include:
• maintenance of a fixed asset register (‘FAR’), with details of all assets held including a unique asset number,
cost, accumulated depreciation and useful economic lives – reconciled monthly to the nominal ledger and
subject to review by the financial controller;
• accounting policies (for example, in relation to depreciation and revaluations) should be approved by the board
of directors;
Notes

• authorisation for significant fixed asset purchases should be completed by the board of directors at their
monthly board meeting;
• asset disposal forms to be completed for any disposal/ sale of a fixed asset and passed to the finance team for
recording; and
• fixed asset counts performed (like stock counts but for fixed assets and commonly performed less frequently,
perhaps annually or biennially).
Note: The above controls would be in addition to the controls identified in the purchases process.
Activity 2
Using your knowledge of the purchases cycle for goods on credit, produce phases for the fixed asset
purchases cycle, including:
• Process phases; and

• Documentation.
Tips: Consider the nature of fixed asset purchases (e.g., a property, a piece of machinery or a motor vehicle)
and whether this will introduce any new phases or alter existing ones from the purchase cycle for buying
goods on credit. Phase 5 has been completed for you as an example.
Phase Documents Involved
1.
2.
3.
4.
5. Receive invoice Invoice
6.
Solution
Notes

5.6 Payroll Cycle
The payroll cycle is a key accounting cycle as, for several organisations, the payroll expense will be a significant
expense in the profit and loss account.
An organisation’s payroll transactions can include (amongst others):
• salaries and hourly wages;

• commissions;
• bonuses;
• PAYE deductions;
• NI deductions;
• pension contributions; and
• employee benefits (e.g., health insurance and paid holidays).
The payroll cycle will encompass all procedures relating to:
• the recording of work done;

• the recognition of the payroll liabilities and preparation of the payroll listing; and
• the payment of payroll liabilities and the recording of payroll on the nominal ledger.
5.6.1 Human Resources Cycle
It is important not to confuse the payroll and human resource (‘HR’) cycles. The HR (or personnel) cycle is involved
in the engagement and termination of personnel and the creation and maintenance of master data (i.e., personnel
files). The payroll cycle involves the calculation, payment and recording of wages and salaries.
It is important to segregate the responsibilities of the payroll and HR functions to ensure that no one individual has
access rights to all data and procedures, as this can increase the risk of fraud.
Example
If there is not sufficient segregation of duties between the HR and payroll functions, it may be possible for a
member of staff to create a new fictional employee with their own bank details and then arrange to have a
monthly salary paid into their own account fraudulently.
Note: In this section, we will focus on the payroll cycle rather than the HR cycle as this has the direct impact on the
financial statements.
Notes

5.6.2 Payroll Phases
You are likely to be familiar with some aspects of the payroll cycle as an employee (e.g., the issuing of monthly
payslips).
The diagram below highlights the key phases of the payroll cycle in respect of wages and examples of common
documents involved:
PHASE DOCUMENT INVOLVED
1. Work done and

Timesheets
time recorded
2. Calculation of HR master file for

payroll liability hourly rate or salary
Payroll listing / summaries

3. Payment of
payroll liability
Payslips
Notes

Activity 3
For each of the three phases of the payroll cycle, match the control to the corresponding objective and
WCGW.
1 a) Only genuine a) Employees i. Payroll reconciliation between payroll

overtime is record additional listing and nominal ledger performed
recorded overtime monthly, with reconciling items followed
fraudulently up
b) All work performed b) Work performed ii. Timesheets must be authorised by line

is recorded by employees is manager before being processed by
omitted from the payroll
monthly payroll
run
c) Work done c) The hours worked iii. Payroll is calculated by trained staff

is recorded are recorded and is subject to review by the payroll
accurately inaccurately manager
2 d) The payroll run d) Payroll is iv. The payroll manager performs a

is calculated computed review of actual payroll expense and
correctly with incorrectly liabilities vs budget by department to
respect to highlight any unexpected differences
both employee
payments and tax
liabilities
e) The payroll e) The payroll v. Payroll calendar completed, including

expense and expense and all relevant deadlines, available to all
liabilities are liabilities are payroll staff
recorded correctly incorrectly
recorded in the
nominal ledger
3 f) No duplicate f) Payments are vi. Report run each month of employees

payments are processed twice not paid in consecutive months to
made identify any possible omissions

3 g) Payroll payment g) Payments to vii. Final payroll run is authorised by the

is accurate and employees finance director after agreeing to
authorised or HMRC are supporting documentation
inaccurate or
inappropriate
h) Payment to h) Payment to viii. Payroll listing marked as ‘paid’ once

HMRC and employees or payment made. The system will not
employees is HMRC is made allow payment to be processed twice.
made on time after the expected/
required deadline
Solution
5.7 Monthly Financial Reporting
At the end of each month and at the year end, organisations will carry out several activities to produce
information for financial reporting. This includes month-end procedures and control activities to close the various
nominal ledger accounts and subsidiary ledgers to prepare financial reports. This process is necessary to ensure
the accuracy of the figures in the monthly management accounts and financial statements, which are used by
management to gauge how the business has performed in the period.
The main elements (which are equivalent to the phases) of the monthly financial reporting process that you should
be aware of for this course are discussed below.
Month-end journals
Month-end journals are the transactions processed through the nominal ledger. Examples from TC Financial
Accounting include:
• depreciation expense and accumulated depreciation;

• cost of sales and stock;
• accrued and prepaid expenses;
• allowance for doubtful debts; and
• correction of errors.
Notes

The relevant objectives for month-end journals are:
• all necessary journals are processed;

• journal entries are accurate and agree to supporting documentation; and
• journal entries processed are genuine.
Therefore, the WCGWs are:
• required journal entries are omitted;

• journal entries are recorded inaccurately; and
• journal entries processed are not genuine or have no supporting evidence.
Activity 4
For each of the objectives and WCGWs identified above, design a control activity that could be implemented
to help meet the objective and mitigate the risk.
Solution
Notes

Month-end reconciliations
Reconciliations should be performed for all control accounts, as well as for some additional areas. Some key
reconciliations that you may be familiar with from TC Financial Accounting are:
• the trade debtors/ receivables in the nominal ledger to the aged debtors ledger;
• the trade creditors/ payables in the nominal ledger to the aged creditors ledger; and
• the bank reconciliation.
The payroll reconciliation is another common reconciliation performed.
The main reconciling items arise due to timing differences (as the subsidiary ledgers could be closed off earlier
than the nominal ledger) or manual entries (processed by staff in one or both systems). These reconciliations
ensure that amounts in the nominal ledger match the accumulated balances in the detailed subsidiary ledgers.
The relevant objectives for reconciliations are:
• all necessary reconciliations are completed;

• all reconciling items are investigated and corroborated; and
• reconciliations are completed accurately and consistently.
The WCGWs are:
• necessary reconciliations fail to be completed;

• reconciliations fail to be completed fully and fail to identify unreconciled differences; and
• reconciliations are not completed accurately and consistently month-to-month.
The relevant controls include:
• maintain a formal checklist and timetable of reconciliations to be performed and completed, with the checklist
regularly reviewed for completeness;
• staff completing reconciliations are fully trained and reconciliations are subject to review; and
• reconciliation pro forma used each month (with details being automatically populated from the accounting
system where available).
Stock counts
Stock counts were considered as part of the stock cycle in Section 5.4. Stock counts are one of the activities that will
be completed at month or year end to prepare accurate financial information.
Notes

Production of management accounts
The result of the monthly management accounting processes is the production of management accounts. This may
be done automatically by the system via a reporting software tool, through the export of ledger data to a spreadsheet
package, or by manual input to a spreadsheet package. In all cases, the management accounts themselves require
to be reconciled to the nominal ledger.
Production of financial statements
This element is only performed during one or two month ends a year (dependent on whether a company produces
financial statements only or also produces half-yearly financial statements). The general procedures in preparing the
final financial statements tend to be the same as the procedures to produce management accounts. However, the
production of statutory accounts tends to be a more manual process due to the disclosure notes that are required.
The financial statements should be subject to review by management (i.e., the finance director, board or audit
committee).
Learning Outcomes 1 and 2: Elements and controls of key accounting information systems,
other than sales and purchases
This module focused on the stock, fixed asset, payroll and monthly financial reporting processes.
You should now be able to meet the first and second learning outcomes in this module.
Notes

5.8 Summary
Accounting processes are business processes that relate to an area of the financial statements. Examples include
the sales and purchases cycles as well as payroll, stock, fixed assets and month-end processes. This module
focused on the stock, fixed asset, payroll and monthly financial reporting processes.
We can establish an approach to design and control any accounting process, as introduced in Module 4:

The phases of the stock cycle are:
Phase Stock
1 Receive goods
2 Stock movements
3 Stock holding
4 Stock valuation
5 Order fulfilled and despatched
The phases of the fixed asset cycle are:
Phase Fixed Assets
1 Identify the need for asset
2 Seek management or board approval
3 Order asset
4 Receive asset/ transfer ownership
5 Receive invoice
6 Make payment
Notes

The phases of the payroll cycle are:
Phase Payroll
1 Work done and time recorded
2 Calculation of payroll liability
3 Payment of payroll liability
The phases of monthly financial reporting are:
Phase Monthly Financial Reporting
1 Month-end journals
2 Month-end reconciliations
3 Stock counts
4 Production of management accounts
5 Production of financial statements
Notes

Note: the solution includes several different objectives, WCGWs and controls. Whilst you were only asked for one for
each phase in this activity, you must be familiar with each of the items in the table below for your exam.
2 All stock movements are Stock movements are not All stock movements are
recorded correctly reflected on the stock accompanied by an internal
listing, with stock not being GRN and GDN which are
able to be found within the sequentially numbered, and
company regular exception reports are
produced to identify gaps in
the sequence
Stock is moved safely without Stock is damaged when Staff are appropriately trained
any damage moved in the handling and moving of
stock items
3 Stock is safeguarded against Stock is stolen by staff, CCTV cameras installed in the
theft customers or others warehouse and stock rooms
Stock is safeguarded against Stock is damaged due to poor Stock conditions are
damage storage conditions appropriate for stock items,
including appropriate storage
environments
Stock is held at the correct Too much or too little stock is Minimum and maximum
level held stock levels, as approved
by management, should be
adhered to
Stock records reflect stock Stock records include more Performance of monthly stock
held stock than is held in the counts of all stock items
warehouse
Notes

4 Stock is costed correctly Stock is held at the incorrect Warehouse manager regularly
cost reviews the stock listing for
any unusual or unexpected
costings
Stock is held at the lower of Stock items where the NRV Performance of a comparison
cost and NRV is lower than cost fail to be between the cost and NRV
identified and are recorded of stock items, agreeing write
incorrectly downs and provisions where
appropriate
Damaged or obsolete stock is Stock value is overstated Damaged or obsolete stock

valued correctly as NRV falls below cost for should be identified during the
obsolete or damaged items stock count and reviewed by
the finance manager to ensure
the valuation is appropriate
Back to activity
Phase Documents Involved
1. Identify the need for asset Business plan
2. Seek management or board approval Purchase requisition, board minutes or manager authorisation
3. Order asset Purchase order
4. Receive asset/ transfer ownership Delivery advice, GRN or title deeds
5. Receive invoice Invoice
6. Make payment Remittance advice
Back to activity
Notes

1 a) Only genuine overtime is a) Employees record ii) Timesheets must be

recorded additional overtime authorised by line
fraudulently manager before being
processed by payroll
b) All work performed is b) Work performed by vi) Report run each month

recorded employees is omitted from of employees not paid
the monthly payroll run in consecutive months
to identify any possible
omissions
c) Work done is recorded c) The hours worked are iv) The payroll manager
accurately recorded inaccurately performs a review of
actual payroll expense
and liabilities vs budget
by department to highlight
any unexpected
differences
2 d) The payroll run is d) Payroll is computed iii) Payroll is calculated by

calculated correctly with incorrectly trained staff and is subject
respect to both employee to review by the payroll
payments and tax manager
liabilities
e) The payroll expense and e) The payroll expense and i) Payroll reconciliation
liabilities are recorded liabilities are incorrectly between payroll listing
correctly recorded in the nominal and nominal ledger
ledger performed monthly, with
reconciling items
followed up
Notes

3 f) No duplicate payments are f) Payments are processed viii) Payroll listing marked
made twice as ‘paid’ once payment
made. The system will
not allow payment to be
processed twice.
g) Payroll payment is g) Payments to employees vii) Final payroll run is

accurate and authorised or HMRC are inaccurate authorised by the
or inappropriate finance director after
agreeing to supporting
documentation
h) Payment to HMRC and h) Payment to employees v) Payroll calendar

employees is made on or HMRC is made after completed, including
time the expected/ required all relevant deadlines,
deadline available to all payroll staff
Back to activity
• Prepare a checklist of all journals that must be processed at the month end and assign responsibility to
specific members of the finance team. Once processed, the journal should be checked off the list and a
review should be performed to ensure all journals processed.
• Journal entries should be subject to manager review (including agreement to supporting documentation) and
approval before processing.
• The finance controller should perform a review of all month-end journals posted to identify any unusual
transactions. Any unexpected journals should be followed up and vouched to supporting evidence.
Back to activity
Notes

Module 6. Internal Audit
Contents
6.1 Introduction 109
6.3 What is Internal Audit? 110
6.4 Composition of the Internal Audit Function 110
6.5 The Need for Internal Audit 111
6.5.1 Why choose to have an internal audit function? 111
6.6 Responsibilities and Relationships of Internal Audit 111
6.7 Types of Internal Audit 113
6.8 Effectiveness of Internal Audit 116
6.8.1 Independence 117
6.9 Summary 120

6. INTERNAL AUDIT
6.1 Introduction
In this course, we will be concerned primarily with the statutory external audit of UK companies.
However, in some companies there is a team of employees who are specifically focused on looking at the internal
systems and processes of the entity, known as internal audit. Internal audit need not be provided by the company’s
employees; many accountancy firms offer internal audit services. The key distinguishing factors between internal
and external audit are:
• reporting lines are within the organisation, as opposed to the external auditor who reports publicly to
shareholders; and
• the matters subject to audit are normally internal, relating to the management of the organisation. This differs
from the external auditor who reports on the publicly published financial statements.
Internal audit is a management tool used by organisations to enhance internal control and governance structures.
The role of internal audit varies. It may involve straightforward internal checking, complex system review, intensive
forensic investigations, internal appraisals of operations and financial planning, or in some cases a financial
statements audit.
1. explain the scope and purpose of an internal audit function;

2. explain the types of work undertaken by internal audit; and
3. explain the characteristics of an effective internal audit function.
Achieving these learning outcomes will help you to meet the second learning outcome of the course as per the
syllabus.
Notes

6.3 What is Internal Audit?
Internal auditing: an independent, objective assurance and consulting activity designed to add value
and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and
governance processes. An effective internal audit function should provide assurance, advice and insight.
The key elements of an internal audit function are as follows:
• it is independent of the day to day operations of the business (segregation of duties);

• it objectively measures and evaluates;
• it takes place within the organisation; I’M WISE
• it is itself an integral part of the framework of business controls;
• it is a service to all levels of the organisation; and
• it looks at the effectiveness as well as the efficiency of operations, while looking also at value for money.
Internal audit is itself an integral part of the framework of risk management and internal control. It is also an
important part of an organisation’s corporate governance framework. Some of the internal audit function’s (‘IAF’)
main objectives are:
• to provide reasonable assurance to executive management and the board on the adequacy and effectiveness
of the risk management and control systems within the company; and
• to assist all members of an organisation, including managers and the board, to effectively discharge their
responsibilities.
6.4 Composition of the Internal Audit Function
Internal auditors are not required to have the same qualifications as external auditors. However, there are internal
audit qualifications available and it is possible to join an institute which specialises in internal audit, such as the
Chartered Institute of Internal Auditors.
The IAF should report to the audit committee if there is one, or the CEO if not. The audit committee should review
the scope of the work programme set out for the IAF. It is important that the IAF is independent of the various
operational parts of the company, to allow them to perform unbiased checks of the performance of the company.
Notes

6.5 The Need for Internal Audit
The general rule is that there is no statutory requirement for most companies to carry out internal audit, but some
entities are required to have an internal audit function, either under statute or due to regulatory arrangements. This is
a common requirement in the public sector with, for example, local authorities and central government bodies being
obliged to make arrangements for an internal audit function.
The UK Corporate Governance Code recommends that:
1. where a company has an internal audit function, the audit committee should monitor and review the
effectiveness of the company’s internal audit function; or
2. where an internal audit function does not exist, the audit committee should consider annually whether there
is a need for an internal audit function.
Therefore, any entities that are required to, or choose to, report on the Code will either need to comply with these
provisions or explain the reason for deviation in their Corporate Governance Statement.
6.5.1 Why choose to have an internal audit function?
Whilst internal audit may not be mandatory, many organisations choose to have an internal audit function. Module 2
described how it is the directors of a company who are charged with the responsibility of managing the company
in the best interests of its shareholders. In practice, however, they are unlikely to be able to oversee the whole
business. Particularly in a larger organisation it would be very difficult for the directors to individually manage and
review every area of the company. As the number of staff members, complexity and diversity of an organisation
increases, the risk of fraud and error also increases. In order to ensure that the directors are still able to meet
their obligations regarding managing the company, they will often have an internal audit function by choice to gain
assurance that the management and control of the organisation is robust.
6.6 Responsibilities and Relationships of Internal Audit
To Directors
The NEDs who sit on the audit committee have a duty to oversee the activities of their executive colleagues, who
operate the business on behalf of the shareholders.
By reporting to the audit committee, the IAF has a responsibility to provide the directors with objective assurance
over the quality of control exercised by management over the organisation’s assets and resources.
Notes

To Shareholders
The existence of an effective IAF should also, indirectly, provide shareholders with a degree of assurance regarding
the effective operation and control of the company.
To Management
Internal audit provides management with an independent view on the quality of internal control exercised by
them. Management gain assurance that the systems operating are efficient, control against fraud and error, provide
accurate information and achieve the company’s objectives.
To maintain independence, it is important to recognise that it is the responsibility of the directors to manage
overall risk management of the organisation and to identify risks. The role of internal audit should be:
• to challenge the processes and controls established by management to identify and respond to risks;
• monitor progress to resolve issues and action points raised; and
• to assist the organisation in facilitating risk workshops and other such activities designed to increase awareness
of risk and controls.
Learning Outcome 1: Scope and purpose of internal audit
Internal audit provides an independent, objective view on the effectiveness of risk management, control and
governance in an organisation.
There are a number of key elements in an internal audit function, which is, itself, an integral part of the framework
of risk management and internal control. The main objectives of an IAF are to provide reasonable assurance over
the adequacy and effectiveness of the risk management and control systems within a company and assist all staff to
effectively discharge their responsibilities.
Internal auditors are not required to have specific qualifications, although these are available. The IAF should report
to and be overseen by the audit committee. As a general rule, there is no statutory requirement for most companies
to carry out internal audit although there are exceptions to this rule.
The IAF has responsibilities to both directors and management. The existence of an effective IAF should also
provide shareholders with a degree of assurance regarding the effective operation and control of the company.
You should now be able to meet the first learning outcome in this module.
Notes

6.7 Types of Internal Audit
In fulfilling its responsibilities, the internal audit function will become involved in different types of reviews. This will
vary depending on the requirements of each individual organisation and the capabilities and resource of the IAF. A
brief outline of some of the main types is provided below.
Type of Internal Audit Explanation
Financial Audit Internal audit may conduct a financial audit prior to the statutory financial
statement audit or may conduct an audit of interim or other internal financial reports
used by management. The internal auditor will use similar techniques to the
external auditor.
Systems Audit Systems audit is the review and evaluation of the systems (both manual and
computer systems) by which an organisation regulates and controls its activities
(i.e., the business processes described in Modules 3, 4 and 5). The IAF would
evaluate the design of the controls to conclude on the effectiveness and efficiency
of the systems and also test the operation of controls to ensure users have been
carrying out procedures as intended.
Management Audit This type of audit evaluates and appraises the processes and policies
management of the organisation used to control the resources available for
achieving its business requirements. Such audits are generally carried out to
ensure the management team is functioning optimally.
Management audit, therefore, is an examination of the aspects of management

control such as:
• Organisation and structure;

• Planning, budgeting and resource allocation procedures;
• Performance monitoring and review processes;
• Communication methods effectiveness; and
• Action planning processes.
Notes

Value for Money Audit This type of work is more common in the public sector. VFM audits can take
(‘VFM’) various forms including:
• Audit reviews of key business systems necessary to achieve VFM (e.g.,

planning and budgeting systems);
• Investigations of specific incidents where VFM was not secured due to
inefficiency, ineffectiveness or weakness in control; and
• Reviews of businesses activities, to identify the scope for improved VFM and
cash savings.
Contract Audit Contract audit is also more common in the public sector. It can involve review of
any area of activity involving high value and potentially high risk contracts, but is
most commonly associated with major capital contracts (e.g., construction of a new
building).
Operational Audit In broad terms, this is the systematic review and evaluation of an organisation
(or part of an organisation) for the purpose of determining its effectiveness and
efficiency in pursuit of one or more of its operating objectives. An example of this
would include the review of a construction company’s compliance with health and
safety regulations.
Post-implementation This intends to provide an objective appraisal of the success or otherwise

Review of a business initiative by measuring achievement against the original stated
objectives. This is in order to improve the quality of future decisions so the
organisation can learn from its mistakes.
Investigations IAFs are often called upon to undertake investigation work into internal or
external fraud, operational losses, breaches of security, or where customers have
exhibited serious concerns to senior management. Other types of investigation
work include the examination of potential takeover targets (due diligence
assessments).
Inspection and Quality Inspection is the continuous, periodic examination of procedures applied
Control and transactions to ensure their operation complies with a laid down set of
instructions. This type of audit does not necessarily consider the appropriateness of
procedures, just that they are adhered to.
Notes

Compliance Audit Compliance audits review adherence to particular laws and regulations, policies and
procedures, governmental requirements and restrictions on particular types of activity.
Follow-up Audit These are audits conducted after an internal or external audit report has been
issued. They are designed to evaluate corrective action that has been taken on the
audit issues reported in the original report.
Culture Audit Organisational culture is reflected in the attitudes, norms and ‘tone’ of an
organisation. A dysfunctional culture presents a serious risk, affecting general
attitudes to internal control, and has often been found to be at the heart of high-
profile corporate failures or scandals. Cultural considerations could be integrated
into some of the audits described above or internal audit could conduct stand-
alone examinations of cultural values and attitudes.
Environmental, Social ESG (also known as sustainability reporting) focuses on how organisations interact
and Governance (‘ESG’) with the world around them.
Reviews
A key concept of corporate governance is the long-term sustainability of the entity
and fair dealings with stakeholders, which includes the general public that the
organisation operates within. The contents of an ESG report can therefore be wide
and vary significantly between different organisations, from gas emissions to social
enterprise schemes.
It is becoming more common, and an expectation, for organisations to report on

their ESG activities. Therefore, there is an increase in the involvement of internal
audit teams to perform various functions to assist an organisation in achieving its
goals. This may involve offering assurance support by providing an independent
and objective review of the effectiveness of ESG risk assessments, responses,
and controls or adding value in an advisory capacity by helping management to
establish an appropriate ESG control environment.
Some other work that can be performed in this area includes:
• Reviewing reporting metrics and ensuring that any data used in ESG reports is
accurate, relevant, complete and timely
• Reviewing ESG reporting for consistency with other formal financial disclosures
• Conducting materiality or risk assessments on ESG reporting
Notes

Learning Outcome 2: Types of internal audit
The role of the IAF depends on the requirements of the organisation and the capabilities of the IAF and can
be very varied.
You should now be able to meet the second learning outcome in this module.
6.8 Effectiveness of Internal Audit
The existence of internal audit is itself important. However, the existence of an IAF
PARISS
does not guarantee its effectiveness. Therefore, there are a number of aspects that
contribute to an effective internal audit function.
The Internal There should be an internal audit programme, or internal audit plan which is prepared by the
Audit Process internal audit manager and approved by the audit committee. The internal audit programme
is the detailed schedule of audits to be undertaken by the internal audit function over a future
period of time (usually the financial year).
Formal procedures should be established regarding supervision and review, reporting and
follow-up actions.
The Role The internal audit function should report to and be overseen, monitored and reviewed by the
of the Audit audit committee. In smaller organisations, this should be the role of the CEO.
Committee
Resource and There should be sufficient resources within the IAF to effectively carry out the reviews on the
Competence internal audit plan for the year.
The internal audit team should include sufficiently competent individuals, with suitable
qualifications or experience.
Independence Internal auditors must be independent of the activities that they examine to enable them to
provide the impartial and unbiased judgements that are essential to the proper conduct of
their work (see Section 6.8.1).
Position and Internal audit should have appropriate standing in the organisation so that they are respected
Status of by all staff and recommendations made are taken seriously.
Internal Audit
Notes

Internal Internal auditors must undertake their work with due professional care. To promote
Auditing consistency in the quality of internal audit work internationally, the Institute of Internal
Standards Auditors developed the International Standards for the Professional Practice of Internal
Auditing that can be used by internal auditors.
6.8.1 Independence
As with external auditors, it is essential that internal auditors are independent of the activities that they examine to
enable them to provide the impartial and unbiased judgements that are essential to the proper conduct of their work.
This is more difficult to achieve for internal audit than external due to their position within the organisation and the
relative lack of relevant standards and guidance.
An organisation can help to ensure the independence of the internal audit function by:
1. Having the internal audit function report directly to the audit committee;
2. Having the internal audit plan approved by the audit committee;
3. Having the audit committee appoint the internal audit manager;
4. Remunerating internal audit staff to support independence; and
5. Ensuring internal audit staff are not involved in operational areas.
Activity 1
For each of the points identified above, discuss why these would help ensure the independence of the internal
audit function.
Solution
Notes

Activity 2
You are a consultant for Parcels Parcels Parcels plc (‘Parcels’), a large listed company with branches
throughout the UK. As part of your remit you have been asked to assess the internal audit function (‘IAF’) by
identifying problems with the current internal setup. You have been given the following information about the
IAF at Parcels.
1. The head of the IAF, Mandy Crawford, spends about 65% of her time working in internal audit and the rest
in the IT department (where she is responsible for the development of new computer systems).
2. Mandy is assisted by one full time member of staff, Moray Burnett, who is a part qualified accountant.
Mandy originally worked in IT and was appointed as head of the IAF due to her in-depth knowledge of the
company’s IT systems.
3. Mandy decides each year what work will be carried out by herself and Moray after they conclude the
previous piece of work. Any reports created are provided to the finance director once complete for review.
4. The findings and recommendations of the IAF’s reviews are often ignored by Parcel’s staff as they don’t
think they are a priority and they claim they are too busy to deal with the findings.
5. When Moray joined the IAF he found there was no formal guidance on what he had to document or the
steps he should take when performing his work. He mentioned this to Mandy but she has been too busy to
do anything about it.
Hint: Use the six headings of an effective IAF to help you identify weaknesses at Parcels.
Solution
Notes

Learning Outcome 3: Effective Internal Audit
To be effective, the internal audit function should consider the following aspects:
1. The Internal Audit Process;

2. The Role of the Audit Committee; PARISS
3. Resource and Competence;
4. Independence;
5. Position and Status of Internal Audit; and
6. Internal Auditing Standards.
You should now be able to meet the third learning outcome in this module.
Notes

6.9 Summary
Internal auditing is an independent, objective assurance and consulting activity designed to add value and
improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control and governance
processes.
The key elements of an internal audit function are as follows:

I’M WISE
• it is independent of the day to day operations of the business
(segregation of duties);
• it objectively measures and evaluates;
• it takes place within the organisation;
• it is itself an integral part of the framework of business controls;
• it is a service to all levels of the organisation; and
• it looks at the effectiveness as well as the efficiency of operations, while looking also at value for money.
The main objectives of an internal audit function (‘IAF’) are to provide reasonable assurance over the adequacy
and effectiveness of the risk management and control systems within a company and assist all staff to effectively
discharge their responsibilities.
Internal auditors are not required to have specific qualifications, although these are available. The IAF should report
to and be overseen by the audit committee.
As a general rule, there is no statutory requirement for most companies to carry out internal audit although there are
exceptions to this rule.
The IAF has responsibilities to both the directors and management. The existence of an effective IAF should also
provide shareholders with a degree of assurance regarding the effective operation and control of the company.
The role of the IAF depends on the requirements of the organisation and the capabilities of the IAF but can include:
• Financial Audit;
• Systems Audit;
• Management Audit;
• Value for Money Audit;
• Contract Audit;
• Operational Audit;
• Post-implementation Review;
• Investigations;
Notes

• Inspection and Quality Control;
• Follow-up Audit;
• Culture Audit; or
• Environmental, Social and Governance Reviews
To be effective the internal audit function should consider the following aspects:
1. The Internal Audit Process;

2. The Role of the Audit Committee; PARISS
3. Resource and Competence;
4. Independence;
5. Position and Status of Internal Audit; and
6. Internal Auditing Standards.
Notes

1. This is so the internal audit function has independence from the level of management who are ultimately
responsible for the operation of controls.
2. This needs to be approved by the audit committee to ensure there is no influence from the business over
the areas to be tested. Otherwise, management could avoid a review of an area that they are responsible
for and know to be performing poorly or to conceal fraud.
3. This again supports the independence of the internal audit function from management, with management
having less of a say in how the IAF is run.
4. The internal audit staff should be rewarded based on effective contribution to the internal audit role and
not be put in a situation where the remuneration or performance appraisal system could impact objectivity.
5. As with external audit, the internal auditor cannot provide an objective review of their own work.
Back to activity
Notes

The Internal Audit Mandy decides what work will be done after the previous work is finished suggesting
Process there is no formal internal audit work programme approved by the audit committee.
The Role of the Audit The IAF report to the finance director and not the audit committee.
Committee
Resource and The IAF department for this large organisation is made up of one full-time and one
Competence part-time member of staff. This suggests the IAF is not sufficiently resourced for the
size of Parcels, a large listed company.
Mandy had no previous internal audit or accounting experience before joining the IAF
and Moray is currently only a part qualified accountant. This suggested the internal
audit team may not be sufficiently competent due to a lack of relevant qualifications or
experience.
Independence The head of the IAF spends time working in an operational area of Parcels (IT) and is
therefore not independent.
Position and Status Parcels staff often ignore the IAF review findings which suggests they do not have an
of Internal Audit appropriate position and status within Parcels.
Internal Auditing There is no formal guidance within the IAF regarding required steps when performing
Standards work, or of the documentation required to be produced, indicating that Parcels do not
follow any Internal Auditing Standards.
Back to activity
Notes

Module 7. Introduction to Assurance
Contents
7.3 Key elements of an assurance engagement 126
7.4 Types of assurance 128
7.4.1 Reasonable assurance 128
7.4.2 Limited assurance 129
7.5 Client Acceptance/ Continuance 130
7.5.1 Acceptance/ continuance risks 130
7.5.2 Acceptance decision 132
7.5.3 Acceptance procedures 132
7.6 The Audit Process 134
7.6.1 The audit process diagram 134
7.6.2 Acceptance/ continuance of audit engagements 135
7.6.3 Other stages in the audit process 137
7.7 Terms of Engagements – The Engagement Letter 138
7.8 Summary 139

7. Introduction to Assurance
7.1 Introduction
An assurance engagement: an engagement in which a practitioner aims to obtain sufficient appropriate

evidence in order to express a conclusion designed to enhance the degree of confidence of the intended
users about the subject matter information.
The purpose of an assurance engagement is to have an objective expert give an opinion on whether the subject
matter is correct. This means the users of the information have more confidence that the information they are being
presented with is correct.
There are various different forms and types of assurance engagement, both financial and non-financial. As a result,
an assurance engagement may be completed by an accountant, auditor or a practitioner of another discipline. To be
classified as an assurance engagement, the engagement must include a number of elements. These elements will
be covered in this module.
Before we can consider how an assurance engagement is performed, we must consider whether a practitioner
should perform the engagement at all. Such a decision is called a client acceptance/ continuance decision.
Example
Examples of assurance engagements include:
• The statutory financial statement audit;

• Reviewing compliance with contractual agreements (such as compliance with the terms of a licensing
agreement);
• Compliance with a financial information forecasting process;
• Providing assurance on the proper use of sponsorship;
• Providing assurance on environmental information.
Notes

1. describe assurance engagements, including the key elements of an assurance engagement;

2. describe and explain the acceptance procedures for an assurance engagement, including explaining the risks
faced by an assurance firm when accepting or continuing an engagement; and
3. explain the stages of a standard audit engagement.
Achieving these outcomes will help you to meet the learning outcomes three and seven of the course as per the syllabus.
7.3 Key elements of an assurance engagement
The International Framework for Assurance Engagements (‘The framework’) issued by the International Federation
of Accountants (‘IFAC’) defines and describes the elements of an assurance engagement.
The framework states that an engagement is an assurance engagement when it has each of the following elements:
1. A three-party relationship
This involves a practitioner, a responsible party and intended users. The responsible party and intended users
may be from different entities or the same entity.
2. An appropriate underlying subject matter
This may be financial performance, non-financial data, physical characteristics (such as capacity of a facility),
systems and processes, or behaviour (e.g., corporate governance and human resource practices).
This may be presented at a particular point in time, or cover a period of time.
3. Suitable criteria
CUTER
Criteria are the benchmarks used to evaluate or measure the underlying subject
matter. These may be formal, such as International Financial Reporting Standards
(‘IFRS’) or less formal, such as a company’s internal code of conduct. Suitable criteria are required for consistent
evaluation of a subject matter otherwise there can be individual interpretation and misunderstanding.
4. Sufficient, appropriate evidence
The practitioner plans and performs the assurance engagement with an attitude of professional scepticism to
obtain sufficient, appropriate evidence to enable an assessment of the underlying subject matter against suitable
criteria. The practitioner considers materiality, engagement risk and the quantity and quality of available evidence
when determining the nature, timing and extent of evidence-gathering procedures to support their opinion.
5. An assurance report
The practitioner provides a written report containing a conclusion that conveys the assurance obtained about the
subject matter information.
Notes

If an engagement has all of the above elements, it can be defined as an assurance engagement.
The essential element that defines an assurance engagement is the expression of an opinion that provides a
level of assurance, rather than the reporting of factual findings, leaving the recipient to derive their own conclusion.
Other types of engagements may be performed by practitioners that do not involve expressing a level of assurance.
These will be considered as part of the TPS Assurance and Data course.
It is important that the practitioner is clear about whether or not they are performing an assurance engagement.
When the elements above have been confirmed and an assurance engagement is being performed, the practitioner
comes under an obligation to meet certain professional standards, including those relating to quality management
and professional ethics.
Example
The below table shows an example of the elements of an assurance engagement for external audit.
Element Example for external audit
Three-party relationship: Shareholders, External auditor, Directors

Users, Practitioner,
Responsible Party
Underlying subject matter Statutory financial statements
Suitable criteria Relevant accounting standards (IFRS, FRS), Companies Act disclosure
requirements and any other requirements such as Listing Rules
Sufficient, appropriate The auditor follows the International Standards on Auditing (UK) when
evidence planning and performing evidence collection procedures, which cover
audit risk, materiality, professional scepticism and the need to obtain
sufficient and appropriate evidence on which to base the audit opinion
A written assurance report The audit report
Notes

7.4 Types of assurance
There are two ‘levels’ of assurance that a practitioner can provide: reasonable assurance and limited assurance.
7.4.1 Reasonable assurance
This is an engagement in which the practitioner reduces engagement risk to an acceptably low level in order to give
an opinion on the subject matter against the relevant criteria. In a reasonable assurance engagement, the opinion
is expressed in the positive form. The practitioner concludes they are reasonably certain that the subject matter is
free from material misstatement (that is, the information is free from misrepresentations or errors significant enough
to have an impact on the decisions made by users of the subject matter).
Reasonable assurance is a high but not absolute level of assurance. It does not guarantee that the information
is 100% accurate, but rather the practitioner has gained sufficient, appropriate evidence that the information is free
from major issues.
A statutory financial statement audit provides reasonable assurance.
Example
When a car has an MOT test, the mechanic will check a number of key areas before issuing a passed MOT.
However, they do not check everything, so they are concluding that the car is legally road worthy based on
the checks they perform.
Example of a reasonable assurance opinion over financial statements
“In our opinion the financial statements give a true and fair view, in accordance with IFRS as adopted
by the United Kingdom, of the state of the company’s affairs as at 31 May 20X5 and of its profit for the
year then ended.”
Notes

7.4.2 Limited assurance
Reasonable assurance can be contrasted with limited assurance. In a limited assurance engagement, the level of
risk is higher than in a reasonable assurance engagement. The practitioner concludes there is no evidence that
the subject matter is materially misstated. The work undertaken in order to provide such assurance is less rigorous
than that performed in order to express reasonable assurance. Therefore, less reliance can be placed on the opinion
expressed, which is given in the negative form, as engagement risk is not reduced to as low a level as a reasonable
assurance engagement.
Example of Limited assurance
“Based on our work described in this report, nothing has come to our attention that causes us to believe
that the accompanying financial information is not prepared, in all material respects, in accordance with IFRS
as adopted by the United Kingdom.”
Learning Outcome 1: Key elements of an assurance engagement
To be defined as an assurance engagement the engagement must contain five key elements:
1. A three-party relationship
2. An appropriate underlying subject matter CUTER
4. Sufficient, appropriate evidence
If an engagement has all of the above elements, it can be defined as an assurance engagement.
You should now be able meet the first learning outcome of the module.
Notes

7.5 Client Acceptance/ Continuance
7.5.1 Acceptance/ continuance risks
Before an assurance engagement begins, the firm must first decide if they want to take on a client.
Practitioners are not required to undertake an assurance engagement for every entity that requests one. Common
sense may dictate that acceptance of all engagements would increase the firm’s revenue. However, engagements
can introduce risks to the practitioner firm that may outweigh the firm’s revenue.
The practitioner firm will make a decision on whether they wish to accept a new client (or continue with an existing
client) after consideration of the risks to the firm. These decisions will be based on:
• commercial considerations impacting the firm; and

• considerations of regulations and standards (i.e., professional requirements).
Engagements can bring a variety of commercial and professional risks to the practitioner firm. These may have
financial, reputational, ethical or legal implications depending on their nature. Practitioners must consider both
types of risk categories prior to agreeing to accept a new client or continuing with an existing client.
Commercial and professional risks can be split into four categories:
Commercial risks Professional risks
Financial: the risk of financial loss to the firm. Ethical: the risk that the firm fails (or is seen to fail) to
conduct the engagement in a way that is professional
and ethical.
Reputational: the risk of damage to the firm’s public Legal: the risk that the firm could face criminal or civil
perception and brand. legal proceedings.
Notes

Activity 1
Below are some examples of risks which could prevent a practitioner accepting an assurance engagement.
Decide whether each risk is a type of financial risk, a reputational risk, an ethical risk or a legal risk. Note that
the risk could fall into more than one category. The first one has been done for you as an example.
Commercial Professional
Acceptance risk Financial risk Reputational risk Ethical risk Legal risk
Unpaid fees 
Practitioner is not
independent of the client
Company has illegal

operations
Litigation related to the client
Company operates in an
unstable industry
Company operates in a
controversial industry
Suspicions of money
laundering
A duty of care could be owed

to a third party
Whether the practitioner has

necessary time, experience
and resources to complete
the engagement
Solution
Notes

7.5.2 Acceptance decision
A practitioner has to decide whether or not to take on a client, weighing up all the risks with the benefits that they will
get (i.e., revenue from the fees).
Acceptance decision: this relates to the situation where the practitioner is taking on a new client that it did
not provide the assurance service for in the prior year.
7.5.3 Acceptance procedures
To gather all the information that could result in risks to the firm, and therefore be able to make an acceptance
decision, acceptance procedures are undertaken. The procedures performed to assess the risks to the firm from
taking on a client are required by law, regulations and standards.
To allow the practitioner to identify the specific risk factors relating to a particular engagement and ensure
compliance with the requirements of relevant standards and legislation, the practitioner usually completes an
acceptance checklist.
The main acceptance procedures a practitioner should perform when gathering information are to:
1. identify the users and the nature of the engagement;

2. assess the prospective client’s legal and financial stability;
3. assess the integrity of those charged with governance, management and the principal owners (i.e., the
directors, managers and majority shareholders – so those controlling the company);
4. evaluate the firm’s ability to undertake the assurance engagement – practically and ethically;
5. perform client identification procedures; and
6. agree the basis for performance of the assurance engagement.
Notes

Example of basis for performance in an external audit
Basis for performance: a practitioner will accept an external audit engagement when the basis for
performance has been agreed. The basis for performance is agreed through:
• Establishing whether the preconditions for an audit are present (this includes determining whether
the financial reporting framework is acceptable and that the directors confirm and understand their
responsibilities for preparing the financial statements, putting in place appropriate internal controls and
providing the auditor with necessary information and explanations as are necessary to issue the audit
report); and
• Confirming a common understanding between the auditor and the directors about the terms of the
engagement.
Performing these procedures will assist the practitioner in assessing the relevant risk factors that could impact the
firm as a result of taking on the engagement and inform the overall acceptance decision.
Note that similar procedures will be performed when an auditor is choosing whether to continue with a current client.
However, the procedures will likely be more straightforward due to the auditor’s previous involvement with the client.
A practitioner’s acceptance or continuance decision should not just focus on whether the engagement is
profitable – ethical considerations are as fundamental to the decision as any other factor. This will include
assessing whether the practitioner wishes to be associated with an organisation with a questionable ethical
stance, whether there are any concerns over the ethical integrity of an entity’s management or whether the
firm can ethically undertake an engagement (for example, where it does not have the expertise or resource to
complete an engagement or where the firm or practitioner is not independent).
Increasingly, there is a focus on the appropriate decision making of assurance practitioners and
acknowledging the fact that demonstrating unethical behaviour may have significant consequences for a firm.
Notes

earning Outcome 2: Describe and explain the acceptance procedures for an assurance
L
engagement, including explaining the risks faced by an assurance firm when accepting or
continuing an engagement
Practitioners perform procedures regarding acceptance/ continuance at the start of each audit. This is to comply with
regulatory standard requirements and to identify any clients that may pose a risk to the practitioner firm.
You should now be able to meet the second learning outcome for this module.
7.6 The Audit Process
This section will introduce you to an overview of the audit process, the main form of assurance engagement. The
practitioner in this case is the audit team.
An audit: an examination of a company’s financial statements by an independent expert that results

in the expert providing an opinion on whether the financial statements give a true and fair view to the
shareholders.
7.6.1 The audit process diagram
An audit engagement can vary in length depending on the size and complexity of the company being audited.
However, the UK auditing standards, the International Standards on Auditing (UK) (‘ISAs (UK)’) prescribe a number
of steps and processes that must be completed in every audit engagement. The audit engagement can be split into
a number of elements and these will be covered in Modules 13 - 22 of this course. The stages can be summarised
by the audit process diagram below:
Risk Assessment
Systems
Substantive
Acceptance Planning and Controls Completion
Testing
Analysis
Engagement and Client Management
Notes

There are seven elements to the audit process:
1. Acceptance
2. Planning
Audit process stages
3. Systems and controls analysis
4. Substantive testing
5. Completion
6. Risk assessment
Ongoing elements
7. Engagement and client management
The risk assessment and engagement and client management elements must run throughout the whole of the audit
process. The other five elements represent the stages of the audit process.
7.6.2 Acceptance/ continuance of audit engagements
As with other assurance engagements, before the audit process begins, an auditor must decide whether or not
they want to take the client on in the first place. This is called acceptance and comes before the start of the audit
process. For example, if an auditor is considering taking on a new client and finds out that they have major financial
problems (going concern), have sued their last three auditors for negligence, and look unlikely to be able to pay their
fees, the auditor would probably decide not to take on the client.
An auditor may also be in the situation where they performed the audit in the prior year. In this situation an auditor
must evaluate whether to continue with the engagement in the current year. This is called a continuance decision.
In this situation the auditor would complete a continuance checklist considering the same procedures as if they were
accepting an engagement for the first time.
Acceptance/ continuance decisions impact on all types of assurance engagements that a firm may undertake and
not just audits. In all cases the practitioner must assess the potential commercial and professional risks that may
impact the firm’s ability to carry out the assurance engagement. This is carried out by completing the acceptance
procedures covered earlier in this module for both new and continuing engagements.
However, an audit has additional considerations imposed by standards and regulations that must also be
considered. For new audit engagements, the auditor is also required to communicate with the previous auditor
in relation to a new client acceptance decision.
Notes

Activity 2
Thinking about the acceptance procedures that would be used for a new audit engagement, match the client
acceptance procedure to the correct reason for performing the procedure.
Client acceptance procedure Reason for doing the procedure
1. Identify the users and nature a) If a client is not a going concern then they may not be able to pay the
auditor’s fees. The auditor needs to know if they are likely to be sued.
2. Assess the legal and b) There may be risks or factors that the auditor has not identified that
financial stability caused the previous auditor to resign which would need to be considered.
3. Assess the integrity of those c) Need to identify who is owed a duty of care, and what type of entity is
charged with governance being audited (e.g., a small partnership, a charity, or a listed company).
4. Ability to undertake the d) For money laundering purposes.

assurance engagement
5. C
lient identification e) If the financial statements were being prepared based on financial
procedures reporting standards not acceptable in the UK then there is no suitable
criteria by which to measure and evaluate the financial statements. Also,
management and the auditor need to agree on what is expected.
6. Basis of performance (f) If the auditor does not have the correct staff available or does not know
anything about that industry, then they may not be able to express an opinion
on the financial statements.
7. C
ommunicate with previous (g) Much of the information for an audit comes from management and the
auditor directors, so if their explanations cannot be relied upon, the auditor shouldn’t
take on the client.
Solution
Notes

7.6.3 Other stages in the audit process
So far, we have considered the acceptance/ continuance decision for audit engagements. The following is a
summary of the remaining stages of the audit process. We will consider these in more detail in subsequent modules.
Audit process stages:
Planning stage (Module 15)
The planning stage is the start of a process of understanding the entity, identifying areas of risk and making plans for
the audit procedures. Planning usually happens before the year end.
Systems and controls analysis (Module 16)
Controls were introduced in Modules 3, 4 and 5. The purpose of the systems and controls stage of the audit is
to understand what processes and controls a client has in place and test how well these work at preventing or
detecting an error/ fraud (or ‘misstatement’) in the accounts. Commonly on larger audits it occurs during an ‘interim
audit’ before the entity’s year end.
Substantive Testing (Modules 17, 18, 19, 20)
The ‘final audit’ occurs after the year end, when the draft financial statements have been prepared by the company.
It mainly involves testing the figures in the financial statements; this is known as substantive testing.
Completion (Modules 21 and 22)
Once all the evidence has been gathered, completion procedures are performed to allow the audit to be concluded.
Then the final audit report can be issued, stating whether or not in the auditor’s opinion the financial statements are
‘true and fair’.
Ongoing elements:
Risk assessment
Auditors follow what is known as a ‘risk-based approach’. We will discuss the application of the risk-based approach
in much greater detail in Modules 13 to 22. Basically, in areas where there is more risk of misstatement, more work
needs to be done by the auditor. Because risk must be considered at every point of the audit, this is an ongoing
element.
Engagement and client management (Module 14)
To ensure that the audit is undertaken in an effective and efficient way, it must be properly managed. This will involve
ensuring that appropriate staff join the audit team, that adequate review of the team’s work occurs and that the
client’s expectations are managed. Communication within the audit team and between the client and the audit team
is a key requirement to ensure that the engagement runs effectively and good working relations are maintained.

The common timings of the elements in the audit process can be visualised using the following timeline:
Acceptance and Planning

October
Year end: 31 December

Interim (systems &
controls review)
November
Final (substantive testing)
February
Output:
Completion audit report/
March opinion
It may be that for some smaller audits, the interim and final stages are combined.
Learning Outcome 3: Explain the stages of a standard audit engagement
An audit engagement consists of a number of stages which are determined by the auditing standards. The basic
stages are acceptance, planning, systems and controls analysis, substantive testing and completion, with the output
of the process being the audit report. Throughout the audit the auditor assesses risk and undertakes engagement
and client management procedures.
7.7 Terms of Engagements – The Engagement Letter
Once the practitioner has decided that an assurance/ audit engagement can, and will, be accepted, the terms of the
engagement must be agreed with the directors. These terms will be documented in an engagement letter which
acts as a contract between the practitioner and the client. This should be agreed with the client and signed by both
the practitioner and the client before commencing the audit process. The engagement letter will be considered
further in Module 14.
Notes

7.8 Summary
Assurance engagements
An assurance engagement is an engagement in which a practitioner aims to obtain sufficient appropriate evidence
in order to express a conclusion designed to enhance the degree of confidence of the intended users about the
subject matter information.
In order to be classified as an assurance engagement it must demonstrate the following 5 elements:
1. A three-party relationship (practitioner, responsible party and users);

CUTER
2. An appropriate underlying subject
4. Sufficient, appropriate evidence; and
Failure to demonstrate these 5 elements would result in the engagement not being classified as an assurance
engagement.
There are two levels of assurance: reasonable assurance and limited assurance.
Client acceptance/ continuance decisions
A practitioner has to decide whether or not to take on a client (or retain an existing client) weighing up all the risks
with the benefits that they will get. Risks can be categorised as:
1. Commercial (financial and reputational); and

2. Professional (ethical and legal).
The main acceptance procedures a practitioner should perform when gathering information are to:
1. identify the users and the nature of the engagement;

2. assess the prospective client’s legal and financial stability;
3. assess the integrity of those charged with governance, management and the principal owners;
4. evaluate the firm’s ability to undertake the assurance engagement – practically and ethically;
5. perform client identification procedures; and
6. agree the basis for performance of the assurance engagement.
Additionally, for external audit engagements only, the auditor must:
7. communicate with the previous auditor
Notes

The Audit Process
A statutory financial statement audit is an example of an assurance engagement. An audit is the examination of a
company’s financial statements by an independent expert that results in the expert providing an opinion on whether
the financial statements give a true and fair view to the shareholders.
The audit process is summarised as follows:
Risk Assessment
Systems
Substantive
Testing
Analysis
Notes

Commercial Professional
Acceptance risk FR RR ER LR Explanation
Unpaid fees The practitioner may not be able to recover costs


from the client resulting in financial losses.
Practitioner is not The practitioner would be in breach of relevant ethical


independent standards which require independence.
Company has illegal The practitioner could be implicated in such

operations   operations and face litigation and reputational
damage.
Litigation related to Any legal action against the practitioner is likely to

the client have financial and reputation implications. Clients
  
with history of litigation against practitioners are likely
to be deemed higher risk.
Company operates in The company may experience financial difficulties

an unstable industry resulting in inability to pay fees and financial loss to
 
the practitioner. By being associated with a failing
company this could also cause reputational damage.
Company operates By being associated with the client there could be

in a controversial  negative public perception and reputational damage
industry to the practitioner.
Suspicions of money The practitioner may not be able to fulfil their legal
laundering duties under money laundering regulations. Should
 
the practitioner fail to meet their legal duties, they
may face fines.
A duty of care could The practitioner may face litigation from third parties
be owed to a third if they fail to perform work to the required standard
 
party and a duty of care is then proven. This could result in
financial loss to the practitioner.
Whether the The practitioner would be in breach of ethical

practitioner has the standards if they took on an engagement that they
necessary time, did not have time, relevant experience or resources

experience and to complete to the required standard.
resources to complete
the engagement
Back to activity

Client acceptance procedure Reason for doing the procedure
1. Identify the users and nature c) Need to identify who is owed a duty of care, and what type of entity is
being audited (e.g., a small partnership, a charity, or a listed company).
2. Assess the legal and a) If a client is not a going concern then they may not be able to pay the
financial stability auditor’s fees. The auditor needs to know if they are likely to be sued.
3. Assess the integrity of those g) Much of the information for an audit comes from management and the
charged with governance directors, so if their explanations cannot be relied upon, the auditor
shouldn’t take on the client.
4. Ability to undertake the f) If the auditor does not have the correct staff available or does not know
assurance engagement anything about that industry, then they may not be able to express an
opinion on the financial statements.
5. C
lient identification d) For money laundering purposes.
procedures
6. Basis of performance e) If the financial statements were being prepared based on financial
reporting standards not acceptable in the UK then there is no suitable
criteria by which to measure and evaluate the financial statements. Also,
management and the auditor need to agree on what is expected.
7. C
ommunicate with previous b) There may be risks or factors that the auditor has not identified that
auditor caused the previous auditor to resign which would need to be considered.
Back to activity
Notes

Module 8. The Requirement for Audit
Contents
8.3 The Requirement for Audit 144
8.3.1 Shareholder Veto 147
8.3.2 Filing Requirements for Audit Exempt Companies 147
8.4 The Role of the Auditor 148
8.5 The Expectations Gap 149
8.5.1 Managing the Expectations Gap 150
8.6 Who can be an Auditor? 150
8.6.1 Credibility 150
8.6.2 Response of the Profession 151
8.6.3 Appropriately Qualified 152
8.6.4 Properly Supervised 153
8.6.5 Registration 153
8.6.6 Statutory Requirements of Each RSB 156
8.7 Summary 158

8 The Requirement for Audit
8.1 Introduction
In TC Financial Accounting it is established that companies have a requirement to produce financial statements to
fill the information gap between the shareholders and the directors. This module looks at the requirement for an
independent examination of the financial statements, known as an external audit.
We learnt in Module 2 that one purpose of a set of financial statements is to help reduce agency risk. This module
will consider which organisations are required to have their financial statements audited, in order to make them
more credible as well as who can carry out those audits.
1. identify which companies are exempt from the need to have a statutory audit;
2. describe who can perform an audit and why this is controlled; and
3. identify the Recognised Qualifying Bodies and Recognised Supervisory Bodies and explain their role in audit
supervision.
Achieving these outcomes will help you to meet the third learning outcome of the course as per the syllabus.
8.3 The Requirement for Audit
The Companies Act 2006 (‘CA 2006’) requires the financial statements of most limited companies to be audited.
However, there are some statutory exemptions available, relating to small companies, dormant companies and some
charities.
Small Company Audit Exemption
Companies are entitled to the audit exemption under the CA 2006, if they meet two out of the three following criteria:
• balance sheet total1 of not more than £5.1m;

• turnover (revenue) of not more than £10.2m; and/ or
• they have not more than 50 employees.
1. The balance sheet total means the sum of all the amounts shown as assets in the balance sheet without any deductions for liabilities
Notes

These rules are subject to the ‘two-year rule’. That is, a company will firstly qualify as ‘small’ and therefore exempt
from audit if:
• it is the company’s first accounting period and the above conditions are met; or
• the company met the above conditions for the current and preceding year.
Additionally, companies that have previously been classed as ‘small’ and are, therefore, exempt from audit, will
only cease to be classified as small if the conditions are not met for two consecutive years.
Certain types of company can never be exempt from audit. The exemption is not available to the following types of
entity:
• a public company (unless dormant);

• a banking company;
• an e-money issuer;
• an insurance company;
• a MiFID investment firm or a UCITS management company;
• a corporate body whose shares have been admitted to trading on a regulated market;
• a public sector entity (the vast majority of public sector entities must be audited).
Most subsidiary companies are exempt as long as their parent company guarantees their liabilities. There are also
additional rules for parent companies to be assessed as ‘small’.
Small Charities
There is enhanced public interest in charitable entities and therefore they are subject to a more rigorous programme
of external scrutiny than non-charitable companies. This is achieved through charity law having a lower audit
threshold. There are some differences in the reporting regimes for charitable companies incorporated in England and
Wales, from those incorporated in Scotland:
England and Wales Scotland
Audit required where: Audit required where:
• Gross income is over £1m; or • Gross income is £500,000 or more; or

• Gross assets are over £3.26m and gross income • Gross assets are over £3.26m; or
over £250,000; or • An audit is required by the charity’s constitution or
• An audit is required by the charity’s constitution or due to trustee or donor preference.
due to trustee or donor preference.
Independent examination* required where an audit Independent examination* required where an audit
has not been received unless its gross income is has not been received.
below £25,000.
*An independent examination is a less onerous external review than an audit and provides limited rather than
reasonable assurance.

Dormant Companies
A company is dormant if it has had no ‘significant accounting transactions’ during the period. Most dormant
companies are exempt from audit.
Activity 1
Why do you think that the CA 2006 permits some small companies, small charities and dormant companies to
be exempt from audit?
Solution
Notes

8.3.1 Shareholder Veto
Members, individually or in aggregate, who hold more than 10% of the company’s shares can veto the audit
exemption, provided they do so no later than one month before the end of the financial year in question.
Activity 2
What do you think are the arguments for and against retaining audits for small entities entitled to an exemption?
Retain audit Abolish audit
Solution
8.3.2 Filing Requirements for Audit Exempt Companies
The directors of a company using an audit exemption must include an additional narrative section in the balance
sheet containing:
1. a statement that the shareholders have not required an audit using the shareholder veto;
2. a statement that the company is entitled to the audit exemption;
3. an acknowledgement of the directors’ responsibilities to maintain proper accounting records and to prepare
accounts which give a true and fair view; and
4. a statement that the accounts have been prepared following the special provisions of the CA 2006 for small
companies.
Notes

Learning Outcome 1: Identify which companies are exempt from the need to have a
statutory audit
Small companies, small charitable companies and dormant companies are exempt from audit provided specific
criteria are met. Companies that are exempt must include additional statements on the balance sheet. The audit
exemption can be vetoed by 10% of any class of shareholders.
You should now be able to meet the first learning outcome for this module.
8.4 The Role of the Auditor
As we know, an audit is an examination of a company’s financial statements by an independent expert that results in
an opinion on whether the financial statements give a true and fair view to the shareholders. The primary purpose
of the audit is to add credibility to the financial statements.
The key responsibilities of the auditor, as defined by the CA 2006, are summarised below:
1. The auditor must express an opinion:
• as to whether or not the financial statements give a true and fair view in accordance with the relevant
financial reporting framework and the Companies Act 2006; and
• on the consistency of the strategic report and the directors’ report with the financial statements and
whether they have been prepared in accordance with applicable legal requirements.
2. The opinion is expressed to the company’s shareholders.
The Audit Opinion – Fundamental Concepts
As described above, one of the key responsibilities of the auditor is to express an opinion on the truth and fairness
of the financial statements. Behind this responsibility are fundamental concepts that must be considered to
understand the value of the audit opinion - truth and fairness.
Truth and Fairness
Truth and fairness is an accounting concept as well as an auditing principle. Therefore, you will be aware that
directors of UK companies are required to prepare financial statements that show a true and fair view of the
company’s financial performance and position. The external auditor must then give their opinion on whether the
financial statements do indeed present a true and fair view.
The concept of true and fair is concerned with the validity of the message conveyed by the financial statements.
Although there is no legal definition of the phrase ‘a true and fair view’, the commonly accepted view in the UK is
Notes

that it means compliance with company law and applicable accounting standards. Therefore, it is generally
accepted that the auditor needs to check whether the directors have followed applicable accounting standards, have
complied with the CA 2006, and have exercised appropriate judgement.
The auditor’s opinion is expressed within a document called an audit report.
Complying with the CA 2006 Responsibilities
If the purpose of audit is to add credibility to the financial statements, the shareholders must be confident in the
way in which the audit has been conducted, that is, the auditors themselves are credible. To assist auditors in the
performance of their duties, and to ensure quality and consistency in auditing practices, there is a body of standards
and guidance that auditors are required to follow. The main requirements relevant to UK auditors are contained in
the International Standards on Auditing (UK) (‘ISAs (UK)’). These standards and the other guidance available will
be considered later in the course. In addition, the CA 2006 lays down strict rules as to who can become a statutory
auditor – these rules will be examined in Section 8.6.
8.5 The Expectations Gap
The auditor’s role is defined by statute, common law and standards. However, it is commonplace for the general
public to misunderstand the scope of an auditor’s work.
Expectations Gap: The difference between the understanding that the public has about the auditor’s
responsibilities and the actual defined responsibilities of the auditor.
Activity 3
Are you aware of any common misconceptions of the auditor’s role that result in the expectations gap?
Solution
Notes

8.5.1 Managing the Expectations Gap
To maintain the perceived value of the audit process, the auditor must take steps to reduce the expectations gap.
One such example is including an explanation of the auditor’s and directors’ responsibilities within the audit report. In
addition, the audit report contains a description of the scope of the audit to assist in clarifying to the shareholders the
role of the auditor. It also clearly states that the report is addressed to the shareholders only.
8.6 Who can be an Auditor?
For an audit to be of value, the work of the auditor must be trusted – that is it must be credible. Credibility is a
fundamental concept of auditing and relates to whether users of financial statements will rely on an auditor’s report.
To ensure this, the profession has taken steps to maintain the credibility of its members. These steps involve
controlling who can become an auditor.
8.6.1 Credibility
The credibility concept concerns the personal qualities of the auditor: competence, independence, integrity and
ethics. Where an auditor is lacking in any of these areas, their work will not be trusted and is therefore worthless.
Competence Auditors are professionals and must be equipped to perform their duties to the expected
standard. Consequently, an auditor has a continuing duty to maintain their professional
knowledge and skill at the level required to ensure that a client or employer receives
a competent professional service, which is based on current developments in practice,
legislation and techniques. Auditor competence is an important element in reducing the
expectations gap.
Integrity, Integrity means that the auditor should be straightforward and honest in all professional
ethics and and business relationships. Ethics can be defined as a set of principles of proper conduct
independence or a system of moral values. ‘Professionals’, which include auditors, are expected to
conduct themselves with a higher level of ethical discipline than most others. The auditor
must therefore not only be completely free from situations that could make their work
less objective but must also be seen to be free from situations which could impact on the
auditor’s independence. If the auditor is not perceived to be independent, their audit report
will be of little value even if they acted in a completely independent manner. Independence,
integrity and ethics are covered further in Module 11.
Notes

8.6.2 Response of the Profession
The CA 2006 contains provisions to ensure that only persons who are appropriately qualified and properly
supervised are appointed as company auditors. It requires audits to be carried out properly, with integrity and with
a proper degree of independence. The CA 2006 refers to persons eligible for appointment as statutory auditors, but
they are often also referred to as registered auditors.
The path to becoming a statutory auditor:
Qualified
Supervised
Registered
A statutory auditor may only then accept an engagement where the independence and mandatory auditor rotation
rules of the CA 2006 are met.
Notes

8.6.3 Appropriately Qualified
A prospective statutory auditor must firstly become ‘appropriately qualified’ with one of the five Recognised
Qualifying Bodies (‘RQB’):
1. ACCA (Association of Chartered Certified Accountants);

2. AIA (Association of International Accountants);
3. ICAEW (Institute of Chartered Accountants in England and Wales);
4. CAI (Chartered Accountants Ireland); and
5. ICAS (Institute of Chartered Accountants of Scotland).
The CA 2006 lays down three areas of requirement that must be achieved to gain ‘appropriately qualified’ status:
1. Entry requirements;
2. Practical experience; and
3. Examinations.
Entry Requirements
The CA 2006 requires each RQB to have a minimum entry requirement of a university entry level (or approved
equivalent) or seven years of practical experience in the fields of finance, law and accountancy.
Practical Experience
Upon acceptance by the RQB, a trainee must complete three years’ practical training at an authorised training firm.2
To obtain the audit qualification, the CA 2006 requires a substantial part of this training to be in audit, with at least a
part being on statutory audit work.3
Examinations
The CA 2006 requires each RQB to have a formalised examination structure that tests theoretical and practical
knowledge. Once a trainee has completed the training contract and examination programme of their RQB they
become ‘appropriately qualified’.
2. ICAS requires that within the three years’ experience 450 days of client work must be completed (on most entrance routes)
3. ICAS requires 210 days of approved audit work of which 105 must be statutory audit work which is evidenced by the achievement log.
Notes

8.6.4 Properly Supervised
There are four Recognised Supervisory Bodies (‘RSB’). An ‘appropriately qualified’ accountant must become a
member of one of these RSB if they wish to obtain statutory auditor status. The four bodies are:
1. ACCA;
2. ICAEW;
3. CAI; and
4. ICAS.
8.6.5 Registration
Membership of a RSB is not sufficient to obtain statutory auditor status. Alongside the audit qualification the auditor
must hold a practising certificate.
Obtaining a practising certificate
To be eligible for a practising certificate (which must be renewed each year with an annual fee), members must apply
to the relevant RSB and prove that they:
• have completed at least two years’ post-qualifying experience; and

• are able to confirm compliance with the Continuing Professional Development byelaws to the Regulation and
Compliance Overview department of the Institute to which they are applying for registration; and
• have professional indemnity insurance.
Applying for Individual Statutory Auditor Status
To be entitled to sign audit reports, an individual must have statutory auditor status and be part of a registered audit
firm. To obtain this status the individual must apply to the Authorisation Committee (or equivalent) of their RSB. The
Authorisation Committee is responsible for awarding statutory (or registered) auditor status.
The Authorisation Committee should only award statutory auditor status to individuals who can demonstrate that
they:
• hold an audit qualification;

• are ‘fit and proper persons’;
• hold a practising certificate;
• are a member of a registered audit firm; and
• have adequate professional indemnity insurance.
Notes

Applying for Audit Firm Statutory Auditor Status
The Authorisation Committee will also grant statutory auditor status to firms. For a firm to be granted registered
auditor status:
• each of the principals (partners or directors) must be either a member of an RSB, a statutory auditor, an audit
affiliate of an RSB or equivalent;
• the majority of its principals (partners or directors) must have an appropriate qualification, be a statutory auditor
or equivalent4;
• the firm has appointed an audit compliance principal (i.e., it does not require every principal to be an audit
compliance principal);
• the firm must be ‘fit and proper’; and
• the firm must have adequate professional indemnity insurance.
In practice, this means that if a firm is a sole practice then the sole practitioner must be both a statutory auditor and
an audit compliance principal.
Audit Compliance Principal: an individual who is responsible for monitoring that the audit firm has
complied, and is likely to continue to comply, with relevant regulations, and whose identity is notified in writing
to the relevant RSB and who is the first point of contact with the relevant RSB in connection with regulations.
The Authorisation Committee is not only responsible for granting statutory auditor status but is also responsible for
withdrawing or suspending registrations.
For an individual, or firm, to become a registered auditor they must be deemed ‘fit and proper’. To be fit
and proper, an individual or firm must comply with the fundamental ethical principles laid out in Module 11
including acting with integrity, behaving professionally, and avoiding bringing any discredit to the profession.
Therefore, the requirement for auditors to be ‘fit and proper’ supports the promotion of ethical behaviour in the
profession.
4. Note that this is a stricter requirement than the one above and therefore applies only to the majority of principals.
Notes

Protecting the Public
To ensure that the public is aware of who has statutory auditor status, each RSB is required to maintain an up-to-
date list of auditors they have registered, which must be made available to the public.
To protect audit quality, registered auditors are monitored on a regular basis and the Authorisation Committee has
the power to requisition monitoring visits.
To summarise, to become a statutory auditor, the following requirements must be met:
Qualified
• Meet minimum entry
requirements
• Three years’ practical
experience
• Pass formalised exams
• RQB
Supervised
• Member of RSB
Registered
• Appropriately qualified
• Two years’ post
qualified experience
PC
• CPD
• Insurance
• Be a member of a
registered audit firm
• Apply to Authorisation
Committee of RSB
Notes

8.6.6 Statutory Requirements of Each RSB
To retain its status, the CA 2006 requires each RSB to maintain and enforce rules that assess:
• the eligibility of persons for appointment as a statutory auditor; and

• the conduct of statutory audit work.
The rules include:
• registration and disclosure of auditors;

• high standards of audit work;
• monitoring of quality;
• investigation and discipline; and
• accountability.
These rules help ensure the competence, integrity, ethics and independence of the auditor and hence assist in
promoting the overall credibility of the profession.
Activity 4
For each scenario detailed below identify if registered auditor status would be granted and if not, what is
required in order to obtain registered auditor status:
1. Fiona Green qualified as a chartered accountant three years ago and is still working in the audit
department of McLean and Co, a registered audit firm. She is complying with her continued professional
development regulations and is covered by the professional indemnity insurance held by her employer.
She wishes to apply for registered auditor status.
2. Ben Phillips, CA student member, wishes to register for auditor status with ICAS. He has just completed
his three-year training contract with his authorised training firm (who are also a registered firm with ICAS)
‘Smith, Romana and Co’. He has passed all of his formal exams, completed his 450 days of client work of
which 210 days were spent on approved audit work (105 in statutory audit work). He wishes to apply for
registered auditor status.
3. Shepherd and Falconer Partnership wish to apply for registered auditor status. Both partners are
qualified chartered accountants, each hold a practising certificate and the firm has professional indemnity
insurance cover. Shepherd has been appointed as the audit compliance principal.
Notes

Solution
Learning Outcomes 2 and 3: Describe who can perform an audit and why this is controlled
and identify the RQBs and RSBs and explain their role in audit supervision.
The auditor’s role is to form an independent opinion on the truth and fairness of the financial statements and on the
consistency of the strategic report and directors’ report with the financial statements, including whether they are
prepared in line with legal requirements. The auditor gives reasonable, not absolute, assurance that the financial
statements are free from material misstatement.
The general public often have misconceptions with regards to the nature and scope of the auditor’s work, resulting in
the expectations gap. The auditor takes steps to reduce this gap through the audit report.
The external audit is carried out by people external to, and independent of, the company who report to the
shareholders on the financial statements prepared by the directors. The work of the auditor must be credible (i.e., the
auditor should be competent, independent and act with integrity and ethics). The auditor needs to be appropriately
qualified, hold a practising certificate and be adequately supervised by and registered with a relevant Recognised
Supervisory Body.
You should now be able to meet the second and third learning outcomes for this module.
Notes

8.7 Summary
The need for external audit
Not all companies require an audit. The CA 2006 permits an audit exemption for some of the following types of
company;
• small companies (£10.2m turnover, £5.1m balance sheet, 50 employees);

• small charitable companies (differences between England and Wales and Scotland); and
• dormant companies.
Shareholders can veto audit exemptions (10% rule) and some entities can never be exempt.
The Role of the Auditor
An external, or statutory, audit is an examination of a company’s financial statements by an independent expert

that results in the expert providing an opinion on whether the financial statements give a true and fair view to the
shareholders.
The audit opinion provides reasonable assurance that the financial statements give a true and fair view. Hence
the auditor does not guarantee the accuracy of the financial statements.
The difference between the understanding that the public has about the auditor’s responsibilities and the actual
responsibilities of the auditor is known as the expectations gap. The main way that the auditor can manage the
expectations gap is through the audit report.
Who can be a statutory auditor?
The value of an auditor is dependent on whether shareholders can trust their work. Auditor credibility is dependent
on personal qualities: competence, integrity, ethics and independence. The CA 2006 requires the profession to
control the eligibility to audit by formalising qualification, supervision and registration procedures.
Notes

Appropriately qualified, supervised and registered
To become a statutory auditor:
Qualified
• Meet minimum entry
requirements
• Three years’ practical
experience
• Pass formalised exams
• RQB
Supervised
• Member of RSB
Registered
• Appropriately qualified
• Two years’ post
qualified experience
Practising Certificate
• CPD
• Insurance
• Be a member of a
registered audit firm
• Apply to Authorisation
Committee of RSB
Registered auditors are monitored on a regular basis and the Authorisation Committee has the power to requisition
monitoring visits.
You should now be able to achieve all the learning outcomes for this module. If you are not able to do so, go back to
the relevant section and re-read it.
Notes

The Companies Act 2006 permits audit exemptions for some companies as in small companies there is not
usually the same degree of separation between the management and ownership roles. Small companies tend
to be owner-managed businesses, and consequently agency risk is not a significant risk as the directors are
also the shareholders/ owners of the company. Additionally, the costs associated with an audit would normally
exceed the benefits for a small company/ charity.
Dormant companies have no significant transactions passing through their books during the year under
review, and consequently there is no requirement for a third party to review the underlying records as there
have been no material changes to the figures during the year. The costs associated with an audit would
normally exceed the benefits in respect of a dormant company’s financial statements.
Back to activity
Retain audit Abolish audit
The audit, via reports to management, It can be seen as an unnecessary cost for those companies that
provides useful commercial advice (i.e., are owner-managed to have an independent audit report to the
improvement in control/ efficiency). shareholders (who are the same as the director(s)).
For most small companies, another Other agencies do not rely on the audit report (for example credit
department from the audit firm may agencies, PAYE and VAT inspectors). Lenders have increasingly
act as accountant/ tax advisor and the been seeking personal guarantees for loans made to small, owner-
relative savings of discontinuing audit managed businesses.
work will be low.
Lenders, such as banks, will often

request to see audited financial
statements as a condition of financing.
Minority interests can gain assurance

that the business is being run properly.
Back to activity
Notes

Common areas where misconceptions relating to the auditor’s role arise include:
• The auditor guarantees that the financial statements are 100% correct – in fact the auditor expresses
an opinion on the financial statements providing reasonable assurance only. The ISAs (UK) permit the
auditor to undertake an audit on a sample basis. Therefore, there is always a risk that misstatements in
the financial statements will not be identified by the auditor.
• When a company collapses it is the fault of the auditor – the auditor is responsible for giving a true
and fair opinion on the financial statements, which should include highlighting where there are significant
uncertainties over the future of the entity. However, the responsibility lies with the directors for running the
company and making sure it remains viable.
• The auditor is responsible for the internal controls of the company – the auditor cannot be held
responsible for the way in which the company is run. The directors of the company are responsible under
statute for running the company and as such they are responsible for implementing a sound system of
internal controls. The audit may, as a by-product, serve as a control activity for the company – if staff know
that their work will be checked, then this may encourage them to do their work accurately (preventative
control) and the audit function itself can act as a detective control.
• The auditor is responsible for the detection of all instances of fraud – under the CA 2006 the
directors of a company have the responsibility for safeguarding the assets of the company and to maintain
proper accounting records. Therefore, it is their responsibility to prevent and detect fraud through the
implementation of sound internal control systems. The auditor is responsible for detecting material
misstatements in the financial statements due to fraud or error. Consequently, the auditor may detect
instances of fraudulent activity, but they are not responsible for the detection of all fraud. The auditor’s
responsibilities in relation to fraud will be considered in more detail in Module 15.
• Preparation and production of the financial statements – as per the CA 2006 the directors are
responsible for preparing financial statements that show a true and fair view.
• Checking compliance with all laws and regulations – again this is the directors’ responsibility, not that
of the auditor. The auditor is responsible for identifying material misstatements in the financial statements
due to breach of laws and regulations.
• Providing aid and advice to management – although this can be a by-product of the audit, it is not the
primary responsibility of the auditor to provide advice. If the directors requested that the auditor provide
aid and advice, the auditor would undertake the work in a separate engagement, providing a consultancy
function to the client. The auditor may, however, not be able to provide both consultancy and audit
services due to the importance of auditor independence. This will be discussed further in Module 11.
Back to activity

1. Fiona may be able to apply to become a registered auditor after she applies for a practising certificate
(for which she has currently met the conditions). Although she has an accountancy qualification she
must ensure that she met the requirements concerning the amount of statutory audit work that must be
performed to achieve the audit qualification before she can become a statutory auditor. This is on the
assumption Fiona is deemed a ‘fit and proper’ person.
2. Ben has only just achieved his audit qualification. He still requires a practising certificate. Once he has
achieved at least two years’ post-qualifying experience, maintains his continued professional development
and has professional indemnity cover, he can then apply for his practising certificate. Thereafter he can
apply for registered auditor status.
3. Shepherd and Falconer can apply for registered auditor status provided the firm is assessed as ‘fit and
proper’.
Back to activity
Notes

Module 9. Auditor Responsibilities:
Legislation
Contents
9.3 The Companies Act 2006 164
9.3.1 An auditor’s key rights and responsibilities 164
9.3.2 An auditor’s reporting responsibilities 166
9.3.3 Auditor appointment 166
9.3.4 Auditor remuneration 167
9.3.5 Auditor removal during the term of office 167
9.3.6 Failure to re-appoint auditor 168
9.3.7 Auditor resignation 168
9.3.8 Statement of circumstances 168
9.3.9 Duty of auditor to notify appropriate audit authority 169
9.4 Money Laundering Responsibilities 170
9.4.1 Proceeds of Crime Act 2002 171
9.4.2 ML Regulations 174
9.4.3 Impact on auditor 175
9.4.4 Accountants working outside the regulated sectors 177
9.5 Summary 178
Solution to Activities 179

9. Auditor Responsibilities: Legislation
9.1 Introduction
The role of the auditor is defined by statute, common law, auditing and ethical standards. In this module, the
auditor’s responsibilities under the Companies Act 2006 and legislation in relation to Money Laundering, along with
the rights that enable achievement of these responsibilities will be covered.
1. describe the auditor’s rights and responsibilities under UK company law in relation to different scenarios;
2. explain the procedures required for the appointment and removal of auditors; and
3. explain how money laundering legislation impacts the work of the auditor, and the applicability of this legislation
to other professions
Achieving these learning outcomes will help you to meet the fourth learning outcome of the course as per the syllabus.
9.3 The Companies Act 2006
9.3.1 An auditor’s key rights and responsibilities
Key responsibilities
Activity 1 – Module 8 recap
Describe what an audit is and identify the key responsibilities of the auditor under the Companies Act 2006.
Solution

To enable the auditor to fulfil these responsibilities, the auditor must ensure that they:
• adequately plan the audit in such a way as to obtain all the information and explanations considered necessary
to reach an opinion;
• obtain sufficient, appropriate evidence with which to judge the credibility of the financial statements; and
• report their findings and opinion in the required manner to shareholders and others.
Alongside these responsibilities, the CA 2006 specifically identifies auditor appointment, remuneration, removal
and resignation as having specific responsibilities related to them. These will also be considered in this module.
Auditor’s rights
In order to be able to meet their responsibilities the auditor has a number of rights given to them under CA 2006.
These can be split into two broad areas:
Rights to receive information Rights in relation to resolutions and meetings
• the right of access at all times to the company’s • the right to receive copies of all communications
books, documents and supporting records; relating to any written resolution proposed to be
• the right to require any directors or employees of agreed by a private company;
the company to provide them with any necessary • the right to receive all notices of any general
information and explanations; and meeting of the company and to attend such
• the right to require any subsidiaries, incorporated meetings; and
in the UK, of the company (and their auditors if • the right to be heard at any general meeting on
different) to provide them with any information any part of the business which concerns them as
they might need. auditor.
These rights are fairly wide-ranging – in theory, the auditor could demand to see the financial records in the middle
of the night (although the audit appointment may be short-lived as a result).
The CA 2006 makes it an offence to knowingly or recklessly give a misleading, false or deceptive statement
(written or verbal) to an auditor. Any employee or director who does so is liable to a fine and/ or imprisonment.
Notes

9.3.2 An auditor’s reporting responsibilities
Matters reported by exception
As well as the key reporting responsibilities detailed above, the auditor is also required by the CA 2006 to form an
opinion about several other matters. The auditor must consider whether:
• Returns have been received from branches not visited by the auditor;
• Accounts agree with the underlying records; RAPID
• Proper accounting records have been kept;
• Information and explanations necessary for the purposes of the audit have been received; and
• Directors’ emoluments (e.g., salary, bonuses, and pension contributions) and other benefits disclosures are
complete.
The auditor will report if any issues are identified in association with the ‘matters reported by exception’ (sometimes
referred to as ‘matters implied by silence’) within the audit report.
Note that “returns” in this context relates to any information requested from the branches by the company or the
auditor. For example, the head office of a retail chain might request a note of the stock that they have on site at each
location in order to confirm the total stock figure in the accounts.
Listed company responsibilities
Companies listed on the London Stock Exchange (‘LSE’) must comply with the more onerous disclosure
requirements of the LSE’s regulations, for example, the requirement to prepare a Corporate Governance Statement.
The additional requirements imposed on listed companies impact the scope of the auditor’s work.
9.3.3 Auditor appointment
The CA 2006 requires an auditor to be appointed each financial year that an audit is required.
The auditor is usually appointed by the shareholders via the passing of an ordinary resolution (over 50% of the
shareholders agree via a vote). However, there are three situations in which the directors are allowed to appoint the
auditor:
1. Any time before the company’s first period for appointing auditors (i.e., the first time a company requires an
auditor);
2. To fill a casual vacancy (e.g., if an auditor has resigned during the term of office); and
3. If the company had previously taken an audit exemption they would not have an auditor. If they lost this
exemption, and therefore required an auditor, the directors would be able to appoint the first auditors.
Notes

Where the auditor has been appointed by the directors, the shareholders must then decide whether that auditor
should be re-appointed at the end of the next financial year.
There are some differences between public and private companies:
Public companies Private companies
An auditor will be appointed/ re-appointed at each The auditor of a private company is deemed to have
annual general meeting (‘AGM’) by the shareholders. been automatically re-appointed unless 5% or more
of the shareholders object (or the auditors were first
appointed by the directors). It is also possible that
a company’s articles of association may prohibit
automatic re-appointment.
9.3.4 Auditor remuneration
The auditor’s remuneration (or audit fee) is fixed by whoever makes the appointment. It is therefore usually agreed
by the shareholders in a general meeting.
The company must disclose, in a note to the statement of profit or loss, the total amount paid in audit fees, as well as
any associated expenses. Fees paid to auditors for non-audit services may also be required to be disclosed in the
financial statements. This allows for clearer disclosure of fees, and improves insight into potential concerns around
the auditor’s independence.
9.3.5 Auditor removal during the term of office
The auditor can be removed at any time by the shareholders. The shareholders do this by passing an ordinary
resolution. However, the auditor has a number of rights to protect against unwarranted dismissal:
1. If any shareholders propose a motion to remove the auditors, a copy of this motion must be sent to the
auditors;
2. An auditor has a right to make written statements regarding their removal and have these passed to the
shareholders; and
3. The auditor retains the right to attend the normal AGM of the company in the year in which they were removed.
Notes

9.3.6 Failure to re-appoint auditor
Shareholders could also choose not to re-appoint the auditor at the end of the term of office. In a similar way
to the removal of an auditor, the auditor must be notified that they are to be replaced and the auditor has the
right to make written representations regarding the failure to reappoint them and have these distributed to the
shareholders.
9.3.7 Auditor resignation
The auditor could also decide to resign from the audit engagement. This may be due to, for example, insufficient fee
income, conflict of interest, inadequate staffing resources, integrity of management, or going concern issues.
In order for the auditor to resign from the appointment, the auditor is required to send a letter of resignation and,
where the company is a public interest company, a statement of circumstances (see Section 9.3.8) to the
registered office of the company. The auditors of non-public interest companies must also provide a statement
of circumstances to the company unless specific exemptions apply. Potential reasons for exemption include the
company becoming exempt from audit, being wound-up due to insolvency or the auditor ceasing to hold office at the
end of their term.
Where a statement of circumstances is deposited with the company, the auditor may request that a General
Meeting is called for the purpose of considering the circumstances connected with the resignation.
9.3.8 Statement of circumstances
A statement of circumstances must either:
• assert that there are no circumstances connected with the departure from office that, in the auditor’s opinion, the
shareholders and creditors of the company should be made aware of; or
• disclose details of such circumstances.
In most cases the statement of circumstances must be sent out to the company’s shareholders and debenture
holders (however auditors of non-public interest companies with no relevant information reported in the statement of
circumstances can be exempt from this requirement).
It is an offence (penalised by a fine) for an auditor to cease to hold office without depositing a statement of
circumstances, where one is required by law.
Notes

9.3.9 Duty of auditor to notify appropriate audit authority
Where the law as set out in Section 9.3.7 requires that a company be sent a statement of circumstances, the
statement must also be sent to the appropriate audit authority. The appropriate audit authority for public interest
companies is the FRC, otherwise it is the auditor’s Recognised Supervisory Body (‘RSB’). Again, most statements of
circumstances must also be submitted to Companies House unless the company obtains a court order to specifically
prevent this (non-public interest companies with no relevant information reported in the statement of circumstance
can be exempt from this requirement).
It is an offence (penalised by a fine) for an auditor to cease to hold office without meeting the above requirements.
Activity 2 – CA 2006 Summary
Describe the responsibilities of the auditor defined in the CA 2006.
Solution
Notes

earning Outcomes 1 and 2: Describe the auditor’s rights and responsibilities under UK
L
company law in relation to different scenarios and explain the procedures required for the
appointment and removal of auditors
You should now be able to identify and explain the auditor’s statutory rights and responsibilities in relation to:
• receiving information;
• resolutions and meetings; and
• appointment, remuneration, removal, re-appointment and resignation.
9.4 Money Laundering Responsibilities
Money laundering: involves possessing, concealing or dealing with the proceeds of any crime.
This is not just restricted to drug dealing or terrorism – money laundering includes tax evasion and other financial
crimes, and involves dealing with the proceeds of such crimes in any way. If money laundering is undertaken
successfully, the money launderer will be able to hide the proceeds of crime from law enforcement, retain control
over them, and ultimately provide a legitimate cover for their source of income.
There is guidance in place for all accountants, not just auditors, in relation to the criminal activity of money
laundering. This guidance is contained in the CCAB Anti-Money Laundering (AML) Guidance, most recently updated
in September 2020. It incorporates and interprets the main legislation applicable to accountants, such as:
• the Proceeds of Crime Act 2002 (‘POCA’);

• the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations
2017, as amended by the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (‘ML
Regulations’), and
• the Serious and Organised Crime and Police Act 2005 (‘SOCPA’).
An accountant, or their clients, may conduct money laundering by:
• knowingly and/or actively becoming involved in money laundering; or

• inadvertently becoming involved – being used by an employee, client/customer, or a third party, so that they do
not know that a transaction involves money laundering.
Notes

9.4.1 Proceeds of Crime Act 2002
Principal offences
The POCA sets out the three principal offences in relation to money laundering.
Offence Explanation Example
Concealing or transferring the A person commits an offence if Assisting in the use of criminal
proceeds of criminal conduct they conceal, disguise, convert property to purchase another
or transfer criminal property. It is asset or business.
also an offence to remove criminal
property from the UK.
Arrangements to facilitate the A person commits an offence Assisting in setting up a business

acquisition, retention, use or if they enter into, or become which they suspected would be
control of criminal property involved in, an arrangement which used for money laundering, or
they know, or suspect, facilitates giving references to another party
the acquisition, retention, use or for a client suspected of money
control of criminal property by or laundering.
on behalf of another person.
Acquiring, using or possessing A person commits an offence Knowingly or inadvertently

criminal property if they acquire, use or possess accepting payment from a client of
criminal property. An exception cash that has been obtained from
to this offence relates to criminal activity.
property acquired for adequate
consideration (to protect someone
who has inadvertently been sold
criminal property).
It is a defence to all three of these offences if the alleged offender makes an authorised disclosure to the police, a
customs officer, or a nominated officer at the first available opportunity, which can either be before the transaction
takes place or as soon as possible thereafter, if the person had a reasonable excuse for not disclosing earlier.
The penalties for these offences are up to 14 years in prison, a fine, or both.
Notes

Other offences – relating to individuals working in the regulated sector
The ML Regulations identify a specific group of businesses that are termed as ‘regulated sectors’. Individuals
undertaking ‘relevant financial business’ within one of these sectors are subject to more stringent money laundering
requirements. The requirements in this section of the Assurance and Reporting course apply more widely than
the audit sector. Although the primary focus of this section is on the impact of the ML Regulations on the work of
auditors, it is also necessary to understand their application to other professionals, including accountants.
The regulated sectors include:
• auditors, insolvency practitioners, external accountants and tax advisers;

• credit institutions;
• financial institutions;
• independent legal professionals;
• trust or company service providers;
• estate agents and letting agents;
• high value dealers;
• casinos;
• art market participants;
• cryptoasset exchange providers; and
• custodian wallet providers
Potential additional offences for those in the ‘regulated sector’ under the POCA for such individuals include ‘failure to
report’ and ‘tipping off’.
1. Failure to report
POCA requires disclosures to be made internally, in certain circumstances, to a nominated officer. The Money
Laundering Reporting Officer (‘MLRO’) is the nominated officer in an audit (or other professional) firm. All suspicions
or knowledge of money laundering should be reported to the designated MLRO or their deputy.
It is an offence under the POCA for an individual in a regulated sector to fail to report to their firm’s MLRO (or, in
very limited exceptional circumstances, the National Crime Agency (NCA) direct), in a timely fashion, where:
a) they knew or had reasonable grounds to know or suspect that someone is engaged in money laundering; AND
b) either:
they can identify the person or the whereabouts of any of the laundered property; or
they believe that the information they provide will identify either the other person or the laundered property; AND
Notes

c) the information has come to them in the normal course of business.
By making a disclosure, the individual concerned has discharged their responsibilities in law and responsibility
passes to the MLRO, who should investigate the issues raised.
An MLRO commits an offence where they fail to report to the NCA, in a timely fashion, where:
a) they knew, or had reasonable grounds to know or suspect, that someone is engaged in money laundering; AND
b) either:
they can identify the person or the whereabouts of any of the laundered property; or
they know or believe that the information they provide will identify either the other person or the laundered
property; AND
c) the information has come to them in the course of an individual reporting to them.
Example
A company involved in the retail business is likely to have been the victim of shoplifting offences, but the
information available to the MLRO of the company’s external auditor is unlikely to be sufficient to identify
the money launderer or the whereabouts of any of the laundered property. As such, the firm’s MLRO is not
required to report knowledge or suspicion of money laundering arising from such a crime.
An exception to this rule relates to terrorism – all suspicions or knowledge obtained through whatever means must
be reported if they concern terrorism.
The POCA contains no de minimis provisions: all suspicions that fall under the requirements above must be
reported, no matter how small.
2. Tipping off
The POCA also makes it an offence to ‘tip off’ someone who has been reported for a known or suspected money
laundering offence, as this may prejudice any investigation that is conducted in response to the report.
The offence arises when an individual discloses information which was received in their ordinary course of business
including:
• that a report has already been made; or

• that an investigation is being contemplated or is being carried out to determine whether a report has to be
made.
Notes

Both offences carry a penalty of imprisonment, a fine or a combination of both. Failure to report carries up to five
years in prison, while tipping off carries a maximum of two years.
9.4.2 ML Regulations
The ML Regulations require everyone who carries on a ‘relevant financial business’ in a regulated sector to establish
and maintain specific policies and procedures to guard against their services being used for the purposes of
money laundering.
The ML Regulations cover some key areas:
• Risk assessment and controls;

• Customer due diligence; and
• Registration and Supervision of relevant businesses.
This section is relevant for your knowledge of all regulated sectors. In the next section, the impact of the ML
Regulations on the audit firm and the audit approach will be considered.
Risk assessment and controls
Risk-sensitive policies and procedures must be implemented in regulated sector businesses. Within these controls is
a key focus on training and reporting of suspicions. Policies and procedures include:
Risk assessment Appropriate steps to identify and assess the risks of money laundering should be
undertaken based on the size and nature of clients and the audit/accountancy firm itself.
Policies, controls The establishment and maintenance of specific policies, controls and procedures
and procedures to mitigate and manage any risks of money laundering, including risk management and
compliance, reporting, and effectiveness monitoring. These should be kept in writing and
regularly updated.
Internal controls An individual, who is a member of the board or of senior management, should be
appointed to take overall responsibility for compliance with the ML Regulations.
This role can be fulfilled by the MLRO, but preferably by someone else with appropriate
seniority within the firm.
Training Relevant staff, particularly those who deal with clients, should be provided with written
anti-money laundering policies and procedures. They should be trained to identify
instances of money laundering and to understand how anti-money laundering policies and
procedures affect their work, including how to report suspicions to their firm’s MLRO.
Notes

Customer due diligence
All firms must seek satisfactory evidence to identify and verify their clients, on the basis of documents, data or
information obtained from a reliable and independent source. This includes:
• Directors (passport/ driving licence);

• The Company itself (Companies House Search); and
• Beneficial owners – someone with 25% or more of voting rights to an entity or who can exercise control over
management of the entity (passport/ driving licence).
Increasingly, firms are being encouraged to use online verification systems to carry out their customer due diligence,
as these are more robust than traditional paper methods. However, this has not yet been made mandatory.
Accountants should adopt a risk-based approach to due diligence, gaining more evidence when there is a higher
degree of risk. Enhanced due diligence is required where the client is, for example, from a high risk third country or
are a politically exposed person.
Records of any client identification procedures and risk assessments must be kept for five years. The information
that should be retained also includes information on any transaction made by a firm on behalf of a client. Records
relating to client identity must be deleted five years after completion of a relationship/transaction.
Supervision and registration
Some professional bodies, such as ICAS, must effectively monitor and take appropriate measures to ensure their
members comply with the ML Regulations. The professional bodies are set out in Schedule 1 of the 2017 MLRs,
however you are not required to know which bodies these are for exam purposes.
It is a criminal offence to provide accountancy services within the regulated sector without being supervised by an
appropriate AML supervisory body.
9.4.3 Impact on auditor
UK auditing standards support the anti-money laundering legislation rather than imposing further regulations.
All areas mentioned in the above section apply to auditors. Additionally, ISA (UK) 250 Section A – Consideration
of Laws and Regulations in an Audit of Financial Statements provides some guidance regarding the impact on the
auditor. This guidance emphasises the additional reporting requirement of auditors as part of the regulated sectors,
as well as providing some additional considerations regarding tipping off.
Notes

Tipping off
As discussed earlier, it is an offence under the POCA to ‘tip off’. The auditor, however, remains responsible under the
CA 2006 to express an opinion on whether the financial statements give a true and fair view. Therefore, the auditor
has to be careful that in gathering evidence for their audit opinion, they do not tip off any director or employee of the
company of any suspicion of money laundering.
ISA (UK) 250 Section A highlights circumstances where the auditor must be cautious not to tip off the client. These
include:
Instances of non- In performing audit procedures in the context of possible non-compliance within
compliance a set of financial statements, the auditor must take care not to alert a money
launderer, particularly where management or those charged with governance are
involved.
Communication with While the auditor is required to communicate significant findings with those charged
those charged with with governance, care should be taken where management, or those charged with
governance governance, are suspected to be involved in money laundering.
Resigning ‘Unexpectedly’ is in so far as the suspected money launderer is concerned.

unexpectedly from the
audit engagement
Issuing a modified The auditor should consider whether including information in the audit report about
audit report any identified or suspected money laundering activities (i.e., by modifying the
opinion or communicating key audit matters) could alert a money launderer.
Delaying the audit Any delay in issuing the audit report pending the outcome of an investigation may
report alert the money launderer.
If the auditor has concerns regarding any of these matters, they should seek advice from their MLRO, legal counsel,
or their professional body, for example, ICAS.
Notes

9.4.4 Accountants working outside the regulated sectors
There is currently no obligation (and no mechanism) for anyone operating outside the regulated sectors to make
a money laundering report unless it relates to terrorism.1 Where an accountant is faced with a suspicion of money
laundering outside the regulated sectors, they should consult their employer or professional body (e.g., ICAS) for advice.
Money laundering is a complex and sensitive area for any accountant, whether working in the regulated
sector or not. Where an accountant is faced with a suspicion of money laundering it is essential that the
ethical considerations, as well as the legal implications, are considered. Accountants should ensure to report
instances of money laundering through the appropriate routes whether this is a legal requirement or not.
Accountants should also ensure that they are not influenced into ignoring an inappropriate, illegal, or unethical
action due to the fear of speaking up, and should demonstrate the moral courage to appropriately deal with
suspicions of money laundering.
Learning Outcome 3: Explain how money laundering legislation impacts the work of auditors
and the applicability of this legislation to other professions
Money laundering involves possessing, concealing or dealing with the proceeds of any crime. Legal guidance is
contained in the POCA, ML Regulations and SOCPA.
The POCA sets out three principal offences:
• Concealing or transferring the proceeds of criminal conduct;

• Arrangements to facilitate the acquisition, retention, use or control of criminal property; and
• Acquiring, using or possessing criminal property.
There are additional offences laid out for those in the ‘regulated sector’ – Failure to Report and Tipping Off.
The ML Regulations set out specific policies and procedures to be implemented by firms. ISA (UK) 250 Section A
provides guidance for auditors in relation to money laundering.
1. Note: There is no legal obligation to contact the police, but ethically a CA should look to demonstrate the moral courage to report a known
crime where appropriate.
Notes

9.5 Summary
The auditor has a number of responsibilities under statute including:
• expressing an opinion to the company’s shareholders over the truth and fairness of the financial statements and
the consistency of the strategic report and directors’ report; and
• forming an opinion over the matters reported by exception:
• Returns have been received from branches not visited by the auditor; RAPID
• Accounts agree with the underlying records;
• Directors’ emoluments and other benefits disclosures are complete.
Therefore, the CA 2006 offers a number of rights for the auditor to help meet these responsibilities, including:
• rights to receive information; and

• rights in relation to resolutions and meetings.
There are also specific rules laid out in the CA 2006 regarding auditor appointment, remuneration, removal and
resignation.
The second source of auditor responsibility examined related to money laundering legislation including POCA, ML
Regulations and SOCPA. Money laundering involves possessing, concealing or dealing with the proceeds of any crime.
The POCA sets out three principal offences:
• Concealing or transferring the proceeds of criminal conduct;

• Arrangements to facilitate the acquisition, retention, use or control of criminal property; and
• Acquiring, using or possessing criminal property.
There are additional offences laid out for those in the ‘regulated sector’ – failure to report and tipping off.
The ML Regulations set out specific policies and procedures to be implemented by firms covering:
1. Risk assessment and controls;

2. Customer due diligence; and
3. Registration and supervision.
You should now be able to meet all of the learning outcomes for this module. Should you not be able to do so, you
should go back and re-read the relevant section or sections.
Notes

Solution to Activities
An audit is an examination of a company’s financial statements by an independent expert that results in the
expert providing an opinion on whether the financial statements give a true and fair view to the shareholders.
This description outlines the key responsibilities of the auditor defined by the CA 2006. These responsibilities
are as follows:
1. The auditor must express an opinion:

financial reporting framework and Companies Act; and
• on the consistency of the directors’ report and strategic report with the financial statements and
whether they have been prepared in accordance with applicable legal requirements.
2. The opinion is expressed to the company’s shareholders.
Back to activity
Notes

Key responsibilities
The auditor’s statutory responsibilities revolve around the audit report. The basic responsibilities are set out in
the CA 2006, which require the auditor to:
• express an opinion:
financial reporting framework and Companies Act; and
• on the consistency of the directors’ report and strategic report with the financial statements.
• express their opinion to the company’s shareholders.
The auditor is also required by the CA 2006 to form an opinion about several other matters, which are
reported by exception in the audit report, sometimes known as ‘matters reported by exception’.
The auditor must consider whether:
• Returns have been received from branches not visited by the auditor;
• Accounts agree to underlying records;
• Directors’ emoluments and other benefit disclosures are complete.
Responsibilities on cessation of office
To resign from an appointment, the audit firm is required to send a letter of resignation to the company.
An auditor of a public interest company must also deliver a statement of circumstances to the company’s
registered office if they cease to hold office. This is also a requirement for other companies unless the reason
for ceasing to hold office is exempted.
When a statement must be sent to a company it must be also sent to the Financial Reporting Council (‘FRC’)
for public interest companies and the auditor’s Recognised Supervisory Body (‘RSB’) for other companies.
Companies House must also be provided with statements relating to public interest companies, unless a court
order to prevent this is obtained by the company.
Back to activity
Notes

Module 10. Auditor Responsibilities:
Common Law
Contents
10.3 Common Law and Negligence 182
10.4 Establishing a Duty of Care 183
10.4.1 Duty of care to third parties 183
10.4.2 Duty of care to audit clients 185
10.4.3 Duty of care to shareholders 189
10.5 Breaching the Duty of Care 190
10.6 Quantifiable, Reasonably Foreseeable Loss 192
10.6.1 The ‘but for’ test 192
10.6.2 Remoteness of damage 192
10.7 Managing Auditor Liability 193
10.7.1 Avoidance of litigation 194
10.7.2 Limited liability 194
10.7.3 Defences 195
10.8 Summary 198

10. Auditor Responsibilities: Common Law
10.1 Introduction
The role of the auditor is defined by statute, common law, auditing and ethical standards. In this module the auditor’s
responsibilities defined by common law will be considered. In order to fully understand the auditor’s responsibilities
under common law, we must also consider the wider obligations imposed by law on individuals and professional
advisers in relation to negligence, as well as specific cases relevant to the auditor.
1. define negligence and describe the circumstances in which a duty of care is owed;
2. describe the circumstances that could result in a breach of duty of care and describe the concept of a
quantifiable, reasonably foreseeable loss; and
3. identify the main ways in which audit firms can limit liability or defend a negligence claim.
Achieving these learning outcomes will help you to meet the fourth learning outcome of the course as per the
syllabus.
10.3 Common Law and Negligence
In addition to their statutory responsibilities, auditors must adhere to their responsibilities laid down in common law.
Common law: the system of laws based on decisions made by judges in court. This is based on the
concept of judicial precedent, that is, the principle that the decision made by a court is binding on other courts
in later cases involving a similar set of circumstances and the same point of law.
Common law has established the legal precedents around negligence which impact all professional advisers (such
as solicitors or accountants).
Negligence: a breach of a legal duty of care which results in loss or damage being suffered by another party.
Notes

If an accountant is found to have been negligent and another party has suffered from that negligence, it is likely they
will have to pay the other party damages, in other words, financial compensation for any damages caused by the
accountant’s work.
To establish negligence and seek damages, a claimant must prove that:
• the accountant owed a duty of care to the claimant;

• the work was negligently performed (that is, there was a breach of the duty of care); and
• the claimant suffered a quantifiable, reasonably foreseeable loss because of the accountant’s negligence.
Each of these points will be discussed in more detail below.
10.4 Establishing a Duty of Care
The courts will only make an award of damages in relation to a negligence claim if it can be proved that a duty
of care was owed to the claimant. The concept of duty of care therefore places a limit on the persons who may
obtain such a legal remedy. This means that an accountant may be found to have acted negligently by the courts but
may not have to pay any compensation where no duty of care existed between the accountant and the claimant.
Specifically, in an audit, there is potential for a duty of care to exist to three groups of people – audit clients,
shareholders of those clients and third parties.
10.4.1 Duty of care to third parties
The auditor’s duty of care to third parties has been changed over time by common law.
The current precedent for duty of care to third parties and shareholders has been set by the ‘watershed’ Caparo
case.
Notes

Caparo Industries plc v Dickman and Others (1990)
Facts Caparo Industries relied on the audited accounts of Fidelity plc in making a successful
takeover bid for that company. The audited financial statements of Fidelity showed a profit
of £1.2 million. However, shortly after completing the purchase, Caparo discovered that the
result should have been a loss of over £400,000. Caparo alleged that the auditors had been
negligent in the auditing of the accounts and sought remedy for the loss through the court
system.
Outcome The court did not consider the allegation of negligence because it held that the auditor did
not owe a duty of care to the claimants.
The court clarified the conditions under which a duty of care would be owed to third parties.
The three conditions (known as the tripartite test of duty of care) that must be met to
establish duty of care are:
1. the economic loss arising would have to be reasonably foreseeable;

2. there would need to be a close and direct relationship between the defendant and
claimant, that is, at the time the audit report was prepared, the auditor knew, or ought to
have reasonably known:
• that the audited accounts would be shown to the specific third party; and
• the purposes for which the third party intended to place reliance on the audited
accounts; and
3. The imposition of a duty of care would have to be fair, just and reasonable in the
circumstances.
In this case it could be established that the loss was foreseeable due to the negligent
statement made by the auditors in their audit report. However, the House of Lords
established that while it is foreseeable that investors may use published accounts to make
investment decisions, the auditors who audited such accounts would not be liable for losses
as a result of the accounts being wrong. This is because there was insufficient proximity
between the auditors and Caparo. Therefore, the crucial factor in this case was that there
was no close or direct relationship between Caparo and Fidelity’s auditors.
Impact This case served to restrict the auditor’s duty of care to third parties to those individuals
on audit with whom the auditor has a close and direct relationship. This is known as the principle of
profession proximity.
Application Based on the Caparo precedent, the existence of an auditor’s duty of care to third parties
of the Caparo hinges on the subjective question of whether there was sufficient proximity between the
precedent parties at the time of the alleged negligence. While the precedent was deemed to be initially
controversial, the Caparo decision has been supported by more recent judgements, such as
the case detailed below.
The tripartite test of duty of care is considered further in the following sections.

Foreseeability of Harm
The nature of the damage for which a remedy is being sought must be reasonably foreseeable from the
perspective of a reasonable person in the defendant’s position.
Proximity of the Relationship
The main purpose of this criterion is to ensure that the claimant belongs to a ‘determinate class’ – i.e., a limited
class of persons who might reasonably foreseeably suffer damage as a result of the wrongdoer’s negligence.
This was particularly important in consideration of the Caparo case above.
Fair, Just and Reasonable
Even where the nature of the damage is foreseeable and there is sufficient proximity of relationship between the
claimant and defendant, a court may decide that it would not be fair, just or reasonable to impose a duty of care in
the circumstances. This can embrace a host of issues, but a common thread is whether imposing a duty of care
would result in more harm than good.
10.4.2 Duty of care to audit clients
The duty to an audit client is a contractual one, and failure to fulfil that duty can give rise to an action for negligence.
The contract between an auditor and their client takes the form of the engagement letter. The engagement letter
(which is covered in more detail in Module 14) sets out the responsibilities of the auditor whilst performing the
statutory audit.
Notes

AWA Limited v Daniels, trading as Deloitte Haskins & Sells & Ors (1992)
Facts A senior manager within AWA concealed losses of 50 million AUD, making it appear as if
the company was trading profitably. AWA sued the auditor for damages, alleging breach of
contract, caused by the auditor’s failure to draw attention to the serious deficiencies in the
company’s control systems and to qualify the audit reports.
Outcome The court held that the auditor had a duty of care to their audit client through the
engagement letter. Within the engagement letter the auditor had agreed to perform the audit
in accordance with the auditing standards of the time. The auditing standards required any
serious deficiencies to be reported to those charged with governance, so by failing to inform
the directors in accordance with the terms of the engagement letter, the court found the
auditor to be negligent.
The court had established both duty of care and negligence in this case and as the company
had suffered a foreseeable loss, the auditor was ordered to pay financial compensation.
However, the court held that the directors of the company also had a legal responsibility
to safeguard the assets of the company through the implementation of adequate internal
controls and had, therefore, contributed to the loss. The directors were found to be jointly
liable with the auditor, and the auditor was therefore ordered to pay AWA reduced damages.
Summary The auditor has a duty of care to the audit client to carry out the audit engagement as per the
terms of the engagement letter (including the relevant auditing standards).
Professional advisers: The special relationship
We demonstrated above that the duty of care between auditors and their audit clients is a contractual one. However,
common law has established that a liability could be attributed where a special relationship exists regardless of the
existence of a contractual relationship.
Notes

Hedley Byrne Ltd v Heller & Partners (1964)
Facts HB were advertising agents. They asked for a credit reference from Heller & Partners
(‘Heller’) – the bankers of a new client. The credit reference provided by Heller amounted to a
negligent misstatement but included a disclaimer of legal responsibility.
Outcome In the circumstances of the case the disclaimer did mean that Heller avoided liability.
However, the House of Lords took the opportunity to consider whether there could be a
situation where a duty of care to avoid causing financial loss by negligent misstatements
could arise in a situation where no contract existed between the parties.
Impact The House of Lords held that, in principle, a duty of care could be owed between parties in
on audit a special relationship to take reasonable steps to minimise the risk of pure economic loss.
profession So, had it not been for the disclaimer included by Heller in the credit reference they provided,
they would have been liable to HB for a breach of duty of care.
In order for a special relationship to exist a number of factors must be in place:
• one person must be acting in a professional or expert capacity;

• the other person relies on the advice they are given; and
• the person giving the advice knows or should know that their advice will be relied on.
If these conditions are met, then a duty of care arises.
There have been a number of cases which have examined the role of the auditor in relation to this special
relationship.
For example, in relation to giving professional advice, a distinction has been drawn by the courts between situations
where:
a) information is prepared knowing that a particular person will rely on that information, and
b) information is prepared for general circulation.
Notes

Royal Bank of Scotland plc v Bannerman Johnstone Maclay and Others (2002)
Facts RBS provided an overdraft facility to a company called APC Ltd. The overdraft facility
contained a clause requiring the company to send RBS a copy of the annual audited financial
statements each year. When the company went into receivership, RBS sued Bannerman (the
auditor) for negligence.
Outcome It was held that the auditor should have reviewed the overdraft facility letter as part of the
audit and should have known the reliance that RBS would place on the audit opinion. As such
the court ruled that Bannerman did owe a duty of care to RBS.
An undisclosed settlement was reached between the two parties and, as such, no verdict on
negligence was ever reached.
Impact ICAEW issued a technical release in the light of the Bannerman case recommending that
on audit auditors who wish to manage the risk of liability to third parties use a disclaimer in their audit
profession reports. This document has been endorsed by ICAS. The detailed wording of the audit report
is covered in Module 22.
Barclays Bank v Grant Thornton (2015)
Facts A company, having entered into a significant loan facility with Barclays, later went into
administration leaving Barclays with a substantial loss.
Barclays brought about a claim against the company’s auditor, Grant Thornton, for alleged
negligence in the production of non-statutory audit reports provided to third parties which
had been sent to Barclays. The reports failed to identify a fraud that misled the sales
and expenses position of the company. The reports included a disclaimer limiting Grant
Thornton’s duty of care.
Outcome The court held that as the disclaimer included in the reports was clear and used between two
commercially sophisticated parties, it was effective in excluding liability.
Impact This tested the ICAEW “Bannerman” technical release and found it to be valid.
on audit
profession
Notes

10.4.3 Duty of care to shareholders
Although the auditor’s contract is with the client company, the audit report is addressed to the shareholders of the
company who were responsible for appointing the auditor. Therefore, the matter of whether a duty of care can be
owed to shareholders should be considered. The Caparo case also provided the current precedent relating to auditor
duty of care to shareholders.
Caparo Industries plc v Dickman and Others (1990)
Facts Caparo held a small number of shares in Fidelity plc prior to their takeover of the company.
When they lost their initial case, Caparo then appealed on the grounds that they were
existing shareholders, to whom the audit report had been addressed.
Outcome The final judgement on duty of care owed to shareholders was that:
1. An auditor’s statutory duty to audit and to report is owed to the body of shareholders
as a whole, its purpose being to enable the shareholders collectively to exercise
informed control over the company; and
2. No duty of care is owed by auditors to shareholders or potential shareholders acting as
individuals to enable them to invest with a view to profit. Shareholder losses can only be
recouped if the company has also suffered a loss which can be recovered on behalf of
the shareholders.
Impact The auditor can only be sued for negligence by the body of shareholders as a whole.
on audit
profession
Learning Outcome 1: Define negligence and describe the circumstances in which a duty of
care is owed
Negligence is a breach of a legal duty of care which results in loss or damage being suffered by another party.
• the accountant owed a duty of care to the claimant;

• the work was negligently performed (that is, there was a breach of the duty of care); and
• the claimant suffered a quantifiable, reasonably foreseeable loss because of the auditor’s negligence.
Notes

A duty of care can be established where:
• the economic loss arising was reasonably foreseeable;

• there was a close and direct relationship between the defendant and claimant;
• the imposition of a duty of care is to be fair, just and reasonable in the circumstances.
The auditor can have a duty of care to three groups:
• Third parties;
• Audit clients; and
• Shareholders.
10.5 Breaching the Duty of Care
The standard of reasonable care requires that the person concerned should do what a reasonable person would do
and not do what a reasonable person would not do.
There are a number of factors that can be considered in determining whether a duty of care has been breached.
Professional/ A person who holds himself out as having a particular skill will be judged by reference to
skilled what a reasonable person with those same skills would do. This is a higher test than the
persons ‘reasonable person’ test.
So, in the case of professional advisers, they may be in breach of a duty of care if they fail to
reach the standard reasonably expected of a member of their profession.
In practice, it is quite difficult to assess the relevant standard, although help can be
obtained from other members of the profession and from the profession’s own guidelines of
professional conduct.
Probability of If the risk is high, then the reasonable person is expected to take greater care to ensure their
injury duty of care is not breached.
Seriousness The principle of ‘take your victim as you find him’ applies so that, in the case of a vulnerable
of the risk person like a child or disabled person, the level of care required is increased.
Practicability If the cost required to eliminate all risks is excessive compared to the risk of injury arising,
and cost then there is no breach of duty if all steps are not taken. A defendant is not expected to
eradicate the risk of injury or loss – they are expected to take reasonable precautions to
minimise the risk of foreseeable injury or loss arising from their acts or omissions.

A key case that we will use to demonstrate auditor negligence is Re Kingston Cotton Mill Co (1896). Although a fairly
old case, this is useful for illustrating the key points in auditor negligence.
Re Kingston Cotton Mill Co (1896)
Facts Over a number of years, a manager of Kingston Cotton Mill had exaggerated the stock
quantities and value in order to overstate the company’s profits.
The auditor had relied on a stock certificate signed by the manager with regard to the
quantity and value of stock. He had not attended the stock count, or attempted to value the
individual items of stock.
Outcome The court laid down the precedent that:
“It is the duty of an auditor to bring to bear on the work he has to perform that skill, care and
caution which a reasonably competent, careful and cautious auditor would use”.
Failure to do this constitutes auditor negligence.
In considering whether the auditor had been negligent in this case, the judge considered
what was expected of a reasonably competent, careful and cautious auditor. In 1896 there
was no requirement under law or auditing guidance for the auditor to attend the stock count.
Therefore, the court held that the auditor had taken a reasonable course of action and the
failure to discover a major error in stock did not constitute negligence. The judge also clarified
that in the context of ‘reasonable skill, care and caution’ it was not reasonable to expect the
auditor to discover every possible error or fraud. This would require a much greater amount
of testing than is considered practical.
Current ISA (UK) 501 Audit evidence – specific considerations for selected items requires the auditor
situation to attend the stock count if stock is a risky and/ or material balance. Therefore, if the Kingston
Cotton Mill case were to be tried again today, the outcome would likely be different.
Summary A breach of duty of care can, in general, be defined as a failure to exercise the level
of reasonable skill, care and caution that is appropriate to a particular set of
circumstances. It is likely that the courts would consider current auditing standards and best
practice to determine what constitutes a reasonable level of skill, care and caution, although
each case will be considered on its individual circumstances.
Impact An auditor must undertake the audit with reasonable skill, care and caution to avoid
on audit negligence. This has been interpreted to mean compliance with applicable law and
profession auditing regulations. It should be noted that auditing involves a great deal of judgement,
which may still be contended in a court, for example, whether sufficient, appropriate audit
evidence was actually collected. The application of reasonable skill, care and caution will
depend on the circumstances of each case individually.

10.6 Quantifiable, Reasonably Foreseeable Loss
A claimant, once they have shown that they are owed a duty of care and that the duty of care owed to them has
been breached, must then show that they suffered injury, harm or loss as a result of the breach. A person will only be
compensated if they have suffered actual injury, harm, loss or damage as a result of another’s actions.
Examples of such loss include:
• personal injury;
• financial loss directly connected to personal injury, for example, loss of earnings; and
• damage to property.
10.6.1 The ‘but for’ test
The test used to determine liability is often referred to as the ‘but for’ test. If the claimant’s loss would not have
occurred but for the defendant’s conduct, then the defendant has caused the loss. If, on the other hand, the claimant
would have suffered the loss regardless of the defendant’s conduct, then the defendant is not liable for the loss.
It is not always straightforward to determine what caused a claimant’s loss where, for example, there are a number
of possible causes including the negligent act. In such situations, the courts must decide on the facts of each case
whether the negligent act caused the injury or loss.
10.6.2 Remoteness of damage
Even where causation is proved, a negligence claim can still fail if the damage caused is ‘too remote’.
‘The grand rule on the subject of damages is that none can be claimed except as naturally and directly arise out of
the wrong done; and such, therefore, as may reasonably be supposed to have been in the view of the wrongdoer’.
Lord Kinloch in Allan v Barclay 1864
This does not mean that the exact event must be foreseeable in the way that it happened but rather that the eventual
outcome was foreseeable.
Notes

Learning Outcome 2: Describe the circumstances that could result in a breach of duty of care
and describe the concept of a quantifiable, reasonably foreseeable loss
and not do what a reasonable person would not do. A person who holds themself out as having a particular skill will
be judged by reference to what a reasonable person with those same skills would do. This is a higher test than the
‘reasonable person’ test.
A person will only be compensated for a negligence action if they have suffered actual injury, harm, loss or damage
as a result of another’s actions.
10.7 Managing Auditor Liability
As discussed above, the most common remedy for loss or damage suffered due to an auditor’s negligence is
financial compensation.
The professional indemnity insurance that all registered auditors are required to have has led to a perception that
auditors have “deep pockets”. The perception is that it may be more financially beneficial to sue the auditors rather
than other parties such as the financially stricken company.
Notes

10.7.1 Avoidance of litigation
Auditors should take measures to prevent negligence and hence avoid litigation claims being raised against them.
These approaches should include:
Formalising The auditor should ensure that there is an engagement letter (contract) in place for
the basis every engagement, to ensure that the responsibilities of the auditor, and the terms of the
of the engagement, have been set out in writing and agreed by the client. This prevents any
engagement subsequent misunderstanding of the terms of the engagement.
contract
Identifying the Appropriate procedures should be performed when investigating potential clients to avoid
risk profile situations where clients with poor ethical or financial records are taken on, thereby increasing
of potential the risk of litigation (also required by the Money Laundering Regulations).
clients
Ensuring a The auditor must ensure that they are following the applicable auditing standards
sound audit and guidance to protect against claims of negligence, but should recognise that sound
approach is professional judgement must also be exercised throughout the audit.
followed
Compliance with quality management procedures will also reduce the likelihood of litigation.
Such procedures will include:
• ensuring audit staff are adequately trained and supervised;

• ensuring that documentation standards are adhered to; and
• ensuring all work is reviewed effectively.
10.7.2 Limited liability
The “deep pockets” perception of auditors led to auditors often being sued for damages when a company failed, as
creditors felt that this would lead to a more favourable outcome than suing a failed business.
Many in the UK business community felt that this was becoming increasingly damaging to the UK economy and
that businesses which were perceived as “high-risk” would be unable to obtain audit services at an economic price.
The accountancy firms argued that reasonable liability limitation would be in the best interests of efficient markets,
shareholders and companies, as well as auditors.
Notes

Liability limitation agreements
The CA 2006 allows auditors to limit their liability by contract, in the form of a liability limitation agreement (‘LLA’).
A liability limitation agreement: limits the amount of liability owed to a company by its auditor in respect
of any negligence, default, breach of duty or breach of trust, occurring in the course of the audit for which the
auditor may be responsible in relation to the company.
The CA 2006 does not stipulate how the limit should be calculated – it could be a particular value, generated by a
formula or be described in another manner. However, the limit should not be set lower than an amount that is fair,
just and reasonable.
The CA 2006 imposes a number of requirements on the use of an LLA:
• Auditors can only limit liability by LLA for a particular, specified financial year;
• Each LLA must be authorised by the shareholders; and
• Details of an LLA must be disclosed in the annual accounts.
It should be noted that an LLA does not change the auditor’s statutory responsibilities, their duty of care, or the need
to follow professional standards.
Any liability that is negotiated could also still be challenged in court. The investor community has shown concern
over LLAs and the potential impact on audit quality. To try to allay the fears of investors the government introduced
legislation which means auditors can now face charges over ‘knowingly or recklessly’ giving an incorrect audit
opinion for which the penalty will be an unlimited fine.
10.7.3 Defences
Once the pursuer has established, on a balance of probabilities, that they were owed a duty of care by the
defendant, and that the defendant’s failure to achieve the standard of care expected caused the loss or injury for
which the pursuer is seeking a remedy, the pursuer may be said to have established a prima facie case. This means
that ‘at first sight’ the pursuer will win and the onus of proof shifts to the defender.
At this stage in the proceedings, the defendant can attempt to avoid liability or have the amount of damages which is
sought by the claimant reduced by putting forward an appropriate defence.
Notes

The most commonly relied upon defences in a negligence case are:
Contributory This defence may be relied upon where the claimant has aggravated or exacerbated the
negligence injury or damage which they have suffered by their own negligence. If the defendant proves
that the claimant was at least partially at fault, the court may reduce the compensation
payable to the claimant by an amount which represents their share of the blame.
Volenti non fit Where it can be proved that a claimant consented to a risk in a situation where a defendant’s
injuria actions carry an inherent risk, then the defendant will have a defence. The defence is
available either where it can be shown that both parties expressly consented to the risk
(e.g., where a waiver form is signed when taking part in extreme sports) or where it can be
implied by the conduct of the claimant.
In order for a defendant to be successful in arguing volenti, they must prove that the claimant
was fully aware of the risks and that they consented to them.
If volenti can be established, it will provide the defendant with a complete defence; they will
be exonerated from paying damages altogether.
Ex turpi A claimant is unable to pursue legal remedy where this arises from their own illegal act.
causa
This is demonstrated by the case below.
Notes

Moore Stephens v Stone & Rolls (2009)
Facts The controlling and sole shareholder of Stone & Rolls used Stone & Rolls to deliberately
carry out a scheme to defraud banks then pay monies to themselves. As a result, the
company went into liquidation.
Stone & Rolls (through the liquidators) brought a claim against the auditors Moore Stephens
for failing to detect the fraudulent transactions resulting in a delay to stopping the fraud.
Outcome The House of Lords held, by a 3 to 2 majority, that Moore Stephens were entitled to rely on
the ex turpi causa defence to strike out the claim by Stone & Rolls. As the sole shareholder
was also the sole director and therefore the controller of the company, Stone & Rolls had
knowledge of the fraudulent scheme. Although a duty of care did exist, the case was struck
out.
Impact The decision provided clarity of the scope of duty of care owed by auditors and the use of the
on audit defence of ex turpi causa where fraud arises as a result of the actions of a sole controller of a
profession company.
The application of the principle of ex turpi causa has been considered in other cases since the Moore Stephens v
Stone & Rolls case and the specifics of the case would be considered in any instance where this was being used as
a defence.
Learning Outcome 3: Identify the main ways in which audit firms can limit liability or defend a
negligence claim
Audit firms face the risk of being sued for negligence for potentially unlimited sums. There are certain quality
management measures firms can put in place to try to avoid negligence claims including:
• Formalising the basis of the engagement contract;

• Identifying the risk profile of potential clients; and
• Ensuring a sound audit approach is followed.
The government has also introduced LLAs allowing the auditor to negotiate a liability limit with their client.
The three most common defences against a negligence claim are:
• Contributory negligence;
• Volenti non fit injuria; and
• Ex turpi causa.

10.8 Summary
The source of auditor responsibility considered in this module was common law.
Negligence
1. The accountant owed a duty of care to the claimant
In establishing a duty of care, three factors are considered:
• the loss arising was reasonably foreseeable;

• a close and direct relationship existed; and
• the imposition of a duty of care was fair, just and reasonable.
The auditor can have a duty of care to three groups:
• Third parties;
• Audit clients; and
• Shareholders.
2. The work was negligently performed (that is, there was a breach of the duty of care)
and not do what a reasonable person would not do. The standard of a professional or skilled person will be higher.
3. The claimant suffered a quantifiable, reasonably foreseeable loss because of the auditor’s negligence
Managing auditor liability
A person will only be compensated if they have suffered actual injury, harm, loss or damage as a result of another’s
actions. Considerations include the ‘but for’ test and the remoteness of damage
There are certain quality management measures firms can put in place to try to avoid negligence claims including:
• Formalising the basis of the engagement contract;

• Identifying the risk profile of potential clients; and
• Ensuring a sound audit approach is followed.
The government has also introduced LLAs allowing the auditor to negotiate a liability limit with their client.
Notes

The three most common defences against a negligence claim are:
• Contributory negligence;
• Volenti non fit injuria; and
• Ex turpi causa.
Cases
There are number of key cases to be aware of in relation to negligence in the UK.
Caparo Industries v Dickman and Others Duty of care to third parties – the principle of proximity
Duty of care to shareholders
AWA Limited v Daniels Duty of care to audit clients
Hedley Byrne Ltd v Heller & Partners Special relationship
RBS plc v Bannerman Johnstone Maclay and Others Special relationship between an auditor and a third
party with no disclaimer
Barclays Bank v Grant Thornton Special relationship between an auditor and a third
party with a disclaimer
Re Kingston Cotton Mill Reasonable person test
Moore Stephens v Stone & Rolls Ex turpi causa
You should now be able to meet all of the learning outcomes for this module. Should you not be able to do so, you
should go back and re-read the relevant section or sections.
Notes

Module 11. Auditor Independence
and Ethics
Contents
11.3 Integrity and Ethics 202
11.3.1 ICAS Code of Ethics 203
11.4 Independence 204
11.5 FRC Ethical Standard 205
11.5.1 Part A: Overarching Principles 206
11.5.2 Section 1: General Requirements and Guidance 207
11.5.3 Section 1 – Additional Requirements 209
11.6 Provisions of the Ethical Standard 210
11.6.1 Section 2: Financial, Business, Employment and Personal Relationships 210
11.6.2 Ethical Standard Sections 3 to 5 219
11.6.3 Prohibition of non-audit services for public interest entities 225
11.6.4 Permitted non-audit/ additional services for public interest entities 225
11.6.5 Companies Act 2006 229
11.7 Sarbanes-Oxley 230
11.8 Summary 233

11. Auditor Independence and Ethics
11.1 Introduction
As discussed in Module 8, credibility is a fundamental principle of auditing and relates to whether users of financial
statements will rely on an audit report when it is issued. The credibility concept concerns the personal qualities of
the auditor: competence, integrity, ethics and independence. Where an auditor is lacking in any of these areas, their
work will not be trusted and will thus be worthless.
Society expects that the auditor should be completely independent of the company, and the members of the
company, being audited.
This implies that:
• the auditor should be free from any previous involvement in the company being audited; and
• the auditor should have no vested interest (personal or business) in the entity being audited or in the outcome,
or in any consequence, of the audit.
This module looks firstly at the basic theory surrounding auditor independence and ethical responsibility, and then
proceeds to explain the various arrangements that are in place to try to ensure that auditors are, and are seen to be,
independent.
1. summarise the main constituents of auditor independence and ethics;

2. describe the coverage of Part A and Sections 1 and 2 of the FRC Ethical Standard;
3. describe the coverage of Sections 3, 4 and 5 of the FRC Ethical Standard;
4. interpret situations that might threaten auditor independence and highlight any suggested safeguards; and
5. describe the requirements of the US Sarbanes-Oxley Act 2002 in relation to auditor independence.
Achieving these learning outcomes will help you to meet the sixth learning outcome of the course as a whole as
detailed in the course syllabus.
Notes

Integrity and ethics are fundamental for auditors. The guidance discussed in this module (including the ICAS
Code of Ethics and the FRC Ethical Standard) are there to provide support to both auditors and accountants
when faced with an ethical dilemma. It is essential that making ethical decisions remains at the forefront of an
auditor’s actions, and it is important that auditors can demonstrate the moral courage to follow the appropriate
course of action. Failure to do so can lead to damage to the credibility and integrity of the external audit.
Ethical decisions and considerations are discussed throughout this module.
11.3 Integrity and Ethics
Activity 1 – Recap from Module 8
Define ‘integrity’ and ‘ethics’ in relation to the role of an auditor.
Solution
Monitoring Integrity and Ethics
One of the key functions of the Recognised Supervisory Bodies (‘RSBs’) and accountancy bodies is to ensure that
public confidence in the accountancy and auditing professions is justified, hence maintaining the credibility of the
professions. Accountants and auditors are often faced with ethical dilemmas in their work and it is vital that they are
aware of the response expected of them. ICAS, along with other professional bodies, issues rules and guidance
identifying the level of ethical behaviour expected by individuals (both members and students) within the profession.
These rules and guidance impose a duty and a responsibility on members and students of an accountancy body to
observe high standards of professional conduct at all times – in the public interest – despite the fact that this may
sometimes be contrary to their own self-interest.
Notes

11.3.1 ICAS Code of Ethics
The ICAS Code of Ethics (‘Code of Ethics’) is largely based on the International Ethics Standards Board for
Accountants (‘IESBA’) Code of Ethics for Professional Accountants but provides additional explanatory guidance
in some areas. The Code of Ethics identifies five fundamental principles that all professional accountants should
observe:
Integrity A professional accountant should be straightforward and honest in all professional and
business relationships.
Objectivity A professional accountant should not allow bias, conflict of interest or undue influence of,
or undue reliance on, individuals, organisations, technology or other factors to override
professional or business judgements.
Professional A professional accountant has a continuing duty to maintain professional knowledge

Competence and skill at the level required to ensure that a client or employer receives competent
and Due Care professional services based on current technical and professional standards and relevant
legislation. A professional accountant should act diligently and in accordance with applicable
technical and professional standards when providing professional services.
Confidentiality A professional accountant should respect the confidentiality of information acquired as a

result of professional or business relationships and should not disclose any such information
to third parties without proper and specific authority unless there is a legal or professional
right or duty to disclose.
Confidential information acquired as a result of professional and business relationships

should not be used for the personal advantage of the professional accountant or third
parties.
Professional A professional accountant should comply with relevant laws and regulations, behave
Behaviour in a manner consistent with the profession’s responsibility to act in the public interest, and
should avoid any action that discredits the profession. A professional accountant should
conduct themselves with courtesy and consideration towards all with whom they come into
contact when performing their work.
COPIP
Notes

The Code of Ethics highlights the fact that its content does not contain a prescriptive approach for the resolution of
every type of ethical scenario and as such professional accountants should be guided by its general objectives and
fundamental principles in all matters. It does, however, contain some examples of typical situations that occur in the
accountancy profession, to allow readers to identify occasions when they may be at risk of failing to recognise or
conform to the professional standards of conduct.
The Code of Ethics applies to all members of ICAS, affiliates, students, employees of a member firm or an affiliate,
and member firms where relevant. These are referred to in the Code as “professional accountants”.
Moral Courage
In order to ensure compliance with the fundamental principles, an underpinning qualitative characteristic of the
professional accountant is the ‘courage’ to act morally. ‘Courage’ for the professional accountant is the need to
act in accordance with the fundamental principles, especially where there is a risk of suffering adverse personal
consequences.
11.4 Independence
The ICAS Code of Ethics requires professional accountants working in public practice on assurance engagements
to be independent of their clients. This is in addition to complying with the five fundamental principles of the Code
described above. The statutory audit represents one type of assurance engagement.
Guidance for auditors on independence, integrity and objectivity is contained in the Ethical Standard (‘ES’) issued
by the Financial Reporting Council (‘FRC’). The detail of these standards will be covered later in the module.
Independence is a key consideration for all auditors and is defined as:
Independence: freedom from conditions and relationships which make it probable that a reasonable and
informed third party would conclude that integrity or objectivity either is or could be impaired.
Independence relates to the circumstances surrounding the audit, including financial, employment, business and
personal relationships between the auditor and their client.
Independence is important because the audit derives its authority and its acceptance purely from the idea of
independence – agency risk (discussed in Module 2) cannot be reduced if the auditor is not independent of the audit
client. Therefore, without independence, an external audit provides little credibility.
Notes

When the auditor faces an ethical situation where there is no ‘correct’ course of action, then professional judgement
must be exercised. Unless the auditor remains independent, there is a risk that their integrity or objectivity may be
compromised, or suspected of compromise. The ES stipulates that whether the ethical principles contained within
have been met should be evaluated by reference to the perspective of an objective, reasonable and informed third
party. Independence therefore has two facets:
1. The fact of independence; and

2. The appearance of independence.
As such, the auditor must not only be independent, they must also be seen to be independent.
Both the individual practitioner and the auditing profession must strive to be and be seen to be independent. The
natural scepticism of the public regarding the integrity and objectivity of the individual auditor will only be overcome if:
• there is evidence that properly monitored standards have been established for auditor conduct; and
• these standards are properly enforced, either by the profession or by society.
Learning Outcome 1: Main Constituents of Auditor Independence and Ethics
The ICAS Code of Ethics outlines fundamental principles that all professional accountants should adhere to. Auditors
in the UK must also comply with the requirements of the FRC Ethical Standard.
Independence is fundamental to an audit. To be independent means that objectivity and integrity are not impaired.
Financial, employment, business and personal relationships between the auditor and their client could impair, or be
seen to impair, auditor independence.
You should now be able the meet the first learning outcome for this module.
11.5 FRC Ethical Standard
The Ethical Standard (‘ES’) has been issued to provide assurance practitioners with some guidance in meeting
ethical requirements. The ES is a single ethical standard broken down into relevant Parts and Sections. Part A of the
ES covers the overarching principles and supporting ethical provisions, with Part B providing general requirements
and guidance in relation to specific ethical matters. Part B is broken down into:
Section 1 General requirements and guidance;
Section 2 Financial, business, employment and personal relationships;
Section 3 Long association with engagements and with entities relevant to engagements;
Notes

Section 4 Fees, remuneration and evaluation policies, gifts and hospitality, litigation;
Section 5 Non-audit/ additional services; and
Section 6 Provisions available for audits of small entities.
Note: Section 6 recognises that the full ES can be hard to implement on all audits, particularly when auditing a
small entity, and therefore provides some alternative provisions for auditors of Small Entities. Section 6 will not be
considered further in the TC Assurance and Reporting course.
11.5.1 Part A: Overarching Principles
The ES is driven by the overall principles of integrity, objectivity and independence. That is:
• The audit firm, its partners and all staff shall behave with integrity and objectivity in all professional and business
activities and relationships; and
• In relation to each engagement, the firm and each covered person shall ensure that they are free from conditions
which would make it probable that an objective, reasonable and informed third party would conclude that
independence is compromised.
Covered person: A person in a position to influence the conduct or outcome of the engagement. On an audit
engagement this includes:
• each member of the engagement team;

• persons who provide engagement quality review1 for the engagement;
• any other person who is involved in the audit (e.g., an external expert of the audit firm); and
• a number of other individuals within the audit firm with supervisory, management and other oversight
responsibilities.
All covered persons should remain alert to conditions or relationships that could compromise the independence
of the firm. If they become aware of a possible impairment to independence, this should be reported to the
engagement partner.
1. Engagement quality reviews will be discussed in Module 14.
Notes

11.5.2 Section 1: General Requirements and Guidance
The ES identifies six categories of threat which may affect independence:
Threat Description Examples
Self-interest A self-interest threat arises when auditors Where the auditor:

have financial or other interests which
• has an investment in the client;
may cause them to be, or be perceived to
• needs to recover outstanding fee
be, reluctant to take actions that would be
income from the client; or
adverse to the interests of the audit firm or
• is excessively dependent on the client.
any individual in a position to influence the
conduct or outcome of the audit.
Self-review A self-review threat arises when the results Where the auditor is involved in:
of a non-audit service performed by the
• maintaining accounting records;
auditors or by others within the audit firm
• asset valuation or actuarial valuations;
are reflected in the amounts included or
or
disclosed in the financial statements.
• auditing controls that the auditor had
designed and implemented.
Management A management threat arises when the audit The auditor or audit firm is involved in:
firm undertakes work that involves making
• the design, selection and
judgements and taking decisions that are
implementation of accounting
the responsibility of management. In such
information systems; or
work the interests and views of the auditor
• executive recruitment services.
may become closely aligned with those of
the directors and management, resulting
in their objectivity and independence
potentially being, or being seen to be,
impaired.
MASSIF
Notes

Threat Description Examples
Advocacy An advocacy threat arises when the audit Where the auditor or audit firm:
firm undertakes work that involves acting
• acts on the client’s behalf to negotiate a
as an advocate for an audited entity and
reduction in tax liability;
supporting a position taken by management
• provides legal services to the client,
in an adversarial or promotional context. In
including acting as a legal advocate for
order to act in an advocacy role, the audit
the client in litigation; or
firm has to adopt a position closely aligned
• being actively responsible for marketing
to that of management. This creates both
an entity’s shares.
actual and perceived threats to the auditor’s
objectivity.
Familiarity A familiarity (or trust) threat arises when Where the auditor or audit firm:
the auditor is predisposed to accept, or is
• develops a close personal relationship
insufficiently questioning of, the client’s point
through long association with the client;
of view.
or
• has a family relationship with senior
client staff.
Intimidation An intimidation threat arises when the Where the auditor encounters:
auditor’s conduct is influenced by fear or
• an aggressive or dominating individual;
threats.
• threat of replacement as auditor due to
disagreement with the client; or
• pressure to reduce the extent of audit
work to reduce the fee.
The ES requires auditors to identify and assess the circumstances that could adversely affect the auditor’s
objectivity, that is, identify situations where one or more of the above threats to independence occur. Once these
threats have been identified, the auditor should apply procedures/ safeguards which will either:
1. eliminate the threat; or

2. reduce the threat to an acceptable level, that is, a level at which it is not probable that a reasonable and
informed third party would conclude that the auditor’s objectivity is impaired or likely to be impaired.
Notes

Where a threat is clearly insignificant, no safeguards are needed. However, an auditor should be aware that in some
situations it may not be possible to implement safeguards to either eliminate or reduce the threat to an acceptable
level. In such situations, the affected auditor or audit firm would be unable to undertake work on the engagement.
11.5.3 Section 1 – Additional Requirements
Ethics Partner
Each audit firm should have policies and procedures in place to ensure compliance with the Ethical Standard. Audit
firms should nominate a partner in the firm as an ‘ethics partner’ who is responsible for the adequacy of the policies
and procedures and for ensuring that they are communicated to the other partners and staff within the firm and
providing guidance to partners and staff on the application of the ES.
Communication with Those Charged with Governance
The auditor is required to communicate all significant facts and matters that impact on auditor integrity, objectivity
and independence to those charged with governance; either the audit committee, where one exists, or the board
of directors. Auditors of listed or public interest entities (‘PIEs’) are required to ensure that the audit committee is
provided with:
• a written disclosure of relationships that may bear on the integrity, objectivity or independence of the firm;
• details of non-audit services, including the fees charged;
• written confirmation that the firm and each covered person is independent;
• details of any inconsistencies between the ES and the policy of the entity for the provision of non-audit services;
• details of any breaches of the requirements in the ES, and of any safeguards applied and actions taken to
address any threats to independence; and
• an opportunity to discuss independence issues.
Public interest entity (‘PIE’): In the UK, public interest entities include:
• all UK entities that are listed on the London Stock Exchange or other regulated market (this does not
include the AIM listed entities);
• all credit institutions regardless of whether they are listed or not; and
• all insurance undertakings regardless of whether they are listed or not.
Notes

Documentation
The engagement partner must also ensure that their consideration of objectivity and independence (including threats
identified and safeguards put in place) is adequately documented in the audit file on a timely basis.
11.6 Provisions of the Ethical Standard
Sections 2 to 5 of the ES contain a number of scenarios where auditor independence might be threatened. Certain
scenarios can be safeguarded against, and these are identified by the ES. Certain other scenarios would definitely
threaten auditor independence, so are prohibited. The ES also highlights where heightened requirements exist for
listed entities and PIEs.
11.6.1 Section 2: Financial, Business, Employment and Personal Relationships
Section 2 of the ES is one of the longer sections, covering a number of different ethical scenarios. The following
common ethical situations are outlined below:
• Financial relationships;
• Business relationships;
• Employment relationships; and
• Family and other personal relationships.
Scenario Examples Threat(s) Exceptions
Financial interest a) Shareholdings Self-interest No exception for direct

in the audit holdings.
An auditor (or any person closely
client
associate with them2) or the audit firm Exception where the
b) Debt
should not hold any financial interest in interest is an immaterial
instruments,
an audit client or an affiliate of an audit indirect investment
for example,
client. Financial interests may be direct where the holder has no
debentures in
or indirect, that is, owned through influence over investment
the audit client;
intermediaries (e.g., via a pension decisions.
or
scheme).
c) Share options.
2. The FRC defines persons closely associated as a spouse (or legal equivalent), a dependent child, a relative with whom a house is shared for
at least a year and a firm that is controlled by the audit firm.
Notes

Loans and guarantees a) Mortgages; Self-interest A loan from an audit

b) Bank overdrafts; client is permissible if:
Auditors, persons closely associated Intimidation3
or
with them and the audit firm should • the client is a bank or
c) Car loans.
not accept a loan from, nor have their similar deposit taking
borrowings guaranteed by, an audit institution;
client or vice versa. • the loan is made in
the ordinary course of
business on normal
business terms; and
• it is not material to
the audit firm and
client.
Business relationships a) Joint venture Self-interest Where the transaction is:

with audit client;
The audit firm/ audit staff members Intimidation • in the normal course
b) Distribution/
(or persons closely associated with of business, on an
marketing Advocacy4
them) should not enter into business arm’s length basis;
arrangements;
relationships with the audit client. and
or
• the transaction is
c) Auditor leases
clearly not material to
office space
either party.
from client or
vice versa.
3. Possible where the auditor is dependent on the loan or guarantee.

4. Dependent on the nature of the relationship
Notes

Audit staff on loan to audit client Audit manager on Management The only exception
secondment to relates to staff employed
Firms shall not enter into agreements Self-review
client to assist with by a UK national audit
with audit entities or their affiliates to
the implementation agency5. In this case, an
provide partners or employees to work
of the new stock exception would be made
for them for a temporary period (i.e. on
system. assuming the seconded
a secondment).
role:
• included no line
management
or management
responsibilities
• was for a period of
no longer than three
months (six months if
the employee is on a
training contract)
• did not include
the provision of a
prohibited service
For all other audit firms,

there are no exceptions.
5. Examples of national audit agencies include Audit Scotland and the National Audit Office.
Notes

Audit staff potentially leaving to join Audit senior accepts Self-interest n/a
an audit client offer to become
Familiarity
internal audit
Where any member of the
manager of client. Intimidation
engagement team who was involved
in an engagement in the previous year
(or two years in the case of a partner),
is going to be employed by a client
they must:
• notify the firm of any situation

involving their potential/ probable
employment with any such entity;
• be removed from the engagement
team; and
• have a review performed of their
work on both their current and
most recent engagement.
Notes

Audit staff leaving to join an audit a) The Familiarity A former engagement

client engagement partner joining the
Self-interest
partner client, who has not been
It is not allowable6 for any partner
becomes Intimidation connected with the client
on an engagement to join the client
financial director for at least two years,
in a key management position, as a
of client; or may be an acceptable
director on the board or as a member
b) The tax threat, but should be
of the audit committee within 1 year (or
partner being carefully considered.
2 years in the case of a public interest
appointed to
entity) of the date the individual ceased A partner from the
the client’s audit
to be a partner on the engagement. firm, who has had no
committee.
involvement in the
There are also additional rules
engagement or with any
about other partners within the firm
of the members of the
joining an audit client (for which
engagement team for at
they are not necessarily involved in
least two years would
the engagement), whereby the firm
likely be an acceptable
may need to resign from the audit
threat.
engagement.
If a member of the audit team joins

the audit client in a key management
position within two years of leaving
the engagement team, then the
composition of the current audit team
should be considered to ensure
independence is maintained.
6. SI 2016/649 The Statutory Auditors and Third Country Auditors Regulations 2016, Schedule 1, paragraph 7
Notes

Former audit client staff joins the Financial controller Self-interest No exception to exclusion
audit firm at the audit client rule.
Self-review
joins audit firm as
Where a former director or employee
an audit senior Familiarity
of an audit client who was in a position
manager
to exert significant influence over the
preparation of the financial statements
joins the audit firm, they should be
excluded from any role that would
make them a covered person for the
engagement for a period of two years
following the date of leaving the entity.
Note that judgement is required, and

that this two year period may need to
be extended if the financial statements
are materially affected by this person’s
work at the entity for a longer time
period.
Significance of threat (and therefore

need to extend exclusions) depends on:
• Position the individual held within

the entity
• Length of time since the individual
left the entity
• Position the individual holds in the
engagement team or audit firm
Notes

Family and other personal a) Spouse working Familiarity The significance of the
relationships as finance threat depends on:
Self-interest
director – may
If a relative of a member of the audit • The audit member’s
not be deemed Intimidation
team has a financial, business or involvement in the
an acceptable
employment relationship with the audit engagement;
threat; or
client, then this may cause a perceived • The nature of the
b) Adult daughter
or actual impairment to auditor family relationship;
working in
integrity or objectivity. The firm should and
the marketing
have procedures for staff to report • The family member’s
department
any possible relationships that may relationship with the
– possibly
compromise independence and the entity.
acceptable
engagement partner must assess any
threat. A distinction is made
threats identified and apply appropriate
between persons closely
safeguards. The engagement partner
associated and close
may do this in consultation with the
family.7
ethics partner, if appropriate.
Note: These are the rules laid out in the relevant sections of the Ethical Standard. However, it should be
remembered that overarching these specific rules the auditor should always consider whether it is probable that a
reasonable and informed third party would conclude that integrity or objectivity either is or could be impaired.
7. The standard defines close family as parents, non-dependent children and siblings who are not ‘persons closely associated’.
Notes

Activity 2
Denbat plc (‘Denbat’) manufactures and sells sports bats and racquets. The company has been enjoying
substantial growth over the last few years and its auditors have resigned due to the fact that they have
insufficient staff to meet the needs of the expanding business. In light of this fact, Denbat has approached
your firm, AB LLP (‘AB’) to take on the audit going forward. You have been asked by the partners to assist
in their assessment of whether or not AB can accept the Denbat engagement by identifying which of the AB
members of staff identified below would be able to work on the engagement if it was accepted. From your
initial assessment you have identified a number of potential threats to AB’s independence due to links with the
audit engagement team and Denbat. Denbat is not a public interest entity.
Your audit partner has asked you to identify which staff can be involved in the audit and any safeguards that
could be put in place for each threat to ensure that AB can accept the engagement.
Name Details Threat(s)
1. Max Max and Denbat’s Chief Executive Max’s close relationship with Denbat’s
Mundalaney Officer (‘CEO’), Clint Clanger, personally CEO represents potential self-interest
(partner) sponsor the local under 18s’ Summer and familiarity threats. Although the ES
tennis tournament. Max and Clint have does not specifically mention friendship,
been friends since they trained together the perception here could be that Max
at ICAS. is not independent (in the eyes of a
reasonable and informed third party).
2. Erik Tronovski Erik worked at Denbat as the Financial Erik worked at Denbat, and as the
(senior Controller until 6 months ago, when he Financial Controller would likely have had
manager) joined AB in his current role. significant influence over the financial
statements. There is therefore a risk of
self-interest, self-review and familiarity if
he were to become involved in the audit.
Notes

Name Details Threat(s)
3. Gerry Grainger Gerry is married to Janet Grainger, Although the role of payroll assistant
(audit senior) Denbat’s payroll assistant. is not a senior role, the processing of
payroll does have an impact on the
financial statements. In addition, the
relationship is with a ‘person closely
associated’ with Gerry, and so the
perception may be that self-interest,
familiarity or intimidation threats exist.
4. Sam Cotteral Sam owns 100 £1 shares in Denbat, Potential self-interest threat, as the
(audit junior) which he inherited from his grandfather’s shares held represent a direct financial
estate. interest in Denbat.
5. Tilly Guthrie Tilly’s Father is FD of Denbat’s parent Potential self-interest, familiarity and
(audit junior) company, Super Sports Corp. intimidation threats due to her having a
close family relationship.
1.
2.
3.
4.
5.
Solution
Notes

Learning Outcome 2: Describe the coverage of Part A and Sections 1 and 2 of the FRC Ethical
Standard
Section 1 of the ES describes the six categories of threats to independence.
Section 2 covers a number of different scenarios in the areas of financial, business, employment and personal
relationships.
11.6.2 Ethical Standard Sections 3 to 5
The remaining sections of the Ethical Standard are:
• Section 3 – Long association with engagements and with entities relevant to engagements;
• Section 4 – Fees, remuneration and evaluation policies, gifts and hospitality, litigation; and
• Section 5 – Non-audit/ additional services.
The tables on the following pages identify some of the more common threats to auditor independence covered in
these sections.
Notes

Section Scenario Threat Safeguard/ ES Requirements
3 Longstanding Familiarity Rotation of the audit partner should be considered

association with the after 10 years in the role. If this is not carried out an
Self-interest
audit engagement alternative safeguard should be put in place such as:
Self-review
Long association by • involving an additional partner who is not or
one or more members has not recently been involved on the audit
of the audit team engagement to review the work; or
with a particular audit • applying independent quality reviews to the audit
client might lead to an engagement.
actual or perceived
If the individual is not removed, the reasons behind
lack of scepticism
the decision must be documented and those charged
when performing the
with governance of the audit client should be
audit.
informed.
There are some more specific safeguards for public

interest and listed company audits8:
a) The engagement partner should be rotated after

five years, with limited flexibility to extend to
seven years maximum (and must not return to
the role for five years);
b) The engagement quality reviewer (‘EQR’) should
be rotated after seven years (and must not return
to the role for five years);
c) Any other related key partner (such as the tax
partner) must be rotated after seven years (and
must not return to the role for two years); and
d) The independence of any other audit staff should
be seriously considered and discussed with the
ethics partner after seven years.
8. In June 2016, the Companies Act was updated to include rules on mandatory audit firm rotation of auditors of public interest entities (‘PIEs’). A
maximum period of ten years has been introduced which can be extended to twenty years provided that an appropriate tender process takes
place at least every ten years. Therefore, under the Companies Act 2006, an audit firm can only undertake a PIE audit for a limited period.
Notes

4 Contingent fees Self-interest Such arrangements create threats to independence

which are so significant that they cannot be eliminated
An audit should not
or reduced to an acceptable level.
be undertaken on
a contingent fee9
basis. The fee should
reflect the time spent
and the skills and
experience of the
audit team. It does
not depend on the
audit opinion given.
The audit firm should

also not provide
any non-audit or
additional services
on a contingent
fee basis, as this
may give rise to
the perception that
the firm’s interests
are closely aligned
with the client, and
therefore audit
independence could
be compromised.
9. A contingent fee is an arrangement made whereby a pre-determined amount is payable to the audit firm based on a specific event/ outcome
taking place, for example, the audit firm receives additional payment if they conclude that the accounts are true and fair, or if they complete
the audit quickly.
Notes

4 Overdue audit fees Self-interest If the firm does not resign, the engagement partner
should apply appropriate safeguards (such as a review
Where fees are
by a partner with relevant expertise who is not involved
overdue, the
in the engagement) and notify the ethics partner of the
engagement partner
facts concerning the overdue fees.
and ethics partner
should consider
whether the audit
firm can continue
or whether it is
necessary to resign
unless fees are
clearly trivial.
Dependence on Self-interest The total fees for non-audit services in relation to a

non-audit services public interest audit client are capped at 70% of the
Intimidation
average of the fees paid over the last three years for
If the auditor is
the audit of the entity.
receiving substantial
fees for non-audit
services from an
audit client there may
be a perceived threat
to independence.
Dependence on one Self-interest If total fees (audit and non-audit) are expected to
client regularly exceed 10% (public interest and other listed
Intimidation
clients) or 15% (non-listed clients) of the annual fee
If an auditor is
income of the audit firm, then the auditor should resign
perceived to be
or not stand for re-appointment.
dependent on a
particular client, Total fees approaching these limits should be
their independence disclosed to the ethics partner and those charged with
is threatened. Their governance at the entity. Potential safeguards include
reliance on a client reducing the amount of non-audit work and applying
could also lead to an independent internal quality reviews.
intimidation threat.

4 Remuneration for Self-interest N/A

selling non-audit
services
Auditors should not

be remunerated,
appraised or given
bonuses based on
the selling of non-
audit services to audit
clients. The focus
for evaluation and
remuneration should
be audit quality.
Gifts and hospitality Familiarity Gifts and hospitality can only be accepted where the
value is clearly trivial. Consideration should also be
Gifts or hospitality Self-interest
made of hospitality offered to audit clients by audit
given by or received
firms/ auditors, to ensure that auditor independence is
by the auditor
not impaired.
could be perceived
as a threat to
independence.
Threatened and Self-interest If litigation is in progress or is probable, the firm

actual litigation should either not continue with or not accept the audit
Advocacy10
engagement.
Where there is
Intimidation
litigation in relation to However, the firm is not required to resign in
audit and non-audit circumstances where an objective, reasonable and
services between the informed third party would not regard it as being in
audit client and the the interests of the shareholders (or equivalent) or
audit firm, this may otherwise contrary to the public interest.
pose a threat to the
auditor’s integrity,
objectivity and
independence.
10. Although advocacy is described by the FRC as ‘acting as an advocate for an audited entity and supporting a position taken by
management in an adversarial or promotional context’ it is specifically highlighted as a threat in this scenario by the ES.

5 Non-audit services Commonly: Common safeguards include:
Before a non-audit Self-interest • Having a separate team from the audit

service is accepted the engagement team perform the non-audit
Self-review
audit firm should: service; and
Management • Complete an independent engagement
• identify and assess
quality review on the audit engagement.
the significance of Advocacy
any threat to integrity, Some of the specific examples in Section 5
Note: Relevant
objectivity and include:
threats depend
independence;
on type of • Internal audit: An audit firm shall not provide
• identify and assess
non-audit internal audit services to any audit client
the available
service under • IT services: A non-audit engagement that
safeguards to
consideration involves design, provision or implementation
eliminate or reduce
(including of a significant part of the accounting
the threats; and
familiarity and system should not be undertaken due to
• consider whether an
intimidation). the potential self-review and management
objective, reasonable
threats.
and informed
• Tax services: Some such services may be
third party would
permitted, but should be considered on
consider that the
a case-by-case basis as there may be a
objectivity of the firm
self-interest, management, self-review or
or covered persons
advocacy threat. Where an entity is listed,
is compromised
the audit firm must not prepare current or
considering
deferred tax calculations which may be
applicable threats and
used by the entity to prepare accounting
safeguards.
entries. No tax work which involves the
If an objective, firm undertaking a management role is
reasonable and permitted.
informed third party • Corporate finance: No such work should
would conclude there be undertaken if it involves dealing,
exists an impairment to underwriting or promoting shares. There
independence then the may be a self-interest, self-review,
non-audit service should management or advocacy threat
not be undertaken or the dependent on the type of work provided.
auditor should resign from • Accountancy services: Audit firms must not
the audit engagement. provide any such service to listed entities
or to any other entity where part of the
service involves the audit firm undertaking a
management role. This is due to the self-
review and management threats.

11.6.3 Prohibition of non-audit services for public interest entities
Section 5 of the Ethical Standard also identifies a number of prohibited non-audit services for the auditors of public
interest entities. The prohibition of these services applies to the year being audited as well as the period immediately
preceding the year being audited. Prohibited non-audit services include (but are not limited to):
• Tax services including those relating to the preparation of tax forms, payroll tax and the calculation of direct,
indirect or deferred tax;
• Services that involve undertaking the role of management;
• Bookkeeping and accounts preparation;
• Payroll services;
• Valuation services; and
• Services related to the entity’s internal audit function.
11.6.4 Permitted non-audit/ additional services for public interest entities
Certain services are specifically permitted for public interest entities. The ES contains a list of such services which
includes (but is not limited to):
• Reporting required by a competent authority or regulator under law (e.g. reporting on client assets);
• Reporting on internal financial controls when required by law or regulation;
• Reporting on the iXBRL tagging of financial statements; and
• Reporting on government grants.
Notes

Activity 3
HK LLP is a medium-sized UK-based accountancy firm that provides accountancy, audit, tax and advisory
services to a broad range of clients across the UK. It has 70 partners across the business streams and has
enjoyed an increase in revenues over the last few years (last year’s total revenue was £52,000,000).
The ethics partner at HK, Gordon Goodman, has been reviewing the audit firm’s current and prospective client
portfolio. He wants to identify if there are any independence threats in relation to the current and prospective
clients that HK needs to respond to. He has asked you to review a portion of the current/ prospective clients
(see below) and for each one identify the following:
a) The independence threats to HK, if any; and
b) The actions HK should take in relation to the threats identified.
Name Current/ Details

prospective
1. Apples-2-Go Current Apples is looking to expand its customer base by offering sales of
Ltd (‘Apples’) its fresh fruit and vegetables over the web. Apples has approached
HK to advise the company in relation to the purchase and
implementation of an appropriate website and sales system to allow
customers to make web-based purchases of Apples’ goods over
the internet. HK currently undertakes Apples’ statutory annual audit.
2. Basic Banking Current For the last seven years, Finn Whizz has been the engagement
plc (‘Basic’) partner and Stanley Standback the EQR for the Basic audit. The
tax audit partner for the last year’s audit has just resigned from HK
and Shona Shepherd (HK partner) suggested that she could take
on the role again after a year’s absence from the job. She has an
excellent knowledge of the client given that she was the tax audit
partner on the engagement for the seven years prior to last year’s
audit. Last year, the work done for Basic by HK totalled £5,100,000.
Basic has a full listing on the London Stock Exchange.
3 Couture Current Charlie Cheaps, the owner and managing director of Couture, was
Curtains Ltd so impressed by the speed that Finn Whizz’s audit team completed
(‘Couture’) Couture’s year-end audit last year that he has said that he will pay
an additional £10,000 to HK if Fizz’s team can “do it as quick again
this year!”

Name Current/ Details
prospective
4 Doncaster Prospective Doncaster has just been bought over by Seriously Sweet Tooth
Doughnuts Ltd Ltd, who use IFRS by choice to prepare their financial statements.
(‘Doncaster’) As such Doncaster has approached HK for assistance in the
conversion of its accounts to ensure that they are IFRS compliant.
Peter Portley, the managing director of Doncaster, has told Stanley
Standback (HK partner) that if he is impressed with HK’s work then
he may also offer Doncaster’s annual audit to HK.
5 Eco-penzil Ltd Current Eco-penzil is currently suffering some financial difficulties due to
(‘Eco-penzil’) the failure in the market place of their latest range of eco-friendly
pens. As such they are three months behind in their payments to all
suppliers (goods and services). Gretna Green, the audit partner on
the engagement, is concerned about the going concern status of
the company.
6 Johnstone Current HK has audited Johnstone for the last 21 years. Albert Ancestral
Brothers’ has been the partner on the engagement for all but one of the
Joiners Ltd years.
(‘Johnstone’)
7 Prance & Prospective Prance & Dance are a family owned pre-school activity centre. The
Dance Ltd owners have approached Gretna Green (HK audit partner), whose
(‘Prance & daughter Molly attends the centre on weekday mornings, to take on
Dance’) the company’s statutory audit.
8 Tim’s Tables Current HK currently provides accountancy services to help Tim Thompson
Ltd maintain his ledgers. Tim is very pleased with the help that he has
received from Albert Ancestral (HK partner) and his accounting
team and as such has asked whether Albert and the team would
consider taking on the annual audit of the company.
Notes

Solution
Notes

11.6.5 Companies Act 2006
Activity 4 – Recap of Module 9
Identify the Companies Act 2006 (‘CA 2006’) provisions that are designed to safeguard auditor independence.
Solution
Learning Outcomes 3 and 4: Describe the coverage of Sections 3, 4 and 5 of the ES and
interpret situations that might threaten auditor independence and highlight any safeguards
Sections 3 to 5 of the ES cover further scenarios in which independence could be threatened:
• Section 3 – Long association with engagements and with entities relevant to engagements;
• Section 4 – Fees, remuneration and evaluation policies, gifts and hospitality, litigation; and
• Section 5 – Non-audit/ additional services.
Safeguards, where possible, are also identified. However, some services have no safeguards and are prohibited.
Additionally, the CA 2006 contains provisions to aid auditor independence.
You should now be able to meet the third and fourth learning outcomes for this module.
Notes

11.7 Sarbanes-Oxley
The introduction in the US of the Sarbanes-Oxley Act (‘SOX’) in 2002 has led to the establishment of heightened
standards over the independence of external auditors. These rules affect the audit of companies that are listed or
associated with a listed company registered with the Securities and Exchange Commission (‘SEC’) in the US. As
such, the US legislation has had an impact on UK auditors.
The effect of SOX and the implementation of subsequent rules made by the SEC are to establish more stringent
standards in relation to the independence of external auditors. The TC Assurance and Reporting course looks at the
following areas that have been affected:
• Prohibition of non-audit services;

• Pre-approval of services;
• Audit partner rotation; and
• Conflicts of interest.
The following table summarises the requirements of SOX in relation to the areas noted above in comparison to UK
Listed Companies not registered with the SEC.
Notes

SOX requirements UK listed company requirements
Prohibition of non-audit services
SOX prohibits accounting firms from providing The FRC ES includes a number of prohibited non-
specified additional services to audit clients. The list audit services for public interest entities. Where
includes bookkeeping, financial information systems non-audit services are allowable, the audit firm should
design and implementation, internal audit and consider whether there are any significant threats to
valuation services. auditor objectivity and the effectiveness of available
safeguards to combat any identified threats.
Pre-approval of services
All services provided by the external auditors (subject No formal pre-approval is required. The audit
to de minimus amounts), in relation to audit work as committee is, however, expected11 to approve non-
well as non-audit work, must be pre-approved by the audit services and monitor the levels of non-audit/
audit committee. Such approvals must be publicly audit work provided by the external auditor and
disclosed within the company’s annual report. consider the nature of permissible non-audit services
that can be supplied.
Audit partner rotation
SOX introduces partner rotation provisions for the Engagement partners should rotate after a period of
engagement partner and the partner in charge of the five years (and not return to the role for five years).
review of the audit. It states that the audit partner However, flexibility of up to an additional two years is
should be rotated after acting for a period of five permitted where the audit committee believes this is
years. However, SOX did not go so far as to insist on necessary to maintain audit quality and the extension
audit firm rotation. is disclosed to shareholders.
The independent review partner should be rotated

after seven years (and not return to the role for five
years).
11. Per the FRC’s Guidance on Audit Committees which is intended to help boards implement the relevant provisions of the UK Corporate
Governance Code
Notes

SOX requirements UK listed company requirements
Conflicts of Interest
SOX prohibits a registered public accounting firm from It is not allowable for any partner on an engagement
providing ANY audit services if the chief executive to join the client in a key management position, as
officer (‘CEO’), chief financial officer (‘CFO’) or chief a director on the board or as a member of the audit
accounting officer (‘CAO’) were employed by the committee within 1 year (or 2 years in the case of a
accounting firm, and participated in any capacity in public interest entity) of the date the individual ceased
the audit of the company during the year preceding to be a partner on the engagement.
the date of the initiation of the audit.
Learning Outcome 5: Sarbanes-Oxley impact
The Sarbanes-Oxley Act introduced legislative obligations for audits of listed companies or material associates
registered with the SEC. These include independence requirements for auditors which are enacted through tight
controls on non-audit work, pre-approval requirements, audit partner rotation and potential conflicts of interest.
You should now be able to meet the fifth learning outcome for this module.
Notes

11.8 Summary
Auditors are expected to behave in an ethical manner as professional business advisors. The ICAS Code of Ethics
identifies five fundamental principles, which all professional accountants including auditors should observe. These
principles are:
• Integrity;
• Objectivity;
COPIP
• Professional competence and due care;
• Confidentiality; and
• Professional behaviour.
Independence is a fundamental principle of auditing, and for an auditor to be independent they must behave with
integrity and objectivity. Independence is so critical that not only must the auditor be independent, they must also be
seen to be independent.
The FRC Ethical Standard explains the main threats to auditor independence:
• Self-interest;
MASSIF
• Self-review;
• Management;
• Advocacy;
• Familiarity; and
• Intimidation.
The auditor must identify such threats and on identification must either eliminate the threat or reduce it to an
acceptable level. To assist, the Ethical Standard highlights a number of situations where the auditor’s independence
might be threatened and for each of these situations the Ethical Standard identifies appropriate safeguards to be put
in place in response to the threats.
Auditors of US-listed companies or their subsidiaries must comply with and have additional independence guidance
in the form of the Sarbanes-Oxley Act auditor independence requirements. Although this is US legislation, it impacts
on the auditors of all SEC-registered companies and their material subsidiaries across the world.
You should now be able to meet all of the learning outcomes for this module. If you are not able to do so, go back to
Notes

Integrity means that the auditor should be straightforward and honest in all professional and business
relationships.
Ethics can be defined as a set of principles of proper conduct or a system of moral values. ‘Professionals’, which
include auditors, are expected to conduct themselves at a higher level of ethical discipline than most others.
Back to activity
Solution to Activity 2 – Denbat plc.
1. Max Mundalaney
Safeguard: Denbat’s Ethical Partner should be notified about the possible threat. Safeguards include
ensuring that Max is not part of the AB audit team if the Denbat engagement is accepted (the most
appropriate safeguard), or, if Max is involved, an independent partner should be involved to provide an
objective quality review of the engagement.
2. Erik Tronovski
Safeguard: The Ethical Standard states that a former employee with significant influence over the
financial statements should be excluded from any covered person role for a period of two years following
the date of leaving the entity. Erik should therefore not be included on the engagement team for at least
another 18 months.
3. Gerry Grainger
Safeguard: Gerry should not be included in the audit team as his wife works at the client in a role that
influences the financial statements.
4. Sam Cotteral
Safeguard: Sam should not be included in the Denbat audit team if he keeps the financial interest. If Sam
disposes of the shares, he could be involved in the engagement team.
5. Tilly Guthrie
Safeguard: Tilly should have no involvement in the audit due to the possible influence her father could
have over Denbat’s financial information.
Back to activity

Solution to Activity 3 – HK LLP
Apples-2-Go Ltd.
a) Independence threats: Potential self-review and management threats in relation to the purchase and
implementation of the website/ sales system.
b) Safeguards: Either the IT consultancy non-audit work should not be accepted, or the audit should not be
continued.
Basic Banking plc.
a) Independence threats: Potential familiarity, self-interest and self-review threats related to long
association of key members of the audit team with the audit and potential dependence on one client.
b) Safeguards: Basic is listed and as such HK must comply with the more stringent safeguard measures for
the audit of listed companies laid out in the ES. Engagement and EQR partners should not remain on the
audit for a maximum of seven years continuously – as such Finn Whizz and Stanley Standback should be
rotated off the Basic audit. This may prove problematic for HK if replacement partners cannot be found to
replace them. If replacements cannot be found, HK will need to resign from the audit. In relation to the tax
audit partner role, Shona Shepherd will be unable to take on the role as it is a key partner role and the ES
dictates that there must be a cooling off period of at least two years before a key audit partner can return
to the role. Shona has only been away from the job for one year. HK will need to find an alternative tax
audit partner to take on the role.
In addition, total fees of £5,100,000 are approaching the 10% fee threshold for listed companies. HK will
need to consider what safeguard they could implement to remove the perceived threat to independence.
This could include reducing the amount of non-audit work performed.
Couture Curtains Ltd
a) Independence threats: Self-interest due to the prospect of a contingent fee.

b) Safeguards: Contingent fees are not permitted by the ES and as such the £10,000 contingent bonus
cannot form part of the fee agreement between HK and Couture if HK wish to undertake the audit. HK
should ensure that no other part of the Couture fee, or indeed any other non-audit service fee, contains a
contingent element. Where Couture will only offer a fee on a contingent basis, HK should not accept the
current year audit engagement/ resign from the engagement.
Notes

Doncaster Doughnuts Ltd
a) Independence threats: Potential self-interest, self-review and management threats. The threats arise
if HK undertakes the IFRS non-audit work and then audits the financial statements that have been
converted to IFRS compliant statements under the advice of HK.
b) Safeguards: HK should only accept the non-audit IFRS work or the audit work.
Eco-penzil Ltd
a) Independence threats: Potential self-interest threat, as Eco-penzil is overdue with its payments and a
current client, which indicates that Eco-penzil is overdue with regards to the prior year audit fee.
b) Safeguards: Where audit fees are found to be overdue, the ES indicates that the engagement partner
should discuss this with the ethics partner, and HK should consider not agreeing to continue with the
current year engagement until the fee and payment method have been agreed. If this cannot be agreed,
HK should consider resigning.
Johnstone Brothers’ Joiners Ltd
a) Independence threats: Potential familiarity, self-interest and self-review threats in relation to Albert due
to his long association with the client.
b) Safeguards: The ES identifies that for non-PIE entities (like Johnstone), an engagement partner should
not remain on an engagement continuously for more than ten years unless it is possible to justify why
continued involvement does not result in a threat to the firm’s objectivity and independence. As such HK
should assess whether Albert’s long association is an issue and document their related justification if it
is believed not to be so, and communicate to those charged with governance. If a decision is made to
keep Albert as partner, HK should involve an EQR in the audit or have the audit independently quality
reviewed.
Prance & Dance Ltd
a) Independence threats: None. The relationship that Greta has with Prance is in the course of normal
business and is likely to be immaterial to both parties.
b) Safeguards: None required.
Tim’s Tables Ltd
a) Independence threats: Self-review threat if the audit engagement is accepted and the accountancy
services retained.
b) Safeguards: When an auditor significantly contributes to, and audits, the financial statements, this would
adversely affect the objectivity and independence of the firm in relation to the audit. HK should consider
either refusing the Tim’s Tables audit or resigning from the accountancy work. However, as Tim’s Tables
it is not a listed entity, then as long as the services do not involve a management role, and if appropriate
safeguards are put in place, the services are not prohibited. An appropriate safeguard would include
ensuring that appropriate Ethical Walls between the audit and accounting team were applied.
Back to activity

The CA 2006 contains a number of provisions to try to safeguard auditor independence:
• The shareholders appoint the auditor rather than the board;

• The auditor’s remuneration is fixed by shareholders;
• Publication of the detail of amounts paid to the auditor within the financial statements to enable
consideration of the balance of non-audit and audit work in the context of auditor independence; and
• There are penalties in place for failing to provide the auditor with information relevant to the audit (e.g., on
matters concerning independence). The auditor is given the investigative and reporting freedoms needed
to perform his duties.
Back to activity
Notes

Module 12. Regulatory Framework
Contents
12.3 Overview of the Independent UK Regulatory Framework 239
12.3.1 UK Assurance Standards and Guidance 240
12.3.2 Scope and Authority of FRC Pronouncements 242
12.3.3 The standard setting process 242
12.3.4 Enforcement and discipline 243
12.4 International Financial Reporting Standards 245
12.4.1 The Need for International Accounting Standards 245
12.4.2 Barriers to Global Adoption of IFRS 246
12.4.3 Development of IFRS 246
12.4.4 IFRS Interpretations Committee 247
12.5 International Auditing Standards 248
12.5.1 The need for International Auditing Standards 248
12.5.2 IFAC and the IAASB 248
12.5.3 Role of the IAASB 249
12.5.4 Oversight of the IAASB 249
12.5.5 International Standards on Auditing 249
12.5.6 Other IAASB Pronouncements 250
12.5.7 Scope and Authority of IAASB Pronouncements 251
12.6 Summary 252

12. Regulatory Framework
A panel discussion is available on myCABLE
12.1 Introduction
So far in the course we have introduced external audit and dealt with some of the statutory and common law
responsibilities of the auditor. Previous modules have referred to other requirements for auditors such as auditing
standards.
The regulatory environment for audit and corporate reporting in the UK is currently undergoing significant change
with the previous oversight body, the Financial Reporting Council (‘FRC’), being transitioned into a new body: the
Audit, Reporting and Governance Authority (‘ARGA’). The module will consider the impact of the globalisation of the
accounting and auditing professions on the development of auditor guidance.
1. describe the role and function of the UK’s auditing and corporate reporting regulator, including its standard
setting process;
2. describe the role and function of the International Accounting Standards Board, including its standard-setting
process and harmonisation; and
3. describe the role and function of the International Auditing and Assurance Standards Board, including its
standard-setting process and harmonisation.
Achieving these objectives will help you to meet the fifth learning outcome of the course as per the syllabus.
12.3 Overview of the Independent UK Regulatory Framework
In March 2019 it was announced that a new enhanced regulator will be established to transform the audit and
accounting sector in response to the comprehensive Independent Review led by Sir John Kingman. The new
regulator replaces the Financial Reporting Council (‘FRC’), the UK’s independent regulator for corporate reporting
and governance.
The FRC’s transformation programme is currently in progress, with the intention that ARGA will be created, fully
formed, as soon as legislation permits. Based on the FRC’s 3-year plan (2022-25) and budget for 2022/23 onwards,
it is expected that ARGA should be created within this next three year period, i.e. by 2025. Whilst the transition
continues, the FRC remains the current regulator.
Notes

The role of the FRC includes, but is not limited to:
• Acting as the Competent Authority for statutory audit in the UK, setting auditing and ethical standards and
monitoring and enforcing audit quality;
• Setting UK and Ireland accounting standards (Financial Reporting Standards ‘FRS’);
• Monitoring/maintaining the UK Corporate Governance Code, the UK Stewardship Code and standards for
actuarial work;
• Monitoring and taking action to promote the quality of corporate reporting; and
• Operating some independent disciplinary arrangements for accountants and actuaries and overseeing
accountants and actuaries.
The aim of the FRC is to promote investor engagement, true and fair reporting, good governance, high quality
audit, high quality actuarial work and trustworthy professions. This is in order to establish confident investors, sound
decision making by companies, effective capital markets and enhanced trust in business.
We will not consider the FRC’s role in relation to actuaries further in this course.
12.3.1 UK Assurance Standards and Guidance
International Standards on Auditing (UK)
One of the FRC’s responsibilities is to set and issue standards for auditing. These standards are based on an
international set of standards called the International Standards on Auditing (‘ISAs’), which are issued by the
International Auditing and Assurance Standards Board (‘IAASB’). The FRC makes some amendments as necessary
to the ISAs to adapt them to the requirements of the UK marketplace and law. The IAASB and its auditing standards
will be revisited in detail in Section 12.5.
ISAs (UK): set out the basic principles and essential procedures with which external auditors in the UK are
required to comply.
Notes

Other Assurance Pronouncements Issued by the FRC
In addition to the ISAs (UK), the FRC also published other pronouncements which can impact the way in which an
auditor performs an audit engagement or other types of engagements that the auditor may be requested to perform:
Ethical The FRC issues an Ethical Standard on the integrity, objectivity and independence of
Standard auditors, and those carrying out other public interest assurance engagements. The Ethical
Standard contains overarching principles and supporting ethical provisions as well as general
requirements and guidance. This was covered in detail in Module 11.
Practice The FRC issues practice notes to assist auditors in applying general auditing standards to
Notes particular circumstances and specific industries. For example, Practice Note 11 provides
the auditor with guidance in relation to the audit of charities in the United Kingdom.
Practice notes are persuasive rather than prescriptive and are indicative of good practice.
Bulletins Bulletins are issued by the FRC to provide auditors with timely guidance on new or
emerging issues. For example, Bulletin 2009/4 Developments in Corporate Governance
Affecting the Responsibilities of Auditors of UK Companies is a bulletin on auditors’
responsibilities when reviewing compliance with the UK Corporate Governance Code.
Bulletins are persuasive rather than prescriptive and are indicative of good practice.
International The FRC has adopted ISQM 1 and 2, which are produced by the IAASB. ISQM (UK) 1 and 2
Standard will be discussed further in Module 14.
on Quality
Management
(UK) 1 and 2
International The FRC has adopted ISRE 2410, which is produced by the IAASB, and have issued it
Standard as ISRE (UK) 2410. This ISRE provides guidance for the auditor when reviewing interim
on Review financial information produced by entities.
Engagements
(UK) 2410
Standards for The FRC produces Standards for Investment Reporting (‘SIRs’). These contain basic
Investment principles and essential procedures with which reporting accountants must comply whilst
Reporting conducting an engagement in connection with an investment circular (e.g., a prospectus,
listing particulars, circular to shareholders or similar documents) prepared for issue
in connection with a securities transaction governed wholly or in part by the laws and
regulations of the UK.
Standards The FRC issued a standard on Providing Assurance on Client Assets to the Financial
for providing Conduct Authority (‘FCA’). The Client Asset Assurance Standard is specifically for Clients
assurance on Assets Sourcebook (‘CASS’) auditors in conducting an engagement to report to the FCA in
client assets respect of Client Assets.
to the FCA

12.3.2 Scope and Authority of FRC Pronouncements
Under the rules of each Recognised Supervisory Body (‘RSB’), e.g., ICAS, statutory auditors in the UK are
required to follow the UK auditing standards produced by the FRC including the ISAs (UK). Auditors who fail
to comply may have their statutory auditor status withdrawn by their RSB. All relevant FRC pronouncements, and in
particular auditing standards, are likely to be taken into account when the adequacy of the work of auditors is being
considered.
12.3.3 The standard setting process
The FRC has a consistent approach to the development and issue of codes and standards, across the range of its
responsibilities.
The process for the development and issue of codes and standards is as follows:
1. Development
A topic may be identified as requiring the issue or amendment of an FRC pronouncement. This identification may
originate from the FRC Board, elsewhere in the FRC’s governance structures or the FRC Executive. The Executive
then considers whether it would be appropriate to develop new or revised material. The Executive then undertakes
any necessary research and consultation required for the issues raised to be considered by the relevant bodies
within the FRC for debate and refinement.
2. Consultation
The FRC consults, formally and informally, on what new or amended content would be appropriate. An exposure
draft is then prepared which is considered internally by the FRC and then, as amended, published to allow all
interested parties to comment. There may be a further round of consultation and refinement, though the final content
of any pronouncement is ultimately the responsibility of the FRC.
Notes

Activity 1
Prior to issuing or amending a pronouncement, the FRC issues a draft which is put into the public domain for
comment. Why do you think this is the case?
Solution
3. Governance and voting
Any proposal to issue, amend or withdraw a Code or Standard will be put to the FRC Board with the full advice of the
relevant FRC bodies. A two-thirds vote of the FRC Board is required.
4. Publication
The issued or amended pronouncement will be published on the FRC website and any withdrawn pronouncement
will be identified as such. A press notice will be published, and any relevant authorities will be informed.
12.3.4 Enforcement and discipline
The FRC is the UK Competent Authority for statutory auditors and the independent disciplinary body for accountants
and actuaries in public cases. Therefore, the FRC can currently investigate and act against:
Auditors The FRC has responsibility for enforcement action in relation to audit firms and individual
auditors.
Accountants The FRC can also take enforcement action in respect of suspected misconduct by individual
accountants and firms of accountants, who are members of a participating accountancy
body, in relation to non-audit work in public interest cases. ICAS is an example of such a
participating accountancy body.
Notes

The Audit Enforcement Procedure (‘AEP’)
The process for the FRC to investigate and discipline auditors is as follows:
Initial Initial enquiries are conducted by a Case Examiner, who may in turn refer the case to the
enquiries FRC’s Board or Conduct Committee, who will determine whether the matter should be
referred to the FRC’s Executive Counsel to be investigated. The Conduct Committee will also
decide whether the fact of an investigation is to be published.
Investigation An investigation will be conducted by the Executive Counsel’s in-house team of lawyers
and forensic accountants, culminating in an Investigation Report. At the conclusion of the
investigation, the Executive Counsel will issue a Decision Notice which will set out any
Adverse Findings and a proposed sanction.
If the findings and sanction are accepted by the investigation subject, the process will
end there. Agreed Decision Notices are subject to approval by an Independent Reviewer.
Publication of sanctions issued is mandatory.
Tribunal If a matter is not concluded at the investigation stage nor otherwise settled, it shall be
referred to the Tribunal. The Tribunal will hear evidence and determine whether or not to
make an Adverse Finding. Where an Adverse Finding has been made, the Tribunal may
impose sanctions. Publication of sanctions issued is mandatory.
Settlement At any time after a notice of investigation has been issued but before a Tribunal has issued
its decision, the parties may seek to agree settlement. The Executive Counsel will issue a
Settlement Decision Notice if the terms of settlement are agreed. Agreed Settlement Decision
Notices are subject to approval by an Independent Reviewer. Proceedings will continue if no
settlement is reached.
Parties under investigation retain a right to appeal within 28 days of the issuing of the Final Decision Notice or Sanction,
and the Board may reconsider decisions made where it appears that the decision was materially flawed, or significant
and relevant new evidence has been received, and it is deemed necessary to reconsider in the public interest or to
prevent injustice.
At the initial enquiries stage, the Board can choose to delegate the investigation to the appropriate RSB, rather than
refer it to the Executive Counsel. In this case, the RSB may exercise powers of investigation on behalf of the FRC.
Under the CA 2006, each RSB is required to have formal procedures for the investigation of complaints against
members and participate in the independent investigation process for public interest cases run by the FRC.
Notes

Learning Outcome 1: Describe the role and function of the UK’s auditing and corporate
reporting regulator, including its standard setting process
The aim of the FRC is to promote investor engagement, true and fair reporting, good governance, high quality
audit, high quality actuarial work and trustworthy professions. This is in order to establish confident investors, sound
decision making by companies, effective capital markets and enhanced trust in business.
The FRC has clearly established processes for setting standards and guidance as well as for investigating and
disciplining auditors and accountants.
12.4 International Financial Reporting Standards
This section will look at accounting standards from an international perspective.
12.4.1 The Need for International Accounting Standards
The globalisation of businesses and capital markets has resulted in a need for internationally comparable and
consistent financial statements. Therefore, the regulatory bodies responsible for protecting stakeholders and
the integrity of the accounting profession (e.g., the FRC and the IASB) have been making considerable efforts to
develop high quality accounting standards that can be implemented in the global and domestic capital markets.
The International Accounting Standards Board (‘IASB’): the independent standard-setting body of the
IFRS Foundation. It is an independent group, normally consisting of 14 experts with responsibility for the
development and publication of International Financial Reporting Standards (‘IFRS’) and for approving
Interpretations of IFRS as developed by the IFRS Interpretations Committee.
The IFRS issued by the IASB have helped to improve and harmonise financial reporting around the world. The
standards are used:
• as national requirements, often after a national process;

• as the basis for all or some national requirements;
• as an international benchmark for domestic and foreign companies;
• by regulatory authorities for domestic and foreign companies; and
• by companies themselves.
Notes

12.4.2 Barriers to Global Adoption of IFRS
Two main barriers to global adoption of IFRS have been identified:
The difference between US US standards are generally quite prescriptive, detailing the exact accounting
accounting standards and treatment to use in particular situations rather than the principle-based approach
international standards favoured by the international standards.
Concern that the The IASB’s response to the perceived bias towards large companies has been
international standards to prepare an International Financial Reporting Standard for Small and Medium-
are overly onerous to sized Entities (IFRS for SMEs) which provides a simplified set of accounting
small businesses, as they principles that have been derived from the full IFRS, and are deemed
are aimed towards listed appropriate for smaller, non-listed companies.
companies
12.4.3 Development of IFRS
Standard-Setting Process
The IASB uses the Conceptual Framework for Financial Reporting and consultative procedures to develop its
accounting standards. These procedures are designed to ensure:
• transparency and accessibility;

• extensive consultation and responsiveness; and
• accountability.
Notes

The process for the production of IFRS is as follows:
Step 1: Publication of a This document is not mandatory, although it is normally published by the IASB
Discussion Paper to explain the issues in the standard and is a way to receive feedback from
constituents at an early stage in the process. If the IASB decides to omit this
step it will clearly state its reasons for doing so.
Step 2: Publication of an This document is mandatory and is the IASB’s main vehicle for consulting
Exposure Draft the public. Unlike a discussion paper, an exposure draft sets out a specific
proposal in the form of a proposed IFRS standard (or amendment to an existing
standard). Any comments are considered by the IASB and may be incorporated
into the IFRS.
Step 3: Publication of an An IFRS is only issued once approved by the board.

IFRS
Authority of the IASB
At present the IASB has no means of directly enforcing the adoption of IFRS. Instead they must be adopted by:
• governments (e.g., the UK or EU);

• individual standard-setters (e.g., the FRC); or
• particular companies.
This is why the requirement for UK and EU listed companies to adopt IFRS for their consolidated accounts has been
so important to the status of these standards.
12.4.4 IFRS Interpretations Committee
The IFRS Interpretations Committee is the interpretative body of the IASB and works with the IASB in supporting
the application of IFRS Standards. The Interpretations Committee responds to questions about the application of the
Standards and does other work at the request of the Board.
Notes

Learning Outcome 2: Describe the role and function of the IASB, including its standard-
setting process and harmonisation
The IASB produces IFRS following a wide-ranging consultation process. IFRS Interpretations Committee issues
guidance on areas of conflict or emerging areas to provide timely guidance to the preparers and users of financial
statements.
12.5 International Auditing Standards
This section will look at auditing standards from an international perspective.
12.5.1 The need for International Auditing Standards
Globalisation of business activities and securities markets, facilitated by rapid developments in IT, has created a
need for global harmonisation of auditing standards, particularly for cross-border financing transactions.
Companies entering into global markets are often faced with multiple sets of different auditing standards requiring
them to meet various reporting requirements. The increase in costs and decrease in market efficiency have been
driving factors in the harmonisation of global standards.
The auditing standards issued by the International Auditing and Assurance Standards Board (‘IAASB’) – the
International Standards on Auditing (‘ISAs’), are the current leader for global auditing standards.
12.5.2 IFAC and the IAASB
The International Auditing and Assurance Standards Board is one of the boards of the International Federation of
Accountants (‘IFAC’).
International Federation of Accountants (‘IFAC’): the global organisation for the accountancy profession. It
is dedicated to serving the public interest by strengthening the profession and contributing to the development
of strong international economies.
Notes

IFAC, through its independent standard-setting boards, sets international standards of ethics, auditing and
assurance, education and public sector accounting. It also issues guidance to encourage high quality performance
by professional accountants in business.
The international structure for the setting of auditing standards of which you need to be aware is set out below.
International Federation
of Accountants ‘IFAC’ Public Interest Oversight
Board ‘PIOB’
oversees
International Auditing and Various other boards

Assurance Standards Board ‘IAASB’ and committees
12.5.3 Role of the IAASB
As one of the boards of IFAC, the IAASB’s goals are to enhance the quality and uniformity of practice throughout
the world, and strengthen public confidence in the global auditing and assurance profession by:
• setting high quality auditing, quality management, review, other assurance and related services standards; and
• facilitating the convergence of international and national standards.
Members of the IAASB board are appointed by the IFAC board.
12.5.4 Oversight of the IAASB
The Public Interest Oversight Board (‘PIOB’) was formally established by the international financial regulatory
community to oversee the public interest activities of IFAC. The objective of the PIOB is to increase investor
confidence, and the confidence of other interested parties, that such activities are properly responsive to the public
interest.
12.5.5 International Standards on Auditing
The IAASB produces a number of different types of pronouncements. International Standards on Auditing (‘ISAs’)
provide standards and guidance on the audit of historic financial information. ISAs are intended for use on all
external audits — publicly traded companies, private business of all sizes and government entities at all levels. The
ISAs contain basic principles and essential procedures, together with related guidance in the form of explanatory
Notes

notes and other material, including appendices. It is necessary to consider the whole text of a standard to
understand and apply the basic principles and essential procedures.
The process outlined below is applicable to the development of all IAASB standards:
Step 1: Research A project task force is ordinarily established with the responsibility to develop a draft
and consultation standard or practice note. The task force develops its position based on appropriate
research and consultation.
Step 2: Transparent A proposed standard is presented as an agenda paper for discussion and debate at an
debate IAASB meeting, which is open to the public.
Step 3: Exposure Exposure drafts are placed on the IAASB’s website and are widely distributed for
for public comment public comment. The exposure period is ordinarily 120 days.
Step 4: The comments and suggestions received as a result of exposure are considered at
Consideration of an IAASB meeting, which is open to the public, and the exposure draft is revised
comments received as appropriate. If the changes made after exposure are viewed by the IAASB to be
on exposure substantive so as to require re-exposure, the revised document will be reissued for
further comment.
Step 5: Affirmative Approval of exposure drafts, re-exposure drafts and final international standards is
approval made by the affirmative vote of at least two-thirds of the members.
12.5.6 Other IAASB Pronouncements
The other documents produced by the IAASB include the following:
• International Standards on Assurance Engagements – ISAEs are to be applied on assurance engagements

dealing with subject matters other than historical financial information, for example an opinion on whether
specified controls have operated during a specified period;
• International Standards on Related Services – ISRSs are to be applied to compilation engagements
and engagements to apply agreed upon procedures to information, for example ISRS 4410 – Compilation
engagements;
• International Standards on Quality Management – The IAASB also develops quality management standards
(‘ISQMs’) for firms and engagement teams in the practice areas of audit, assurance and related services;
• International Standards on Review Engagements – ISREs are issued to be applied in audits and reviews of
historical financial information, for example for half-yearly financial reports; and
• International Auditing Practice Notes – IAPNs provide practical assistance to auditors on specific matters.
Notes

12.5.7 Scope and Authority of IAASB Pronouncements
Adoption
At present, the IAASB has no means of directly enforcing the adoption of ISAs. Instead they must be adopted
either by individual standard-setters or national governments.
Impact in the US
In the US, the auditing standards for auditors of all US companies are issued by the American Institute of Certified
Public Accountants (‘AICPA’) and are known as US generally accepted auditing standards (‘US GAAS’). In addition,
the Public Company Accounting Oversight Board (‘PCAOB’), which supervises auditors of public companies,
establishes auditing and quality control standards for public company audits.
The US has indicated that it does not plan to adopt the ISAs in place of US GAAS. However, the both the AICPA’s
auditing standards and the PCAOB standards have been clarified, including convergence with the IAASB ISAs. The
PCAOB’s standards are specific to companies registered with the Securities and Exchange Commission in the US
and hence these are not currently being converged with the ISAs.
Learning Outcome 3: Describe the role and function of the IAASB, including its standard-
setting process and harmonisation
• The IAASB is one of the boards of IFAC. IFAC sets international standards for ethics, auditing and assurance,
education and public-sector accounting. The ISAs are the current leader for global auditing standards;
• The IAASB are overseen by the PIOB;
• There is a prescribed approach to developing all IAASB standards; and
• The IAASB has no means of directly enforcing the adoption of ISAs.
Notes

12.6 Summary
The Financial Reporting Council is the independent regulator of the accounting, actuarial and auditing professions
in the UK.
The role of the FRC includes:
• Acting as the Competent Authority for statutory audit in the UK setting auditing and ethical standards and
monitoring and enforcing audit quality;
• Setting UK and Ireland accounting standards;
• Monitoring/maintaining the UK Corporate Governance Code, the UK Stewardship Code and standards for
actuarial work;
• Monitoring and taking action to promote the quality of corporate reporting; and
• Operating some independent disciplinary arrangements for accountants and actuaries and overseeing
accountants and actuaries.
The FRC issues:
• FRS;
• ISAs;
• Ethical Standard;
• Practice Notes;
• Bulletins;
• ISQM (UK) 1 and 2;
• ISRE (UK) 2410;
• SIRs; and
• Standards for providing assurance on client assets to the FCA.
The approach to developing standards includes: The process for the FRC to investigate and discipline
auditors involves:
1. Development;
2. Consultation; • Initial enquiries;
3. Governance and voting; and • Investigation;
4. Publication. • Tribunal; and
• Settlement
Notes

The Impact of international developments on the auditing profession
The IAASB seeks to harmonise the world’s auditing standards through the release of its ISAs. In the UK, the IAASB’s
auditing standards are used as a basis for the ISAs (UK). The IASB is an independent standard-setter that produces
IFRSs following a wide-ranging consultation process. These standards have been adopted by many countries around
the world.
Issues IFRS for:

IASB • Setting national
requirements
• Basis for national
benchmarks
Reviews divergent/ • International
IFRS Interpretations benchmark
unacceptable treatment
Committee • Use by regulatory
within IFRS Context
authorities
• Use by companies
No means to directly
enforce
• Worldwide
organisation for IFAC
accountants
• Through boards,
sets international
standards of
ethics, auditing and IAASB PIOB
assurance, education
and public sector
accounting
1. Issues ISAs 6. Produces:

2. Sets auditing, assurance, quality management, review, a) ISAEs (other assurance engagements)
other assurance and related services standards b) ISRSs (compilation agreements, AUP)
3. Facilitates convergence of standards c) ISQMs (quality management standards)
4. Members appointed by IFAC board d) ISREs (half-yearly financial report reviews)
5. No means to directly enforce e) IAPNs (practical assistance)
Notes

Process for the development of standards
IASB Pronouncements IAASB pronouncements
IFRS e.g. ISAs, ISQMs
1. Discussion Paper 1. Research and Consultation

2. Exposure Draft 2. Transparent Debate
3. Publication 3. Exposure for Public Comment
4. Consideration of comments received
5. Affirmative Approval
You should now be able to achieve all of the learning outcomes for this module. If you are not able to do so, go back
and revisit the relevant sections.
Notes

Public comment is requested in the process by which auditing standards are produced as it enables all
interested parties to contribute to the generation of standards. Consequently, it provides a transparent
process, whereby any issues regarding the standards for regulators or users are highlighted and considered
at an early stage.
Back to activity
Notes

Module 13. Audit Process:
Fundamental Concepts
Contents
13.3 Audit Risk and Methodology 257
13.3.1 Audit risk definition 257
13.3.2 The risk-based approach 258
13.4 The Audit Process – Fundamental Concepts 259
13.4.1 Materiality 259
13.4.2 Evidence 261
13.4.3 Audit judgement 262
13.5 Audit Risk Model 263
13.5.1 Audit risk model 264
13.5.2 Inherent risk 265
13.5.3 Control risk 267
13.5.4 Risk of material misstatement 268
13.5.5 Detection risk 269
13.6 Summary 271

13. Audit Process: Fundamental Concepts
13.1 Introduction
In this module, we will identify and discuss the fundamental concepts of auditing which represent the foundations
that underpin the audit process.
On completing this module you should be able to:
1. define audit risk and explain the risk-based approach to auditing and the fundamental process concepts of
external auditing; and
2. identify and explain the components of the audit risk model.
Achieving these outcomes will help you to meet the seventh learning outcome of the course as per the syllabus.
13.3 Audit Risk and Methodology
13.3.1 Audit risk definition
Audit Risk: the risk that the auditor gives an inappropriate opinion on the financial statements when the
financial statements are materially misstated.
The auditor will seek to reduce audit risk to an acceptably low level. Giving the incorrect opinion may result in
damage to the firm’s reputation and possible regulatory action.
The auditor will give the wrong opinion where there is a material misstatement in the financial statements that has
not been identified and correctly reflected in the audit opinion.
Misstatement: where there is a difference between an amount, classification, presentation or disclosure

reported in the financial statements and the correct treatment in accordance with the applicable financial
reporting framework. Misstatements can arise from fraud or error.
Notes

Example
Some examples of misstatements are:
• Including debtors in the financial statements as £21,000 instead of £12,000;

• Not recording the write-off of a bad debt in the financial statements; or
• Stating in the fixed assets note in the financial statements that buildings have been depreciated over 25
years, when actually they have been depreciated over 30 years.
13.3.2 The risk-based approach
The external audit requires a balance. The shareholders are keen to have the auditor highlight irregularities in
the financial statements whilst avoiding undue delay of the publication of the information that is being audited and
without running up a significant audit fee.
Auditors have responded to these pressures by developing a ‘risk-based’ approach to auditing, which is required by
the ISAs (UK). This is designed to:
• provide the highest quality evidence in a given time or for a given fee; and
• ensure that adequate evidence is collected on which the audit opinion can be based.
The risk-based approach is not about saving time and money, instead it allows the auditor to focus audit work on the
areas that are most likely to contain issues and so ensures that the audit is efficient.
Risk-based approach: where the auditor tailors the nature, extent and timing of audit procedures
performed on each area of the financial statements according to the risk of there being a misstatement in
that area.
Notes

Example
The auditor may conclude that there is a low risk of the share capital balance in the accounts being misstated
as there are very few transactions occurring in this account during the year. Therefore, the audit procedures
performed on this area would be minimal.
However, the auditor may determine that there is a high risk that debtors may not be recoverable and
therefore their value is overstated. Therefore, additional procedures using more reliable and corroborative
methods would be performed on this area by the auditor.
13.4 The Audit Process – Fundamental Concepts
In addition to the central concept of risk, there are some underlying fundamental concepts that relate to the practical
process of auditing, which we will discuss in turn:
1. Materiality;
2. Evidence; and
3. Audit judgement.
13.4.1 Materiality
An opinion saying that the financial statements give a true and fair view provides reasonable assurance that
the financial statements are free from material misstatement. Therefore, the auditor must consider what level of
misstatement is acceptable before the accounts do not give a true and fair view – that is, what is material?
Materiality: an expression of the relative significance or importance of a particular matter in the context
of the financial statements as a whole. A matter is considered to be material if its omission or misstatement
would reasonably influence the economic decisions of the users taken on the basis of the financial
statements.
Practically, the auditor cannot contact the users (i.e., the shareholders) to ask at what level their judgement would
be influenced. Therefore, the auditor must apply their own professional judgement to determine whether a matter is
material (see section 13.4.3).
Notes

In practical terms, materiality impacts the audit in a number of ways:
• It determines the scope of the work performed (which items are tested and to what degree); and
• It determines the nature of the final audit opinion. Where a material misstatement exists in the financial
statements, they do not show a true and fair view.
An item can be material because of its size or nature.
Example
Reason for item being material Example
An item is material because it is comparatively An error of £400,000 for a company with a

very large (size) profit of £500,000 is likely to be material as the
shareholders would likely be concerned if the profit
figure was wrong by such a large amount. If the
error was £5 the shareholders are less likely to be
concerned.
An item is material because it is important to the If the directors had reported to the shareholders
shareholders not due to its size (i.e., it is material that they did not receive a bonus this year,
due to its nature) but actually did get one, this would likely be
considered material. If this bonus had been
omitted from the accounts, even if it was very
small, the shareholders would want to know.
This is due to the trust put in the directors by the
shareholders to run the business in their interests.
Disclosing director remuneration correctly is one
way to reduce agency risk.
Notes

Using materiality in the audit process
Materiality is used as a threshold throughout the audit process to direct the audit effort towards transactions,
balances and items that are significant to the users. In practical terms, materiality should be considered by the
auditor when:
• identifying transactions and balances that are individually material (planning);

• evaluating the potential impact of identified risks (planning);
• determining the nature, timing and extent of audit procedures (planning/ testing);
• evaluating whether sufficient appropriate evidence has been gathered (completion); and
• evaluating the effect of unadjusted misstatements (completion).
13.4.2 Evidence
The external auditor’s opinion must be informed. The auditor can only express an opinion over whether the
accounts give a true and fair view if they have collected enough evidence to support the figures. Consequently,
the auditor will seek evidence to examine figures and explanations given by management in respect of items in the
Reasonable assurance
Reasonable assurance, introduced at Module 7, means that the auditor must gather sufficient, appropriate audit
evidence to reduce audit risk to an acceptably low level. To achieve this aim, it may not be necessary to obtain
evidence on every single accounting transaction that relates to the financial statements. Therefore, the ISAs (UK)
permit the use of audit sampling (i.e., testing less than 100% of the items that make up a balance in the financial
statements).
How much evidence constitutes ‘enough’ will be discussed in Module 17.
Methods of Gathering Evidence
In practice there are three main methods in which the auditor gathers evidence:
• Understanding the entity and the overall control environment – this provides evidence on the susceptibility of
the financial statements to misstatement in the first place (i.e., the risks that exist due to the nature of the entity).
This evidence is gathered predominantly at the planning stage of the audit;
• Testing the controls of the entity – good controls reduce the risk that the figures in the financial statements
are incorrect as they will help prevent or detect errors and fraud. This evidence is gathered at the systems and
controls stage of the audit; and
• Testing the numbers in the financial statements – this is called substantive testing and allows the auditor to
detect misstatements in the financial statements. This evidence is gathered at the substantive testing and
completion stages of the audit.

13.4.3 Audit judgement
The auditor makes judgements and continually assesses if issues identified are significant (material) enough to
affect the conclusions drawn on the financial statements. The auditor will use judgement in assessing the evidence
and in forming conclusions about the financial statements.
The appropriateness of an auditor’s judgement is dependent on the competence and experience of the auditor and
the need to comply with accepted methodology (auditing standards) to obtain evidence on which to make those
judgements. Audit judgement is often referred to as professional judgement.
Professional scepticism
Professional scepticism is the cornerstone of a good quality audit. It requires an attitude that includes a questioning
mind that challenges management with a degree of doubt that demands hard evidence, being alert to conditions
which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence. Auditors
must ensure that they apply reason and critical thinking to determine the validity of evidence that has been gathered.
Professional scepticism is important as there is always a risk of fraud or error occurring, regardless of how confident
the auditor may be in an organisation based on previous experience.
Professional scepticism is required in order to avoid a situation where a material misstatement is not identified due to
the auditor not appropriately challenging or corroborating information included in the financial statements.
Judgement must be applied throughout the audit to evaluate the evidence in terms of materiality. An auditor should
have a questioning mind, not simply taking the word of management at face value, in order to act in the best
interests of the shareholders.
However, it is important that auditors distinguish between cynicism and scepticism and auditors should challenge
information with an open mind. They must also ensure that they are not impacted by bias, whether conscious or
unconscious. Unconscious bias could for example arise through similarities in personality with a client or initial
impressions of a client’s office. Auditors should also ensure that they do not allow time pressure or deadlines to
compromise their critical thinking.
Learning Outcome 1: Define audit risk and explain the risk-based approach to auditing and
the fundamental process concepts of external auditing
• Audit risk is the risk that the incorrect audit opinion is given, when the financial statements are materially
misstated.
• Auditing standards require auditors to take a risk-based approach when undertaking an audit.
• The risk-based approach focuses testing on the areas where the risk of the financial statement figures being
materially misstated is considered to be higher.
• In addition to risk, the fundamental auditing process concepts are:
• Materiality
• Evidence; and
• Audit judgement.

13.5 Audit Risk Model
As discussed previously, audit risk is the risk that the auditor gives an inappropriate opinion on the financial
statements when they are materially misstated. Effectively, this is the risk that the auditor will miss a material
misstatement in the financial statements and therefore provide an incorrect opinion. The risk that the auditor
might express an opinion that the financial statements are materially misstated when they are free from material
misstatement is specifically excluded from the definition.
Activity 1
1. How could an auditor miss a material misstatement?

2. What would the consequences be of giving an incorrect opinion?
3. Why is it unlikely that the auditor will give an incorrect opinion stating that the accounts are not true and fair?
Solution
The auditor is responsible for planning and performing the audit so that audit risk is reduced to an acceptably low
level. The auditor does this by planning and performing audit procedures to obtain the evidence on which to base
the audit opinion.
Notes

13.5.1 Audit risk model
Audit risk is the product of three different components:
Risk Component Definition
Inherent Risk (‘IR’) The susceptibility of a financial statement account to a material misstatement,
irrespective of related internal controls.
Control Risk (‘CR’) The risk that the entity’s controls will not prevent or detect and correct a material
misstatement in the financial statements on a timely basis.
Detection Risk (‘DR’) The risk that the auditor’s procedures will not detect material misstatements that exist
in the financial statements.
Misstatements described above may be material, individually or in aggregate.
These components together make up the audit risk formula.
Audit Risk Inherent Risk Control Risk Detection Risk

= x x
AR IR CR DR
Audit risk must always be set at an acceptably low level (i.e., the risk of the auditor giving the wrong opinion should
be acceptably low).
Notes

13.5.2 Inherent risk
Inherent risks can arise from two sources:
Source Explanation Example
Business Risk Business risks that would have an impact If a business is in a fast-moving technology
on the financial statements would be sector, this may result in stock items being
considered an inherent risk regularly superseded and would result
in a risk that obsolete stock is not valued
correctly.
Inherent Risk Characteristics of events or conditions A revaluation of property, plant and

Factors may affect the susceptibility of a financial equipment that has taken place in the year
statement account to misstatement. Such would likely be complex and open to some
factors include complexity, subjectivity, subjectivity, including management bias to
change, uncertainty or susceptibility to overstate the asset position, and there is
misstatement due to management bias or therefore a risk that this is not accounted for
other fraud risk factors. and valued correctly.
The impact of these risks can then be categorised into two categories:
1. Financial statement level risks – something that will affect the financial statements as a whole. The impact of a
misstatement would be at the financial statement level.
2. Assertion level risks – relate to individual transactions, balances and assertions. Examples may include known
risks to debtors’ valuation or the completeness of sales transactions. The impact of a misstatement would be at
the assertion level (assertions will be discussed further at Module 17).
Notes

Examples of Inherent Risk
Category of risk Example Explanation
Financial statement Going concern Where the company is suffering financial instability
level (e.g., cash flow difficulties), there is a risk that the
basis of accounting is incorrect, that is, the financial
statements have been prepared on a going concern
basis rather than a break-up basis. This would result in
the financial statements being materially misstated.
Assertion Level Susceptibility of stock A client with high value stock items will generally have
to misappropriation a higher inherent risk. As this relates to a particular
balance (stock), it is at the assertion level, as there is a
risk around whether the stock is actually there and has
not been stolen since the records were created.
These sources of risk (i.e. business risk and inherent risk factors) help auditors to identify relevant inherent risks
at their clients, however there is no requirement for them to specifically categorise these risks as such once
identified. However, they are required to categorise the impact in terms of financial statement or assertion level,
as this will help them to determine their audit approach to these risks. This will be considered further in TPS
Assurance and Data.
Approach to Assessment
IR is assessed from the start of the audit, with the majority of the work on IR being performed at the planning stage.
The auditor gathers evidence over IR by gaining an understanding of the entity. The practical approach to gaining
this understanding will be considered in Module 15.
Notes

Activity 2
Identify which of the following inherent risk factors are financial statement level or assertion level risks.
Risk Financial Statement Level/ Assertion Level
The Finance department is overworked due to a staff

shortage, and has insufficient time to perform all of its
duties
The depreciation policy is complex due to the assets

owned by the business
The company is required to calculate and recognise

a provision for warranty claims, the level of which
fluctuates each year
Solution
13.5.3 Control risk
Control risk increases where the internal control systems at an entity are poorly designed or do not operate effectively.
Approach to Assessment
CR is assessed predominantly at the systems and controls stage of the audit, although some of our understanding of
the entity’s control systems and control environment will come from the work done at planning to understand the entity.
The approach to performing this assessment will be considered in Module 16.
Notes

13.5.4 Risk of material misstatement
The IR and CR may vary for different parts of the financial statements. The auditor will generally categorise risk as
high, medium or low, as the judgement involved makes generating an exact figure or percentage difficult.
Risk of Material Misstatement (‘ROMM’): the combination of inherent risk and control risk. It is the risk that a
material misstatement may exist in the financial statements prior to the auditor undertaking any procedures.
References to the auditor identifying ‘audit risks’ at planning generally refer to the auditor attempting to identify
areas of the financial statements with a high ROMM with a view to directing their audit work.
Example
An entity is billed for and pays its rent quarterly, which it has done for years. This is a routine transaction,
and therefore it is not susceptible to misstatement (IR is low). Also, the entity has established controls in
place to ensure that invoices received are recorded correctly. Therefore, there is a low risk that these internal
processes and controls will result in rent being recorded incorrectly (CR is low). Hence, the auditor will
conclude the ROMM in the recording of rent to be low.
Inherent Risk Control Risk ROMM

x =
low low low
However, the entity also manufactures devices and calculates the cost of stock by compiling the material
costs, labour costs and overhead costs for each product. This is a more complex procedure than if the entity
purchased completed devices. Therefore, the calculation of the stock value is more susceptible to material
misstatement (IR is high). In addition, the entity has an entirely manual costing system that is only operated
at the year end with few controls to check the accuracy of these cost calculations. Therefore, there is a high
risk that errors in the cost of stock won’t be prevented or detected and corrected (CR is high) and the auditor
will conclude that the ROMM in the cost of stock will be high.
Inherent Risk Control Risk ROMM

x =
high high high
Notes

The auditor uses professional judgement throughout the audit process to assess the level of ROMM in each financial
statement account (e.g., fixed assets, stock etc.) and to determine the response that should be taken in the form of
audit tests.
13.5.5 Detection risk
Detection risk is the balancing figure in the audit risk equation. Detection risk is the risk that the auditor will not find
a misstatement. Once the ROMM in the financial statements has been assessed as high, medium or low, the auditor
will know what the level of detection risk needs to be. This is because the audit risk must always be acceptably low,
and therefore, the detection risk is driven by the ROMM. ROMM and detection risk have an inverse relationship,
that is if ROMM is high then detection risk will be low. If ROMM is low, then detection risk will be high.
The detection risk level will determine the nature, extent and timing of the substantive testing that must be carried
out on each of the financial statement accounts to ensure that the auditor has an acceptable chance of finding
material misstatements.
The detection risk is the only element of risk controlled by the auditor.
Low detection The auditor is less willing to accept the chance that they will not detect a material
risk misstatement. Therefore, the auditor will increase the work performed to detect
misstatements (increase the level of substantive testing).
High detection The auditor is more willing to accept the chance that they will not detect a material
risk misstatement. Therefore, the auditor can reduce the work performed to detect
misstatements (reduce the level of substantive testing).
Relationship between ROMM and DR
Low ROMM:
When ROMM is low, there is less chance of an error occurring in the financial statements, therefore the auditor can
do less work to detect misstatements as they are not likely to occur. This mean the auditor can accept a much
higher level of detection risk (i.e., a higher risk that they will miss a misstatement) as there is less chance errors
exist in the first place.

= x x
low low low high
Notes

High ROMM:
Where ROMM is high, there is a higher risk of misstatement in the accounts so the auditor has to do more work to
get comfort over the figures to be able to conclude whether they are true and fair or not. This means that they can
only accept a lower level of detection risk – they will only tolerate a low risk of missing a material misstatement,
because there are potentially a lot of material misstatements in the accounts.

= x x
low high high low
The balancing effect of detection risk aids the auditor in keeping audit risk at an acceptably low level despite the
increased ROMM.
Components of Detection Risk
Detection risk is made up of two elements:
Element Explanation Example
Sampling risk The risk that testing a sample from Errors exist in the population that are not
(‘SR’) a population does not give the same selected as part of the sample.
conclusions as testing the whole population
would have given. It can be reduced by
increasing the sample size.
Non-sampling The risk that an incorrect judgement is The selection of an inappropriate audit
risk (‘NSR’) made because the audit procedures used procedure, failure to perform an audit
were not appropriate or testing results were procedure, failure to perform an audit
wrongly interpreted by the audit team. It procedure correctly or the misinterpretation
can be reduced through adequate planning, of the results of an audit procedure.
professional scepticism and adequate
review of work performed.
Notes

Learning Outcome 2: Identify and explain the components of the audit risk model
Audit risk consists of inherent risk, control risk and detection risk. The auditor must assess inherent and control
risk in order to set detection risk. Using the audit risk model the auditor can identify what areas of the financial
statements are most likely to contain a material misstatement. This information is then used to drive the nature,
timing and extent of the audit work performed.
13.6 Summary
The Risk-Based Audit Approach
• Audit risk is the risk that the auditor gives an inappropriate opinion (effectively the risk that they fail to detect
a material misstatement) when the financial statements are materially misstated. The auditor must reduce the
audit risk to an acceptably low level.
• Auditing standards require the auditor to adopt a risk-based approach to auditing. This approach focuses
attention to the areas most likely to contain a material misstatement and therefore allows for an efficient
approach.
Fundamental Audit Process Concepts
The following concepts impact the work of the auditor throughout the audit process:
• Materiality – a measure of significance. Where a matter is ‘material’ its omission or misstatement would impact
the decisions of the users;
• Evidence – the audit opinion must be supported by sufficient, appropriate evidence; and
• Audit (professional) judgement – the quality of judgement is driven by competence, experience and the need
to comply with the auditing standards.
The Audit Risk Model
The auditor uses the audit risk model to break down audit risk into component parts:
Audit risk = Inherent risk x Control risk x Detection risk
ROMM SR and NSR
Notes

Inherent risk can arise from two sources: business risks or inherent risk factors. Its impact can then be classified
into two categories: financial statement level risks or assertion level risks.
The auditor can only influence detection risk – it can be lowered by increasing the amount of substantive testing. To
assess the level of testing required, the auditor needs to consider the risk of material misstatement (‘ROMM’) within
the organisation.
Notes

1. How could an auditor miss a material misstatement?
The auditor could miss a material misstatement and express an inappropriate audit opinion due to the fact
that audits are examinations of the financial statements performed on a sample basis (i.e., the auditor is not
required to test every single transaction). Therefore, there is a risk that a transaction or balance not tested
by the auditor represents a material misstatement in the financial statements. As auditors can never give
absolute assurance that the financial statements are correct, ways must be found to minimise that chance of a
wrong opinion being given.
2. What would the consequences be to the auditor of giving an incorrect opinion?
The reputation of the auditor could be damaged and if the auditor had been negligent then they could be sued.
It could also damage the relationship with the client.
3. Why is it unlikely that the auditor will give an incorrect opinion stating that the accounts are not true and fair?
If the auditor was incorrectly stating that the accounts were not true and fair, the directors of the company
would be likely to resist this and prove why the accounts were, in fact, true and fair. Therefore, it is less likely
that the auditor will give the wrong opinion in this way.
Back to activity
Risk Financial Statement Level/ Assertion Level
The Finance department is overworked due to a staff FS – Overworked staff are more likely to make
shortage, and has insufficient time to perform all of its mistakes, leading to potential misstatements
duties across the whole financial statements. Alternatively,
if controls and checks are not being performed
correctly, there is a greater opportunity for fraud to be
committed and not detected, also leading to potential
misstatements
The depreciation policy is complex due to the assets A – The risk is specifically associated with whether
owned by the business depreciation is correct.
The company is required to calculate and recognise A – The risk is related to the provision recognition.
a provision for warranty claims, the level of which
fluctuates each year
Back to activity

Contents
14.3 Quality Management and Communication 275
14.3.1 Firm resourcing 276
14.3.2 Working paper management 276
14.3.3 Communication with those charged with governance 277
14.4 Acceptance 278
14.4.1 The Engagement Letter 278
14.5 Planning 280
14.5.1 The audit strategy memorandum 280
14.5.2 Audit planning meeting 282
14.6 Systems, Controls and Completion 282
14.6.1 The management letter 282
14.6.2 Other internal completion documents 284
14.7 Additional Requirements for Listed Companies 285
14.8 Summary 286

14. Audit Process: Engagement and Client Management
14.1 Introduction
As discussed in Module 7, there are ongoing phases of an audit that the auditor must consider throughout the
engagement. Engagement and client management is important to ensure that the audit is completed efficiently, as
well as in line with auditing standards and other relevant laws and regulations.
Risk Assessment
Systems
Substantive
Testing
Analysis
This module will focus on the general quality management and communication requirements for an audit, as well as
considering some of the specific documents that the auditor will produce to ensure the audit is completed in line with
relevant auditing standards.
1. describe the quality management and communication requirements for an audit; and
2. identify and describe the content of the audit engagement letter.
Achieving these outcomes will help you to meet the seventh learning outcome for the course as per the syllabus.
14.3 Quality Management and Communication
There are a range of audit procedures that must be performed by the auditor during an audit engagement. Quality
management in the form of engagement and client management procedures gives the auditor assurance that all
of these procedures are performed.
Engagement and client management procedures must be performed throughout the audit process to promote
Notes

the smooth and effective running of the engagement process. These procedures are quality management
procedures, and when performed correctly help to reduce audit risk and provide assurance that the audit complies
with professional standards and applicable legal and regulatory frameworks.
The key quality management standards that provide guidance to the auditor are:
• ISQM (UK) 1 Quality management for firms that perform audits or reviews of financial statements, or other
assurance or related services engagements;
• ISQM (UK) 2 Engagement quality reviews;
• ISA (UK) 220 Quality management for an audit of financial statements; and
• ISA (UK) 230 Audit documentation
This module will introduce certain concepts from these standards which audit firms should consider when managing
their audit engagements and client relationships.
14.3.1 Firm resourcing
ISQM (UK) 1 requires audit firms to establish objectives that address appropriately obtaining, developing, using,
maintaining, allocating and assigning resources in a timely manner, in order to support quality management.
These objectives should encompass human resources (i.e., through effective recruitment and evaluation
processes), technological resources, intellectual resources (i.e., standardised documentation and resources
regarding quality management) and service providers.
ISQM (UK) 1 also requires audit firms to assign an engagement partner for each audit engagement, who will be
responsible for managing and achieving quality on the engagement. ISA (UK) 220 clarifies that the engagement
partner has responsibility for the direction, supervision and review of the audit engagement in compliance with
professional standards, regulatory and legal requirements.
14.3.2 Working paper management
It is not sufficient for an auditor to simply carry out an audit; they must be able to provide evidence demonstrating
that the audit has been completed. Documentation of audit work and all material matters of judgement during the
audit is therefore vital.
Additionally, it is essential that audit work is reviewed. The purpose of reviewing working papers is to ensure that:
• sufficient, appropriate evidence has been gathered to support the audit report;
• judgements and conclusions drawn are appropriate; and
• the requirements of the auditing standards and company law have been fulfilled.
Notes

The only way an auditor can demonstrate that they have performed an audit in accordance with the relevant
legislation, regulations and standards is through documentation. In light of this, all working papers must include:
• the identifying characteristics of the specific items or matters tested;

• who performed the audit work and the date it was completed; and
• who reviewed the audit work and the date and extent of such review.
This will normally be achieved by the preparer and reviewer initialling and dating the audit file, either electronically or
manually. The review of the audit work will usually be undertaken by the audit manager. On larger jobs, the review of
junior staff’s work may be carried out by the audit senior rather than the audit manager, who will concentrate more on
riskier areas.
ISA (UK) 230 Audit documentation sets out the standards required for the content of the auditor’s working papers.
Essentially, if an experienced auditor, otherwise unconnected with the engagement, were to read a completed audit file,
they should be able to understand the procedures and judgements underlying the opinion given in the audit report.
All working papers, including systems and controls documentation, should be prepared and reviewed on a timely basis.
14.3.3 Communication with those charged with governance
The auditor also must communicate with those charged with governance on a number of matters, outlined in ISA
(UK) 260 Communication with those charged with governance. Effective two-way communication with those charged
with governance is important to help develop a constructive working relationship between the auditor and the client
and in assisting the auditor in obtaining necessary information from the client throughout the audit.
ISA (UK) 260 requires auditors to communicate to those charged with governance regarding:
• the auditor’s responsibilities in relation to the financial statement audit;

• the planned scope and timing of the audit;
• significant findings from the audit; and
• auditor independence.
Not all matters identified during the audit will necessarily need to be in written format. Unless otherwise specified by
the ISAs, the auditor should use their professional judgement to assess whether oral communication is sufficient, or
whether significant findings require to be communicated in a written format.
Notes

ISA (UK) 260 includes a list of significant findings from the audit that should be communicated to those charged with
governance. These are:
• Views on the qualitative aspects of the entity’s accounting practices and financial reporting (i.e., accounting
policies or estimates);
• Significant difficulties, if any, encountered during the audit;
• Unless all those charged with governance are involved in day-to-day management, significant audit matters
discussed with management, and details of written representations requested by the auditor;
• Circumstances that affect the form and content of the auditor’s report (such as the need to modify the audit
opinion); and
• Any other significant matters that are judged relevant by the auditor.
For public interest entities and those entities that report on the UK Corporate Governance Code, ISA (UK) 260
includes additional matters to be reported to the entity’s audit committee.
The requirements to communicate with those charged with governance will be discussed further in TPS Assurance
and Data.
Engagement and client management must be considered throughout the audit. However, there are also specific
considerations that must be made at particular stages of the audit.
14.4 Acceptance
14.4.1 The Engagement Letter
Once the auditor has decided that an assurance/ audit engagement can and will be accepted, the terms of the
engagement must be agreed with the client.
The auditor should establish an understanding of the terms of the engagement at the beginning of the audit
engagement. The agreed terms should be documented in an engagement letter.
The engagement letter acts as a contract between the practitioner and the client, serving to protect both
parties and reduce the risk of misunderstandings in relation to the engagement.
ISA (UK) 210 Agreeing the terms of audit engagements provides the auditor with guidance regarding the content and
the timing of the engagement letter.
Notes

Content of the Engagement Letter
ISA (UK) 210 highlights a number of elements that must be included in the engagement letter, including:
1. the objective and scope of the audit of the financial statements;

2. the responsibilities of the auditor;
3. the responsibilities of those charged with governance;
4. identification of the applicable financial reporting framework for the preparation of the financial statements; and
5. reference to the expected form and content of any reports to be issued by the auditor, including a statement
that there may be circumstances in which a report may differ from the expected form and content.
The ISA also recognises that engagement letters vary depending on the engagement and, therefore, lists additional
information that may be included in the letter including fee and billing details and arrangements regarding the
planning and performance of the audit, such as the composition of the audit team.
ISA (UK) 210 also states that the auditor must obtain the agreement of management, and (where applicable) those
charged with governance, that they acknowledge and understand their responsibility for:
1. preparing accurate financial statements in accordance with an acceptable financial reporting framework;
2. ensuring proper internal controls over the preparation of financial statements are in place; and
3. providing the auditor with access to all records, information and persons relevant to the audit and providing any
explanations necessary.
Timing of the engagement letter
There is no requirement to issue a new engagement letter for each year of the audit, but many firms do this as
policy. ISA (UK) 210 suggests that it may be appropriate to issue a new engagement letter if:
• there is any indication that the client has misunderstood the objective or scope of the audit;
• there are any revised or special terms of the audit engagement;
• there have been significant changes of senior management;
• there have been significant changes in ownership of the entity;
• there have been significant changes in legal or regulatory requirements;
• there has been a change in the financial reporting framework adopted in the preparation of the financial
statements;
• there has been a significant change in the nature or size of the client’s business; or
• there has been a change in other reporting requirements.
Notes

14.5 Planning
After acceptance, the next stage of the audit process is planning. This is where the audit team will develop their
understanding of the entity so that they can work out where to focus their attention. The auditor will focus attention
on the areas most likely to contain incorrect information that would impact the users of the financial statements.
Planning also allows the auditor to consider how to plan the resource of the audit such as what staff are required and
what times of year they will work on the audit.
14.5.1 The audit strategy memorandum
One of the key summary documents produced as an output of the planning phase is the audit strategy
memorandum (‘ASM’). The ASM summarises the key decisions made during the planning phase, such as the
results of the risk assessment, the audit strategy and materiality levels, and also contains administrative details.
The ASM is an internal document which should not be given to the audit client.
Notes

Typical content for an ASM is as follows:
B SSMART
Section heading Explanation
Background client An overview of the key aspects of the client. For example, this will likely include
information the industry, the year-end date, the relevant financial reporting framework and any
changes since the prior year.
Systems and control An overview of the key processes, systems and control framework in place at the
information client. For example, this would detail the accounting system used by the client to
prepare financial information.
Staffing and key A list of members of the audit team and key contacts at the client, such as the finance
client contacts director or payroll manager.
Materiality The overall, performance and specific items materiality figures would be included.
This will include the methodology used to calculate materiality figures, including any
judgements made (or may be cross referenced to where this information can be found
on the audit file).
Analytical procedure An explanation of the planning analytical review performed as part of the auditor’s risk
results assessment procedures. This will include any explanations provided for any unusual or
unexpected numbers.
Risk assessment A summary of the key areas of ROMM identified by the auditor at planning, including
findings and the approach that the auditor will adopt in auditing the risks identified. This will include
procedures planned the auditor’s intended testing strategy, designed to obtain sufficient, appropriate audit
in response evidence to address the key risks identified.
Timetable A timetable for the audit will include key dates such as:
• the audit planning meeting;

• the year-end date;
• dates of any key meetings with the client including those charged with governance;
• dates the audit team will be on-site at the client; and
• the reporting deadlines for the engagement.
Materiality, analytical review and risk assessment will all be discussed in more detail in Module 15.
Notes

14.5.2 Audit planning meeting
At planning, the engagement partner and other key engagement team members must discuss the ROMM at
the entity (including ROMM due to fraud risk). This is normally done through an audit planning meeting. If any
engagement team members are unable to attend this meeting it should be considered what information should be
communicated to them.
14.6 Systems, Controls and Completion
At the systems and controls stage of the audit, the auditor will understand the internal control system of the client
(including the accounting information systems) and test how well the client’s systems can prevent and/ or detect
incorrect information materialising in the accounts. This work will be built upon throughout the remaining stages of
the audit.
ISA (UK) 265 Communicating deficiencies in internal control to those charged with governance and management
states that any significant deficiencies in a client’s accounting and internal control systems specifically are reported
to those charged with governance and an appropriate level of management (unless circumstances deem it
inappropriate) promptly and in writing. This is often included in a management letter.
14.6.1 The management letter
The management letter allows the auditor to meet the requirements of two ISAs:
• ISA (UK) 265; and

• ISA (UK) 260.
Therefore, the auditor will use the management letter to communicate any significant deficiencies identified in the
client’s internal control systems as well as any other significant matters such as misstatements or disagreements
between the auditor and management.
The management letter should be constructive, in that it should identify:
• the issue (e.g., a control weakness);

• the impact or implications of that issue; and
• a recommendation for management to resolve the issue.
The management letter is usually addressed to the board of directors of the company and the audit committee. The
auditor should obtain written feedback/ responses from the client to the issues identified. This response will vary
according to the client. Management will respond with the actions they intend to take to rectify the problem.
Notes

Example
Below is an example of a management letter point and recommendation:
Control Weakness Implication Recommendation
No authorisation of Items purchased that All purchases need to be authorised by the

purchase requisitions are not to be utilised for purchasing manager and there must be
required before purchase business purposes. a signature on each purchase requisition
orders are placed. document by an authorised individual.
Timing
ISA (UK) 265 requires communications to be given on a timely basis to enable the directors to take appropriate action.
For example, if controls weaknesses were found during an interim visit, these should be communicated as soon as
possible, rather than waiting until the final accounts have been signed, which could be several months later. This
should result in an ‘interim’ management letter being issued after the Systems and Controls Analysis stage of the audit,
and a ‘final’ management letter being sent once the Completion stage, and the audit, have been concluded.
Activity 1
What are the benefits of issuing a management letter for:
• the client; and

• the auditor?
Solution

14.6.2 Other internal completion documents
At the completion stage, in addition to the external documents such as the management letter and the letter of
representation (Module 21) there are often a number of internal completion documents produced. Three of these
documents are covered below. Note that format and terminology may vary from firm to firm.
Points forward schedule
A points forward schedule is a list of points that should be documented and brought to the attention of next year’s
audit team. It assists with the planning of next year’s audit by helping to ensure that any problems identified this year
are properly addressed next year. Additionally, any information gained during the year that relates to next year’s
audit can be documented for the benefit of next year’s audit team.
Examples of matters which could be included in a points forward schedule are:
• Delays in receiving information from the client, and the need to manage the information request process better
next year;
• Details of a product still in development at year end that is due to go into production next year;
• Changes to accounting information systems planned for next year;
• Major capital expenditure additions or disposals planned for next year; and
• Situations where Audit Data Analytics could be a more effective way of obtaining evidence in future.
Audit highlights or summary review memorandum
This document concludes on the performance of the audit and summarises the key matters of importance. It is
usually prepared by the audit manager or senior for the engagement partner. The best way to think of this document
is as the ‘actual’, when the audit strategy memorandum was the ‘budget’ or ‘expected’ at planning.
This is an internal document, but in some cases a version will be prepared for the client.
Examples of matters which could be included in a highlights memorandum are:
• Details of all audit issues identified, how these were resolved and how sufficient appropriate evidence was obtained
• Work done in response to risks identified at the planning stages
• Details and reasons for any changes to the ASM
• Changes to the client’s business and industry since the ASM was prepared
• Summary of the final overall analytical review (See Module 21)
• A summary of uncorrected misstatements (See Module 21)
• Suggested wording for the audit opinion (See Module 22)
• Any other issues encountered during the audit and how they were dealt with
Notes

14.7 Additional Requirements for Listed Companies
ISQM (UK) 1 also requires a separate engagement quality reviewer (‘EQR’) to be appointed for each listed
company audit. The reviewer will be independent of the engagement (i.e., not involved in any of the day-to-day work)
and as such will provide an objective assessment of the significant judgements made by the audit team and the
conclusions reached in forming the audit opinion. The EQR is responsible for completing an engagement quality
review, and the engagement partner is not able to issue the audit report until the engagement quality review has
been completed.
The engagement quality review should include:
• Reading and understanding information communicated by the engagement team;

• Discussions, with the engagement partner and team, of significant matters and judgements;
• Review of the financial statements and the proposed audit report;
• Review of selected audit documentation relating to any significant judgements made by the engagement
team, including:
• An evaluation of professional scepticism exercised by the engagement team;
• An evaluation of whether the engagement documentation supports the conclusions reached;
• An evaluation of whether conclusions reached are appropriate;
• A consideration of the engagement partner’s assessment of the firm’s independence from the client;
• An assessment of whether appropriate consultations have taken place on difficult matters; and
• An evaluation of the engagement partner’s determination that the engagement partner’s involvement has been
sufficient and appropriate throughout the engagement.
ISQM (UK) 2 also describes additional requirements for the EQR for public interest entities (which has a wider
definition that just listed entities). These will be considered in the TPS Assurance and Data course.
earning Outcomes 1 and 2: Describe the quality management and communication

L
requirements for an audit and identify and describe the content of the audit engagement letter
The whole audit process must be adequately controlled by ensuring that appropriate engagement and client
management procedures are put in place. Additionally, specific requirements are necessary at the acceptance,
planning, systems and controls and completion stages of the audit.
Notes

14.8 Summary
Quality management in the form of engagement and client management procedures must be performed throughout
the audit process to promote the smooth and effective running of the engagement process.
Key elements of engagement and client management include:
1. Firm resourcing;
2. Working paper management; and
3. Communication with those charged with governance.
There are also considerations that must be made at specific stages of the audit.
The engagement letter
The engagement letter acts as the contract of the engagement. ISA (UK) 210 highlights a number of elements that
must be included in the engagement letter, including:
1. the objective and scope of the audit of the financial statements;

2. the responsibilities of the auditor;
3. the responsibilities of those charged with governance;
4. identification of the applicable financial reporting framework for the preparation of the financial statements;
and
5. reference to the expected form and content of any reports to be issued by the auditor, including a statement
that there may be circumstances in which a report may differ from the expected form and content.
A new engagement letter should be issued when there have been significant changes or misunderstandings.
The audit strategy memorandum
The ASM summarises key decisions made during the planning phase of the audit. Typical content includes:
• Background client information;

B SSMART
• Systems and control information;
• Staffing and key client contacts;
• Materiality;
• Analytical procedures results;
• Risk assessment findings and procedures planned in response; and
• Timetable.
Notes

Audit planning meeting
At planning, the engagement team must discuss the ROMM at the entity.
The management letter
The management letter allows the auditor to communicate any significant deficiencies identified in the client’s
internal control systems as well as any other significant matters such as misstatements or disagreements between
the auditor and management. The letter should be constructive in nature and is commonly addressed to the board.
The management letter should be issued promptly which commonly means as soon as possible after the final
accounts are signed. If there are findings at the systems and controls stage of the audit, an interim management
letter should be issued.
Points forward schedule
At completion, the auditor will document any significant findings or information that will help to guide next year’s audit.
Audit highlights/ summary review memorandum
The highlights memorandum is used to document conclusions and key matters of importance.
Engagement quality review
For listed company engagements, an EQR must also be involved to ensure that an engagement quality review is
carried out.
You should now be able to meet all learning outcomes for this module. If you are not able to do so, go back and
re-read the relevant section.
Notes

Benefits to the Client
Providing the client with a management letter should be a benefit in that it focuses attention on areas of major
weakness in the systems and provides advice to help run the organisation more effectively.
Benefits to the Auditor
The issuance of a management letter should benefit the auditor because if the client takes on board
the recommendations there should be a reduced risk of errors in the system, reduced control risk and,
accordingly, reduced audit risk. Commonly the risk will be reduced in future audits rather than in the current
year engagement. It should also help protect the auditor to some extent against future criticism if the
recommendations are not taken on board and if problems are encountered in the future.
Back to activity
Notes

Module 15. Audit Process: Planning
Contents
15.3 Audit Planning 291
15.3.1 The Purpose of Planning 291
15.3.2 Overall Audit Strategy and Detailed Audit Plan 291
15.4 Risk Assessment 291
15.4.1 Understanding the Entity 293
15.4.2 Risk Assessment Procedures 296
15.4.3 Analytical Procedures at Planning 297
15.4.4 Analytical Procedure Techniques 298
15.5 Materiality 301
15.5.1 Defining Audit Materiality 301
15.5.2 Types of Materiality Used in an Audit 302
15.5.3 Calculating Overall Materiality 303
15.5.4 Setting Performance Materiality 304
15.6 Fraud 305
15.6.1 Responsibilities in Relation to Fraud 306
15.6.2 Fraud Risk at the Planning Stage 307
15.7 Audit Data Analytics 309
15.7.1 Consider the overall objective of the ADA and how it will be achieved 310
15.7.2 Obtain and cleanse the data to be used in the ADA 310
15.7.3 Consider whether the data to be used is relevant and reliable 311
15.7.4 Carry out the ADA technique 311
15.7.5 Evaluate and report on the result of the ADA 312
15.7.6 Examples of ADAs being used as risk assessment procedures 312
15.8 Summary 322

15. Audit Process: Planning
15.1 Introduction
The following diagram was introduced in Module 7 and provides an overview of the audit process:
Risk Assessment
Systems
Substantive
Testing
Analysis
The acceptance stage of the audit was discussed in Module 7.
Overview
The auditor now commences the second stage in the audit process – the planning stage. This stage usually
commences before the year end.
This module discusses the purpose and key procedures that are involved in planning a statutory audit so that it is
executed efficiently, and that sufficient, appropriate audit evidence is obtained to support the audit opinion.
1. explain how and why the auditor assesses and uses risk in planning the audit, including gaining an
understanding of the entity;
2. explain how and why an auditor uses analytical procedures to help in understanding the entity;
3. explain the concept of materiality;
4. explain the auditor’s responsibilities with respect to fraud; and
5. describe audit data analytics and explain how they are applied throughout the audit process.
Notes

15.3 Audit Planning
15.3.1 The Purpose of Planning
The objective of a statutory audit is to obtain reasonable assurance about whether the financial statements are free
from material misstatement and, therein, to express an opinion on whether the financial statements are true and fair.
Adequate planning helps to lower audit risk.
Planning for an audit will allow the auditor to achieve this overall audit objective by:
• helping to ensure that sufficient and appropriate attention is directed to the important areas of the audit;
• helping to ensure that potential problems are identified and resolved early;
• assisting in the selection of appropriate engagement staff, including the assignment of work to them;
• helping to complete work effectively and efficiently; and
• facilitating direction and supervision of the audit.
15.3.2 Overall Audit Strategy and Detailed Audit Plan
The International Standards on Auditing (UK) (‘ISA (UK)’) require the auditor to establish an overall audit strategy
for the engagement, which sets out the scope, timing and direction of the audit. From this strategy, the auditor
is then required to develop a more detailed audit plan for gathering evidence in order to reduce the audit risk to an
acceptably low level. The detailed audit plan describes the approach for the expected nature, timing and extent
of the audit procedures to be performed.
15.4 Risk Assessment
To plan an audit, the auditor must understand the entity whose financial statements are being scrutinised. The
auditor should obtain sufficient knowledge of the entity to understand events, transactions and practices that may
have a significant effect on the financial statements. This understanding provides the basis for planning the overall
audit approach; one that responds to the unique characteristics of the entity and enables the auditor to achieve
one of the key objectives of the planning stage – identifying areas of the financial statements with a higher risk
of material misstatement (‘ROMM’). Therefore, during the planning stage, the auditor must identify sources of
inherent risk and, often, control risk through gaining a detailed understanding of the entity.
To ensure that relevant risks are identified, the auditor will perform risk assessment procedures. These procedures
are discussed at Section 15.4.2 below.
Notes

Example
A supermarket chain holds a lot of perishable inventories at many branches across the UK. This leads to the
inherent risk that goods are past their best before date (and not able to be sold). Stock will therefore be more
likely to contain a material misstatement (as items may not be identified as requiring a write-off) and will be a
higher risk area for the audit.
Activity 1 – Recap Module 13
Define inherent risk and provide some examples of inherent risks at an audit client.
Reminder: Inherent risks can arise either from business risks or inherent risk factors.
Solution
Once an inherent risk has been identified, the auditor will then determine whether it impacts the financial statement
level or the assertion level. This was covered in Module 13.
Notes

15.4.1 Understanding the Entity
The first step to identifying risks in the financial statements is through understanding the entity that is being audited.
ISA (UK) 315 Identifying and assessing the risks of material misstatement requires that risk assessment procedures
must be performed to obtain an understanding of:
• The entity and its environment, including:

• Organisational structure, ownership and governance, and business model
• Industry, regulatory and other external factors
• The measures used, internally and externally, to assess the entity’s financial performance
• The applicable financial reporting framework and the entity’s accounting policies. The auditor will evaluate
whether the accounting policies are appropriate and consistent with the financial reporting framework.
• How inherent risk factors identified will affect the susceptibility of assertions to misstatement, and the degree to
which they do.
• Internal controls (Covered in Module 16).
Collecting evidence on all these areas will allow the auditor to develop a picture of the client and therefore aid the
identification of sources of inherent and control risk. Once both inherent and controls risks have been assessed, the
auditor will consider the overall impact on the risk of material misstatement (see Module 16). The procedures used to
gather this information are discussed in Section 15.4.2.
Notes

Example
Some examples of information gathered at planning for a shoe shop, Soul Trader Shoes Ltd, are listed below:
The entity and its environment
Organisational structure, ownership and governance, and business model
• this is a private limited company so it will have to follow the Companies Act 2006 (‘CA 2006’) requirements; and
• it is an owner-managed business so there are no external shareholders
• it sells shoes from a small number of high street branches
Industry, regulatory and other external factors
• the company is a retailer, so will have to ensure that any consumer rights are enforced (e.g., accepting
returns if the shoes are damaged); and
• the shoe industry is competitive, and there is strong competition from discount stores and online retailers
who can sell more cheaply than Soul Trader Shoes Ltd.
The measures used, internally and externally, to assess the entity’s financial performance
• it was identified that in order to fund a future merger, the company has requested additional finance from
the bank. The bank will only provide this if certain profit levels and key performance indicators (‘KPIs’) are
met; and
• management will therefore be focusing on these external measures.
Financial reporting framework and accounting policies
• The company prepares its accounts using UK GAAP;

• the shoes can go out of fashion quickly, and so a key accounting policy is that inventories should be held
at the lower of cost and net realisable value (‘NRV’); and
• there have been no changes to the accounting policies in the year.
How inherent risk factors affect susceptibility of assertions to misstatement
• It has been identified that shoes go out of fashion quickly, and that there is significant competition from
discount stores. There is therefore a high risk that the inventory may be overstated, if appropriate write-
downs are not made; and
• It was noted that there is pressure on management to meet targets, which could increase the risk of
management bias or fraud in the preparation of the financial statements.
Notes

Activity 2
You recently met with a new audit client, Jenkins Pentland plc (‘JP’), and undertook risk assessment
procedures in order to contribute to the engagement team’s understanding of the entity.
The following information was obtained in relation to the industry, regulatory and other external factors and the
nature of the entity.
JP Plc is a listed company based in the UK. JP makes wedding dresses for sale to wholesale customers and
in their UK-wide stores. JP makes all its sales on credit. The wedding industry in the UK is seasonal, and
historically JP has made the majority of its sales in winter. JP is financed by a significant loan that is to be
repaid in full in the next 12 months.
As a result of the information gathered, identify the areas of concern that the audit team may have in relation
to the financial statements of JP.
Solution
Notes

15.4.2 Risk Assessment Procedures
A range of procedures can be used by the auditor to gather the information needed to identify inherent risks as
part of understanding the entity. ISA (UK) 315 identifies the following risk assessment procedures:
• Analytical procedures (Section 15.4.3);

• Enquiry;
AEIO U
• Inspection; and
• Observation.
An auditor will use a combination of these techniques to gather evidence at the planning stage.
Enquiry
The auditor will have initial planning meetings with those charged with governance i.e., the directors (and
management, where applicable) to discuss the objectives of the entity and any changes that have occurred during
the year. The auditor will also make enquiries of others within the entity (e.g., the internal audit function and client
staff) and may also make enquiries of third parties (e.g., lawyers, providers of finance and valuation experts).
Activity 3
Enquiry alone is not considered to be sufficient to gain audit evidence. Why do you think this is?
Solution
Notes

Inspection
Documents that might be inspected to gather information about the entity and assess inherent risk include:
• prior year financial statements;

• prior year audit files;
• internal control files;
• business plans and strategic documents of the entity;
• industry publications;
• analyst reports; and
• the entity’s website.
Observation
Auditor observation may include a tour of the client’s premises or observation of their operations.
Timing of risk assessment
It should be noted that while risk assessment and understanding the entity play a significant part of the planning
stage of the audit, risk assessment is a dynamic process that must be considered at all stages of the audit (as
depicted in the audit process diagram). Similarly, the auditor should always be alert to any information they gather
throughout the audit that may alter their understanding of the entity.
Learning Outcome 1: Explain how and why the auditor assesses and uses risk in planning
the audit, including gaining an understanding of the entity
The auditor must plan an audit to help reduce audit risk to an acceptably low level and to ensure the audit is
completed in an effective and efficient manner. To do this, the auditor will create an overall audit strategy and a
detailed audit plan. In order to assess risks on an engagement the auditor must first understand the entity.
15.4.3 Analytical Procedures at Planning
Analytical procedures: involve the evaluation of financial information through analysis of plausible
relationships among both financial and non-financial data. This can involve the analysis of significant
ratios and trends to identify consistencies and predicted patterns or significant fluctuations and unexpected
relationships, and the results of subsequent investigations.
Notes

The purpose of analytical procedures at planning (also known as planning analytical review) is to identify any areas
of the financial statements which appear unusual. They can also help to enhance the auditor’s understanding of the
entity by highlighting otherwise unknown aspects of the client’s operations. Any unexplained, unusual or unexpected
numbers may suggest that there is a misstatement. In turn, this can highlight areas of higher ROMM.
The analysis of financial data also provides the auditor with information about what has been happening at the
organisation during the year which can further develop the auditor’s understanding of the entity.
Timing
ISA (UK) 315 and ISA (UK) 520 Analytical procedures require the auditor to undertake analytical procedures as
a risk assessment procedure (i.e., during the planning stage) and when forming an overall conclusion on the
consistency of the financial statements (i.e., during the completion stage). The auditor can also choose to use
analytical procedures as a substantive procedure to gather audit evidence – this is considered in more detail in
Modules 17, 19 and 20.
Approach to analytical procedures
Analytical procedures during planning can involve comparisons of financial information with:
• prior periods (e.g., last year or last month);

• expectations (e.g., budgets, forecasts, or the auditor’s expectation); and
• a comparable entity’s information (e.g., an entity in the same industry).
At planning, the auditor will typically compare account totals and ratios to the prior year and budgets to identify
unexpected or unusual movements.
15.4.4 Analytical Procedure Techniques
Some techniques that can be used as analytical procedures are:
• Comparison;
• Ratio analysis;
• Reasonableness tests;
• Trend analysis; and
• Large and unusual items review.
Notes

Technique Commonly used during Why?
Comparison Planning and completion Comparison is commonly high level and therefore does
not provide sufficient audit evidence for a substantive
procedure. It can, however, indicate an unexpected or
unusual figure for the purpose of planning risk assessment
and an overall review of the financial statements.
Ratio Analysis Planning Ratio analysis is commonly a high-level comparison and

therefore may not provide sufficient audit evidence for a
substantive procedure. It can, however, indicate unexpected
or unusual figures for the purpose of planning risk
assessment.
Reasonableness Planning and Substantive Reasonableness tests can be high level or can be based
Test Testing on corroborated evidence sources and therefore are
appropriate at both the planning and substantive testing
stages.
Trend Analysis Substantive Testing Trend analysis requires more detailed information (i.e.,
broken down by month or week) and, therefore, is generally
used at substantive testing to get a more in-depth review of
an account.
Large and Substantive Testing Large and unusual items reviews require more detailed
Unusual Items information (i.e., broken down by transaction) and therefore
Review are generally used as a substantive test to get a more in-
depth review of an account.
Note: This is where techniques are more commonly used – all techniques can be used at any stage of the audit
where appropriate. An explanation of comparison and ratio analysis have been provided below. Reasonableness
tests, trend analysis and large and unusual items review will be covered at Module 17.
Comparison
Whenever an auditor receives a draft copy of the financial statements, they will compare current and prior year
primary financial statements and related notes for any new or significantly different figures. At planning, this may be
performed using management accounts if draft financial statements have not yet been prepared.
Notes

Whilst this is not the most robust test and would not be a way of gaining sufficient, appropriate evidence over the
numbers in the financial statements alone (i.e., it is not a substantive procedure), it is a good technique to use at the
planning and overall review (completion) stages. The auditor may also do a comparison with budgeted figures or
industry average figures. Any unusual items or movements may indicate an area of increased ROMM.
Ratio analysis
Ratio analysis involves an analysis of relationships between figures in the financial statements. There are a
number of ratios that accountants use to analyse financial information which are covered in detail in the TC Finance
course.
Examples of common ratios
• Gross profit margin

= gross profit/sales x 100%
• Debtors’ days (the average number of days the company takes to receive money from customers)
= debtors/sales x 365
• Creditors’ days (the average number of days the company takes to pay money to suppliers)
= creditors/purchases x 365
• Gearing (debt/equity)
= debt capital/shareholders’ funds x 100%
A current period ratio can be compared with the same ratio in previous periods, with budgets, with external industry
statistics, or (in larger companies) across departments of the same company. This may, again, indicate areas of
increased ROMM.
Example
When comparing the gross margin of a company year on year, an increase could indicate a failure to include
all expenses, an increase in the sales price, an error in cost of sales or overstatement of the year-end stock
figure (therefore resulting in cost of sales being understated).
Notes

Learning Outcome 2: Explain how and why the auditor uses analytical procedures to help in
understanding the entity
In order to gain an understanding of the entity, the auditor can use a number of analytical procedures.
15.5 Materiality
Materiality is a fundamental auditing concept. ISA (UK) 320 Materiality in planning and performing an audit provides
the auditor with guidance on the topic of materiality.
15.5.1 Defining Audit Materiality
1. Define materiality and explain what type of matter is considered to be material in the context of an audit.
2. Some items may be small in value, but material because of their nature. Can you name an example of
such an item?
1.
2.
Solution
Notes

15.5.2 Types of Materiality Used in an Audit
In this course, three types of materiality level will be considered:
Overall Overall materiality represents a threshold as to what is significant to the financial statements
materiality as a whole. This is calculated at planning and is recalculated at the completion stage of the audit
based on the final financial statements. ISA (UK) 320 uses the terminology ‘materiality’ instead of
‘overall materiality’, but we have added the extra word in the TC Assurance and Reporting course
to more clearly differentiate it from performance materiality (below). This may be referred to as
planning materiality or reporting materiality depending on the timing of the materiality calculation.
Performance Performance materiality is set below overall materiality to reduce the probability that
materiality uncorrected/ undetected misstatements exceed overall materiality to an acceptably low level.
It is the materiality level used to perform testing during the audit.
Specific items Individual accounts or disclosures in the financial statements may have their own, lower,
materiality materiality levels as they may be judged by the auditor to be material (that is of specific
interest or concern) to the users of the financial statements in their own right. This could
include setting a lower materiality figure for directors’ remuneration due to its material nature.
The difference between overall materiality and performance materiality
Overall materiality is calculated at the overall financial statement level and so relates to the accounts as a whole.
If all the misstatements in the financial statements added together are above overall materiality, the accounts are
materially misstated and not true and fair.
However, planning the audit solely to detect individually material misstatements (i.e., those greater than overall
materiality) overlooks the fact that the aggregate of individually immaterial misstatements may cause the financial
statements to be materially misstated, and leaves no margin for possible undetected misstatements.
Performance materiality impacts the amount of work the auditor performs, including being used to:
• decide which areas and accounts of the financial statements the auditor will focus their attention on (not all
accounts in a set of financial statements require in-depth audit procedures);
• determine statistical sample sizes;
• determine whether analytical review variances should be investigated; and
• assess the risk of material misstatement (‘ROMM’).
Therefore, the auditor calculates a lower testing or performance materiality to design procedures that will detect
more misstatements that, together, could add up to more than the overall materiality threshold.
Notes

Example
At a client, overall materiality has been set at £1,000.
Say the following errors exist in the financial statements: an error of £300 in the revenue balance, an error of
£700 in cost of sales and £650 in distribution costs.
If overall materiality has been used to perform testing, then it is possible that none of these errors would have
been identified as none are considered individually material. However, the aggregate total of these (£1,650) is
above overall materiality and so the accounts would be materially misstated. The auditor would be issuing the
wrong opinion if not identified and corrected.
However, if the auditor reduces the materiality used to perform the testing, that is performance materiality,
to a lower level (say £600) then more issues would be identified. In this instance, the errors of £700 and
£650 would be detected. The auditor would therefore have identified two errors that, although below overall
materiality individually, together led to an error greater than overall materiality (£1,300). Therefore, the auditor
could request that the client corrects these misstatements.
The auditor would now be issuing the correct audit opinion as the remaining misstatement of £300 does not
exceed overall materiality.
15.5.3 Calculating Overall Materiality
ISA (UK) 320 does not prescribe how materiality thresholds should be set as the auditor must use professional
judgement to set materiality. Although materiality is concerned with both nature and value, most auditors will initially
calculate an overall materiality value using a materiality benchmark.
Example
Common examples of materiality bases include:
• 1% of revenue;
• 5% of profit before taxation; and
• 2% of net assets.
These are just examples as each audit firm will have its own materiality bases and the final materiality level will be
based on the auditor’s professional judgement.
Notes

Timing of calculation
To be able to collect sufficient, appropriate audit evidence throughout the audit, overall materiality is provisionally
set during planning. As the planning stage of the audit usually commences prior to the year end, the financial
statements will not yet be available. Consequently, prior year results, interim results or forecasts may be used by the
auditor to make an initial calculation of overall materiality (sometimes called ‘planning materiality’).
Materiality is re-assessed throughout the audit as circumstances inevitably change.
The overall materiality figure is recalculated at the completion stage of the audit based on the actual financial
statements (known as ‘reporting materiality’).
15.5.4 Setting Performance Materiality
Each individual auditor and firm will have their own views on what is an appropriate level for calculating performance
materiality. It will ultimately depend on their knowledge of the entity, the industry in which it operates and the
auditor’s expectations in relation to misstatement in the current year. It is often set as a percentage of overall
materiality (e.g., 50% or 75%), but again, exercising professional judgement is crucial.
The calculation of overall and performance materiality will be covered further at TPS Assurance and Data.
Whilst audit firms provide guidance on materiality, setting the level of overall, performance and specific items
materiality requires the exercise of auditor judgement.
The selection of a materiality threshold drives the amount of work an auditor will perform, for example a
lower materiality level will generally result in more items being tested and larger sample sizes. Therefore, an
unethical auditor could select an inappropriately high materiality level to reduce the amount of work they and
their team have to perform.
The auditor must ensure that in selecting materiality thresholds, they are not influenced by the impact on their
own workload, but that their professional judgements are unbiased and based on the application of auditing
standards and matters that would influence the users of the financial statements.
Notes

Learning Outcome 3: Explain the concept of materiality
There are three types of materiality that you must be aware of: overall materiality, performance materiality and
specific materiality.
15.6 Fraud
Misstatements in the financial statements can arise as a result of fraud or error.
Error: an unintentional mistake.
Fraud: an intentional act involving deception to obtain an unjust or illegal advantage.
There are two types of fraud:
1. Fraudulent financial reporting (more commonly performed by management); and

2. Misappropriation of assets (more commonly performed by employees).
Fraudulent financial reporting: an intentional manipulation of financial information to obtain an unjust or

illegal advantage.
Misappropriation of assets: an intentional theft of company assets or inappropriate and unauthorised

use of company assets.
Notes

Example
Examples of fraudulent financial reporting include:
Type of fraudulent financial reporting Example
Falsification or alteration of records or other Raising false invoices to make sales and debtors
documents appear higher
Deliberate failure to process all transactions Only including three quarters of the rent expense
for the year to make expenses and creditors
appear lower
Intentional misapplication of accounting policies Depreciating a computer over 50 years instead of

four years to minimise the depreciation expense
and, therefore, increase profits
Examples of misappropriation of assets include:
• Theft by staff of stock items held in the warehouse; and

• Unauthorised use of company assets such as a laptop or company car for non-work usage.
Misappropriation of assets may lead to the production of false or misleading documents or records in order to
conceal the fact that the assets are missing.
Auditors are required to design audit procedures to detect material misstatements whether due to fraud or error.
However, it is harder for an auditor to identify material misstatements due to fraud because deception has been
used to hide the fraud.
15.6.1 Responsibilities in Relation to Fraud
ISA (UK) 240 The auditor’s responsibilities relating to fraud in an audit of financial statements clearly states the
responsibilities of the directors and auditor in relation to fraud and the initial procedures that an auditor should
undertake on every audit.
Notes

Directors
The directors (and management) of the company are responsible for preventing and detecting fraud by
implementing a sound system of internal controls at the company and encouraging an appropriate culture.
Auditor
Although the fact that the audit is performed may act as a deterrent, the auditor is not (and cannot) be held
responsible for the detection and prevention of fraud.
The auditor is responsible for obtaining reasonable assurance that the financial statements are free from
material misstatement, whether due to fraud or error.
When conducting their work, the auditor must maintain an attitude of professional scepticism at all times. In
relation to fraud, professional scepticism means considering the potential for management to override controls and
recognising that audit procedures designed to detect material misstatements due to error may not be appropriate.
Having an attitude of professional scepticism is particularly crucial where the ROMM due to fraud is higher.
15.6.2 Fraud Risk at the Planning Stage
ISA (UK) 240 states that the auditor should recognise the possibility of fraud throughout the audit. To achieve
this, the auditor must consider the ROMM in the financial statements due to fraud as part of the overall risk
assessment.
Fraud risk factors are those that increase the potential for fraud at a client. Where these factors exist, the auditor
should perceive a higher risk of fraud. They fall into three categories:
Factor Explanation
Incentives or pressures Incentives or pressures that motivate an individual to perpetrate a fraud
Opportunities Opportunities that allow an individual to perpetrate a fraud
Rationalisations The mind-set of an individual making them believe that it is justifiable or

acceptable to perpetrate a fraud
Notes

Activity 5
For the below examples of fraud risk factors, identify to which category they belong:
1. The company’s recent results mean that bank covenants will be breached.
2. There is a lack of controls over the sales process, with a lack of segregation of duties in the process.
3. Staff believe they are over-worked and underpaid.
4. Management are remunerated through bonuses based on meeting revenue targets.
Solution
Fraud and audit risk
A high risk of fraud will result in a higher ROMM. Therefore, the detection risk will be low and the auditor will perform
additional procedures to collect sufficient, appropriate evidence.
Fraud risk factors relating to incentives and rationalisation represent inherent risks. Incentives or rationalisations
to commit fraud are inherent to the financial statements due to the nature of the entity.
Fraud risk factors relating to opportunities represent control risks. Opportunities exist where there are no controls,
weak controls or controls not operating effectively to prevent fraud occurring and, therefore, staff or management
have the opportunity to commit a fraud.
Learning Outcome 4: Explain the auditor’s responsibilities with respect to fraud
The auditor must assess the ROMM due to fraud in the financial statements and increase the level of work
performed over areas where the fraud risk is considered higher.
You should now be able to meet the fourth learning outcome for this module.
Notes

15.7 Audit Data Analytics
Increasingly, Computer Assisted Audit Techniques (‘CAATs’) and Audit Data Analytics (‘ADA’) tools are being used in
the audit process. In the TC Assurance and Reporting course we will use the term Audit Data Analytics to cover both
ADA and CAATs.
The International Auditing and Assurance Standards Board defined ADA as follows:
Audit data analytics: the science and art of discovering and analysing patterns, deviations and
inconsistencies, and extracting other useful information in the data underlying or related to the subject matter
of an audit through analysis, modelling and visualisation for the purpose of planning and performing the audit.
The heightened use of ADA techniques in the audit process has been driven in part by the availability of increasingly
advanced technologies and also the availability and volume of client data. Some of the main advantages of ADA
techniques include:
• Data can be processed more quickly and accurately by automated processes which allows sampling risk to
be reduced;
• Once suitable technology has been invested in, the use of ADA can make the audit process more cost
effective; and
• Improving audit quality, for example, through allowing a deeper understanding of the entity, allowing the
stratification of large data populations or identifying instances of fraud.
ADA techniques are used throughout the audit process and can be used in performing risk assessment procedures
at the planning stage. They are used to both supplement and enhance the traditional procedures performed by the
auditor, and range from very simple tools and procedures, to complex in-depth analysis of client data.
Example
Examples of ADA tools that are used in practice for risk assessment include:
• Analysing the full population of journal entries for evidence of fraud risk factors or other risk indicators,
such as unusual Dr/Cr combinations or accounts not frequently posted to; and
• Graphs showing the trends in revenue over time split by region or product.
Notes

In order to ensure that an ADA provides sufficient and appropriate evidence, and is effective as a risk assessment
procedure, the auditor should consider a number of steps when planning, carrying out and evaluating the ADA.
1. Consider the overall objective of the ADA and how it will be achieved;
2. Obtain and cleanse the data to be used in the ADA;
3. Consider whether the data to be used is relevant and reliable;
4. Carry out the ADA technique; and
5. Evaluate and report on the result of the ADA.
These steps will be considered in more detail below.
15.7.1 Consider the overall objective of the ADA and how it will be achieved
The first step is to consider what the purpose of the ADA is. It may be to perform a risk assessment procedure to
identify the risk of fraud within the financial statements, or to perform a planning analytical procedure. Alternatively,
the objective may be to assess whether the depreciation expense for the year is fairly stated (a substantive
procedure).
The auditor will also consider what data will be required to perform the ADA. This may include a download from the
client’s system of all journals posted through the general ledger or may be a sub-ledger such as the sales ledger.
The auditor must also select the appropriate technique. Many firms have ADA technologies referred to as ‘tools’ or
‘routines’. This would be the program developed to perform the ADA and create any outputs and is often developed
internally by the audit firm.
15.7.2 Obtain and cleanse the data to be used in the ADA
Once the ADA has been planned, the auditor must obtain the data from the client and ensure it is in an appropriate
format to be used in the ADA tool. This may involve ‘cleansing’ of the data – this is the process of replacing,
modifying or deleting data to create a dataset in an accurate format for processing.
Example
A client’s system may generate output data with a date field formatted in the style 21 December 2019.
Cleansing the data could involve reformatting the date field to show the date as 21/12/19, being the required
format for input into the ADA tool.
Notes

The extraction of the data from the client’s system is increasingly performed by standard data extraction tools
developed by firms that can extract data from common accounting systems, but may also be performed manually by
specialist IT staff within the audit firm working alongside the client’s IT department.
15.7.3 Consider whether the data to be used is relevant and reliable
As with any audit evidence, it is essential that the auditor considers the relevance and reliability of the data, including
the completeness and integrity of the captured data.
Example
A common check performed to obtain assurance over the completeness of a dataset extracted from the client
that includes all journal entries posted in the year, is to agree that opening balances for the accounting period
(having been confirmed as accurate by agreement to the prior year financial statements) plus the net impact
of all the journals in the year is equal to the closing balances reported by the client’s system.
The relevance and reliability of audit evidence is considered further in Module 17.
15.7.4 Carry out the ADA technique
The auditor, having planned the ADA and extracted reliable data from the client, will now perform the ADA. This will
likely involve the ADA tool performing default automated procedures that can be evaluated by the auditor or may
involve the auditor tailoring the tool to perform specific analysis based on the auditor’s understanding of the entity.
Examples of ADA techniques for risk assessment and the corresponding outputs are included at Section 15.7.6
below. Outputs are often in the form of stratified data sets that require further investigation or audit procedures to be
performed, or visualisations such as graphs or bubble charts.
Notes

15.7.5 Evaluate and report on the result of the ADA
The auditor will conclude on the results of the ADA and whether the objective laid out at Step 1 was fully achieved. At
the planning stage of the audit, this conclusion would likely be:
• A risk of material misstatement has been identified that requires the design of additional procedures to address
the risk; or
• The conclusion that no risks of material misstatement have been identified through the performance of the ADA;
or
• The ADA objectives have not been achieved and alternative procedures are required to be performed.
15.7.6 Examples of ADAs being used as risk assessment procedures
The following sections include several examples of ADAs that can be used when performing risk assessment
procedures. This is not an exhaustive list of examples, and the complexity and level of use varies significantly
by firm.
Notes

15.7.6.1 Analytical procedures for revenue
We discussed at Section 15.4.3 the requirement for the auditor to perform analytical procedures as a risk
assessment procedure. ADA could be used to present revenue data by region or time period to address where
unexpected trends appear that may indicate a risk of material misstatement.
Consider the overall The client offers a global social media platform for sharing photos for which
objective of the ADA and users pay a subscription.
how it will be achieved
The objective of the ADA is to identify any risks in relation to the countries
and regions in which the client operates/ provides services, to facilitate an
understanding of the entity. A comparison between the current year and prior
year data is to be performed.
Obtain and cleanse the Data relating to the registered addresses of the platform’s users in 20X8 and
data to be used in the 20X9 was extracted from the client’s system by the audit team and did not
ADA require any cleansing.
Consider whether the The data has been checked for accuracy, completeness, validity and reliability
data to be used is by the audit team. No issues were identified.
relevant and reliable
Carry out the ADA The ADA was carried out successfully by the audit team to visualise the
technique geographical locations of the company’s platform users. The output is shown
below.
Evaluate and report on The audit team reviewed the outputs of the ADA tool. Several accounts were
the result of the ADA identified as requiring further audit procedures including PPE, current bank loan,
revenue, administrative expenses and taxation.
Additionally, the auditor identified that the decrease in cost of sales appeared
unusual given the significant increase in revenue and therefore required
further analysis.
Notes

Customer numbers by country in 20X8
Customer numbers by country in 20X9
Notes

15.7.6.2 General ledger review
ADAs can be used to quickly present insightful visualisations of large data sets. At the planning stage of the audit the
auditor could use an ADA tool to perform a planning analytical review of all financial statement accounts.
Consider the overall The objective of the ADA is to identify any initial risks by comparing current year
objective of the ADA and financial statement balances to the prior year. The auditor will further investigate
how it will be achieved any movements not in line with their understanding or where the movement is
greater than £8,500k.
Obtain and cleanse the The full general ledger was extracted from the client’s system by the audit team
data to be used in the and did not require any cleansing.
ADA
Carry out the ADA The ADA was carried out successfully by the audit team. The output provided a
technique visualisation of the financial statement movement between the two years and is
shown below.
Evaluate and report on The audit team reviewed the outputs of the ADA tool. Several accounts were
the result of the ADA identified as requiring further audit procedures including PPE, current bank loan,
revenue, administrative expenses and taxation.
Additionally, the auditor identified that the decrease in cost of sales appeared
unusual given the significant increase in revenue and therefore required further
analysis.
Notes

Financial Statement Line Items Compared with the Prior Year
Financial Statement Line Items Compared with Prior Year

£000,000’s
-10 -5 0 5 10 15 20 25
Property, plant and equipment
Inventories
Trade and other receivables
Cash and cash equivalents
Ordinary share capital
Share premium
Retained earnings
Non-current bank loan
Lease payable
Other payables
Trade payables
Current bank loan
Current tax
Revenue
Cost of sales
Other income
Distribution costs
Administrative expenses
Finance costs
Taxation
Notes

15.7.6.3 Fraud risk analysis
ADAs are often used in relation to identifying the risk of fraud, as the ability to visualise and search a full dataset can
provide a good understanding of inconsistencies in the data which may indicate a fraud risk.
Consider the overall The objective of the ADA is to identify any areas of fraud risk within the financial
objective of the ADA and statements, by reviewing some of the characteristics of the journals being
how it will be achieved posted.
Obtain and cleanse the The full general ledger was extracted from the client’s system by the audit
data to be used in the team and did not require any cleansing. The general ledger extract included
ADA characteristics such as whether journals were automated or manual, the
frequency of users posting journals and the accounts through which the most
journals were processed.
Carry out the ADA The ADA was carried out successfully by the audit team. The output provided
technique visualisations of the journals posted during the year meeting specified
characteristics. Extracts from the output is shown below.
Evaluate and report on The audit team reviewed the outputs of the ADA tool.
the result of the ADA
• It was noted that the value of manual journals was higher than expected as
the auditor’s understanding of the entity indicated that most processes were
automated. This indicated a need to investigate further the nature of the
manual journals and the accounts affected by them to ensure journals were
genuine. An increased fraud risk in relation to posting manual journals was
identified.
• The analysis of ‘most posted to accounts’ was in line with the auditor’s
understanding of the entity and no additional risks were identified.
• The analysis of ‘most and least frequent journal posters’ was also consistent
(as the users were all members of the finance department). However,
user Burr, whilst being an infrequent poster, was identified as the Finance
Director and therefore an increased risk of management override was
identified by the audit team as it was not expected that the finance director
would post any journals.

Manual and automated journals proportion (by value)
Proportion of Manuals vs Automated Journals
Manual Journals
Automated Journals
Top 5 financial accounts posted to (by value)
Top Financial Accounts by Journal Value
Revenue
Cost of Sales
Payroll
Depreciation
Other expenses
0 2 4 6 8 10
Notes

Most frequent users posting journals (by value)
Most Frequent Posters
Washington
Hamilton
Schulyer
Jefferson
Fayette
0 5 10 15
Least frequent users posting journals (by value)
Least Frequent Users
Madison
Burr
Laurens
Seabury
Mulligan
0 0.1 0.2 0.3 0.4 0.5

Activity 6
It is November 20X9. You are the audit senior working for Millar, Gorrie and Hopkinson LLP (‘MGH’). Your
current assignment is the audit of IT ServiceCompany Ltd (‘ITSC’). ITSC provide an outsourced IT service to
organisations of varying sizes including the maintenance of servers and consultancy services regarding IT
security and data protection legislation.
Your audit partner has asked you to review some of the outputs from the revenue audit data analytics tool
to identify any areas within revenue that will require further investigation or additional audit procedures to be
performed (i.e., any risk of material misstatement). You have been provided with the current year actuals to
October 20X9 and full prior year’s data for comparison (including details of revenue stream).
Your understanding of the entity is that the revenue is largely consistent throughout the year, and any
seasonality in 20X9 should follow the pattern of 20X8. Additionally, you are not aware of any significant
changes to the nature of the work performed by ITSC or demand for their services.
The data has been cleansed and checked for accuracy, completeness, validity and reliability by the audit team
and no issues were identified.
The following extracts have been provided:
Total revenue time series comparison to prior year
Revenue (£000’s)
2,500
2,000
1,500
1,000
500
-
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
20X8 20X9
Notes

Total revenue broken down by revenue stream
Trend in Revenue Streams
20X9
20X8
20X7
20X6
0% 20% 40% 60% 80% 100%
ackup and
B IT auditing and IT consultancy Miscellaneous onitoring and
M
disaster recovery reporting services services maintenance
services services
Solution
Learning Outcome 5: Describe audit data analytics and explain how they are applied
throughout the audit process
the audit process.
The fifth learning outcome of this module will be considered further in Modules 16, 17 and 19.

15.8 Summary
Planning
The auditor must plan an audit to help ensure that audit risk is reduced to an acceptably low level. Planning helps
the auditor by:
• helping to ensure that sufficient and appropriate attention is directed to the important areas of the audit;
• helping to ensure that potential problems are identified and resolved early;
• assisting in the selection of appropriate engagement staff, including the assignment of work to them;
• helping to complete work effectively and efficiently; and
• facilitating direction and supervision of the audit.
The auditor will create an overall audit strategy and a detailed audit plan.
Understanding the entity
In order to assess risks on an engagement the auditor must first understand the entity. In doing so the auditor must
perform risk assessment procedures to obtain an understanding of:
• The entity and its environment, including:

• Organisational structure, ownership and governance, and business model
• Industry, regulatory and other external factors
• The measures used, internally and externally, to assess the entity’s financial performance
• The applicable financial reporting framework and the entity’s accounting policies. The auditor will evaluate
whether the accounting policies are appropriate and consistent with the financial reporting framework
• How inherent risk factors identified will affect the susceptibility of assertions to misstatement, and the degree to
which they do
• Internal controls (Covered in Module 16)
In order to gain an understanding of the entity, the auditor can use a number of techniques including:
• Analytical procedures;
• Enquiry; AEIO U
• Inspection; and
• Observation.
Notes

Analytical procedures
There are a number of analytical procedure techniques that can be using including: comparison, ratio analysis,
reasonableness test, trend analysis and large and unusual items review. Comparison, ratio analysis and
reasonableness test are commonly used at planning.
Materiality
There are three types of materiality that you must be aware of:
• Overall materiality;
• Performance materiality; and
• Specific items materiality.
Fraud
The auditor must assess the ROMM due to fraud in the financial statements. The overall responsibility for the
prevention and detection of fraud lies with the directors.
There are two types of fraud:
1. Fraudulent financial reporting; and

2. Misappropriation of assets.
Fraud risks can be organised into three categories:
1. Incentives or pressures;
2. Opportunities; and
3. Rationalisations.
Audit Data Analytics
the audit process.
Notes

The five steps that an auditor should consider when using ADAs in the audit process are:
1. Consider the overall objective of the ADA and how it will be achieved;
2. Obtain and cleanse the data to be used in the ADA;
3. Consider whether the data to be used is relevant and reliable;
4. Carry out the ADA technique; and
5. Evaluate and report on the result of the ADA.
Notes

Inherent risk (‘IR’) is the susceptibility of a financial statement account to material misstatement, irrespective of
related internal controls. Inherent risks can arise from the following sources:
1. Business risks that will affect the reliability of the financial statements; and
2. Inherent risk factors – characteristics that affect susceptibility of an account balance or transaction to misstatement,
such as complexity, subjectivity, change, uncertainty or susceptibility to management bias or fraud risk factors.
Examples of inherent risk:
• Going concern risk;

• High market competition;
• Integrity of management is questionable;
• Changes in management;
• Inexperienced management;
• Remuneration linked to profit targets;
• History of regulatory breaches;
• History of previous errors;
• Production of financial statements subject to time pressure;
• Technological obsolescence;
• Complex accounting transactions and policies; and
• Susceptibility of assets to misappropriation.
Back to activity
Areas that the auditor may identify as higher risk for JP would include:
• Listed – JP is a listed company and, therefore, management are under increased pressure and scrutiny to
produce good results. This may result in a higher risk of management manipulating financial information –
affecting the overall financial statements.
• Credit sales – JP makes sales on credit and, therefore, is at risk of debts going bad, affecting the valuation of
trade debtors.
• Seasonality – the wedding industry is seasonal and, therefore, unsold stock may become unfashionable and
obsolete, affecting the valuation of stock.
• Loan – there is a significant loan that requires to be repaid, leading to the risk of non-payment, working capital
issues and, ultimately, a going concern risk, affecting the whole financial statements.
Back to activity

Enquiry alone is not sufficient because the purpose of an audit is to provide an independent opinion on the
truth and fairness of the financial statements.
The auditors must form their own opinion by performing their own procedures. They cannot simply take the
client’s word for things.
All enquiries should be corroborated, i.e. there should be evidence gathered to support management’s
assertions.
Back to activity
1. Materiality is defined as an expression of the relative significance or importance of a particular

matter in the context of the financial statements as a whole. A matter is considered to be material if
its omission or misstatement would reasonably influence the economic decisions of the users of the
2. Directors’ remuneration – by nature this account can be material. Consequently, although a misstatement
in this account could be immaterial for the accounts as a whole, for that particular balance a small
misstatement could be considered material.
Accounting policies are another example of an item which is material in nature. If accounting policies are
inappropriate, then the whole of the financial statements could be materially misstated.
Back to activity
1. The company’s recent results mean that bank covenants will be breached: Incentive
2. There is a lack of controls over the sales process, with a lack of segregation of duties in the process:
Opportunity
3. Staff believe they are over-worked and underpaid: Rationalisation
4. Management are remunerated by bonuses based on meeting revenue targets: Incentive
Back to activity
Notes

Items requiring further investigation or additional audit procedures include:
1. Revenue for March 20X9 shows a significant dip compared to 20X8: this may indicate that revenue is
understated for March 20X9 and requires investigation.
2. Revenue for October 20X9 shows a significant peak compared to other months in 20X9 and to the
prior year when revenue was steady across the final quarter of the year: this may indicate that revenue
is overstated in October 20X9 or that revenue from November 20X9 has been incorrectly recorded in
October.
3. IT auditing and reporting revenue was relatively consistent (with a slight decline) between 20X6 and 20X8,
while the revenue for IT consultancy services was increasing consistently in 20X6 to 20X8. However both
showed significant jumps in terms of the proportion of revenue they made up in 20X9. This may indicate a
change in the nature of the services provided by ITSC or may indicate that revenue is misstated in these
areas.
4. Similarly, revenue from monitoring and maintenance services was relatively consistent (with a slight
decline) from 20X6 to 20X8 but made up a much smaller proportion of total revenue in 20X9. This may
indicate that monitoring and maintenance services revenue is understated or that other revenue streams
are overstated.
Back to activity
Notes

Systems and Controls
Contents
16.3 Overview 330
16.3.1 Audit Risk Model – Recap 330
16.3.2 Timing 331
16.4 Understanding and Documentation 331
16.4.1 The Impact of the Internal Control Components 332
16.4.2 Control Environment 332
16.4.3 Risk Assessment Process 333
16.4.4 Entity-Level Controls 334
16.5 Information Systems 334
16.6 Walkthroughs 335
16.6.1 Using Audit Data Analytics (‘ADA’) for Process Mining 335
16.7 Control Activities 338
16.7.1 Approach to Tests of Control 338
16.7.2 Writing a Test of Control 343
16.7.3 Testing Stock Counts 346
16.7.4 Evaluation of Results 347
16.7.5 Controls Reliance 347
16.8 Assessing ROMM 348
16.9 Audit Work Programmes 349
16.10 Summary 350

16. Audit Process: Systems and Controls
16.1 Introduction
Looking at the audit process diagram, the auditor is now at the third stage of the audit process – the systems and
controls analysis stage.
Risk Assessment
Systems
Substantive
Testing
Analysis
Internal control systems were covered in Modules 3, 4 and 5 from the entity’s perspective. In this module, we will
consider the impact that these systems and controls have on the auditor’s work.
1. explain how an auditor will perform a systems and control review;

2. describe audit data analytics and explain how they are applied throughout the audit process; and
3. explain how the auditor assesses and uses control risk in performing the audit.
Notes

16.3 Overview
This stage often commences prior to the year end, as systems and controls form part of understanding the entity,
as discussed in Module 15. This stage involves the following tasks:
• understanding and documentation of processes, systems and controls;

• walkthrough of systems;
• evaluation of the design of controls;
• tests of control;
• assessment of the risk of material misstatement (‘ROMM’); and
• production of audit programmes in response to risk.
The overall aim of this stage of the audit process is to determine the level of control risk in the entity and as such,
conclude on the ROMM in the financial statements and hence the level of substantive testing required at the final
stage of the audit.
16.3.1 Audit Risk Model – Recap
Activity 1
In Module 13, the audit risk model was introduced. Identify and define the components of the audit risk model.
Solution
Notes

16.3.2 Timing
On larger audit engagements, most of the work relating to systems and controls will be performed pre-year end
during the interim audit. The purpose of this is to spread the workload across the year to manage the staffing
requirements effectively.
On smaller engagements, an interim audit may not occur as it would not be cost effective. In such cases, most
systems and controls work will be performed post-year end, but in advance of the substantive testing stage.
16.4 Understanding and Documentation
Control risk is assessed by gaining an understanding of how effectively an entity controls its accounting systems
and its financial statement preparation process. This does not just focus on testing controls within specific
systems (e.g., payroll or sales), but requires an overall understanding and assessment of the entity’s entire
internal control system.
Activity 2
In Module 3, we identified and defined five components of internal control. Match the definitions of each of the
five components of an internal control system to the correct heading.
Components Definition
Control environment a) Companies use them to record financial transactions and non-financial data and to
maintain accountability for the related assets, liabilities and equity.
Risk assessment b) The overall attitude, awareness and actions of directors and management
process regarding control activities and their importance in the company.
Information systems c) This involves an ongoing assessment by management of the performance of

internal control systems.
Control activities d) The process by which business risks are identified and managed by the entity.
They should be carried out on a regular basis.
Monitoring of controls e) The policies and procedures that management put in place to ensure that their
directives are carried out.
Solution
To assist the auditor in their assessment of an entity’s systems and controls, ISA (UK) 315 Identifying and assessing
the risks of material misstatement identifies that the auditor must obtain and document an understanding of these
five internal control components to be able to conclude on the level of control risk.

16.4.1 The Impact of the Internal Control Components
The quality of each of the five components impacts the audit approach adopted by the auditor. In this section, we
consider the audit impact of each component.
Component Impact
Control environment • indicates the likelihood that control activities will operate effectively
Risk assessment • allows the auditor to follow up on business risks identified by the entity and to
process consider the impact of these business risks on the financial statements; and
• highlights risks which the entity has failed to detect, hence identifying possible
uncontrolled risks and weaknesses in the entity’s internal control system
Information systems • determines how the entity’s accounting records and financial statements are
produced; and
• helps to assess the quality of the information systems to determine the integrity
of the financial statements
Control activities • helps to assess whether control activities effectively mitigate the risks identified
and helps reduce the ROMM
Monitoring of controls • allows the auditor to consider the likelihood that control activities will continue to
operate effectively to reduce the ROMM
If any of these components of the internal control system are ineffective, this will increase control risk.
16.4.2 Control Environment
The control environment encompasses the management style, corporate culture and values shared by all
employees. It provides the background against which the various control activities operate.
The overall control environment includes such matters as the accuracy of the budget-setting process and the
presence of an internal audit function.
A strong control environment does not, by itself, ensure the effectiveness of the overall internal control system.
Notes

The control environment sets the tone of an organisation, influencing the control consciousness of its people.
Therefore, a corporate culture that is committed to ethical values and promotes ethical thinking should
influence the decisions and ethical choices of its employees and other stakeholders.
Example
Some examples of practices that indicate a strong control environment would be:
• each new employee receives a thorough induction;

• employees’ roles and responsibilities are clear;
• reporting lines are clear and are well communicated;
• clear procedures are documented and communicated, and non-compliance is deterred;
• employees are encouraged to behave ethically and in a professional manner; and
• an internal audit function exists.
In assessing the adequacy of the control environment, the auditor would gain an understanding of the above items
as well as collecting evidence to support the existence of the practices. This may include inspecting documentation,
observing practices taking place or enquiring of staff or management.
16.4.3 Risk Assessment Process
An entity must be able to identify its risks before it can control them. The risk assessment process covers the entity’s
process from identifying risks through to assessing their likelihood and impact. Where this process works effectively,
an entity is more likely to be aware of its risks and can therefore control them – reducing control risk for the auditor.
The auditor must understand the process in place to assess whether the entity’s risk assessment process is
effective.
Notes

16.4.4 Entity-Level Controls
As described in Module 3, a company will have a number of entity-level controls which will help establish the tone
and culture of the organisation. In assessing the control environment, risk assessment process and monitoring
of controls the auditor must gain an understanding of the entity-level controls in place. This can give the auditor
assurance that the information systems and control activities are likely to operate effectively. It is important, however,
that the auditor obtains evidence that entity-level controls not only exist but are actively used and understood by the
organisation.
Example
An example of an entity-level control would be a clear health and safety policy that is both in place and
followed by all employees, for example through training or regular communication. This would help mitigate
against the risk of accident or failure in safe working practices.
Therefore, the auditor may look to inspect a copy of the policy during their audit testing to confirm that it is
reasonable and make enquiries with employees to confirm that it is being used and that training is provided.
The testing of entity-level controls as well as the control environment and the risk assessment process will be
covered in more detail in TPS Assurance and Data.
16.5 Information Systems
The auditor must ensure that they gain a thorough understanding of the information systems in place at an entity
and should be able to see how transactions that impact the financial statements are generated. Understanding the
process also extends to how the process is controlled.
The auditor will gain an understanding of the information systems by:
• enquiries with the entity’s employees;

• inspection of the entity’s procedural and systems manuals;
• observation of the system in operation;
• inspection of the prior year audit file; and
• inspection of the prior year management letter (the letter to management suggesting control activity
improvements – as discussed in Module 14) to see whether any improvements were suggested and whether the
entity has implemented any of the recommendations.
Notes

The auditor must document their understanding of the information systems, including where control activities have
been identified.
Once documented, the auditor must corroborate their understanding of the information system with the entity,
commonly through discussion and ‘walkthroughs’.
16.6 Walkthroughs
Once a system has been documented, a walkthrough should be completed to confirm that the auditor’s
understanding of the process is correct.
Walkthrough: where the auditor selects one or more transactions relating to a specific system and follows
them through the system from initiation to settlement and reporting.
This may identify information flows or controls that were not included in the documentation. It may also identify areas
where controls are not operating, are missing or are ineffective.
Note: A walkthrough is not a test of control. It is a process to verify that the systems are operating as described by
the entity and to confirm the auditor’s understanding of the system.
Example
A walkthrough of a purchases system is being completed. In order to do this, a purchase transaction is

selected and the process is evidenced from start to finish, covering ordering the goods, receipt of the goods,
receipt and processing of the invoice and payment of the invoice. The auditor’s documentation of the process
and related controls are reviewed and confirmed for each stage of the purchases system.
16.6.1 Using Audit Data Analytics (‘ADA’) for Process Mining
Process mining is an ADA tool which allows a client’s process to be mapped where the data is available. This allows
the auditor to understand the key processes at the client as well as identify where deviations exist in the process. As
a result, process mining can be used in place of a walkthrough where the client has sufficient data available (this is
more likely in a sophisticated IT process as opposed to a manual process). The in-depth analysis can also allow the
auditor to identify risks of fraud within specific processes due to the override of controls. The example below shows a
basic example of a client’s purchasing process.
Notes

Example
Consider the overall The objective of the ADA is to identify any deficiencies within the
objective of the ADA and purchasing process, including the risk of controls being circumvented
how it will be achieved by employees by identifying any paths taken by transactions outside the
standard process flow.
Obtain and cleanse the Data was extracted from the client’s system by the audit team and did
data to be used in the not require any cleansing. The data included all transactions in relation
ADA to the purchase process, including non-financial data such as dates of
transactions, approvals of documents, who initiated transactions and
unique transaction identifiers.
Consider whether the The data has been checked for accuracy, completeness, validity and
data to be used is reliability by the audit team. No issues were identified.
Carry out the ADA The ADA was carried out successfully by the audit team. The output,
technique summarised below, highlighted a number of areas where processes had
not been performed in line with normal expectations.
Evaluate and report on The audit team reviewed the outputs of the ADA tool. It was noted that all
the result of the ADA controls had been bypassed on at least one occasion, but in many areas
these seemed to be isolated incidents. However, systematic issues were
identified when obtaining order approval of purchase requisitions and in
the value of payments for purchase invoices. The auditor identified that
further work is required to confirm the nature of the suspected ‘isolated’
incidents as well as understanding the nature and impact of the systematic
issues identified. The risk in relation to purchases, payables and cash
payments is increased as a result of the ADA.
Notes

Order requested by user department
(Purchase requisition created)
Missing order
approval from
user department
manager (501)
Order accepted by purchasing
department and sent to supplier
(Purchase order created)
Missing appropriate
purchasing
department
approval (2)
Order received by
warehouse (GRN created)
Order received
without
corresponding
purchase order (15)
Invoice received by
accounts department
Invoice accepted
without agreement
to GRN (68)
Invoice recorded in Invoice recorded
accounting system in accounts does
not agree to invoice
amount (9)
Pay invoice
Payment amount
not in agreement Amount recorded in
to corresponding accounts does not
invoice (98) Payment recorded in agree to payment
financial accounts amount (6)
The above visualisation shows the ordinary process for a transaction within the purchases process (shown by the
thick arrows). The dashed arrows represent where a bypass in the process or a control has taken place. The box
indicates the number of instances of the override of the system.
Notes

16.7 Control Activities
As described in Module 3, control activities are the policies and procedures that management put in place to ensure
that their directives are carried out.
At this stage, the auditor should understand the entity’s control activities. Effective control activities can reduce
control risk and, hence, the risk of material misstatement in the financial statements.
Therefore, the auditor’s aim is to be able to place reliance on the effectiveness of the control activities. This allows
the auditor to assess the control risk as low and, therefore, reduce the amount of substantive testing required.
16.7.1 Approach to Tests of Control
The auditor must perform three steps in relation to the entity’s control activities to determine whether they can be
relied upon:
• identify key controls;

• assess the design of key controls; and
• test whether key controls operated effectively throughout the year.
It is not necessary or efficient for an auditor to test every control the entity has in place.
Step 1: Identify key controls
Key control: a control that mitigates the ROMM and that the auditor intends to rely on.
The auditor identifies the key controls so that they can adopt an efficient approach by only testing those controls that
will reduce the risk of a material misstatement arising in the financial statements.
Step 2: Assess the design of key controls
Once key controls have been identified, the auditor will only wish to test controls that are designed effectively (i.e.,
the control’s design would allow the control to mitigate the corresponding risk).
When testing the design of a control activity, the auditor considers whether the procedure would be effective in
achieving its stated objectives.
Notes

Example
A restaurant has decided to put in a physical control over cash to detect when there is a theft from the till – a
CCTV camera.
Good design
The CCTV camera will be pointed at the till.
Poor design
The CCTV camera is pointed towards the front door.
In this example, the poorly designed control will not prevent cash being stolen so it is not achieving its
objective. The design is separate from the operation; the operation of the control would be that the camera
would have to be switched on and recording.
Step 3: Test operating effectiveness of key controls
A well-designed control will still be ineffective if it is not applied or used. The conclusion on whether an auditor can
rely on a control activity will ultimately come down to how well it works in practice. That will be ascertained by
testing the operation of the control activity.
Notes

Example
Control: lock on the door of the stock room (physical control) to restrict unauthorised access to inventories
and reduce the risk of theft.
Is it designed effectively?
• Are there any other doors to the stock room that aren’t locked?
• How many keys are there and who has them?
If the other door to the stock room has no lock, or the key is hung up for anyone to use, then the control will
never be effective in preventing access to the stock room.
Is it operating effectively?
Assuming the control is well designed, to test the operation of the control, we would check if the door is locked
in practice, and if there really is only one key in use.
Where controls are designed appropriately the auditor must perform test of controls to be able to conclude on
control risk.
Tests of controls: audit procedures performed by the auditor to determine whether the control activities
operated as documented throughout the period under review.
It is necessary to test the operation of key control activities throughout the financial period, not just at the year end,
because the financial statements will include transactions that have occurred throughout the financial year.
Techniques
Tests of control can involve:
• enquiring of staff to confirm the operation of a control activity;

• inspection of documents or evidence of management reviews;
• observing procedures and control activities being performed; and
• reperformance of procedures by the auditor.
When performing tests of controls, it is essential to test that the control was in operation throughout the whole
financial period under review, focusing on higher risk periods (e.g., periods where staff are on annual leave).
Notes

Technique Explanation Reliability Level Example
Enquiry Useful when it may be Low – staff can easily Control: The financial
hard to find specific manipulate the truth or controller chases aged debtors
source evidence to test claim that activities have by telephone monthly, but
a control activity. occurred. Enquiry alone is not keeps no written record of the
sufficient to test the operating calls.
effectiveness of controls.
Test of control: Enquire of the
financial controller regarding
the procedures followed, the
typical responses and any
significant issues noted.
Observation Useful when it may be Medium – staff are more likely Control: The financial
hard to find specific to perform a control effectively controller chases aged debtors
source evidence to test when being observed. by telephone on a monthly
a control activity. basis, but keeps no written
record of the calls.
Test of control: Observe

the control activity being
performed.
Inspection Source documents High – original documentation Control: The finance director
are inspected for will evidence how the control signs the payroll listing to
evidence of compliance was performed. authorise payment.
with authorisation
Test of control: Inspect the
procedures, evidence
payroll listing for evidence of
of review, and evidence
the finance director’s signature.
of matching with other
source documents.
This is a very common
technique in practice.
Re- The auditor might High – agreement between Control: Employees’

performance reperform a control how the auditor and client computers are password
activity to ensure it is performs a control indicate it is protected.
effective. performed effectively.
Test of control: The auditor
However, it is often not attempts to access an
possible to test a control employee’s computer without
through reperformance (e.g., knowing the password.
stamping an invoice as paid).

Selecting the appropriate technique
One technique alone is rarely sufficient due to the limitations of each testing technique.
Example
• As discussed in 16.4.4 a company may have a health and safety policy to help mitigate against the risk of
accidents. Inspection of the policy document is insufficient evidence that the control has actually operated
effectively during the period – only that it exists, not that it is communicated or followed. The auditor
should enquire of staff’s knowledge of the policies and observe the policies and related procedures being
applied.
• Inspection of a reconciliation is insufficient evidence that it has been performed correctly. The auditor
should also reperform the reconciliation.
Activity 3
For each control listed, taken from the purchases cycle (Module 4), select the most appropriate test of control.
You should consider each of the following:
• whether the test of control is effective in testing the control;

• whether the test of control is designed effectively;
• whether the testing technique is appropriate/ possible; and
• whether the testing technique is the most reliable.
Notes

Control Test of Control
Staff perform a a) E
nquire of warehouse staff as to the procedure for performing quantity and quality
quantity and quality checks and whether it is ever neglected
check upon receipt
b) O
bserve the warehouse staff performing a quantity and quality check on a random
of goods, with
sample of occasions throughout the year
agreement to the
purchase order c) Inspect the purchase order for goods despatched
Perform monthly a) Reperform a sample of supplier statement reconciliations from throughout the period
supplier statement and follow up on any differences noted
reconciliations and
b) Inspect a sample of supplier statement reconciliations
follow up on any
differences c) Observe a monthly supplier statement reconciliation being completed by staff
Invoices are matched a) D

iscuss the process for matching invoices to GRNs and whether it is performed
to GRNs before before invoices are processed
processing
b) Reperform the matching of GRNs to invoices
c) Inspect a sample of invoices and agree to evidence on the client’s system that they
were matched to GRNs before processing
Solution
16.7.2 Writing a Test of Control
It is important that the test of control clearly states what the auditor will do to test that the control operated effectively
throughout the period.
A well written test of control should contain each of the following:
• a testing technique (enquiry, observation, inspection or re-performance);

• the control activity being tested; and
• what is being checked.
Notes

Example
Control: GDNs are marked as ‘invoiced’ once invoiced, and the system will not allow two invoices to be
processed for the same GDN.
Test of control: For a sample of invoices, select the corresponding GDN and inspect (testing technique) for
evidence that (what is being checked) the corresponding GDN is marked as ‘invoiced’ and that the system will
not allow a further invoice to be raised (control).
Note: A test of control must involve the testing of a procedure which the entity has already performed.
Activity 4
Write a test of control for the following control activity, taken from phase 1 of the sales cycle (Module 4):
All new customers are subject to a credit check before being accepted.
Solution
Notes

Activity 5
Write a test of control for the each of the following controls taken from the payroll cycle (Module 5).
Control Test of control
Report run each month

of employees not paid
in consecutive months
to identify any possible
omissions
Final payroll run is signed

as authorised by the finance
director after agreeing to
supporting documentation
Payroll listing marked as

‘paid’ once payment made.
The system will not allow
payment to be processed
twice.
Solution
Notes

16.7.3 Testing Stock Counts
We saw in Module 5 that the stocktaking process is an important control that management has over the accuracy
of stock records. Where stock is material to the financial statements ISA (UK) 501 Audit evidence – specific
considerations for selected items requires the auditor to obtain sufficient, appropriate evidence with regards to its
existence and condition by attending the physical stock count (unless impractical).
If this stock count is performed at the year end, then the auditor can:
• confirm the integrity of the controls that management has in place over the systems to record stock quantities
and conditions;
• perform tests of control over the stock count; and
• perform substantive procedures over the completeness and existence of the stock balance (see Module 19).
The auditor will obtain an understanding of the procedures used by the organisation to carry out and control stock
counts. The auditor will also observe how the entity performs the stock count to check that procedures are being
followed and are in line with the design of the control activity.
An important test of control that the auditor will perform when attending the stock count is referred to as ‘test
counts’. Test counts involve the reperformance of the entity’s counts to determine whether the entity is counting
the quantities accurately.
Type of test count Floor-to-sheet Sheet-to-floor
Test of control Select a sample of stock items from the Select a sample of stock from the stock
warehouse floor and agree that they are listing and agree that they are held in the
included on the stock listing warehouse
Why? To check that all stock items in the To check that all stock items on the stock
warehouse are included in the stock records exist in the warehouse, and
records, and therefore, the records are therefore, that stock is not overstated
complete
Notes

16.7.4 Evaluation of Results
All errors found in tests of controls must be investigated. The value of the error is not important, as it is the
procedure being tested and not the amount of the transaction or balance.
If an error is found, it may be that the error can be localised to a particular period (e.g., if they only occurred when a
particular employee was on holiday). This will determine the conclusion on the effectiveness of the control.
Can the error be

localised?
YES NO
Control operated
Control has not
effectively for the
operated effectively
year except for the
throughout the year
period identified
16.7.5 Controls Reliance
At this stage, the auditor can decide on whether a ‘controls reliance’ approach can be adopted for the audit. This will
allow for an assessment of control risk.
Results of Tests of Control Control Approach Control Risk
Controls are designed well and Controls Reliance Low

operated effectively throughout
the year
Controls are designed ineffectively No Controls Reliance High

or not operating correctly
Notes

16.8 Assessing ROMM
At the end of the systems and controls analysis stage of the audit, the auditor must be able to conclude on
inherent risk and control risk, that is, ROMM. The level of the ROMM in the financial statements will determine the
level of detection risk – the higher the ROMM, the lower the detection risk and vice versa.
Remember from Module 13 that detection risk is the risk that the auditor’s procedures will not detect a material
misstatement that exists in the financial statements. It is the balancing figure in the audit risk equation, and the only
risk that the auditor can influence. The level of detection risk has a direct impact on the level of substantive testing
that the auditor must perform on the financial statements.
Activity 6
High detection risk – The auditor has concluded that ROMM is low, therefore, is willing to accept a higher
risk of not finding material misstatements in the financial statements.
What is the impact on the level of substantive testing that the auditor will perform?
Low detection risk – The auditor has concluded that ROMM is high, therefore, will only accept a low risk of
not finding material misstatements in the financial statements.
What is the impact on the level of substantive testing that the auditor will perform?
Solution
The level of detection risk and the consequential amount of substantive testing is a matter of auditor judgement, so
should be considered by the audit manager or someone with significant audit experience.
Notes

16.9 Audit Work Programmes
Once the detection risk has been established, the audit work programmes can be designed for substantive testing.
This will be considered in further detail in Modules 17 – 20.
earning Outcomes 1, 2 and 3: Explain how an auditor will perform a systems and control
L
review, how ADAs can be used within the audit process and how the auditor assesses and
uses control risk
The systems and controls analysis stage often commences prior to the year end and involves several steps.
These steps will result in the auditor finalising the ROMM for the engagement and, therefore, setting detection risk.
This will depend on whether a ‘controls reliance’ approach is adopted.
You should now be able to meet the first and third learning outcomes for this module. The second learning outcome
of the module was discussed in Module 15 and will be considered further in Modules 17 and 19.
Notes

16.10 Summary
The approach to systems and controls work can be summarised by the following diagram:
Understand and document

components of internal control
Understand and document

information systems
Perform walkthrough
Control activities Identify key controls
Assess control design
Test operation
Assess ROMM Evaluate results
Produce Audit Work Programme
Notes

The work undertaken on the entity’s systems and controls will allow the auditor to reach a conclusion on:
• the level of control risk at the entity;

• the level of the ROMM in the financial statements;
• the level of detection risk required to minimise audit risk; and
• the level of substantive testing required.
Notes

Audit risk is the product of three different components:
• Inherent risk;
• Control risk; and
• Detection risk.

= x x
AR IR CR DR
The susceptibility of The risk that the entity’s The risk that the
a financial statement controls will not prevent auditor’s procedures
account to a material or detect and correct a will not detect material
misstatement, material misstatement misstatements that
irrespective of related in the financial exist in the financial
internal controls statements statements
Back to activity
Notes

Components Definition
Control environment b) The overall attitude, awareness and actions of directors and management
regarding control activities and their importance in the company.
Risk assessment d) The process by which business risks are identified and managed by the entity.
process Risk assessments should be carried out on a regular basis.
Information systems a) Companies use them to record financial transactions and non-financial data and to
maintain accountability for the related assets, liabilities and equity.
Control activities e) The policies and procedures that management put in place to ensure that their
directives are carried out.
Monitoring of controls c) This involves an ongoing assessment by management of the performance of

internal control systems.
Back to activity
Notes

Staff perform a quantity and quality check upon b) Observe the warehouse staff performing a
receipt of goods, with agreement to the purchase quantity and quality check on random occasions
order throughout the year
Perform monthly supplier statement reconciliations a) Reperform a sample of supplier statement

and follow up on any differences reconciliations from throughout the period and
follow up on any differences noted
Invoices are matched to GRNs before processing c) Inspect a sample of invoices and agree to
evidence on the client’s system that they were
matched to GRNs before processing
Quantity/ quality check

• Enquiring of staff is generally considered to be the least reliable test of control technique and should be
used in conjunction with other controls
• Inspecting the purchase order would not test the control listed
Supplier statement reconciliations

• The inspection test of control gives no information about what is being inspected and therefore will not
identify whether the reconciliation has been completed correctly
• Reperforming the supplier statement reconciliation after it was completed is a better control than
observing as it would not give staff an opportunity to perform the reconciliation more effectively due to
being observed
Invoice and GRN matching

• Enquiring of staff is generally considered to be the least reliable test of control technique and should be
used in conjunction with other controls
• Reperforming matching would provide no information as to whether the control is operating effectively, as
it would not evidence that the client had done it
Back to activity
Notes

For a sample of new customers, inspect (testing technique) a copy of the credit check assessments (control)
for evidence that they were completed before customers were accepted (what is being checked).
Back to activity
Report run each month of employees not paid in For a sample of months, inspect the report run for
consecutive months to identify any possible omissions evidence that employees not paid in consecutive
months were followed up.
Final payroll run is signed as authorised by the For a sample of payroll runs during the year, inspect
finance director after agreeing to supporting the payroll run for evidence of the finance director’s
documentation authorisation signature.
Payroll listing marked as ‘paid’ once payment made. For a sample of paid payroll listings, inspect that
The system will not allow payment to be processed the payroll run has been marked as paid. Attempt to
twice. process payment again and confirm that the system
will not allow it.
Back to activity
High detection risk
Where the auditor is willing to accept a higher risk that material misstatements will be missed, this will result
in a lower level of substantive testing.
Low detection risk
Where the auditor is willing to accept a lower risk that material misstatements will be missed, this will result in
a higher level of substantive testing.
Back to activity
Notes

Module 17. Audit Process: Evidence
Contents
17.3 Audit Evidence 357
17.4 Assertions 358
17.4.1 What are Assertions? 358
17.4.2 Why use the Assertions 361
17.5 Sufficient, Appropriate Audit Evidence 362
17.5.1 Appropriateness 362
17.5.2 Sufficiency 368
17.6 Audit Data Analytics 370
17.6.1 Procedures to gain assurance over the reliability of data 371
17.6.2 Data subject to cleansing by the audit team 373
17.7 Collection of Audit Evidence 374
17.7.1 Selecting items to test 374
17.7.2 Evidence Collection Techniques 378
17.7.3 Substantive Testing Approaches and Use of Techniques 379
17.7.4 Substantive Testing versus Tests of Controls 379
17.7.5 Documenting Substantive Procedures 380
17.8 Substantive Analytical Procedures 381
17.8.1 Analytical Procedure Process and Techniques 382
17.8.2 Approach to Analytical Procedures 382
17.8.3 Using Audit Data Analytics to Perform Substantive Analytical Procedures 384
17.8.4 Practical Approach to Developing an Expectation/ Prediction 385
17.8.5 Reliability and Relevance of Substantive Analytical Procedures 386
17.8.6 Analytical Procedures – Exam-style Questions 387
17.9 Summary 391

17. Audit Process: Evidence
17.1 Introduction
Looking at the audit process diagram it can be seen that the auditor is now at the penultimate stage of the audit
process – the substantive testing stage.
Risk Assessment
Systems
Substantive
Testing
Analysis
1. explain the assertions and why they are required;

2. explain what is meant by sufficient, appropriate evidence and illustrate the factors to be considered in
determining whether sufficient, appropriate evidence has been obtained;
3. describe audit data analytics and explain how they are applied throughout the audit process;
4. explain the various techniques available to collect audit evidence; and
5. apply analytical techniques as a method of gathering audit evidence.
Achieving these outcomes will help you to meet the seventh and eighth learning outcomes for the course as per the
syllabus.
17.3 Audit Evidence
Module 13 introduced evidence as one of the fundamental concepts of auditing and explained the necessity of
gathering evidence to form an opinion. The nature, timing and extent of evidence gathered depends on the risk of
material misstatement (‘ROMM’).
Notes

Module 13 described three methods by which an auditor can gather audit evidence, two of which should be
completed before the substantive testing stage. Can you identify the three methods?
Solution
Once the ROMM has been concluded on, the auditor is able to determine the evidence that must be sought in
relation to the numbers within the financial statements. This type of testing is known as substantive testing.
Due to the inherent limitations in internal control (discussed in Module 3) the auditor must always perform some
substantive procedures.
17.4 Assertions
17.4.1 What are Assertions?
To be able to reach an overall opinion, the auditor needs to collect evidence in relation to the financial statements.
However, there are some practical problems related to assessing whether the financial statements give a true and
fair view:
• The overall audit objective is extremely wide. Consequently, there is a danger that the auditor might fail to
perform sufficient work to achieve the overall objective; and
• An audit must not only be done, it must be seen to be done. An auditor must be able to demonstrate
the thought processes behind the audit, if necessary, and show that the work performed was adequate and
conclusions drawn were soundly based.
Notes

Therefore, the auditor breaks down the overall audit objective to make it more manageable. In preparing true
and fair financial statements, management, implicitly or explicitly, makes assertions regarding the recognition,
measurement and presentation of those financial statements. Therefore, to ensure auditors are breaking down the
overall objective in a consistent manner, ISA (UK) 315 Identifying and assessing the risks of material misstatement
clarifies how this should be done. The auditing standard identifies and defines detailed objectives called ‘assertions’
for transactions and balances, including the related disclosures. The assertions allow the auditor to consider the
different types of potential misstatements that may occur.
To aid your understanding additional explanations have been provided.
Balances (Balance Sheet) Assertions:
Assertion Definition Explanation
Existence (‘E’) Balances exist and are genuine. Are the balances real? Do they genuinely
exist at that point in time?
Completeness Balances (and related disclosures) that Have any balances or disclosures been
(‘C’) should have been recorded have been omitted and is everything included that
recorded. should be?
Accuracy, Balances (and related disclosures) are Are the amounts correct and has the
valuation and recorded at appropriate amounts and in balance been accounted for in line with UK
allocation accordance with the accounting standards. GAAP/ IFRS?
(‘AVA’)
Classification Balances have been recorded in the proper Have any balances been recorded within the
(‘Cl’) accounts. wrong nominal ledger account, and ultimately
the wrong section of the financial statements?
Rights and The entity holds or controls the rights to Is the company required to pay for/
obligations assets, and liabilities are the obligations of recognise the liability? Is the entity entitled
(‘R&O’) the entity. to receive money for, or future value from,
the asset?
Presentation Balances are appropriately aggregated Are all balances fully disclosed in line with
(‘P’) or disaggregated and clearly described, accounting standards and company law,
and related disclosures are relevant and including any disaggregated information
understandable. required?
Notes

Transaction (P&L) Assertions:
Assertion Definition Explanation
Accuracy (‘A’) Amounts and other data relating to Are the amounts correct and has the
transactions (and related disclosures) have transaction been accounted for in line with
been recorded appropriately. UK GAAP/ IFRS?
Cut-off (‘CO’) Transactions and events have been Are all transactions recorded correctly pre
recorded in the correct accounting period. and post year end?
Occurrence Transactions and events that have been Did the transaction actually take place in the
(‘O’) recorded or disclosed have occurred and period and does the company have the right/
pertain to the entity. requirement to recognise the transaction?
Completeness All transactions and events (and related Have any transactions or disclosures been
(‘C’) disclosures) that should have been recorded omitted and is everything there that should
have been recorded. be?
Classification Transactions and events have been Are the transactions recorded in the correct
(‘Cl’) recorded in the proper accounts. profit and loss nominal ledger account, and
ultimately the correct section of the financial
statements?
Presentation Transactions are appropriately aggregated Are all transactions fully disclosed in line
(‘P’) or disaggregated and clearly described, with accounting standards and company
and related disclosures are relevant and law, including any disaggregated information
understandable. required?
Note: Occurrence is the equivalent to existence AND rights and obligations in the balance sheet. Balances exist as
at the year-end date, whereas transactions have occurred during the financial year.
The ISAs (UK) allow auditors to express the assertions differently (i.e., an auditor could combine Accuracy, Valuation
and Allocation and Accuracy into a ‘Valuation’ assertion) provided that all aspects of the assertions described in the
ISAs (UK) are covered. For the purposes of TC AR the assertions per the ISAs (UK) will be used.
Notes

17.4.2 Why use the Assertions
These assertions give the auditor:
1. a clearer definition of specific audit objectives – enabling the auditor to focus on key areas; and
2. a clearer demonstration of work done – the auditor can demonstrate that the audit has been performed in
accordance with the auditing standards and relevant company law.
Using Assertions
The auditor must give an opinion on the financial statements as a whole. The first step to help with this is to
decide whether each material balance, transaction and disclosure is correct. In order to make this decision the
auditor will check, for each material figure, that each of the assertions are achieved. If each assertion is ‘met’
for each material balance, transaction and disclosure this will help the auditor to form the overall opinion on the truth
and fairness of the financial statements.
Example
The auditor has identified that stock is a material balance in the financial statements, and will need to assess
whether the stock balance is accurate in order to decide whether the overall financial statements are true
and fair.
If the auditor can conclude that stock (a balance sheet account) is complete, that it exists, that the client
has the rights to the stock, that stock is valued correctly and presented and classified appropriately then the
auditor can conclude that the stock balance is correct in the financial statements.
Learning Outcome 1: Explain the assertions and why they are required
The ISA (UK) 315 defines assertions for balances and transactions:
• Balances: E, C, AVA, Cl, R&O, P

• Transactions: A, CO, O, C, Cl, P
Notes

The assertions are required as they give the auditor:
• a means of breaking down the wide overall audit objective;

• a clearer definition of specific audit objectives;
• a clearer demonstration of work done; and
• a means of checking each material balance, transaction and disclosure is correct.
17.5 Sufficient, Appropriate Audit Evidence
ISA (UK) 500 Audit evidence states that auditor must obtain sufficient, appropriate audit evidence on which to
base the audit opinion.
• Sufficiency – a measure of the quantity of evidence; and

• Appropriateness – a measure of the quality of evidence (that is, its relevance and reliability).
17.5.1 Appropriateness
Appropriateness is a measure of the quality of the audit evidence. The auditor will prefer higher quality audit
evidence as it provides a higher level of comfort and assurance.
17.5.1.1 Relevance
For evidence to be relevant it must satisfy one or more of the assertions.
Activity 2 – Recap
Identify the assertions for:
• balances; and
• transactions.
Notes

Solution
Activity 3
Consider whether the following audit test provides relevant assurance over the rights and obligations
assertion:
• The auditor selects a sample of motor vehicles from the fixed asset register and physically verifies them.
If not, can you propose a test that will be relevant in the testing of the rights and obligations assertion for
motor vehicles (i.e., a group of cars)?
Solution
Notes

17.5.1.2 Reliability
The reliability of evidence is affected by both its source and its nature.
Source
There are three sources of evidence:
• auditor generated;
• client generated; and
• third party/ externally generated.
Source of Evidence Explanation Example
Auditor generated Created by processes under the Physically counting petty cash or
auditor’s control inventories
Client generated Includes the accounting Board minutes

records, internal documents and
management representations,
which are all under the control of
the directors
Third party/ externally generated Evidence created by a party Bank statements

external from the client and auditor
Notes

The reliability (including the auditor’s ability to assess quality and the susceptibility to director manipulation) will vary
for each of these sources.
Source of Evidence Reliability Level Ability to assess Susceptibility to

quality Director Manipulation
Auditor generated Highest – least Highest – auditor can Lowest – auditor will not
susceptible to client easily assess the quality be influenced by director
manipulation (although of their own work (although can rely on
can rely on client client information which
information which may may be poor)
be poor)
Client generated Medium – the reliability Medium – the auditor Highest – open to
level will depend on the can perform tests of manipulation, especially
controls in place* control or integrity testing if under the direct
over evidence control of directors
Third party/ externally Varied – evidence Lowest – no means of Varied – evidence

generated from an independent verifying the processes from an independent
knowledgeable third producing the evidence third party is less open
party is more reliable and therefore its quality to manipulation than
than from a source evidence from a source
closely connected to the closely connected to the
audit client audit client
*The auditor cannot use client generated information as evidence unless they have obtained evidence regarding
the accuracy and completeness of the information (by testing the controls or performing an integrity check of the
information).
Notes

Nature
Evidence may vary in nature, but can be split into four categories:
1. Natural evidence – The auditor physically witnesses the event or asset. This is also known as
primary evidence.
2. Created evidence – Documentary evidence, for example, invoices, board minutes, letter from client’s
bank. This is also known as secondary evidence. The auditor should always use originals where
Reliability
possible to avoid tampering.
3. Rational argument – Neither the physical presence of something nor documentary evidence of it,
but instead evidence obtained through applying logic, for example, checking the reasonableness of a
depreciation figure by multiplying the cost of an asset by the appropriate rate of depreciation. This is
also known as circumstantial evidence.
4. Testimonial evidence – Spoken evidence, such as discussions with the client or an auditor’s expert.
Any verbal evidence would need to be documented by the auditor. This is also known as verbal
evidence.
In general, the reliability of evidence decreases as we go down the list. However, if the auditor was trying to
ascertain whether the client had the right to an asset, then the best possible evidence for this assertion would be
title deeds or equivalent, that is, it would take the created form. Natural evidence will not always be available and
therefore evidence of different natures is required during an audit.
Notes

Activity 4
Identify the source and nature of each of the following types of evidence:
1. Accounting records and other internal documents;

2. Physical observation;
3. Statements from third parties, for example, bank confirmation letters;
4. External documents, for example, supplier invoices;
5. Discussions with the client’s payroll team about the payroll process;
6. Trend analysis; and
7. Written statements by management (also known as ‘management representations’).
1.
2.
3.
4.
5.
6.
7.
Solution
Notes

Assessing the reliability of evidence in practical terms
The auditor must consider the reliability of each piece of evidence that they plan to obtain to assess whether or not
the audit procedures will provide appropriate evidence to support the account that is being tested.
Activity 5
Consider the reliability of the following evidence:
1. To confirm that management accounts are thoroughly discussed at the monthly board meeting, the auditor
enquires of three different attendees at the meeting to corroborate this; and
2. In testing cut-off of sales, the auditor has selected goods despatch note (‘GDN’) numbers before and after
the year end that they want to test to ensure that the sales are recorded in the correct period. The client
has provided photocopies of the GDNs selected by the audit team.
What would improve the reliability of the evidence gathered by these tests?
Solution
17.5.2 Sufficiency
It is important for the auditing profession that a balance is found between the amount of evidence required and the
cost effectiveness of obtaining the evidence. To aid with this, the audit areas with a higher ROMM will require a
higher level of evidence.
Notes

The best approach is to look for a balance of evidence (both source and nature) which is sufficient to enable
the auditor to meet the assertions. The auditor should, therefore, examine the consistency of the evidence from
different sources.
Principle of synergy: where evidence from two independent sources is consistent, the sum of the
assurance gained by the auditor is greater than the sum of the individual parts (2 + 2 = 5).
Principle of diminishing marginal effect: where evidence is obtained from one source only, further
consistent evidence from the same source will increase the total audit assurance by less than the sum
of the parts.
Examples
Using a Balance of Evidence (Synergy)
An auditor wishing to confirm a trade receivable balance could examine client generated evidence (invoices,
debtors ledger) and also external evidence (writing to the customer for confirmation of the balance). If they
agree, the auditor can be reasonably satisfied that the figures are fairly stated.
Using One Source (Diminishing Marginal Effect)
An auditor wishing to confirm that payments are adequately supported will verify a sample of payments with
the supporting documentation (e.g., invoices). Beyond a certain sample number, the assurance obtained from
checking additional items would not justify the effort involved in doing the work.
How to determine sufficiency
Sufficiency of audit evidence is a matter of judgement, and will depend, amongst other things, on:
• the level of materiality;

• the assessed ROMM of the figure being tested; and
• the sources and quality of available evidence.
The auditor will construct a programme of tests that will accumulate sufficient evidence to give the assurance
needed.
Notes

earning Outcome 2: Explain what is meant by sufficient, appropriate audit evidence and
L
illustrate the factors to be considered in determining whether sufficient, approriate evidence
has been obtained
The auditor is required to obtain sufficient and appropriate audit evidence, that is, enough relevant and reliable
evidence on which to base the audit opinion.
17.6 Audit Data Analytics
Audit data analytics (‘ADA’) were introduced in Module 15. In that module, a number of steps were discussed that
should be considered when planning, carrying out and evaluating the ADA. One of these was to consider whether
the data to be used is relevant and reliable.
As discussed above, data is relevant where it meets one or more of the assertions. Therefore, we will focus on the
concept of reliability when it comes to using ADAs.
The use of ADAs relies on data (often extracted from the client’s system). This data will primarily be accounting in
nature but may also be accompanied by non-accounting information such as dates, time stamps, staff numbers or
user information. This non-financial data may not be subject to the financial reporting controls that the auditor has
focussed on when performing the systems and controls review.
When obtaining and using data in an ADA the auditor must consider:
• the accuracy and completeness of the information; and

• whether the information is sufficiently precise and detailed for the auditor’s purpose.
Example
In Module 15, an example was provided where an ADA tool was used to perform fraud risk analysis. In this
example, the full general ledger was extracted from the client’s system.
In order to consider this data reliable, the auditor must gain assurance over its reliability, including the
accuracy, validity and completeness of the data. This will involve procedures and tests to provide this
assurance.
Notes

17.6.1 Procedures to gain assurance over the reliability of data
The procedures performed to gain assurance over the data will vary depending on the specific ADA being
performed. However, some examples of procedures are discussed below. Note, that these procedures may also be
used for audit procedures not using ADA.
Procedure Purpose
Agree opening balances to prior year signed financial The opening balances (i.e., the closing balances
statements in the prior year) would have been checked during
the prior year audit and therefore the auditor
should compare that the opening balances of any
extracted data in fact tie back to last year’s accurate
information.
Agree closing balances to financial statements being This is performed to ensure the data used in the ADA
audited ties to the financial statements on which the auditor is
giving an opinion.
Cast and cross-cast1 data Any information provided with totals or sub-totals
should be checked by the auditor to ensure the data
totals are accurate.
Agreeing that the total movement in a dataset To confirm that the data extracted from the client’s
consisting of journals is equal to the total movement in system is complete (no data is missing) and not
that account per the financial statements duplicated.
Testing IT General Controls or other controls around As with any other systems, if the client has strong
the production of data controls (both ITGCs and other) over the production of
data, the auditor has more assurance that the data is
reliable.
Considering the continuity of sequentially numbered Where documents are sequentially numbered,
documents reviewing this sequence may allow the auditor to
identify any incomplete datasets.
1. To cast data means to sum a column of data, to cross-cast means to sum a row of data.
Notes

Procedure Purpose
Considering the characteristics exhibited by data, Reviewing data sets for expected characteristics, for
such as dates or time stamps example transactions being posted during the working
week, may identify where data set is clearly unreliable
if such characteristics are not shown.
Performing sample checks of data lines to The auditor could vouch data information, such as
corroborated evidence dates of transactions or amounts, back to source
documents such as contracts, goods despatch notes
or supplier statements on a sample basis to obtain
assurance over its reliability.
Review data for unusual characteristics such The auditor can perform analysis of datasets to
as duplicates, missing fields or information in identify where data is unreliable as it contains unusual
inappropriate formats or unexpected characteristics.
Agreeing batch totals to the client’s IT systems The auditor may agree data on a total basis back to
the client’s system to confirm that it is accurate and
complete. For example, the auditor may agree the
number of journals posted to revenue from extracted
data back to the number of journals in the client’s
system.
Notes

Example
Above, we discussed an example of an ADA tool used to perform fraud risk analysis. To perform this ADA the
full general ledger was extracted from the client’s system by the audit team. The following procedures were
then performed over the reliability of the data before the ADA technique was carried out:
• Opening balances on all balance sheet accounts agreed to the prior year signed financial statements
• Opening balances on profit and loss accounts confirmed as zero
• Closing balances on all accounts agreed to the draft financial statements
• A check was performed on each account that the opening balance plus the net effect of all journals
through the account equalled the closing balance
• As all journals posted in the client’s system are sequentially pre-numbered, the auditor confirmed that
there were no omissions or duplicates in the sequence
• ITGCs were tested by the audit team and confirmed to be well-designed and to be operating effectively
• A review of all journals was performed to identify whether any unbalanced journals were included in the
data set
• Cash journals were agreed to the client’s bank statements to confirm the validity and accuracy of
transaction to a third party source of evidence
Following the above procedures, the audit team were satisfied that the data was reliable and the ADA
technique was carried out.
17.6.2 Data subject to cleansing by the audit team
As mentioned in Module 15, data extracted from a client’s system may require cleansing before it can be inputted
into the ADA tool.
To ensure that the data remains reliable, the auditor must put in place checks and controls over the cleansing
process.
This will likely involve controls such as the batch controls, review of unusual characteristics and agreement of
opening balances, closing balances and movements to the financial statements discussed above.
Notes

Example
A client’s system may generate output data with a date field formatted in the style 21 December 20X9.
Cleansing the data could involve reformatting the date field to show the date as 21/12/X9, the required format
for input into the ADA tool.
In order to confirm that the dates remain accurate following the data cleanse the auditor may check the
number of transaction in each month pre and post cleansing. If the total of transactions in each month is
the same before and after the cleanse, this provides some assurance that the data is still reliable. This is an
example of using a batch control.
The auditor must consider the reliability of any data to be used when performing ADAs.
The third learning outcome for this module was introduced in Modules 15 and 16, and will be considered further
in Module 19.
17.7 Collection of Audit Evidence
17.7.1 Selecting items to test
The auditor must obtain sufficient, appropriate evidence on which to base their audit opinion. Consequently, the
auditor must choose appropriate means to select items for testing.
These include:
1. selecting the entire population (100% examination);

2. selecting specific items based on judgement (e.g., items of a high value or that are assessed as higher risk); and
3. audit sampling.
The auditor may use one or a combination of the above means to test a population.
Notes

Sampling: testing less than 100% of the population, on a statistical or non-statistical basis, such that all
sampling units have a chance of selection, in order to give the auditor a reasonable basis on which to draw
conclusions about the entire population.
Sampling units: the individual items making up a population. They may be physical items, such as sales
invoices or debtors’ balances, or monetary units (i.e., £1).
The decision regarding the selection of approach will be determined by:
1. The characteristics For example, the population may be made up of a handful of large items or a large
of the population number of similar, smaller items.
2. The ROMM Generally, higher risk areas require more testing. If the ROMM is higher, the auditor
will set detection risk lower, resulting in more work being performed to mitigate the
higher expectation of misstatement.
3. The audit efficiency If the auditor has sophisticated computer programs to perform simple repetitive tasks,
of the approach sample sizes may be able to be increased.
Often a combination of methods will be used.
Examples
1. When testing property, plant and equipment (‘PPE’) additions, if there have only been two additions in the
year then it may be efficient to test the entire population (i.e., both additions).
2. When testing sales, if there are some sales which are more complex, perhaps involving discounts for bulk
orders, or which have been processed by a junior member of staff who appears to have made consistent
errors, then these particular items may be selected for testing using auditor judgement.
3. When testing the remaining sales population, if there is a high volume of very similar transactions (in
terms of size, nature and risk), it may be more efficient to pick a random sample of transactions to test,
either by picking, say, every tenth item, or by using sampling software to generate a random sample.
Notes

Sample selection methods
When selecting items to test using sampling, the auditor has several methods available to them, some of which are
explained in the table below.
Method Explanation
Random Items are selected on a random basis through random number generators.
selection
Monetary A type of value-weighted selection in which the sample size, selection and evaluation results
unit sampling in a conclusion in monetary amounts. Monetary units (i.e., £1) would be selected from the
(‘MUS’) total population and then the auditor would select the items (such as individual invoices) that
contain those monetary units. This results in the effort being directed to larger value items
which can result in smaller sample sizes.
Haphazard The auditor selects the sample with no structured technique but would nonetheless avoid
selection conscious bias or predictability to ensure all items have a chance of selection. This is a form
of non-statistical sampling.
The impact of statistics, including selecting samples through statistical means, is considered further in Module 18.
Extrapolating a sample
When audit sampling is used and the procedures for every item sampled are satisfied, then the auditor will conclude
that the assertion is achieved for the entire population.
If errors have been found, the auditor should investigate the reason for them. ‘One-off’ errors should be identified,
leaving the auditor to project the remaining sample error onto the population as a whole – called ‘extrapolation’.
Extrapolation is possible only where items have been selected using an appropriate method. The projected error
should then be compared to materiality levels to determine whether an adjustment is required.
Notes

Example
The auditor has selected a sample using an appropriate method. The details are below.
Details: Results:
Population Count 50 items Items misstated 4
Population Value £50,000 Value of error in sample £15,000
Sample Count 10 items
Sample Value £30,000
Extrapolation:
% error in the sample = £15k/£30k
= 50%
% error applied to population = 50% * £50k
= £25,000
Activity 6
The auditor has selected a sample using an appropriate method. Calculate the extrapolated error:
Details: Results:
Population Count 100 items Items misstated 6
Population Value £160,000 Value of error in sample £15,000
Sample Count 20 items
Sample Value £75,000
Notes

Extrapolation:
% error in the sample =
% error applied to population =
Solution
17.7.2 Evidence Collection Techniques
Auditors can collect evidence in a variety of ways. ISA (UK) 500 lists the following techniques that can be used for
collecting evidence:
• Inspection of records and documents or tangible assets; I CARE

• Confirmation from a third party;
• Analytical procedures;
• Recalculation by the auditor to check mathematical accuracy;
• Enquiry of client staff;
• Observation of a process or procedure (i.e., a control); and
• Reperformance of a process or procedure (i.e., a control).
Some of these evidence collection methods are more appropriate at particular points in the audit:
Test of Controls Substantive Testing

Confirmation
Observation Inspection of Analytical

documents Procedures
Re-performance Enquiry Inspection of assets
Recalculation
Notes

17.7.3 Substantive Testing Approaches and Use of Techniques
Types of Substantive Testing Approaches
Substantive testing is performed to detect material misstatements at the assertion level and can be broken
down into:
• substantive analytical procedures (testing the total population); and

• tests of details (selecting specific items within the population for testing).
Analytical procedures were introduced in Module 15 but will be revisited in Section 17.8 as a substantive procedure.
Tests of details will be covered in Modules 19 and 20.
17.7.4 Substantive Testing versus Tests of Controls
A test of control is a test of something the client has already done during the year, whereas a substantive
procedure is the auditor’s own test of whether a number in the financial statements is correct at the year end.
Tests of Controls
Audit evidence from tests of controls is obtained through testing what someone else at the client has already done
and provides evidence that the client’s procedures prevent or detect and correct misstatements.
Example
• Observing audit committee meetings (that the client holds);

• Inspecting bank reconciliations (that the client has already completed) to ensure they are performed
correctly and appropriately reviewed; and
• Re-performing a sample of supplier statement reconciliations (that the client has already completed).
Tests of controls are commonly performed during the financial year and examine procedures performed by the
client rather than year-end figures. It gives comfort over the accounting records that are being maintained through
the year by looking at the processes the client has in place.
Substantive Testing
Substantive procedures are the procedures that the auditor undertakes to detect possible misstatements that may
exist in the financial statements, that is, testing the numbers at the year end.
Notes

Example
• Agree fixed asset additions from the fixed asset register (‘FAR’) to invoices;
• Perform a debtors circularisation (confirmation from customers of their balance) to ensure year-end
debtors exist; and
• Agree the year-end bank balance to a bank confirmation letter.
17.7.5 Documenting Substantive Procedures
The substantive procedures due to be performed on a particular financial statement account in response to the
ROMM on the account are documented in an audit work programme.
These should be prepared by someone of appropriate seniority and experience (e.g., the audit senior or manager)
to provide assurance that the audit work programme will be designed to obtain sufficient, appropriate evidence over
the account. Audit work programmes can only be produced after the ROMM has been established, as this allows the
auditor to determine the nature, extent and timing of substantive procedures that needs to be performed in order to
keep audit risk acceptably low.
A typical audit work programme should include, as a minimum:
• the client name;

• the client year-end date;
• a title of the work programme;
• a description of the substantive procedures required in sufficient detail for whoever is going to perform the
test to understand them;
• the assertions met by each substantive procedure;
• initials of the audit staff member who completed the substantive procedure;
• the date the substantive procedure was completed; and
• a work paper (‘WP’) reference to where the substantive procedure work was completed.
Notes

A basic format of an audit work programme is as follows:
Client name: XYZ Limited

Year-end date: 31 March 20X1
Work programme: Cash and cash equivalents
No. Test procedure Assertion(s) Initials Date WP Ref
1. Agree the year-end Completeness, existence, rights &

bank balance to a obligations, accuracy, valuation &
bank confirmation allocation, classification
letter
2.
17.8 Substantive Analytical Procedures
What are analytical procedures and when must they be used during the audit process?
Solution
The term ‘substantive analytical procedures’ is when analytical procedures are used to identify a material
misstatement at the assertion level and therefore the process for performing the analytical procedure is more robust.
This, therefore, must involve the creation of a stronger expectation and a high level of corroboration for differences
identified. Additionally, more reliable analytical procedure techniques should be used.
Notes

17.8.1 Analytical Procedure Process and Techniques
Substantive analytical procedures involve reviewing the figures in the financial statements and comparing them to
other possible sources such as last year’s figures, industry statistics or pre-calculated expected figures. The figures
can be compared in absolute terms, or as ratios or percentages.
17.8.2 Approach to Analytical Procedures
Performing analytical procedures involves several steps:
1. The auditor must form an expectation of the balance being tested based on knowledge of the entity during
the financial year, and then must identify the level of deviation that they are willing to accept between the
expectation and the actual figure;
2. The expected balance should be compared to the actual figure and any differences identified;
3. Differences that exceed the acceptable level of deviation must be investigated and substantiated (consider if
the expectation is inaccurate or if the financial statement figure contains a misstatement); and
4. Conclude whether the figure is correct, whether a material misstatement has been identified or whether a new
area of ROMM has been highlighted. The auditor will consider what further steps are therefore required.
As discussed in Module 15, there are five analytical procedure techniques:
• Comparison;
• Ratio analysis; Planning
• Trend analysis; and Substantive testing
Reasonableness tests, trend analysis and large and unusual items review are considered to be more robust
techniques and are more commonly used during substantive testing.
Reasonableness tests
Reasonableness tests: using the information available to develop a model or formula to calculate the
expected balance.
These commonly involve information that is independent of the accounting records and the finance department
(such as the mileage records of company vehicles) or information that has been subjected to independent audit
Notes

(such as circulation figures for a magazine). Therefore, the evidence obtained using reasonableness tests can be
of high quality and, at its most accurate, will constitute a proof in total if the actual figure is proven to be free from
material misstatement.
A reasonableness test can become quite complicated depending on the circumstances and the account balance
being considered.
It is essential that all components of any reasonableness model developed are themselves backed up by available
evidence.
Trend analysis
Trend analysis: looking at the changes in an account balance over a number of periods.
It is often useful to analyse this type of information graphically. An unusual trend would indicate an area of higher
inherent risk. Most commonly, trend analysis would be used for the accounts from the statement of profit or loss,
such as sales/ revenue.
Large and unusual items review
Large and unusual items review: review of the contents of a general ledger account for items that appear
unusual by nature or size.
The auditor should have an expectation of the transactions that should occur in each account in the general ledger
and therefore what would be considered a large or an unusual item.
Notes

Examples
Reasonableness Test
Reasonableness tests are frequently used to test depreciation and payroll balances. For example, the
expectation for payroll costs might be:
• average staff head count x (prior year average salary + inflation increase).
Trend Analysis
The auditor might expect a seasonal trend in sales, particularly for a retail business. For example:
• Revenue may be higher for toy stores in the lead up to Christmas than at any other time of the year or ice
cream sales for a seller will be higher in the summer months.
Large and Unusual Items Review
The auditor could review the debtors ledger when testing debtors looking for large or unusual balances.
For example:
• Credit balances may represent an overpayment or an incorrect posting; or

• Overdue balances may indicate the need for an allowance for doubtful debts.
17.8.3 Using Audit Data Analytics to Perform Substantive Analytical Procedures
Substantive analytical procedures can be performed manually, using computer assisted audit techniques or using
audit data analytics (‘ADA’).
Notes

Examples
When performing a depreciation reasonableness test, the auditor may perform the calculation using a
spreadsheet programme such as Excel, with the auditor performing the calculations using the client’s
information and their own calculations.
Alternatively, a pre-populated spreadsheet may be available to the auditor (as developed by the audit firm)
into which client information (such as asset useful lives and values) can be inputted and the depreciation
reasonableness test performed by pre-determined formulae within the spreadsheet.
Lastly, the audit firm may have available a sophisticated ADA tool that can be tailored to the client and which
can produce a depreciation reasonableness calculation from client accounting information extracted from the
client’s system such as a general ledger download and the client’s opening and closing fixed asset registers.
Learning Outcome 4: Explain the various techniques available to collect audit evidence
The auditor must choose an appropriate method to obtain sufficient, appropriate evidence. This may involve audit
sampling.
ISA (UK) 500 sets out a number of techniques which can be used to collect audit
I CARE
evidence, of which inspection, enquiry, confirmation, recalculation and analytical
procedures are commonly used as substantive testing techniques.
You should now be able to meet the fourth learning outcome for this module.
17.8.4 Practical Approach to Developing an Expectation/ Prediction
In order for analytical procedures to be meaningful, the auditor must develop an expectation of the results.
For example, the auditor expects revenue to grow by 20% as management have advised that a new product has
been launched by the company in the current year.
When using analytical procedures, the auditor cannot obtain sufficient evidence by simply looking at the actual
number or ratio. This actual number or ratio must be compared to an expectation and the auditor then uses their
professional judgement to determine if the actual number is fairly stated.
Notes

The main sources of information used when building an expectation are:
• management accounts;
• prior year information with adjustments for current year situations;
• known interaction between financial data, for example, finance costs and the loans payable balance;
• known interaction between financial and non-financial data, for example, payroll costs and staff numbers; and
• discussions with management.
The integrity of the underlying data used to determine the expectation must be considered to ensure the validity of
the expectation and, hence, the reliability of the test.
17.8.5 Reliability and Relevance of Substantive Analytical Procedures
Where the auditor has developed a valid expectation, based on their understanding of the entity, reasonableness
tests, trend analysis and large and unusual items reviews are techniques that can provide strong reliable substantive
evidence over the validity of the financial statements.
This type of detailed review can be regarded as a substantive procedure as it can provide the auditor with evidence
over:
Balances Transactions
Completeness Completeness
Existence Occurrence
Accuracy, valuation and allocation Cut-off
Classification Accuracy
Classification
i.e., all of the transactions assertions excluding presentation and four of the balances assertions – excluding rights
and obligations and presentation.
Notes

17.8.6 Analytical Procedures – Exam-style Questions
This section will take you through an approach to a common style of exam question that involves using your
knowledge of analytical procedures.
Example
The following information has been obtained during the audit of WashGo Ltd, a company that owns
laundrettes throughout several cities:
Number of shops Cash sales
20X1 32 1,382,400
20X2 27 1,050,900
Identify which ONE of the following would explain the level of cash sales for 20X2:
a) The five shops sold had very poor sales in 20X1 compared to the others
b) The 20X1 accounting period was only 11 months long
c) Customers have been lost during 20X2 due to increased competition
d) WashGo Ltd stopped making any sales on credit at the beginning of 20X2
Substantive Analytical Question Approach:
1. Form an Expectation
Consider the information available in the question to determine what basis should be used to generate the
expectation.
The question has asked for an explanation of the level of the cash sales figure in 20X2. The information provided
shows the number of shops and total cash sales for 20X1 and 20X2. Therefore, to create an expectation we can use
20X1 information.
Notes

In order to create a meaningful comparison year on year, it is common that a basic calculation/ ratio will need to be
determined. Here, this will be the average sales per shop:
20X1 average cash sales / shop 43,200
20X2 average cash sales / shop 38,922
2. Compare the Expectation to the Actual
Consider whether the actual 20X2 figure is greater or smaller than expected.
The average cash sales per shop have decreased from 20X1 to 20X2.
3. Investigate and Substantiate Differences
You will be provided with possible explanations for the movements. Always work through each in turn and consider
whether each provides a plausible explanation for the difference (i.e., does it explain the movement identified at step 2?)
Option Y/N Expectation if statement was true
(a) N If the five shops sold had experienced comparatively poor sales, the expectation would
be that the cash sales per shop would increase in 20X2, which has not occurred.
(b) N If the 20X1 accounting period was only 11 months, the auditor would expect sales from
11 months to be less than sales from 12 months, and hence the cash sales per shop in
20X1 would be lower. Again, this is not the case.
(c) Y If WashGo has lost customers during 20X2 due to competition, this would be in line
with the drop in cash sales.
(d) N Ceasing credit sales should not have a direct impact on a laundrette as the majority
of sales would be expected to be cash sales. We are only given the cash sales figure
year on year to compare, so this cannot be the explanation for the fall in cash sales in
20X2.
Note: if you are struggling to assess if a statement is plausible, consider substituting numbers into the calculation
from step 1 to assess the impact that a statement would have on the calculation/ ratio.
Notes

4. Conclude
Which option is the correct answer?
Options A, B and D do not explain the fall in cash sales. Therefore option C is the correct answer.
Approach Comment:
The answer to this question has been obtained by comparing the average cash sales per shop figure in 20X1 and
20X2. In practice, however, it would be usual to calculate the total expected cash sales figure at the substantive
testing phase as the auditor is looking to detect material misstatements. Through calculating the total, the auditor
could then quantify whether the drop in cash sales in 20X2 was material. This approach is used in practice as
it allows for a direct comparison of the actual total deviation from expectation – this can then be compared to
materiality for the account. Where materiality is exceeded then the auditor must consider what further audit
procedures must be performed, for example, design of further substantive procedures, enquiry of management or
recording a misstatement.
Activity 8
1. As part of the substantive analytical procedures on the statement of profit or loss of Drive Plus Ltd, the
auditor gets the following results:
Hire car charges Fuel expense claims
£ £
20X1 90,000 18,000
20X2 130,000 20,000
Identify which ONE of the following explanations might explain the 20X2 figures:
a) Hire car charges for 20X2 are not complete

b) The journeys done in the hire cars in 20X2 each day are longer than in 20X1
c) The company has negotiated a cheaper rate on the hire cars in 20X2
d) Some garage repairs have been classified as hire car charges in the accounts in 20X2
Notes

2. The auditor carries out the following analytical procedure when auditing a restaurant:
No of diners in one random month Annual turnover
20X1 1,500 725,400
20X2 1,600 871,212
Identify which ONE of the following explanations might explain the 20X2 figures:
a) Due to health reasons fewer people are choosing to have dessert in 20X2
b) The month chosen for 20X1 was unusually quiet
c) The number of diners for 20X2 has been understated
d) Annual turnover for 20X2 has been understated
Solution
Learning Outcome 5: Apply analytical techniques as a method of gathering audit evidence
Analytical techniques can be a useful substantive procedure. The analytical procedure techniques commonly used
as a substantive procedure are reasonableness tests, trend analysis and large and unusual items review.
When attempting a substantive analytical procedures question in an exam the four-step approach should be
followed.
You should now be able to meet the fifth learning outcome for this module.

17.9 Summary
Assertions
Detailed assertions are required to focus the work of the auditor and to clearly demonstrate the work performed.
The assertions are:
Existence Accuracy
Completeness Cut-off
Accuracy, valuation and allocation Occurrence
Classification Completeness
Rights and obligations Classification
Presentation Presentation
Notes

Sufficient, Appropriate Evidence
Audit Evidence
Sufficient Appropriate
Quantity Relevance Reliability
Assertions Source Nature
Audit data analytics
The auditor must consider the relevance and reliability of data to be used in ADA tools.
There are a number of example procedures the auditor may perform in order to gain assurance over the reliability of
a dataset.
Collection of audit evidence
Audit sampling is used by auditors to ensure an efficient and effective audit. Means of selecting items to test include:
1. selecting the entire population (100% examination);

2. selecting specific items based on judgement; and
3. audit sampling.
The decision regarding the selection of approach will be determined by:
• the characteristics of the population;

• the ROMM; and
• audit efficiency.
Notes

Testing techniques:
Technique Used for tests of Used for substantive

I CARE
controls? procedures?
Inspection of records or documents Yes Yes
Inspection of tangible assets No Yes
Confirmation from a third party No Yes
Analytical procedures No Yes
Recalculation by the auditor to check mathematical accuracy No Yes
Enquiry of client staff Yes Yes
Re-performance of controls Yes No
Observation of a control Yes No
Substantive Analytical Procedures
The auditor can choose to use analytical procedures when performing substantive testing.
The analytical procedure techniques are commonly used as follows:
• Comparison;
• Ratio analysis; Planning
• Trend analysis; and Substantive testing
The steps for performing substantive analytical procedures are:
1. Form an expectation
2. Compare the expectation to actual
3. Investigate and substantiate differences
4. Conclude
Notes

In practice there are three methods by which the auditor gathers evidence:
• Understanding the entity and the overall control environment – this provides evidence on the
susceptibility of the financial statements to misstatement in the first place. This evidence is gathered
predominantly at the planning stage of the audit;
• Testing the controls of the entity – good controls reduce the risk that the figures in the financial
statements are incorrect. This evidence is gathered at the systems and controls stage of the audit; and
• Testing the numbers in the financial statements. This is called substantive testing. This evidence is
gathered at the substantive testing and completion stages of the audit, which take place after the year end.
Back to activity
Existence Accuracy
Completeness Cut-off
Accuracy, valuation and allocation Occurrence
Classification Completeness
Rights and obligations Classification
Backs to activity
Notes

An entity may have cars in the car park which are physically there. However, they do not necessarily own the
cars as they may belong to staff, and therefore the entity does not have rights to the benefits from the cars.
Consequently, simply physically verifying the cars will not provide relevant evidence for the auditor when
testing the rights and obligations assertion.
Potential tests:
• Inspect the vehicle ownership/ purchase documents for each vehicle to ensure that they are in the client’s
name (hence the client has title over the vehicles);
• Inspect the purchase invoices for each of the vehicles to ensure that they are in the client’s name; and
• Inspect the client’s board minutes to confirm that title for these vehicles has passed to the client.
Back to activity
1. Accounting records and other internal documents – Created, Client Generated

2. Physical observation – Natural, Auditor Generated
3. Statements from third parties, for example, bank confirmation letters – Created, Third Party Generated
4. External documents (e.g. supplier invoices) – Created, Third Party Generated
5. Discussions with the client’s payroll team about the payroll process – Testimonial, Client Generated
6. Trend analysis – Rational Argument, Auditor Generated
7. Written statements by management – Created, Client Generated
Back to activity
Notes

Potential improvements in the evidence gathering:
1. Enquiry as a source of audit evidence is less reliable as it is open to manipulation by the individuals
concerned. They may over-emphasise the extent of review performed on the management accounts
or may believe that it is an effective process, when in fact it is not. It would produce more reliable
evidence if the auditor were to attend a board meeting and personally observe the level of analysis of the
management accounts and the knowledge demonstrated by the directors when assessing whether this
review is effective; and
2. Photocopied documents may be altered or manipulated by management prior to being provided to the
auditor. Obtaining the original document would provide more reliable evidence.
Back to activity
Extrapolation:
% error in the sample = £15,000/£75,000
= 20%
% error applied to population = 20% * £160,000
= £32,000
Back to activity
Analytical procedures involve the analysis of significant ratios and trends to identify consistencies and
predicted patterns or significant fluctuations and unexpected relationships, and the resulting investigations.
By identifying whether the figures are in line with the expectations of the auditor, the auditor can identify
areas which appear unusual, perhaps indicating a misstatement and a higher ROMM. They must be used at
the planning stage of the audit (risk assessment procedure) and when forming an overall conclusion on the
consistency of the financial statements (completion procedure). The auditor can choose to use them as a
substantive procedure.
Back to activity

1. Drive Plus Ltd
1. Form an expectation:
We would expect the ratio of hire charges to fuel expense in 20X2 to be consistent with the prior year ratio per
the information provided.
The ratio of hire car charges to fuel expenses was 5:1/ 20% in 20X1 and is 6.5:1/ 15% in 20X2.
2. Compare the expectation to the actual balance:
The ratio of hire car charges to fuel has increased from 20X1 to 20X2, with fuel accounting for a smaller
proportion of hire car charges.
3. Investigate and substantiate differences:
A – If 20X2 hire car charges are not complete, this means that £130,000 is too low. If it were to increase, the
ratio would increase further and therefore this does not explain the difference.
B – If journeys were longer in 20X2 we would expect fuel charges to make up a higher proportion of hire car
charges compared to 20X1. This is not a valid explanation.
C – If hire car charges are lower than the previous year, in 20X2 we would expect fuel charges to increase
proportionately. This is not a valid explanation.
D – If repairs have been included in error, then £130,000 is overstated. This would explain why fuel expenses
make up a smaller proportion than expected.
Hint: If you struggled with understanding movements in the ratio/ percentages used, try plugging in
numbers to see how the ratio would move. i.e., for statement D: If £130,000 is overstated then, say, the
correct amount for hire car charges should be £100,000, then the impact on the ratio/ % would be 5:1 (20%)
which is in line with 20X1.
4. Conclude: The correct answer is D.
Notes

2. Restaurant
1. Form an expectation:
We expect the average turnover per diner in 20X2 to be consistent with the average turnover in 20X1. The
average turnover per diner in 20X1 was £40.30 compared to £45.38 in 20X2.
2. Compare the expectation to the actual balance:
The average turnover per diner has increased from 20X1 to 20X2.
3. Investigate and substantiate difference:
A – If customers were choosing not to have dessert, we would expect average spend per customer to
decrease from 20X1. This is not a valid explanation.
B – If it was an unusually quiet month, this would suggest that 1,500 is too low. If this increased, the average
spend per customer would decrease, causing an even larger difference. This is not a valid explanation.
C – This implies that 1,600 is too low. If this was to increase, this would decrease the average spend per
customer in 20X2 which could explain the difference.
D – This implies that annual revenue is too low in 20X2. If this were to increase, average spend per customer
would increase further. This is not a valid explanation.
4. Conclude: The correct answer is C.
Back to activity
Notes

Module 18. Audit Process: The Use
of Statistics
Contents
18.3 Mean, median, mode, standard deviation and outliers 400
18.3.1 Definitions 401
18.4 Benford’s Law 402
18.4.1 Using Benford’s Law in the Audit Process 404
18.5 Regression Analysis 405
18.6 Correlation 408
18.7 Statistics in the sample selection process 410
18.7.1 Statistical sampling 410
18.7.2 Random seeds 411
18.8 Summary 412

18. Audit Process: The Use of Statistics
18.1 Introduction
This module provides a brief introduction to some areas of statistics that may appear during the audit process. The
concepts introduced here are at a basic level, and can become a lot more complex in practice.
You will not be required to calculate any statistics for the purpose of the Assurance and Reporting course. You will
only be expected to understand the use of the statistics during the audit process.
1. explain the use of statistics in the audit process.
Achieving this outcome will help you to meet the seventh learning outcome for the course as per the syllabus.
18.3 Mean, median, mode, standard deviation and outliers
It is likely that you will have come across some, if not all, of the terms in this section in your previous studies.
However, a basic understanding of them may be relevant for an auditor when understanding a data analytics
visualisation produced during the audit process.
Notes

18.3.1 Definitions
Mean: The average of a numerical dataset calculated by summing the values in a population and dividing by the
number of items in the data set. It is often denoted by the Greek symbol µ.
Median: A measure of the central point in a dataset. The numerical dataset is arranged in ascending order and
the middle value is taken as the median.
Mode: The most frequently occurring number found in a numerical dataset.
Standard deviation: A measure of the dispersion of a numerical dataset (that is how wide the data set is spread
from the mean) showing the average distance between the values of the data in the set and the mean. It is often
denoted by the Greek symbol σ. A dataset with a wider spread would have a higher standard deviation than a
dataset with a narrower spread.
Outlier: In statistics, an outlier is a data point that significantly differs from the other data points in a dataset. In
an audit data analytics visual this may indicate that information is misstated as it differs from the remainder of
the population.
Notes

Example 1
The auditor has obtained the client’s year end trade receivables ledger as shown below:
First digits of all journal entries (Example 2)
30,000
25,000
20,000
10,000
5,000
Reid
Douglas
Kerr
McKellar
Winter
Cameron
Norman
Hall
Miller
Pentland
Millar
Young
Hodgson
Tollan
Poole
Foster
Cunnane
Gemmill
Saini
Devaney
Martin
Lamb
McKenzie
Riley
Sutherland
Cloke
Hopkinson
Allison
The relevant descriptive statistics for this dataset are as follows:
Mean 3,300
Median 1,781
Mode 2,000
Standard Deviation 5,647
18.4 Benford’s Law
Benford’s law is named after Frank Benford who stated it in a 1983 paper titled The law of anomalous numbers.
Benford’s law is a probability distribution for the likelihood of the first digit in a set of numbers (i.e., the number 1 at
the start of 10,345). It found that the first digit in numbers appearing in many natural datasets are arranged in such
a way that the number 1 is the most common leading number, followed by 2, 3 and so on successively up to 9. The
law can also be applied to some extent to the second and third digits in numbers.1
1. Note that Benford’s law is appropriate for large datasets and therefore the population size should be taken into consideration before applying
Benford’s law in the audit process. In small populations the trend may not show due to the size of the population.

The probability distribution can be visualised as:
Benford’s Law
35%
30%
25%
20%
15%
10%
5%
0%
1 2 3 4 5 6 7 8 9
Example 2
To demonstrate this probability distribution in real, natural data, a random open source dataset was
accessed: population statistics from the World2. This showed populations within subregions of countries
across the world from 2010 to 2016. Whilst not a perfect illustration, the visualisation below offers a good real-
life example of Benford’s Law. As the first digit value increases, the recurrence of that number as a first digit
decreases. This trend holds for all seven years of the available data.
Population by region data
700
600
500
400
300
200
100
0
1 2 3 4 5 6 7 8 9
2010 2011 2012 2013 2014 2015 2016
2. World Bank Group. (2019). World Bank Subnational Population Database, 2000-2016. [data collection]. 2nd Edition. UK Data Service. SN:
7958, http://doi.org/10.5257/wb/spd/2018-10

18.4.1 Using Benford’s Law in the Audit Process
As Benford’s law appears as a pattern in naturally occurring datasets, it can be used to identify where anomalies
(including incidents of fraud) appear in a data set. This would allow the auditor to identify an increase to the risk of
misstatement in relation to error or fraud during the audit process.
Example 3
A data analytics tool can analyse a full dataset of journals and chart the pattern of the first digits within the
population. Two examples of outputs are illustrated below.

35%
30%
25%
20%
15%
10%
5%
0%
1 2 3 4 5 6 7 8 9
If the auditor was presented with the above illustration this would not highlight any irregularities in the data
based on Benford’s law.
30%
25%
20%
15%
10%
5%
0%
1 2 3 4 5 6 7 8 9
As a contrast, if the data presented the above trend, this would indicate to the auditor that there may
be anomalies in the data as this trend does not follow the expected Benford’s law and therefore further
investigation is required by the auditor. There may be a valid explanation for this diversion from the probability
distribution (due to the nature of the client’s business for example) or it may indicate that fraudulent or
erroneous journals have been posted in the period.

18.5 Regression Analysis
Regression analysis is a technique that can be used to perform analytical review through audit data analytics tools.
Regression analysis is a statistical method for estimating the relationship among variables based on past
relationships. Regression analysis includes many techniques, but ultimately is looking to understand the relationship
between a dependent variable and an independent variable.
Dependent variable: The variable that you are trying to understand or predict. This will be the account that is
being audited.
Independent variable: A variable that may have an impact on your dependent variable.
Example 4
For example, a company that sells ice lollies may expect a relationship to exist between the weather and ice
lolly sales. However, there may be other factors such as the occurrence of bank or summer holidays that have
an impact on the sales.
Therefore, regression analysis can be used to statistically investigate the effect of the independent variables
(temperature, holiday dates) on the dependent variables (the number of sales made).
Therefore, the auditor could perform regression analysis on monthly sales against reported temperatures to
identify whether sales appears to be overstated or understated.
Once the variables have been selected, data must be obtained. This may be from the client’s financial or non-
financial data from the client’s system or may be from an independent source such as exchange rates. This would
include historical information in order to understand the historical relationship between the variables, allowing the
historical trend to be compared to the current year financial statements. The variables would then be plotted on a
scatter chart and a ‘line’ drawn through the middle of all the data points (See Example 5).
This ‘line’ is called the regression line and is statistically determined. You will not be asked to calculate or plot a
regression line in the Assurance and Reporting exam.
Notes

Once the historical regression line has been determined, it can be used to compare to current year data. Where
outliers appear in the data, this may indicate a misstatement in the dependent variable being audited (such as sales
being overstated or cost of sales being understated).
Example 5
You are the auditor of Happy Cakes Ltd (‘Happy’). Happy sell cupcakes from a number of stores across
Edinburgh. As part of the analytical procedures performed on the audit, the auditor planned to use regression
analysis in relation to revenue. Based on previous years’ audits, the auditor is aware that there is a
relationship between flour purchased in a month and sales in a month. The auditor’s audit data analytics tool
prepared a regression analysis mapping this historic relationship, shown below for years 20X6 to 20X9. In this
analysis, the data being audited is the annual revenue (the dependent variable) and the flour purchased is the
independent variable.
Flour quantities purchased were corroborated to third party supplier statements and are deemed reliable and
relevant. Revenue information was extracted from the client’s general ledger and is also considered reliable
and complete.
The relationship shows that the more flour purchased in a month, the higher the monthly sales.
Monthly flour purchases vs. sales

20X6 - 20X8
54,000
52,000
50,000
Revenue (£)
48,000
46,000
44,000
42,000
40,000
360 410 430 450 470 490 510 530
Flour purchased (kg)
During the audit of the 20X9 financial statements, the auditor obtained the same information for the current
year: monthly flour purchases and revenue. The audit data analytics tool prepared a visualisation showing this
year’s data mapped against the historic regression line (shown below).

Monthly flour purchases vs. sales
20X9
54,000
52,000
50,000
Revenue (£)
48,000
46,000
44,000
42,000
40,000
360 410 430 450 470 490 510 530
Flour purchased (kg)
By reviewing this year’s data against the historic trend, the auditor identified two months in 20X9 that did not
show the same relationship between flour purchased and revenue. Further investigation showed that the
‘outliers’ were for June and December 20X9.
In June, the quantity of flour purchased was proportionately higher, compared to revenue, than the expected
historic trend. This may be due to a mistake in production that resulted in much of that flour being wasted,
and therefore fewer cakes were available to be sold in June. Alternatively, this may indicate that revenue is
understated in June.
In December, the revenue was proportionately higher, compared to flour purchased than the expected, historic
trend. This may be due to a new range of cupcakes sold at a higher price being launched in December or may
indicate that revenue is overstated in that month.
Both months would be further investigated by the auditor and further audit evidence gathered to corroborate
the figure or to identify a misstatement in revenue.
Note that this relationship between flour purchased and revenue can be referred to as a ‘correlation’.
Correlation is discussed further below.

18.6 Correlation
Correlation is another statistical technique that may be used in the audit process. It can show whether two variables
(such as flour purchased and revenue as above) are related and the strength of this relationship.
Correlation: a statistical association or relationship between two variables.
There are different types of statistical techniques available to assess correlation, but (where a linear relationship
exists) commonly a correlation coefficient is calculated between +1 and -1. The closer the coefficient is to +/-1 the
closer the two variables are related – a coefficient of close to 0 indicates that no relationship exists. A correlation
coefficient of +1 indicates a positive correlation (i.e., the higher the temperature the higher the sales of bathing suits)
and a correlation coefficient of -1 indicates an inverse relationship (i.e., the higher the temperature the lower the
sales of ski jackets).
It is important to note that correlation does not necessarily imply causation. Two figures may appear to be correlated
but one does not necessarily cause the other.
For example, there is likely a correlation between Christmas tree sales and sales of mulled wine. However, the sale
of a mulled wine does not necessarily cause the sale of a Christmas tree. It is more likely that another variable, such
as the weather or Christmas holidays, is more likely the cause.
Example 6
The auditor on Chart and Graphs Ltd (‘CG’) is performing substantive analytical procedures in relation to
revenue and trade receivables. Charts and Graphs provide data analytic services to a range of clients who are
offered 30-day credit terms.
Based on their understanding of the entity, the auditor expects a correlation to exist between revenue and
trade receivables.
The auditor confirmed a linear relationship exists and therefore used an audit data analytics tool to calculate
the correlation coefficient as well as presenting the relationship in a graph visualisation. The outputs are
shown below:
Notes

Revenue and Trade Receivable Values (£)
200,000
180,000
160,000
140,000
120,000
100,000
80,000
60,000
40,000
20,000

Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
Trades Receivables Revenue
The correlation coefficient is 0.96.
The results of this analysis confirm the auditor’s understanding of revenue and trade receivables. There is
a strong positive correlation (the coefficient is close to +1) between revenue and trade receivables which is
expected given that the entity makes sales on credit, and so a month with increased sales would show a large
trade receivables balance as these would not likely be paid until the following month (30 days following the
invoice date).
This, alongside other procedures that the auditor would perform, would provide assurance that trade
receivables and revenue are not misstated.
Notes

18.7 Statistics in the sample selection process
Sampling during the audit process was discussed in Module 17. The module gave examples of types of sample
selection methods: random selection, monetary unit sampling and haphazard selection.
Broadly, sampling selection methods can be categorised as either statistical or non-statistical. Monetary unit
sampling is an example of statistical sampling whereas haphazard sampling is an example of non-statistical
sampling.
18.7.1 Statistical sampling
Statistical sampling is defined in ISA (UK) 530 Audit sampling.
Statistical sampling: An approach to audit sampling that has the following characteristics:
i. Random selection of the sample items; and

ii. The use of probability theory to evaluate sample results, including the measurement of sampling risk.
A sampling approach that does not have the characteristics (i) and (ii) is considered non-statistical sampling.
In statistical sampling, sample items are selected in a way that each sampling unit has a known probability of
being selected.
Advantages of statistical sampling include:
• It can allow the auditor to select a more targeted and efficient sample;
• It allows a measure of the sufficiency of the audit evidence obtained;
• The use of statistics can reduce the risk that differences in audit judgement (which drives non-statistical
sampling) result in significant differences in sample sizes selected by different auditors; and
• It allows for errors identified in the sample to be quantified and extrapolated to the full population (as shown in
Module 17).
Disadvantages of statistical sampling include:
• Where data is not available in electronic format, statistical sampling may not be an efficient way of obtaining an
appropriate sample; and
• Statistical sampling requires additional expertise within the audit team, or software provided by the audit firm, to
obtain a sample.
Notes

18.7.2 Random seeds
Random seed: the starting point when generating a random sample.
When computers generate a random number or a random sample, it’s not truly random as it relies on complex
formula along with a unique core number (the random seed) to generate the sample.
Random seeds are often themselves produced using a random number generator to ensure that the auditor has not
influenced the sample by choosing the starting point.
In order to allow for the reperformance of an audit procedure for the purpose of review, some firms have audit
software that generates the random seed based on specific criteria. The criteria may include the date or time of day
for example.
As the criteria are known and fixed for that audit procedure (including the seed), this means audit software will
produce the same sample every time the same criteria are input into the software. Therefore, the auditor cannot
manipulate the sample selected as it can be reperformed by the reviewer using the same criteria and seed number.
Learning Outcome 1: Explain the use of statistics in the audit process
Statistics can be used throughout the audit process, including:
• Mean, median, mode, standard deviation and outliers;

• Benford’s law;
• Regression analysis;
• Correlation; and
• Statistics in the sample selection process.
You should now be able to meet the learning outcome for this module.
Notes

18.8 Summary
Mean, median, mode, standard deviation and outliers
There are some basic statistical concepts that may be useful when performing auditor procedures. These are the
mean, median, mode, standard deviation and outliers.
Benford’s law
Benford’s law is a probability distribution for the likelihood of the first digit in a set of numbers (i.e., the number 1 at
the start of 10,345).
The probability distribution can be visualised as:
Benford’s Law
35%
30%
25%
20%
15%
10%
5%
0%
1 2 3 4 5 6 7 8 9
Regression analysis
Regression analysis is a technique that can be used to perform analytical review through audit data analytics tools.
Regression analysis is a statistical method for estimating the relationship among variables based on past
relationships. It can be used to compare historic trends in the relationship between two variables, to identify where
current year data may be misstated as it does not show the historic relationship.
Correlation
Correlation statistics can show whether two variables (such as flour purchased and revenue as above) are related
and the strength of this relationship.
Notes

Commonly a correlation coefficient is calculated between +1 and -1. The closer the coefficient is to +/-1 the closer
the two variables are related. A coefficient of close to 0 indicates that no relationship exists. A correlation coefficient
of +1 indicates a positive correlation and a correlation coefficient of -1 indicates an inverse relationship.
Statistics in the sample selection process
Statistical sampling is an approach to audit sampling that has the following characteristics:
i. Random selection of the sample items; and
ii. The use of probability theory to evaluate sample results, including the measurement of sampling risk.
There are advantages and disadvantages to using statistical sample selection methods.
Notes

Substantive Testing – Part One
Contents
19.3 Substantive Testing 416
19.4 Testing the Financial Statements 417
19.4.1 Selecting the Type of Substantive Procedure 417
19.4.2 Approach to Tests of Detail 417
19.4.3 Source Evidence – Invoices/ Calculations/ Further Documents 419
19.5 Substantive Procedures 419
19.5.1 Assertion Definitions 420
19.5.2 Writing Substantive Procedures 421
19.5.3 Completeness or Existence/ Occurrence Testing 423
19.5.4 Decreasing Items – Exceptions to the Directional Testing Rule 427
19.5.5 Using Goods Received Notes and Goods Despatch Notes in Substantive Testing 429
19.5.6 Assertions Tested by Substantive Analytical Procedures 430
19.6 Balance Sheet Accounts 433
19.6.1 Cash and Bank 433
19.6.2 Fixed Assets 437
19.6.3 Trade Debtors 440
19.6.4 Stock 444
19.6.5 Trade Creditors 448
19.7 Audit Data Analytics and Substantive Testing of the Statement of Financial Position 451
19.8 Summary 456
Appendix – XYZ Ltd Cash and Bank Information 469

19. Audit Process: Substantive Testing – Part One
19.1 Introduction
We are still in the substantive testing stage of the audit. In this module we will introduce the theory of substantive
testing before focusing on substantive testing of balances.
Risk Assessment
Systems
Substantive
Testing
Analysis
1. select which balances assertions are tested by a particular procedure;

2. select a relevant audit procedure for a given balances assertion;
3. explain common substantive procedures for testing balances; and
4. describe audit data analytics and explain how they are applied throughout the audit process.
Achieving these learning outcomes will enable you to meet the seventh and eighth learning outcomes from the
overall syllabus.
Notes

19.3 Substantive Testing
Substantive testing: involves performing audit procedures that are designed to detect material
misstatements at the assertion level.
We know from Module 17 that the auditor must obtain sufficient, appropriate evidence to be able to express an audit
opinion on the truth and fairness of the financial statements (‘F/S’). Evidence can be gained over the controls within
a company, but there are limitations to controls (as seen in Module 3), and consequently the auditor must perform at
least some substantive testing on every statutory audit.
Substantive testing is predominantly performed on the year-end financial statements and underlying records.
Consequently, it is mainly performed post year end when the year-end figures have been produced by the client. The
auditor will need to perform an audit visit to undertake the work and this visit is commonly described as the final audit.
This module will introduce the general approach to substantive testing for the financial statements and some of the
substantive procedures the auditor can perform to test the balance sheet (‘B/S’). The profit and loss account (‘P&L’)
and disclosure notes in the financial statements will be covered in more detail in Module 20. The focus will be on
some of the most common financial statement headings.
Balance sheet/ Statement of financial position:
• Cash and bank;

• Fixed assets/ Property, plant and equipment;
• Trade debtors/ Trade receivables;
• Stock/ Inventories; and
• Trade creditors/ Trade payables.
Profit and loss account/ Statement of profit or loss (Module 20):
• Sales/ Revenue;
• Purchases and other expenses; and
• Payroll expense.
The examples of substantive procedures in these modules are not a finite list of all the tests that could be performed
during an audit.
Notes

In practice, an audit work programme would be produced for each material financial statement heading which
would be tailored to the specific risks and circumstances at the client. For the purposes of the TC Assurance and
Reporting course, the key skill you must develop is an understanding of what the assertions are and how these
can be practically applied to the audit, in the form of a substantive procedure, as well as an understanding of the
common substantive procedures used in the audit process.
19.4 Testing the Financial Statements
19.4.1 Selecting the Type of Substantive Procedure
Modules 15 and 16 explained how inherent risk and control risk are assessed and how this impacts on the level of
detection risk. The level of detection risk will drive the nature, timing and extent of the substantive procedures performed.
Module 17 identified that there are two types of substantive procedure:
• Substantive analytical procedures (testing the whole population at once); and

• Tests of detail (selecting specific items within the population for testing).
In Module 17, the approach to substantive analytical procedures was addressed. The approach to tests of detail will
be discussed in this module and Module 20.
19.4.2 Approach to Tests of Detail
Ultimately, the objective of the auditor is to give an opinion on the truth and fairness of the financial statements.
However, neither the financial statements nor the trial balance (‘TB’) contain sufficient information to allow the auditor
to select samples for testing.
TC Financial Accounting introduced the basic stages in the production of the financial statements. This process can
allow the auditor to work back from the financial statements to the supporting documentation:
Financial statements
Trial balance (‘TB’)/ Nominal Ledger (‘NL’)
Sub-ledgers/ Supporting schedules
Source evidence/ Documentation
Notes

It is, therefore, necessary for the auditor to use the sub-ledgers and supporting schedules to select items for
testing (i.e., the sample). In order to ensure that these ledgers and schedules are representative of the financial
statements the auditor will need to check that:
1. The sub-ledgers/ supporting schedules agree to the TB; and

2. The trial balance agrees to the financial statements.
For the purpose of Assurance and Reporting you can assume that the sub-ledgers and supporting schedules agree
to the TB and financial statements. Therefore, by testing the sub-ledger you are testing the financial statement
number.
Example – Fixed Assets
Step 1: Reconcile the F/S to the TB
The net book value (‘NBV’) of fixed assets on the balance sheet is £7,433,437.
Within the TB, there are accounts for both the cost and accumulated depreciation for each category of fixed
asset (e.g., property).
An extract from the TB of the fixed asset accounts is shown below.
NL code Description Balance
200001001 Property – cost 10,468,345 Dr
200001002 Plant and equipment – cost 4,857,947 Dr
200001003 Motor vehicles – cost 359,478 Dr
200002001 Property – acc dep’n 5,498,867 Cr
200002002 Plant and equipment – acc dep’n 2,687,498 Cr
200002003 Motor vehicles – acc dep’n 65,968 Cr
The total cost less accumulated depreciation is agreed as £7,433,437 (i.e., it is reconciled to the balance
sheet without issue).
Notes

Step 2: Reconcile the TB to the Sub-Ledger
When auditing fixed assets the auditor will request a copy of the fixed asset register (sub-ledger). The closing
cost and accumulated depreciation of all assets by category on the fixed asset register will be compared to the
relevant line item in the trial balance.
Step 3: Test the Sub-Ledger
Once the auditor has agreed that the sub-ledger represents what is included in the trial balance (Step 2), they
will use the fixed asset register to select a sample of items to test.
Step 4: Perform tests of detail
With the sample now selected, the auditor performs the tests of detail by agreeing the sampled item to
relevant supporting documentation. The auditor will then conclude on the outcome of the procedure.
19.4.3 Source Evidence – Invoices/ Calculations/ Further Documents
After items are selected for testing from the sub-ledger or supporting schedule the next piece of information is the
source evidence, that is the information that corroborates and supports the sample selected to test.
Source evidence can include:
• Sales and purchase invoices;

• Goods despatch notes (‘GDN’) and Goods received notes (‘GRN’);
• Bank statements;
• Calculations (of depreciation, accruals or prepayments);
• Board minutes;
• Fixed assets; and
• Stock.
19.5 Substantive Procedures
The auditor must design substantive procedures to meet each of the assertions for every material account in the
Notes

19.5.1 Assertion Definitions
Activity 1 – Recap of Module 17
Match the assertions for transactions and balances to the correct description.
Assertion Description
Existence 1. All transactions and balances (and related disclosures) that should
have been recorded have been recorded.
Completeness 2. Transactions and events have been recorded in the correct

accounting period.
Rights and obligations 3. Amounts and other data relating to transactions (and related
disclosures) have been appropriately recorded.
Accuracy, valuation and allocation 4. All balances exist and are genuine.
Occurrence 5. All transactions and events recorded took place and pertain to the
entity.
Accuracy 6. The entity holds or controls the rights to assets and liabilities are the
obligations of the entity.
Cut-off 7. Balances (and related disclosures) are recorded at appropriate

amounts in accordance with the accounting standards.
Classification 8. Transactions and balances are appropriately aggregated or

disaggregated and clearly described, and related disclosures are
relevant and understandable.
Presentation 9. Transactions and balances have been recorded in the proper

accounts.
Solution
Notes

19.5.2 Writing Substantive Procedures
It is important that a substantive audit procedure is clearly written so that any member of the audit team is able to
understand what procedures must be performed for any particular account.
Consider the following test:
• Ensure fixed asset additions are correctly accounted for.
This is too vague as it does not say how the test should be performed and what the objective of the test is.
When writing a test, the following elements should be included:
Verb A testing technique. For example, recalculate, inspect, enquire.
Population What population the sample For example, a sample of debtors over 90 days old. There is no
is being selected from need to state the sample size.
Source What evidence you want For example, agree outstanding debtors to post year-end cash
the sample to be agreed to. receipts recorded in the bank statements.
Evidence
Activity What is actually being For example, agree additions to invoices to confirm the
looked for? invoice is made out to the client, descriptions match, the date
of acquisition matches the fixed asset register, the invoiced
amount agrees and includes any relevant duty or shipping costs.
Notes

Activity 2
Using the four elements discussed, write a substantive procedure to test the accuracy, valuation and allocation
of a sample of motor vehicles purchased in the year.
Solution
Activity 3
Identify which ONE of the following procedures designed to test the rights and obligations assertion for a trade
debtor is the most appropriately written.
a) Select a sample of debtors from the debtors ledger and ensure that the company has the right to recognise
the debtor.
b) Select a sample of invoices from the debtors ledger and agree to the customer contract and GDN to check
genuine sales took place and that the company has the right to invoice the customer.
c) Agree debtors to the contract.
Solution
Notes

19.5.3 Completeness or Existence/ Occurrence Testing
It can often be difficult to identify whether a substantive procedure is testing completeness or existence/
occurrence. In this section, we will introduce two alternative approaches to differentiating between the assertions in
an exam.
The Missing Method
If you are trying to determine whether a test provides evidence over either completeness or existence/ occurrence,
one approach to use is following the ‘Missing Method’. This ultimately involves considering what if something is
missing.
This approach involves considering the following:
What is the effect on the financial statement account if the item that you are agreeing your sample to does
not exist/ is missing?
So firstly, work out what would be ‘missing’ and then consider what impact this would have on the financial statement
account.
Effect on financial statement account Assertion being tested
Too small/ understated Completeness
Too big/ overstated Existence/ Occurrence
Note: the effect on the financial statements that you need to consider will always be the effect on the financial
statement amount for that account (e.g.., would the trade debtors figure be too big or too small).
Example – Trade Debtors
Whilst testing trade debtors, the auditor selects a sample of debtors from the debtors ledger and agrees them
to the actual sales invoices to check the sale is genuine.
Which assertion does this substantive procedure assess?
Notes

Let’s review:
Debtors Ledger £ Invoice A

Auditor agrees
Debtor A X debtors ledger
Invoice B
Debtor B X entries to
Debtor C X Sample sales invoices
Debtor D X Invoice C
Etc.
? No Invoice for
Debtor D found
Total XXXX
As we selected our sample from the debtors ledger, then the thing that would be ‘missing’ is the actual invoice. If no
invoice can be found for Debtor D, does this mean that the debtors ledger (and, therefore, the financial statement
figure) is too big or too small?
As there is no supporting documentation for Debtor D (i.e., a sales invoice), it can be assumed that the sale has not
actually taken place and should not have been recorded, therefore no corresponding debtor should be recorded. The
debtors ledger (and, therefore, the financial statement figure) is too big, that is, overstated. Consequently, this is a
test for the existence of trade debtors.
You can always, in the AR exam, assume that the source evidence is correct. Therefore, when, under the missing
method, an invoice is ‘missing’, the implication is that the invoice was never produced as no sale took place and
therefore any entries in the debtors ledger are inappropriate – not that the invoice has been lost or can’t be found.
You should ensure that you are comfortable with the Missing Method for identifying between completeness and
existence/ occurrence. The method can be used whenever you are selecting between the existence/ occurrence
assertion or the completeness assertion.
There is a second method that can be used to help distinguish between completeness and existence/ occurrence.
Using the Directional Testing Method can act as a check on whether you have applied the Missing Method
correctly.
Notes

Directional Testing Method
Completeness or existence/ occurrence procedures are sometimes referred to as directional tests, as testing usually
requires tracing from a document or asset to another document or asset.
As a rule of thumb if we can correctly identify the direction of our testing we can confirm whether the assertion being
tested is completeness or existence/ occurrence. This will involve testing from document/ asset to ledger or from
ledger to document/ asset. This is illustrated as follows:
Completeness
Starting Point Direction of testing Agreed to
Source evidence Ledger £

Invoice A Invoice A X
Existence/ Occurrence
Starting Point Direction of testing Agreed to
Ledger £ Source evidence

Invoice A X Invoice A
Note: There are many exceptions to this general rule that will be considered in Section 19.5.4
Notes

Activity 4
Identify which assertions the following procedures are testing:
1. When testing fixed assets, the auditor selects a sample of assets from the fixed asset register and
physically verifies them;
2. When testing debtors, the auditor selects a sample of sales invoices and agrees them to the debtors
ledger;
3. When testing stock, the auditor selects a sample of physical goods and agrees that they are included on
the stock listing; and
4. When testing costs of sales, the auditor selects a sample of costs from the cost of sales listing and
agrees them to the invoice.
Solution
Notes

19.5.4 Decreasing Items – Exceptions to the Directional Testing Rule
As highlighted, there are exceptions to the directional testing rule. To establish these, firstly consider the impact the
source evidence being tested has on the financial statement balance total. Items will then be categorised as either
increasing or decreasing.
Examples
Increasing items include:
• Invoices (an invoiced raised would increase the trade debtors and sales figures and a supplier invoice
received would increase trade creditors and expenses);
• Fixed asset additions (a new asset purchase increases the NBV of fixed assets);
• Payments and receipts when testing the P&L (a payment indicates that expenses have increased, and
receipts indicate that sales have increased); and
• Physical assets (an asset increases the NBV of fixed assets).
As explained, recording each of these would result in the financial statement number increasing.
Decreasing items include:
• Credit notes (a credit note raised would decrease the trade debtors and sales figures and a supplier credit
note received would decrease trade creditors and expenses); and
• Fixed asset disposals (the disposal of an asset decreases the NBV of fixed assets).
• Payments and receipts when testing debtors and creditors (a payment indicates that creditors have
decreased, and receipts indicate that debtors have decreased)
Recording these items would result in the financial statement balance decreasing.
Where we have decreasing items, we will have to reverse the directional testing rule. There is no impact to the
missing method – you should still consider the impact of an item being missing on the financial statement numbers.
Notes

Example – Credit Notes
When testing trade creditors, the auditor selects a sample of credit notes received from suppliers that relate to
invoices processed before the year end and agrees them to the creditors ledger.
Missing Method
The credit notes relate to pre-year-end invoices but have not been recorded in the creditors ledger before the
year-end, that is, the creditors ledger entry is missing. Therefore, at present the creditors ledger is overstated
as the ledger is still recognising the trade creditor as requiring full payment at the year end when the credit
note received has cancelled the requirement to make this payment.
This is, therefore, a test for existence of trade creditors.
Directional testing approach
We are testing from the document to the ledger. You might automatically assume this to be completeness,
however, a credit note decreases our trade creditors balance. Therefore, as we must reverse our approach,
this is existence.
Activity 5
You are testing fixed asset disposals. Write a procedure to meet the completeness assertion for fixed assets.
Solution
Notes

19.5.5 Using Goods Received Notes and Goods Despatch Notes in Substantive Testing
GRNs and GDNs are produced to record the movement of stock items to and from the client.
• GRNs are raised to indicate that goods have been received and, therefore, that a purchase has been made
or to indicate that goods have been returned from a customer and, therefore, a sale has been cancelled; and
• GDNs are raised to indicate that goods have been despatched and, therefore, that a sale has been made or
to indicate that goods are being returned to a supplier and, therefore, a purchase can be cancelled.
GRNs and GDNs can provide assurance over the completeness and existence of invoices (provided that controls
are effective as these are client generated documents) at the substantive testing stage. Use of these documents
provides further assurance that movement of goods has taken place and are seen as more reliable than checking
directly to purchase/ sales invoices.
Activity 6
You are testing trade debtors. You select a sample of GDNs and inspect the corresponding sales invoices to
ensure that they have been recorded on the debtors ledger. Which assertion is being tested?
Solution
Notes

19.5.6 Assertions Tested by Substantive Analytical Procedures
In Module 17, it was highlighted that substantive analytical procedures can provide the auditor with evidence over:
Existence Occurrence
Accuracy, valuation and allocation Cut-off
Classification
All assertions except rights and obligations and presentation can be addressed through substantive analytical
procedures. However, there are exceptions when the wording of a test is designed to be assertion specific.
Example – Substantive Analytical Procedures
1. When testing trade debtors, the auditor obtains the debtors ledger and performs a large and unusual
items review; and
2. When testing fixed assets, the auditor reviews the fixed asset register for evidence of items that have
been capitalised in error (e.g., repairs and maintenance charges which should be recorded as an
expense and not as a fixed asset).
Which assertions is each of the above testing?
Notes

Solution to Example
1. The test is not specific to one assertion as unusual items could be caused by:
• Trade debtors being included in error (i.e., overstated) – E;

• Trade debtors being omitted in error (i.e., understated) – C;
• Items incorrectly being classified as trade debtors – Cl; or
• Items being included that are valued incorrectly – AVA.
Therefore, this test is for completeness, existence, classification and accuracy, valuation and allocation.
2. Review of fixed asset register for evidence of P&L items being capitalised in error:
• This test is also an unusual items review. However, it is specific to assertions as it has clearly identified
what constitutes an ‘unusual item’ – an item that has been capitalised in error (i.e., an item that has been
classified as an asset that is actually a P&L expense). Therefore, the analytical procedure is testing
classification.
Exam Tips
When considering which assertion a substantive procedure meets, assume the following:
• The sub-ledgers (e.g., debtors ledger) reconcile to the nominal ledger/ TB and, therefore, the financial
statements.
• Invoices, credit notes, GRNs, GDNs, board minutes, etc. are all source evidence and, therefore, correct.
When differentiating between completeness and existence/ occurrence tests, use the missing method. When
you identify a substantive analytical procedure, consider if it is general or whether more thought needs to
be given to the assertions tested.
Notes

Activity 7
Identify which assertions the following procedures are testing:
1. When testing sales, the auditor agrees a sample of sales on the sales listing to the bank statements to
agree the sale took place;
2. When testing trade creditors, the auditor selects a sample of purchase invoices recorded in the creditors
ledger and agrees them to GRNs;
3. When testing payroll, the auditor selects a sample of employee contracts and agrees that the employee is
included on the payroll listing; and
4. When testing trade debtors, the auditor selects a sample of credit notes relating to sales made pre-year
end and agrees the debtor is not on the debtors ledger.
Hint: read the tests very carefully and underline/ highlight key words to help you.
Solution
The remaining sections in this module will go through some of the main balance sheet accounts, explaining the
common procedures for these accounts, and will provide some example tests of detail which could be carried out to
test each of the assertions.
Note that in the following section the presentation assertion will not be considered as it will be addressed in Module 20.
Notes

19.6 Balance Sheet Accounts
19.6.1 Cash and Bank
There are several standard audit procedures for auditing cash and bank. These procedures apply to bank overdrafts
(i.e., current liabilities) as well as asset balances.
Key substantive procedures
There are two key substantive procedures performed on all bank accounts:
1. Testing the bank reconciliation for the account; and

2. Testing the bank confirmation letter for the account.
Bank reconciliation
The accounting procedures for bank reconciliations are covered in the TC Financial Accounting course. Bank
reconciliations should be prepared by the client regularly (i.e., weekly or monthly). The auditor will use the bank
reconciliation prepared by the client in order to perform a key substantive procedure.
The auditor should obtain the year-end bank reconciliation and complete the following audit tests:
• Agree the bank balance per the reconciliation to the bank statements and bank letter (see below);
• Agree the nominal ledger balance per the reconciliation to the nominal ledger;
• Cast the reconciliation; and
• Obtain supporting evidence for a sample of the reconciling items on the bank reconciliation (e.g., agree
unpresented cheques to post-year-end bank statements).
Testing the bank reconciliation tests all balance sheet assertions except presentation.
Bank confirmation letter
The bank confirmation letter (‘bank letter’) is a third-party confirmation used alongside the bank reconciliation testing.
The testing involves the auditor obtaining a letter directly from the client’s bank confirming the value of all bank
accounts, overdrafts and loans held at the requested date (i.e., year-end date).
The auditor should follow the following steps when performing the test:
• A bank letter should be obtained from each of the banks with which the client holds accounts;
• The client will have to give the bank permission to provide this information to the auditor; and
Notes

• The auditor need only provide the details of one bank account, asking the bank to provide details of all
accounts held in the name of the client (this allows for completeness testing also). The bank should also include
information on accounts which have been closed during the year.
The bank letter will then confirm:
• details of all bank accounts and the balances on the accounts at the requested date; and
• details of any bank facilities such as overdrafts or bank loans along with details of any security the bank holds
over client assets for these facilities.
The bank letter is a third-party confirmation and gives assurance over all balance sheet assertions for cash and
bank except presentation.
Other common procedures
Some other common procedures for cash and bank include:
Test Assertions
Physical verification of material cash balances counted by the auditor at the balance sheet date E, AVA
(‘cash count’).
Foreign currency rates independently verified, and translations recalculated. AVA
Notes

Activity 8
The appendix to this module contains information that can be used to perform the audit procedures for cash
and bank for XYZ Ltd (‘XYZ’).
Using the example tests provided below, audit the cash and bank balance for the year ended 31 October 20X4.
XYZ Ltd
Balance sheet
As at 31 October 20X4 (Extracts)
Current assets
Bank 23,419
Current liabilities
Bank overdraft (5,000)
Note: The purpose of this activity is to illustrate the theory of the tests of detail covered. It is not representative
of the format or standard of the final exam.
Notes

Audit test Assertions Issues found
Standard test C, E, AVA,

Cl
Check that the trial balance figure agrees to the financial statements
Bank reconciliation C, E, AVA,

R&O, Cl
Obtain the year-end bank reconciliation(s) and perform the following
procedures:
1. Agree the ‘balance per the bank statements’ to the bank

statements
2. Agree the ‘balance per the nominal ledger’ to the trial balance
3. Check mathematical accuracy of reconciliation (casting)
4. Where available, obtain supporting documentation for reconciling
items to ensure that they are genuine and relate to the period
5. Obtain evidence that reconciling items were cleared post year end
by agreeing to post-year-end bank statements
Bank letter C, E, AVA,

R&O, Cl
1. Check that all bank accounts are included on the bank letter(s)
and that there are no bank accounts on the bank letter(s) that are
missing from the client records
2. Agree the balance to the bank reconciliation(s)
3. Confirm that bank accounts are in the name of the company
Foreign Exchange AVA
Recalculate the translation of any foreign currency balances and agree

that the exchange rates used by the client are reasonable by agreeing
to an external source (e.g., the Financial Newspaper).
Solution
Notes

19.6.2 Fixed Assets
The auditor is testing the fixed asset balance in the financial statements (i.e., the NBV). This figure will be based on
the fixed asset cost less accumulated depreciation. These are two separate accounts in the nominal ledger.
Details of fixed assets held by a company should be contained in the Fixed Asset Register (‘FAR’). All additions
(purchases), disposals, revaluations and depreciation will be recorded here. The cost (or value) and accumulated
depreciation should be identifiable for every asset.
When an asset is disposed of, whether it is sold or scrapped, it should be removed from the FAR. The FAR should
be regularly reconciled to the nominal ledger.
As mentioned at Section 19.4.2, we can assume that the FAR agrees to the TB and that the TB agrees to the
Financial Statements. Therefore, the auditor will test the FAR to assess whether the balance in the financial
statements is accurate.
Activity 9
Discuss the answers to the following questions:
1. Identify what transactions impact the fixed asset balance in the financial statements; and
2. For each type of transaction:
a) identify what supporting evidence could be used to back up the fixed asset balance; and
b) identify what errors are likely to occur with this transaction.
Note: Consider not only errors, but also examples where the company may want to improve their net assets
position. Do not consider the presentation for the purpose of this activity.
Notes

Transactions Evidence Possible Errors
Solution
Notes

Activity 10
From the transactions, supporting evidence and issues identified in the previous activity, the audit senior has
prepared the tests for the fixed assets audit work programme.
However, the audit senior has been called into a meeting with the manager before completing the programme.
Fill in the missing assertions tested for the remaining procedures.
Test Assertions tested
Fixed assets test – general
Agree closing balance per FAR to TB and then draft financial statements. C, E, AVA, Cl
Agree opening balance on fixed asset ledger to prior year audited financial statements. C, E, R&O, AVA, Cl
Cast fixed asset schedule to check for mathematical accuracy. C, E, AVA
Inspect the FAR for evidence of repairs and maintenance charges capitalised in error.
Inspect the breakdown of the repairs and maintenance expense account for possible
misallocation of assets/ items expensed in error.
Select a sample of assets from the FAR and physically verify them to check they are
genuine.
Select a sample of assets from the client’s premises and agree these to the FAR to
check they have been recorded.
Select a sample of assets from the FAR and agree title deeds to ensure the company
does have title to assets.
Additions
Select a sample of additions from the FAR and trace to purchase invoice and bank
statements to agree the cost of the asset.
Notes

Inspect board minutes for evidence of additions and agree to the FAR to ensure they
have been recorded.
Select a sample of additions from the FAR and agree the client name to purchase
invoice.
Disposals
Select a sample of disposals from the FAR and trace to sales invoice, trade-in/
scrapping invoice and bank statements to check the asset was disposed of and the
amounts recorded are accurate.
Inspect board minutes for evidence of disposals during the year and agree these have
been removed from the FAR.
Recalculate a sample of disposals to agree they have been accounted for correctly. AVA
Depreciation
Review the depreciation policy for appropriateness in line with accounting standards. AVA
Perform a reasonableness test on the depreciation expense – calculate an expectation AVA

of the depreciation expense of each fixed asset category based on the client’s
depreciation policy and compare to actual.
Revaluation
Select a sample of revaluations from the FAR and agree to the independent valuation
report to check amounts have been recorded correctly.
Solution
19.6.3 Trade Debtors

The trade debtors balance in the financial statements is the net balance of the trade debtors less any allowance
for doubtful debt. The breakdown of the trade debtors figure is supported by the debtors ledger, which gives a
breakdown per customer of the outstanding balance.
The debtors ledger is often ‘aged’. Normally invoices will be classified as aged 0-30 days, 31-60 days, 61-90 days
and over 90 days old. This aids in the assessment of the provision for doubtful debts.
Notes

Example
XYZ Ltd
Trade Debtors
As at 31 October 20X4 (Extracts)
Trade debtors per financial statements 44,445
Balance per debtors ledger 45,690
Allowance for doubtful debts (1,245)
Net 44,445
Total debtors ledger Current debts 31-60 days 61-90 days 91+ days
£ £ £ £ £
45,690 44,147 596 600 347
There are three key substantive procedures performed on trade debtors:
1. Performing a debtors circularisation;

2. Performing subsequent cash testing; and
3. Testing the allowance for doubtful debts.
Debtors circularisation
One of the most common ways to obtain assurance over the debtors ledger is to perform a debtors circularisation.
Notes

A debtors circularisation involves writing to a sample of customers to request that they provide confirmation of
the balance that they owe at the year end.
Debtors circularisation requests will require either positive or negative confirmation.
Positive confirmation: a request for debtors to reply to confirm the balance.
Negative confirmation: a request for debtors to reply only if they disagree with the balance.
Negative confirmations provide a lower level of assurance than positive confirmations, as the lack of a reply from
the customer may indicate other circumstances, rather than actually agreeing with the balance. For example, the
customer may forget to respond.
The process for a debtors circularisation is:
1. The auditor will prepare the circularisation, including the debtor’s year-end balance;
2. The client will print off/ create the confirmation on their own headed paper (as the client has the relationship
with the customer);
3. The auditor posts/ emails the confirmation and requests the debtor to confirm directly to the auditor; and
4. Any non-responses should be followed up with a second letter/ email or phone call.
It is important that the auditor controls the process to avoid the risk of the confirmations being tampered with by the
client.
The debtors circularisation will primarily provide evidence over the existence, classification and rights and
obligations assertions for the trade debtor balance.
A circularisation provides little assurance over completeness as it is less likely that customers will highlight invoices
that are missing from the balance they owe than items that are included that they disagree with. Additionally, little
assurance is gained over accuracy, valuation and allocation as circularising does not provide any information over
the customer’s ability to pay or provide confirmation that they intend to, only the original amount of the debt.
Subsequent cash testing
Another key audit procedure commonly used when testing debtors is called subsequent cash testing (also referred
to as post-year-end or after-date cash testing). This involves selecting a sample of trade debtors and checking for
related cash receipts in the client’s post year-end bank statements.
Agreeing year-end debtors to cash received after the year-end date provides assurance over existence, rights and
obligations and accuracy, valuation and allocation.
Notes

If the payment is received after the year end, then the debtor must have existed at year end, and the company must
have had the rights and obligations to the cash balance. Also, by checking how much cash was received we have
comfort over the accuracy, valuation and allocation of the amount.
Allowance for doubtful debts
The auditor must also consider the adequacy of the provision for doubtful debts when considering accuracy,
valuation and allocation of trade debtors as the allowance adjusts the value of the trade debtors.
Procedures to test the allowance for doubtful debts are considered in the TPS Assurance and Data course.
Activity 11
The following tests are examples of other procedures that could be performed on a sample of trade debtors.
Identify which assertions are being tested by the following procedures:
1. Select a sample of pre-year-end GDNs and inspect the invoice recorded on the debtors ledger to check
that the trade debtor was recorded pre-year end;
2. Select a sample of trade debtors from the debtors ledger and inspect the customer contract/ order to
check for customer’s agreement for the sale;
3. For a sample of invoices, selected from the debtors ledger, agree the invoice value to approved price lists;
4. Select a sample of trade debtors and inspect the customer contracts to check that discounts have been
applied correctly; and
5. Select a sample of credit notes processed during the year and agree them to the debtors ledger to check
they have been recorded.
Solution
Notes

19.6.4 Stock
Stock is usually a significant account in a manufacturing or retail client. A company calculates the year-end stock
balance by counting the quantity of each type of stock item (normally recorded on stock sheets before updating in
the company’s stock listing/sub-ledger), and then multiplying this by the value of each item.
The stock listing (i.e., the sub-ledger) will show:
• the quantity of each stock item; and

• the value of each stock item – at the lower of cost or net realisable value (‘NRV’).
Therefore, the two main areas to auditing stock are:
• auditing the quantity of each stock item; and

• auditing the value of the stock item.
There are three key substantive procedures performed on stock:
1. Following up tests performed at the stock count;

Quantity
2. Cut-off testing; and
3. Cost vs. NRV testing Value
Testing quantity
Stock counts
Stock counts are a key control over stock. As discussed in Module 16, the auditor will attend the stock count and
reperform test counts from floor-to-sheet and sheet-to-floor. As part of the year-end audit the auditor may follow up
on these test counts.
By agreeing the quantity of items selected and confirmed during test counts to the company’s final stock records,
the auditor can gain assurance over the completeness and existence of the year-end stock balance. These follow
up procedures are classified as substantive procedures provided the sample sizes that the auditor selects are
sufficiently large to reduce the sampling risk to an acceptable level.
Notes

Cut-off testing
Although cut-off is an income statement assertion, it is also relevant to a number of balance sheet accounts,
including stock. Cut-off testing ascertains whether the client has accounted for transactions close to the year end
correctly. Cut-off is an area where misstatements are frequently identified and, therefore, is a higher risk area for
auditors. Cut-off tests on stock can also be co-ordinated with cut-off testing on debtors, creditors, sales and cost of
sales to improve the efficiency of the audit, as the auditor should consider both sides of the double entry.
The auditor will select a sample of goods received notes (‘GRNs’) and goods despatch notes (‘GDNs’) close to the
year end. The auditor will then check that each transaction has been accounted for in the correct period.
Sales and cost of sales transactions, stock, trade debtors and trade creditors are all affected by cut-off testing. Cut-
off testing meets the cut-off assertion in the statement of profit or loss and addresses the completeness and
existence assertions for balance sheet items.
There are four different scenarios to consider:
Year end
Before After
Purchases
GRN GRN
Included in? Included in?

• Creditors  • Creditors 
• Stock  • Stock 
Before After
GDN GDN
Included in? Included in?

Sales
• Sales  • Sales 
• Debtors  • Debtors 
• Stock  • Stock 
• COS  • COS 
 = included at year end

 = excluded at year end
Notes

Example
The auditor of Random Bits and Bobs Ltd (‘RBB’) is performing cut off testing as part of the year end
substantive testing. The year-end of RBB is 31 December 20X8. Included in the sample selected of Goods
Despatch Notes (‘GDNs’) and Goods Received Notes (‘GRNs’) were the following documents:
GDN 168596 GDN 185643

Date: 29 December 20X8 Date: 3 January 20X9
Order Ref: 246781 Order Ref: 126701
Customer Ref: 246 Customer Ref: 126
Item: 3RXT67 Item: 3RRT63

Quantity: 500 Quantity: 300
GRN 156963 GRN 106593

Date: 23 December 20X8 Date: 5 January 20X9
Order Ref: 154863 Order Ref: 56196
Supplier Ref: 154 Supplier Ref: 56
Item: 4HYU4 Item: 7HUY98

Quantity: 250 Quantity: 569
Additionally, the auditor obtained RBB’s trade debtors ledger, stock listing and trade creditors ledger. Extracts
are included below.
Stock Listing as at 31 December 20X8
Item Quantity Value
3RRT63 300 £597
4HYU4 250 £22,250
The auditor confirmed that items despatched pre-year end and items received post-year end were excluded
from the ledger. The items despatched post-year end and received pre-year end were confirmed as included
on the listing.
Notes

Trade Debtors Ledger as at 31 December 20X8
Customer Number Order Ref Value
126 126699 £6,396
126 126700 £716
246 246780 £56,489
246 246781 £31,150
The auditor confirmed that a debtor was recorded for the GDN dated pre-year end but not the post-year end
GDN.
Trade Creditors Ledger as at 31 December 20X8
Supplier Number Order Ref Value
154 154863 £22,250
56 56194 £76,596
The auditor confirmed that a creditor was recorded for the GRN dated pre-year end but not the post-year end GRN.
Testing value
Cost vs. NRV Testing
Auditing the accuracy, valuation and allocation assertion of stock requires assessing whether stock is carried at
an appropriate amount, in line with accounting standards. Accounting standards state that stock should be valued
at the lower of cost and net realisable value (‘NRV’). Most companies record and hold stock at cost and then
perform separate reviews to establish whether the NRV is lower, therefore, assessing the need for a write down (as
discussed in TC Financial Accounting).
As stock should be carried at the lower of cost and NRV, there are two components to be tested by the auditor:
1. Agree that the cost of stock is accurately recorded through agreement to purchase invoices; and
2. Review NRV and compare to cost (see below).
Whilst gaining an understanding of the client, the auditor should be alert to any situations that could lead to the NRV
being lower than the cost of a particular stock item.

Examples
The risks of NRV being lower than cost may arise from:
• a reduction in sales volumes, requiring stock prices to be reduced in order to sell items;
• the quality of stock being poor or faulty;
• stock becoming obsolete (e.g., a new technology has replaced it); or
• damaged stock requiring a write down.
1. Substantive analytical procedures
Common substantive analytical procedures applied to stock balances include looking at stock turnover or stock
days. These measures look at how quickly a company sells its stock. Where these ratios indicate that stock is slow-
moving, it may indicate that the company is struggling to find a buyer for the goods and consequently the NRV may
be lower than the cost – this is an issue with accuracy, valuation and allocation.
2. Tests of detail
The auditor can perform tests of detail to obtain evidence over the cost (e.g., purchase invoice) and the NRV (e.g.,
sales price).
Example
The auditor selects a sample of items from the year-end stock listing and agrees the cost of these items to
purchase invoices and compares this to the sales price (NRV) per the post-year-end sales invoices. This
identification and comparison of cost and NRV is a test for the accuracy, valuation and allocation assertion.
19.6.5 Trade Creditors
The trade creditors balance in the financial statements is represented by the trade creditors balance in the nominal
ledger. The breakdown of the trade creditors figure is provided by the creditors ledger, which gives a breakdown of
the outstanding balances per supplier.
Trade creditors can be an area of significant risk for the auditor as a company may understate liabilities (intentionally
or in error). Further, it is harder to identify items that are not there (i.e., gain assurance that creditors are complete)
than it is to prove that a listed item is genuine (i.e., that it exists).
Notes

Consequently, a key risk over trade creditors is the completeness assertion.
There are three key substantive procedures performed on trade creditors:
1. Perform creditors circularisations;

2. Supplier statement reconciliations; and
3. Search for unrecorded liabilities.
Creditor circularisations
It is possible to circularise creditors as with trade debtors. This, often time-consuming, procedure may not be
necessary if the suppliers of the company issue frequent supplier statements (see below).
If performed, creditor circularisations provide assurance over completeness, existence, accuracy, valuation and
allocation, classification and rights and obligations.
Supplier statement reconciliations
A supplier statement is often sent by the supplier to a customer to summarise the outstanding balance due at a point
in time, commonly the end of a month. This will show the outstanding balance brought forward together with any new
invoices set off against any payments received from the customer.
If supplier statements are available (which will depend on the client), the auditor should select a sample of these and
review the supplier statement reconciliations performed by the client between the statement and the creditors ledger.
Expected reconciling items include goods received but not yet invoiced and payments made but not yet cashed. The
reconciliation would be tested in a similar way to a bank reconciliation.
Supplier statement reconciliations provide evidence over completeness, existence, classification, accuracy,
valuation and allocation and rights and obligations of the liability.
Search for unrecorded liabilities
As a key risk for trade creditors is completeness, it is important to perform testing with the aim of identifying any
unrecorded liabilities (i.e., trade creditors being understated). An important test is, therefore, to select a sample of
items that indicate a liability should exist at the balance sheet date.
Notes

The testing includes:
• selecting a sample of post-year-end cash payments from the post-year-end bank statements and checking that
a trade creditor existed at the year end; and
• selecting a sample of invoices received or processed after the year end and check if they relate to goods or
services received pre-year end and that a creditor existed at the year end.
A search for unrecorded liabilities provides evidence over the completeness of trade creditors.
Activity 12
You are testing trade creditors and have identified that your client does not receive supplier statements.
For each of the alternative substantive procedures listed below in relation to trade creditors, identify which
assertion(s) is/ are being tested.
1. Select a sample of credit notes recorded in the creditors ledger and inspect the actual credit note received
from the supplier to check that the return is genuine.
2. Select a sample of post-year-end GRNs and inspect the year-end creditors ledger to check that they are
excluded from trade creditors (this is a more difficult example so take care).
3. Calculate creditors’ days and compare to the prior year, budgeted and industry-average figures.
Solution
Notes

earning Outcomes 1, 2 and 3: Select which balances assertions are tested by a particular
L
procedure, select a relevant audit procedure for a given balances assertion and explain
common substantive procedures for testing balances.
When testing for completeness/ existence the Missing Method and Directional Testing Method can be used to
identify which assertion is being tested.
You should now be able to meet the first, second and third learning outcomes for this module.
19.7 Audit Data Analytics and Substantive Testing of the Statement of Financial
Position
Similar to other stages of the audit, auditors are increasingly using audit data analytics (‘ADA’) to perform substantive
procedures.
Example
Consider the overall The objective of the ADA is to identify any material misstatements within
objective of the ADA and trade debtors, including gaining assurance over all assertions (except
how it will be achieved presentation) for trade debtors.
Obtain and cleanse the data Data was extracted from the client’s system by the audit team and did not
to be used in the ADA require any cleansing. The year end trade debtors data included customer
balances broken down by invoice including the invoice number, customer
reference code and invoice date. Monthly and prior year trade debtors
data was also obtained from the client’s system.
Consider whether the data The data has been checked for accuracy, completeness, validity and
to be used is relevant and reliability by the audit team. No issues were identified.
reliable
Carry out the ADA technique The ADA was carried out successfully by the audit team. The output,
summarised below, allowed the auditor to identify areas where further
investigation was required or gain assurance that trade debtors was fairly
stated.
Evaluate and report on the The audit team reviewed the outputs of the ADA tool. See Activity 13 for
result of the ADA the relevant findings.

Top 10 Customers
Top 10 Customers
20X7 20X6
Hodgson 28,115 Douglas 10,621
Douglas 14,057 Young 4,873
Norman 3,561 Winter 3,708
Hall 2,905 Pentland 2,008
Young 2,437 Hodgson 1,928
Pentland 2,000 Tollan 1,812
Poole 1,781 Cunnane 1,532
Foster 1,218 Foster 1,157
Cunnane 750 McKenzie 643
McKenzie 656 Cloke 547
Trade Debtors Ageing
Total 0-30 30-60 60-90 90+
20X7 93,715 57,166 25,303 8,434 2,812
61% 27% 9% 3%
20X6 62,477 46,858 7,497 7,497 625
75% 12% 12% 1%
Notes

Unusual Balances Detected
Credit Balances
Cameron -5,215
Miller -20
Round Sum Amounts
Pentland 2,000
Allison 500
No Customer Reference
- 400
- 320
- 89
- 364
- 150
Trade Debtors Journal Analysis
The outputs below show analysis of all journals posted to trade debtors during the year, including where the other
side of the journal is posted.
The first output shows the credit side of all entries which have been debited to the trade debtors account. The output
therefore shows that 92% of journals debited to trade debtors were credited to the revenue account (Dr Trade
Debtors, Cr Revenue).
Notes

Dr Trade Receivables Journals
2% 1%
5%
Revenue
Accrued Income
Other Income
Miscellaneous
92%
The second output shows the equivalent information for all journals credited to the trade debtors account.
Cr Trade Receivables Journals
3% 2%
15%
Bank and cash
Credit Notes
SPL – Bad Debt Expense
Miscellaneous
80%

Activity 13
Discuss any findings from the above outputs in relation to trade debtors.
Note: The purpose of this activity is to illustrate the theory of the tests of detail covered. It is not representative
of the format or standard of the final exam.
Solution
ADAs can be used to perform substantive procedures for the statement of financial position.
You should now be able to meet the fourth learning outcome for this module, having considered it in this module
as well as Modules 15, 16, and 17.
Notes

19.8 Summary
The detailed assertions for balances are as follows:
• Existence;
• Completeness;
• Accuracy, valuation and allocation;
• Classification;
• Rights and obligations; and
• Presentation.
There are a number of key substantive procedures that are commonly used by auditors. These are detailed below:
Financial Statement Account Test Primary Assertions
Cash and Bank Bank reconciliation C, E, AVA, R&O, Cl
Cash and Bank Bank confirmation letter C, E, AVA, R&O, Cl
Trade Debtors Debtors circularisation E, R&O, Cl
Trade Debtors Subsequent cash testing AVA, E, R&O
Trade Debtors Testing the allowance for doubtful debt AVA
Stock Stock count follow up C, E
Stock Cut-off testing C, E
Stock Cost vs. NRV testing AVA
Trade creditors Creditors circularisation C, E, AVA, R&O, Cl
Trade creditors Supplier statement reconciliations C, E, AVA, R&O, Cl
Trade creditors Search for unrecorded liabilities C
Similar to other stages of the audit, auditors are increasingly using audit data analytics (‘ADA’) to perform substantive
procedures.
You should now be able to meet all learning outcomes for this module. If you are not able to do so, go back and re-
read the relevant section.
Notes

Assertion Description options
Existence 4. All balances exist and are genuine.
Completeness 1. All transactions and balances (and related disclosures) that should have been
recorded have been recorded.
Rights and obligations 6. The entity holds or controls the rights to assets and liabilities are the
obligations of the entity.
Accuracy, valuation and 7. Balances (and related disclosures) are recorded at appropriate amounts in
allocation accordance with the accounting standards.
Occurrence 5. All transactions and events recorded took place and pertain to the entity.
Accuracy 3. Amounts and other data relating to transactions (and related disclosures)
have been appropriately recorded.
Cut-off 2. Transactions and events have been recorded in the correct accounting period.
Classification 9. Transactions and balances have been recorded in the proper accounts.
Presentation 8. Transactions and balances are appropriately aggregated or disaggregated

and clearly described, and related disclosures are relevant and understandable.
Back to Activity
Below is an example of a test for accuracy, valuation and allocation of motor vehicles. This may be different
from the test you have written and is provided as an example only.
For a sample of motor vehicles selected from the fixed asset register (population), inspect (verb) the purchase
invoice (evidence) and agree the price paid per the invoice to the fixed asset register (activity).
Back to Activity
Notes

Answer: b)
a) Select a sample of debtors from the debtors The test doesn’t specifically state HOW to ensure
ledger and ensure that the company has the right the company has the right to recognise – there is no
to recognise the debtor. activity.
b) Select a sample of invoices from the debtors The test contains all the elements needed and
ledger and agree to the customer contract and clearly explains how to ensure genuine sales took
GDN to check genuine sales took place and place.
that the company has the right to invoice the
customer.
c) Agree debtors to the contract. The test is too vague and does not include a sample,
population or a detailed activity.
Back to Activity
Notes

1. When testing fixed assets, the auditor selects a sample of assets from the fixed asset register and
physically verifies them.
• The missing method is that the auditor would not be able to physically verify the sample of assets
selected if they were missing. This would mean that the fixed asset register is overstated (as an
asset included on the register doesn’t exist), consequently this is a test for existence.
• The directional testing here is from ledger (fixed asset register) to asset which would indicate an
existence test.
2. When testing debtors, the auditor selects a sample of sales invoices and agrees them to the debtors
ledger.
• The missing method is that the auditor would not be able to agree the sales invoices to entries on
the debtors ledger if the entries were missing from the ledger. This would mean that the debtors
ledger is understated (no debtor is shown for a genuine invoice), consequently this is a test for
completeness.
• The directional testing here is from invoice to ledger which would indicate a completeness test.
3. When testing stock, the auditor selects a sample of physical goods and agrees they are included on the
stock listing.
• The missing method means that the stock items would be missing from the stock listing. This would
mean the stock listing is understated and so this is a test for completeness.
• The directional testing is from asset to ledger and therefore is a test for completeness.
4. When testing cost of sales, the auditor selects a sample of costs from the cost of sales listing and agrees
them to the invoice.
• The missing method means that the auditor would be unable to find the invoices, and therefore
the costs on the listing are not genuine and so the ledger is overstated. This is therefore a test for
occurrence.
• The direction here is from ledger to document and is therefore a test for occurrence.
Back to Activity
Notes

Below is an example of a procedure that could be performed to test for the completeness of fixed assets in
relation to disposals. This may be different from your own procedure and is provided as an example.
Select a sample of fixed assets disposals from the fixed asset register and inspect supporting documentation
(i.e., scrapping documents or sales invoice) to check that the disposal is genuine.
• The missing method is that the auditor is unable to find any supporting documentation to support the
disposal and therefore the fixed asset register is understated (as the asset has been removed from the
FAR despite not being disposed of) – this is therefore a completeness test.
• The direction of testing is from ledger to document. As a disposal is a decreasing item, we must reverse
the directional testing rule and therefore this is a completeness test.
Back to Activity
When testing trade debtors, the auditor selects a sample of GDNs and agrees them to sales invoices to check
that the sale was invoiced, and therefore included in the debtors ledger.
The sample is the GDNs and therefore we know they exist. Therefore, the thing that could be missing are the
sales invoices from being recorded on the debtors ledger. The financial statement impact is therefore that
debtors are understated as no debtor has been raised despite goods being despatched. This is, therefore, a
test for completeness of trade debtors.
From a directional testing perspective, the GDN is the document and is an increasing item as the GDN
indicates that a debtor should be recorded, increasing the trade debtors figure. Therefore, the test is an
increasing item from document to ledger – a completeness test.
Back to Activity
Notes

When testing sales, the auditor agrees a sample of sales on the sales listing to the bank statement to agree
the sale took place
• The sample is from the sales listing, therefore it is the entry in the bank statement that could be missing. If
there is no entry in the bank statement, this suggests that the sale is not genuine and therefore the sales
listing is overstated. This is therefore a test for occurrence.
• Ledger to document, increasing item therefore test for occurrence.
When testing trade creditors, the auditor selects a sample of purchase invoices recorded in the creditors
ledger and agrees them to GRNs
• The sample is the invoice that has been recorded in the ledger, and therefore the GRNs could be
missing. If no GRN exists then the invoices recorded are incorrect, and the creditors ledger is overstated.
Therefore, this is a test for existence.
• The direction is ledger to document. Test for existence.
When testing payroll, the auditor selects a sample of employee contracts and agrees that the employee is
included on the payroll listing
• Sample is the physical contract and therefore, it is the employee’s entry on the payroll listing that could be
missing. Therefore, the listing would be understated. This is a test for completeness.
• Sample is from document to ledger and contracts are increasing items. Therefore, this is a test for
completeness.
When testing trade debtors, the auditor selects a sample of credit notes relating to sales made pre-year end
and agrees the debtor is not on the debtors ledger
• The sample is the physical credit notes, therefore, it is the entries in the debtors ledger that would be
missing. If credit notes are not included in the ledger then debtors are overstated. This is a test for
existence.
• Document to ledger, as credit notes are reducing items direction should be reversed. This is a test for
existence.
Back to Activity
Notes

Audit test Assertion Issues found
Standard tests C, E, AVA, Cl Total per TB for Dr balances = £22,116 but

figure per financial statements = £23,419 so
Check that the trial balance figure agrees to
there is a difference of £1,303.
the financial statements
Bank reconciliation C, E, AVA, R&O, 1. No issues noted.

Cl 2. The BSB deposit account cash book
Obtain the year-end bank reconciliation(s)
figure per the reconciliation does
and perform the following procedures:
not agree to the trial balance, there
1. Agree the ‘balance per the bank is a difference of £150 (£20,938 vs.
statement’ to the bank statement(s) £21,088).
2. Agree the ‘balance per the nominal 3. No issues noted.
ledger’ to the trial balance 4. There is a reconciling item in the BSB
3. Check mathematical accuracy of deposit account of £45 which has no
reconciliation (casting) supporting documentation. (It may be
4. Where available, obtain supporting that the reconciliation has incorrectly
documentation for reconciling items to recognised interest received at the start
ensure that they are genuine and relate of the following month).
to the period 5. Cheque for £157 has not cleared
5. Obtain evidence that reconciling items the bank statement by the end of
were cleared post year end by agreeing November.
to post-year-end bank statements
Bank letter C, E, AVA, R&O, 1. No issues noted.

Cl 2. The BSB deposit account balance of
1. Check that all bank accounts are
included on the bank letter(s) and £21,050 does not agree to the bank
that there are no bank accounts on letter amount of £21,088 (difference
the bank letter(s) that are missing of £38).
from the client records 3. No issues noted.
2. Agree the balance to the bank
reconciliation(s)
3. Confirm that bank accounts are in the
name of the company
Foreign Exchange AVA The rates used to translate foreign currency

balances are in line with the Financial
Recalculate the translation of any foreign
Newspaper exchange rates, so no issues
currency balances and ensure that the
noted.
exchange rates used by the client are
reasonable by agreeing to an external
source (e.g., the Financial Newspaper)
Back to Activity

Transactions Evidence Possible Errors
Additions • Purchase invoice • Additions included in error (items do not exist) - E

• Contract • Additions fail to be recorded (FAR is not complete) - C
• Lease • Additions not included at the correct value (FAR not valued
documentation correctly) - AVA
• Title deeds • Additions are expensed in error - Cl
• Bank statements • Short-term or low-value leases are included on the FAR (client
• Board minutes does not have rights to the asset) - R&O
Disposals • Board minutes • Disposals have been omitted from the FAR (the FAR is
• Disposal form overstated and items do not exist) – E
• Sales invoice • Disposals included in error (the FAR is understated and
• Scrappage therefore not complete) - C
document • Disposals recorded as a sale in error - Cl
• Bank statements • Disposals are accounted for incorrectly (FAR not valued
correctly) - AVA
Depreciation • Deprecation • Depreciation policy is not appropriate (FAR valued incorrectly)

policy - AVA
• Depreciation • Depreciation calculations performed incorrectly (FAR valued
calculation incorrectly) - AVA
Revaluations • Valuation report • FAR revaluation does not agree to revaluation report (FAR
(internal or valued incorrectly) - AVA
external to client) • Revaluation calculations/ assumptions inappropriate (FAR
• Revaluation valued incorrectly) - AVA
calculation and
assumptions
Back to Activity
Notes

Fixed assets test - general
Agree closing balance per FAR to TB and then draft financial statements. C, E, AVA, Cl
Agree opening balance on fixed asset ledger to prior year audited C, E, R&O, AVA, Cl
Cast fixed asset schedule to check for mathematical accuracy. C, E, AVA
Inspect the FAR for evidence of repairs and maintenance charges Cl

capitalised in error.
Inspect the breakdown of the repairs and maintenance expense account Cl

for possible misallocation of assets/ items expensed in error.
Select a sample of assets from the FAR and physically verify them. E
Select a sample of assets from the client’s premises and agree these to C
the FAR to check they have been recorded.
Select a sample of assets from the FAR and agree title deeds to ensure R&O (Note: the test is only
the company does have title to assets. considering whether the company
holds the title of the asset and
is not considering the accuracy
of the amounts recorded when
comparing to purchase invoices/
loan documentation. Therefore,
AVA is not suitable for this test).
Additions
Select a sample of additions from the fixed asset register and trace to E, AVA
purchase invoice and bank statement to agree the cost of the asset.
Inspect board minutes for evidence of additions and agree to FAR to C

ensure they have been recorded.
Notes

Select a sample of additions from the FAR and agree client name to R&O
purchase invoice.
Disposals
Select a sample of disposals from the FAR and trace to sales invoice, C, AVA
trade-in/ scrapping invoice and bank statement to check the asset was
disposed of and the amounts recorded are accurate.
Inspect board minutes for evidence of disposals during the year and agree E
they have been removed from the FAR.
Recalculate a sample of disposals to agree they have been accounted for AVA
correctly.
Depreciation
Review the depreciation policy for appropriateness in line with accounting AVA
standards.
Perform a reasonableness test on the depreciation expense – calculate AVA

an expectation of the depreciation expense of each fixed asset category
based on the client’s depreciation policy and compare to actual.
Revaluation
Select a sample of revaluations from the FAR and agree to the AVA
independent valuation report to check amounts have been recorded
correctly.
Back to Activity
Notes

Select a sample of pre-year-end GDNs and inspect the invoice recorded on the debtors ledger to check that
the trade debtor was recorded pre-year end:
• Missing item would be the invoice on the ledger, therefore the ledger would be understated. This is a test
for completeness.
• A pre-year-end GDN is an increasing item, document to ledger. This is a test for completeness.
Select a sample of trade debtors from the debtors ledger and inspect the customer contract/ order to check for
the customer’s agreement of the sale:
• Procedure is looking to confirm that an order/ contract is in place between the two parties and therefore
the entity has the rights to the debtor. This is a test for rights and obligations.
For a sample of invoices, selected from the debtors ledger, agree the invoice value to approved price lists:
• This procedure is specifically testing that the invoice value is correct and is, therefore, a test for accuracy,
valuation and allocation.
Select a sample of trade debtors and inspect the customer contracts to check that discounts have been
applied correctly:
• This test is focusing specifically on discounts being correct (i.e., debtors are valued correctly) and
therefore is a test for accuracy, valuation and allocation.
Select a sample of credit notes processed during the year and agree them to the debtors ledger to check they
have been recorded:
• The sample is the credit notes, and therefore it is the debtors ledger entry that could be missing. This
would result in the ledger being overstated. This is a test for existence.
• Document to ledger, decreasing item. This is a test for existence.
Back to Activity
Notes

Select a sample of credit notes recorded in the creditors ledger and inspect the actual credit note received
from the supplier to check that the return is genuine.
• The missing item would be the actual credit note. Therefore, the creditors ledger is understated. This is a
completeness test.
• Ledger to document, decreasing item. Completeness test.
Select a sample of post-year-end GRNs and inspect the year-end creditors ledger to check that they are
excluded from trade creditors.
• The missing item in this case is a little more difficult. We are ensuring that the GRNs are excluded.
Therefore, what is ‘missing’ would be that the exclusion of the GRN is missing, therefore the creditor
balance would be in the ledger when it shouldn’t be. This would mean that creditors are overstated, so this
is a test for existence.
• Document to ledger, this is treated as a decreasing item as it should NOT be included. Therefore, existence
test.
Calculate creditors’ days and compare to the prior year, budgeted and industry-average figures.
• Completeness, existence, accuracy, valuation and allocation, classification (this is a type of

analytical procedure, and remember that general analytical procedures test all B/S assertions except
rights and obligations and presentation).
Back to Activity
Notes

The below findings would require further investigation by the auditor:
• The top 10 year end receivables have changed year on year, with Hodgson in 20X7 being the largest year end
balance (significantly more than any customer in the prior year) and several new customers being included in
the top 10 in 20X7.
• The ageing of trade debtors appears to be declining, with only 61% of debt categorised as current and the
proportion of debt over 90 days increasing to 3% compared to 1% in the prior year.
• Two credit balances have been identified on the trade debtors ledger which should be reclassified as
creditors.
• Unusual entries including round sum amounts and lack of customer references have been identified.
• A number of miscellaneous journal entries have been posted against trade debtors.
• During the year, 3% of trade debtor credit journals were in relation to bad debt write offs.
• A significant number of credit notes were posted against trade debtors during the year.
Back to Activity
Notes

Appendix – XYZ Ltd Cash and Bank Information
Section 1: Trial Balance Extract
XYZ Ltd
Extract from the trial balance at 31 October 20X4
Dr Cr
01000002 BSB deposit a/c GBP 21,088
01000003 BGB current a/c EUR 1,028
01000005 BBB current a/c GBP 5,000
Note 1:
BSB – Big Scottish Bank

BGB – Big Global Bank
BBB – Big British Bank
Section 2: Bank Confirmation Letters
BIG SCOTTISH BANK
The Auditor,
The Address
20 November 20X4
Dear Auditor,
Re: Bank Request for XYZ Ltd Balances as at 31 October 20X4
As requested, please find enclosed the details of the accounts in the name of XYZ Ltd at our bank.
GBP deposit account: £21,088 Cr
Yours sincerely,
The Banker
Notes

BIG BRITISH BANK
The Auditor,
The Address
18 November 20X4
Dear Auditor,
GBP current account 1: £nil

GBP current account 2: £5,000 Dr
Yours sincerely,
The Banker
BIG GLOBAL BANK
The Auditor,
The Address
26 November 20X4
Dear Auditor,
EUR current account: €1,203 Cr
Yours sincerely,
The Banker
Notes

Section 3: Foreign Currency Rates Extract
Financial Newspaper
31 October 20X4
Exchange rates
GBP to USD £1.00:$1.25

GBP to EUR £1.00:€1.17
GBP to YEN £1.00:¥138.00
Section 4: Bank Reconciliations
BGB bank reconciliation as at 31 October 20X4
Current account
€ £
Balance per bank statement 1,203 1,028
Add: Lodgements not yet credited - -
Less: Cheques not yet presented - -
Balance per nominal ledger 1,203 1,028
Notes

BSB bank reconciliation as at 31 October 20X4
Deposit account
Balance per bank statement 21,050
Add: Lodgements not yet credited 45
Less: Cheques not yet presented (157)
Balance per nominal ledger 20,938
BBB bank reconciliation as at 31 October 20X4
Current account
Balance per bank statement (5,000)
Add: Lodgements not yet credited -
Less: Cheques not yet presented -
Balance per nominal ledger (5,000)
Notes

Section 5: Support Documentation
Cheque 0050078
Payable to: Suppliers Are Us Ltd
For the amount of: One Hundred and Fifty-Seven Pounds only
Date: 30 October 20X4
Signed: C/O XYZ Ltd
Section 6: Bank Statements
BSB Bank Statement (deposit account) for November 20X4 (extract)
Date Dr Cr Balance
Balance brought forward 31/10/X4 21,050 21,050 CR
01/11/X4 Interest for Oct X4 38 21,088 CR
22/11/X4 Customer ABC receipt 950 22,038 CR
01/12/X4 Interest for Nov X4 45 22,083 CR
BGB EUR Bank Statement (current account) for November 20X4 (extract)
Date Dr Cr Balance
Balance brought forward 31/10/X4 1,203 1,203 CR
05/11/X4 Deposit 600 1,803 CR
BBB Bank Statement (current account) for November 20X4 (extract)
Date Dr Cr Balance
Balance brought forward 31/10/X4 5,000 5,000 DR
Notes

Substantive Testing – Part Two
Contents
20.3 Substantive Testing 475
20.4 Testing Transaction Assertions 476
20.4.1 Approach to Substantive Testing of the Profit and Loss 476
20.5 Testing Transactions 480
20.5.1 Sales and Other Income 480
20.5.2 Expenses 482
20.5.3 Payroll Expense 483
20.6 Testing Presentation 485
20.7 Summary 487

20. Audit Process: Substantive Testing – Part Two
20.1 Introduction
We are still in the substantive stage of the audit. In this module we will focus on substantive testing of transactions
and disclosures.
Risk Assessment
Systems
Substantive
Testing
Analysis
1. select which transactions assertions are tested by a particular procedure;

2. select a relevant audit procedure for a given transactions assertion; and
3. explain common substantive procedures for testing transactions.
Achieving these learning outcomes will enable you to meet the seventh and eighth learning outcomes from the
overall syllabus.
20.3 Substantive Testing
In Module 19, the theory behind substantive testing was introduced as well as some of the substantive procedures
the auditor can perform to test the balance sheet (‘B/S’). In this module, we will focus on substantive procedures for
the statement of profit or loss. The focus will be on the most common financial statement headings:
• Sales/ Revenue;
• Expenses; and
We will also address the presentation assertion in Section 20.6, as there is a key common procedure used by
auditors to meet this assertion, which is applicable for both balances and transactions.
Notes

The examples of substantive procedures in these modules are not a finite list of all the tests that could be performed
during an audit.
20.4 Testing Transaction Assertions
Activity 1
Match each of the transaction assertions to the balances assertions equivalent. Note that cut-off has not been
included as there are no direct equivalents.
Balances Assertion Transactions Assertion
Existence and Rights and Obligations Completeness
Completeness Presentation
Presentation Classification
Accuracy, Valuation and Allocation Occurrence
Solution
20.4.1 Approach to Substantive Testing of the Profit and Loss
There is often a significant volume of transactions through an entity’s profit and loss during the year. Therefore, it is
unlikely to be efficient (or possible) for an auditor to gain sufficient, appropriate audit evidence through tests of detail
in the profit and loss. Therefore, the auditor will usually gain much of the assurance over the statement of profit or
loss from tests of control.
Notes

However, due to the limitations of controls, some level of substantive testing is always required. Where a controls
reliance approach is possible, it is common for the key substantive procedure on the profit and loss to be substantive
analytical procedures.
Substantive analytical procedures
Substantive analytical procedures allow the auditor to adopt an effective approach by testing the full population in
one substantive procedure.
Substantive analytical procedures will likely be performed over significant accounts, which are commonly:
• Sales;
• Cost of sales;
• Depreciation expense; and
As with the balance sheet, the assertions that substantive analytical procedures provide evidence over for the profit
and loss will depend on the test. As a general rule, substantive analytical procedures will provide evidence over
completeness, occurrence, accuracy, cut-off and classification. However, students should be able to identify
where the wording of the test provides evidence over specific assertions.
Examples of substantive analytical procedures in relation to the statement of profit or loss include:
• A reasonableness test to assess the validity of the payroll expense – provides evidence over completeness,
occurrence, accuracy, cut-off and classification;
• A trend analysis of the sales figure on a month-by-month basis, compared to the equivalent data in the prior year
or budget. This data could be disaggregated further by store or product. Trend analysis provides evidence over
completeness, occurrence, accuracy, cut-off and classification;
• A large and unusual items review will test completeness, occurrence, accuracy, cut-off and classification.
However, a large and unusual items review looking specifically for capital items expensed in error will only test
classification, as no assurance is gained over the other assertions.
If you are not familiar with any of these types of substantive analytical procedures, then you should re-visit
Modules 15 and 17.
Notes

Example
The below information has been extracted from the fixed asset register (‘FAR’) in relation to the population of
motor vehicles for the year ended 31 December 20X5:
20X5 20X4
£ £
Cost 1,500,600 Dr 1,140,600 Dr
Accumulated depreciation 920,300 Cr 670,400 Cr
Net book value 580,300 Dr 470,200 Dr
The following additional information has been obtained through the audit procedures performed over the fixed
asset balance:
• The depreciation expense per the FAR is £309,900;

• The depreciation policy for motor vehicles is to depreciate using the straight-line method over the useful
life of five years (i.e., 20%);
• A full year’s depreciation is charged in the year of purchase and none in the year of disposal;
• The residual values of motor vehicles on the FAR as at 31 December 20X5 totalled £40,000;
• The cost of fully depreciated assets on the FAR as at 31 December 20X4 totalled £79,000;
• Additions during the year to 31 December 20X5 were £420,000; and
• Disposals during the year to 31 December 20X5 were £60,000. All assets disposed of were fully
depreciated.
Notes

Based on this information, an auditor would create an expectation for the 20X5 depreciation expense:
Cost (31 December 20X4) 1,140,600
Residual values (40,000)
Fully depreciated assets (79,000)
Additions 420,000
Disposals (60,000)
1,381,600
x 20%
Depreciation expense 276,320
The auditor would then compare the expectation to the actual depreciation of £309,900 which shows us
that there is a variance from expectation of £33,580.
The next step would be for the auditor to investigate the variance and corroborate it with additional audit
evidence, before concluding on whether or not assurance over each of the relevant assertions had been
gained satisfactorily. In practice the reasonableness test may be completed by an audit data analytics tool.
Note: You would not be expected to perform this detailed a depreciation calculation in the final exam. It is included
as an illustration only.
Possible errors identified by analytical procedures
When performing analytical procedures, an auditor may identify that the profit and loss account appears too high or
too low (i.e., over or understated). This may be due to:
• Account appears too high (i.e., overstated) because of duplicate or false transactions being recorded or credit
notes being omitted - occurrence;
• Account appears too low (i.e., understated), because transactions have been omitted or credit notes have been
duplicated, for example a purchase invoice was misplaced and, therefore, not recorded - completeness;
Notes

• Account appears either high or low because the figures have been miscalculated or recorded at the wrong
amount (e.g., a transposition error) - accuracy;
• Account appears too high or low because transactions have been included in error due to being classified
incorrectly (e.g., grant income included in sales) - classification; and
• Account appears too high or low because sales have been recorded in the incorrect period (e.g., post year-end
sales included in the current year’s sales) - cut-off.
20.5 Testing Transactions
20.5.1 Sales and Other Income
One of the key areas that an auditor will focus on is sales. In some organisations there may also be other income
such as interest income or grant income.
It is common that a key risk with income is that it is overstated. This could be due to transactions being:
• Overstated due to fictitious sales, or sales included in error – occurrence;

• Inaccurate due to miscalculated or incorrectly recorded sales – accuracy; or
• Inflated due to sales from the next financial period incorrectly being included in the current year – cut-off.
There are two key substantive procedures performed on revenue:
1. Substantive analytical procedures (discussed above); and

2. Cut-off testing.
Cut-off testing was discussed in Module 19.
Notes

Activity 2
The following substantive procedures are examples of procedures performed over the sales figure:
1. Perform detailed trend analysis of sales by sales outlet, product and groups of customers or by individual
customers – compare current year figures with prior year and budget;
2. Select a sample of invoices from the sales listing and recalculate the invoiced amount, agreeing price to
the approved sales price list and to customer contracts to check discounts are correctly applied and check
sales have been coded to the correct general ledger account;
3. Perform analytical procedures to compare the current year sales against prior year or budget by total,
geographical area, product and month; and
4. Agree a sample of sales from the sales listing to invoices to ensure that sales have been recorded net of VAT,
that the calculations are correct, and that the VAT portion has been correctly recorded in the VAT account.
For each of the procedures above, identify which transactions assertion or assertions is/ are being tested.
Solution
Notes

20.5.2 Expenses
Expenses cover various types of expenditure that an entity may incur as part of its operations. This can include the
cost of inventory for generating the sales as well as other general expenses incurred by the business, e.g., rent and
rates or insurance expense. Depreciation is also recognised here as well as the balance sheet, as the depreciation
expense needs to be allocated to the profit and loss account.
In contrast to income, the main risk of expenses is often understatement. Therefore, completeness is commonly a
higher ROMM transaction assertion. Additionally, cut-off and accuracy are often high risk as well.
Activity 3
Discuss why completeness, cut-off and accuracy are likely to be considered as higher risk assertions by the
auditor.
Solution
There are two key substantive procedures performed on all expense accounts:
1. Substantive analytical procedures; and

2. Cut-off testing.
Both of these tests have been discussed above.
The following substantive procedures are examples of tests performed over expenses.
Notes

Assertion(s)
1. Select a sample of purchase invoices from the cost of sales listing and confirm Classification
they have been allocated to the correct expense account.
2. Perform analytical review of the cost of sales expense comparing the Classification,
level of current year cost of sales to prior year expenses (by total, product, Occurrence, Cut-
geographical area, month etc.). Investigate any unusual differences. off, Accuracy and
Completeness
3. Select a sample of expenses and agree to the invoice to check the invoice is Occurrence
addressed to the company.
4. Recalculate the depreciation charge, ensuring that it has been properly Accuracy
calculated in accordance with the accounting policy.
5. Perform cut-off testing on the cost of sales account – select a sample of pre Cut-Off
year-end and post year-end GRNs and ensure that they are recorded in the
correct period.
6. Select a sample of post-year-end purchase invoices and check that any Completeness
expenses relating to the current year have been recognised in the current year.
20.5.3 Payroll Expense
After cost of sales, payroll is often the next most significant expense for a company. The payroll expense may
include salaries, wages, commissions, bonuses and employee benefits.
There are three key substantive procedures performed over the payroll expense:
1. Substantive analytical procedures;

2. Payroll reconciliation testing; and
3. Joiners and leavers testing.
The payroll reconciliation and joiners and leavers testing will be discussed below.
Notes

Payroll reconciliation testing
Similar to other reconciliations discussed in Module 19, the payroll reconciliation is a reconciliation performed
between the payroll listing (sub-ledger) and the payroll expense account in the nominal ledger (‘NL’) to check the
figures in the nominal ledger are accurate.
The reconciliation itself should be performed by the client regularly. The auditor will use the payroll reconciliation to
perform a key substantive procedure.
The auditor should obtain the year-end payroll reconciliation and complete the following tests of detail:
• Cast the reconciliation to check the mathematical accuracy;

• Agree the payroll listing total per the reconciliation to the actual detailed payroll listings for the year (which will
agree to amounts paid through the bank statements);
• Agree the payroll nominal ledger expense per the reconciliation to the nominal ledger;
• Obtain supporting evidence for a sample of the reconciling items on the payroll reconciliation. For example, check
that any accruals for staff costs yet to be paid agree to the accruals schedule for the current or previous year.
Testing the payroll reconciliation tests all transaction assertions, except presentation.
Joiners and leavers testing
The final test that is commonly performed by the audit team in relation to payroll is around staff who join and leave
the organisation in the period. This is primarily to ensure that joiners and leavers have been dealt with correctly.
Testing for joiners checks that only genuine new staff are included in the payroll and testing leavers checks that
leavers do not continue to be paid after leaving the organisation.
The auditor will select a sample of joiners from the payroll listing and check they are genuine by agreement to
supporting documentation such as contracts, human resource (‘HR’) records and new joiner forms. A sample of
leavers will be selected from the HR records and checked to ensure the leaver did not continue to be included
on the payroll listing after their leaving date.
Testing a sample of joiners from the listing will test the occurrence assertion whilst leaver testing will also test the
occurrence assertion.
These tests could each be performed in the opposite direction to test completeness. However, there is a greater
risk of fraud in this area potentially due to the inclusion of fictitious employees, or the failure to remove those who
have left. As such, occurrence is the key risk factor when testing joiners and leavers.
Notes

Activity 4
1. Identify which ONE of the following tests would test for completeness of the payroll expense in the
financial statements:
a) Select a sample of personnel files and agree the employees’ inclusion in the payroll listing
b) Select a sample of employees from the payroll listing and recalculate their deductions
c) Select a sample of payments from the bank statements and agree them to payroll listing to confirm
amounts
d) Select a sample of timesheets from before and after the year-end date and agree they are recorded
in the correct accounting period
2. Design a substantive procedure to test the occurrence assertion of the payroll expense.
Solution
20.6 Testing Presentation
Alongside a specific assertion for presentation, several assertions refer to the related disclosures for transactions
or balances. When giving an opinion on the truth and fairness of the financial statements, the auditor must audit
the notes to the financial statements as well as the primary financial statements. There are a lot of detailed rules in
accounting standards and in company legislation regarding the necessary disclosures, consequently, it is important
that that the auditor performs procedures to check that these requirements have been met.
When testing the presentation of a set of financial statements, there is one key procedure that the auditor will use: a
disclosure checklist.
Notes

Disclosure checklist
For every account in the financial statements the auditor has to check that all matters have been presented and
disclosed in accordance with the Companies Act 2006 and the applicable accounting standards.
For most auditors, this will be achieved by completing a disclosure checklist that details all the disclosure
requirements for a UK company. Each checklist performed will be specifically tailored to the set of financial
statements being audited.
A senior member of the engagement team should perform the disclosure checklist and check that all relevant items
have been disclosed in the financial statements correctly.
Note: Completion of a disclosure checklist does not guarantee that the financial statements show a true and fair view
– this is still a matter of professional judgement.
Example
Examples of items which will be covered by completing the disclosure checklist include:
• Cost and accumulated depreciation are shown for each category of fixed assets as a note to the balance
sheet;
• If property has been revalued during the year, the basis of valuation, use of an independent expert and
the date of the valuation are disclosed;
• The stock valuation policy is disclosed and stock is appropriately categorised into raw materials, work in
progress and finished goods; and
• Amounts due after more than one year are separately identified in the financial statements.
Completing a disclosure checklist will meet the presentation assertion for both transactions and balances.
earning outcomes 1, 2 and 3: Select which transactions assertions are tested by a particular
L
procedure, select a relevant audit procedure for a given transaction assertion and explain
common substantive procedures for testing transactions.
You should now be able to meet the first, second and third learning outcomes for this module.
Notes

20.7 Summary
The detailed assertions for transactions are as follows:
• Accuracy;
• Cut-off;
• Occurrence;
• Completeness;
• Classification; and
• Presentation.
There are a number of key substantive procedures that are commonly used by auditors. These are detailed below:
Financial Statement Account Test Assertions
P&L - All Substantive analytical procedures Varies
Sales/ Expenses Cut-off testing CO
Payroll Payroll reconciliation O, C, Cl, CO, A
Payroll Joiners and leavers testing O, C
Disclosures Disclosure Checklist Presentation
You should now be able to meet all learning outcomes for this module. If you are not able to do so, go back and re-
read the relevant section.
Notes

Balances Assertion P&L Assertion
Existence and Right and Obligations Occurrence
Accuracy, Valuation and Allocation Accuracy
Classification Classification
Back to Activity
1. Perform detailed trend analysis of sales by sales outlet, product and groups of customers or by individual
customers – compare current year figures with prior year and budget.
• Completeness, occurrence, accuracy, cut-off and classification
2. Select a sample of invoices from the sales listing and recalculate the invoiced amount, agreeing price
to the approved sales price list and to customer contracts to ensure discounts are correctly applied and
ensure sales have been coded to the correct general ledger account.
• Accuracy, classification
3. Perform analytical procedures to compare the current year sales against prior year or budget by total,
geographical area, product and month.
• Completeness, occurrence, accuracy, cut-off and classification
4. Agree a sample of sales from the sales listing to invoices to ensure that sales have been recorded net of VAT,
that the calculations are accurate, and that the VAT portion has been correctly recorded in the VAT account.
• Accuracy, classification
Back to Activity
Notes

In general, organisations aim to achieve high profits, sustained by a strong net assets position.
Therefore, organisations may feel the incentive or pressure to falsely understate expenses in order to increase
profits.
Organisations may understate expenses by failing to record expenses, recording expenses at a lower value
than is correct or by recording expenses in the following period. Therefore, completeness, accuracy and cut-
off are commonly considered to be higher risk assertions for expense accounts.
Back to Activity
1. Answer: a)
i. Completeness
ii. Accuracy
iii. Accuracy
iv. Cut-off
2. Below is an example of a procedure for occurrence of the payroll expense. It may be different from the
test that you have included and is included as an illustration.
Select a sample of staff from the payroll listing and inspect corresponding timesheets to ensure that work
was completed by the staff member.
Back to Activity
Notes

Completion
Contents
21.1.1 Which Stage? 491
21.3 Overview 492
21.4 Materiality 492
21.4.1 Materiality at completion 492
21.4.2 Evaluating audit evidence 493
21.4.3 Evaluating unadjusted misstatements 493
21.5 Going Concern 495
21.6 Overall Analytical Review of Financial Statements 499
21.7 Subsequent Events 499
21.8 Management Representation Letters 501
21.9 Summary 503

21. Audit Process: Completion
21.1 Introduction
21.1.1 Which Stage?
Risk Assessment
Systems
Substantive
Testing
Analysis
The aim of the completion stage is to generate sufficient, appropriate evidence to enable the auditor to express
an opinion over the truth and fairness of the financial statements. However, prior to release of the audit report,
the auditor must evaluate the evidence collected by performing a number of completion and review procedures.
These procedures are required by the ISAs (UK) and are performed so that the opinion can be justified by the work
performed.
1. explain the key stages of completion in an audit engagement.
Achieving this outcome will help you to meet the seventh learning outcome for the course as per the syllabus.
Notes

21.3 Overview
The auditor is now at the final stage of the audit process – the completion stage. This stage commences after the
year end and involves the following tasks:
1. Materiality recalculation and assessment of

misstatements
2. Going concern assessment

See Module 21
3. Overall analytical review of financial statements
4. Subsequent events review
5. Management representation letters
6. Engagement and client management See Module 14
7. Audit report issued See Module 22
21.4 Materiality
As discussed in Module 13, materiality is defined as an expression of the relative significance or importance of a
particular matter in the context of the financial statements as a whole.
21.4.1 Materiality at completion
During the planning stage, overall materiality was calculated based on an estimate of the final financial statement
figures (i.e., using numbers from the prior year, annualised actuals or budgets). Prior to issuing the audit report, the
auditor must recalculate the materiality threshold based on the final version of the financial statements. This is our
materiality at the completion stage and is called reporting materiality.
Reporting materiality: the final overall materiality level calculated at the completion stage using the
finalised financial statement numbers.
This recalculation may give a very different level of materiality from that calculated at planning, and hence may result
in the audit team performing additional tests of controls or substantive testing to ensure that the evidence collected is
sufficient and appropriate.
Notes

At the completion stage materiality is used to:
1. evaluate whether sufficient, appropriate evidence has been gathered; and

2. evaluate the effect of unadjusted misstatements identified by the auditor.
21.4.2 Evaluating audit evidence
On completion of the substantive testing stage, the auditor must review all of the audit evidence collected and the
results gained and assess whether sufficient, appropriate audit evidence has been gained over all of the material
figures in the financial statements, according to reporting materiality.
The auditor must consider each material account, what the inherent and control risks associated with that account
are and, therefore, whether sufficient, appropriate audit evidence has been collected to bring the detection risk down
to an acceptable level.
21.4.3 Evaluating unadjusted misstatements
ISA (UK) 450 Evaluation of misstatements identified during the audit provides guidance on the auditor’s evaluation
of unadjusted misstatements. If the auditor has found any misstatements during substantive testing, these should be
reported to the entity (unless clearly trivial, based on the auditor’s professional judgement).
The summary of audit misstatements (‘SAM’): a summary document containing all misstatements (adjusted
and unadjusted) identified throughout the audit, other than those considered to be clearly trivial.
Material misstatements
All material misstatements should be adjusted for by the entity, otherwise the financial statements will not give a
true and fair view and the audit opinion may need to be modified.
Immaterial misstatements
Any immaterial errors may be corrected at the discretion of the entity. However, the sum of all immaterial
misstatements should be considered with reference to materiality. If, in aggregate, the total of all immaterial
misstatements was above materiality then there would be a material misstatement and the audit opinion may need
to be modified.
An example summary of audit misstatements is shown over the page.
Notes

Example
Wolfpack Ltd
Year end: 30 September 20X2
Summary of audit misstatements
Financial Statement Account Dr Cr Material Adjusted
£ £
1 P&L – administrative expenses 100,000 N N
Fixed assets – accumulated 100,000

depreciation
being adjustment to apply depreciation policy consistently
2 P&L – sales 625,333 Y Y
Trade debtors 625,333
being October 20X2 sales incorrectly included in current year
3 P&L – administrative expenses 214,000 Y Y
Trade and other creditors 214,000
being correction for unrecorded liabilities
Summary and Conclusion
Adjusted differences in P&L 839,333 Dr Unadjusted differences

are judged to be
Unadjusted differences in P&L 100,000 Dr
immaterial
Adjusted differences in net assets 839,333 Cr
Unadjusted differences in net assets 100,000 Cr
Note: Reporting materiality for Wolfpack Ltd is £205,000.
Notes

21.5 Going Concern
ISA (UK) 570 Going concern contains guidance in relation to going concern.
Activity 1
The going concern basis of accounting is a fundamental principle in preparing financial statements.
Describe what is meant by a company being a going concern and how this impacts the approach to preparing
Solution
Notes

Responsibilities in relation to going concern
ISA (UK) 570 outlines an auditor’s responsibilities in relation to going concern, which are compared to the
responsibilities of the directors in the below table:
Directors Auditor
Responsible for: Responsible for:
• preparing the financial statements and, therefore, • obtaining sufficient, appropriate audit
for making an assessment as to whether or not evidence regarding, and concluding on, the
the entity is a going concern and preparing the appropriateness of management’s use of the
financial statements accordingly; going concern basis of accounting; and
• disclosing any material uncertainties in relation to • concluding on whether a material uncertainty
going concern if they exist; and exists about the entity’s ability to continue as a
• disclosing if the company has not prepared the going concern.
financial statements on a going concern basis of
In meeting these responsibilities, the auditor will
accounting.
evaluate the directors’ assessment of the entity’s
ability to continue as a going concern throughout
the audit process including performing an evaluation
immediately prior to the signing of the audit report.
Material uncertainty: a material matter whose outcome depends on future actions or events not under the
direct control of the entity that may affect, or cast significant doubt over, the going concern status of the entity.
Notes

Impact on the audit
There are a number of possible outcomes when the auditor is considering going concern:
Outcome Impact
The auditor judges that the entity has applied the Providing that there have been no other issues and no
going concern principle correctly and no material material misstatements detected during the audit, the
uncertainties exist. financial statements give a true and fair view.
The auditor judges that the entity has not applied the The financial statements do not show a true and
going concern principle correctly. fair view.
The auditor judges that a material uncertainty exists This should be disclosed in the financial statements
in relation to going concern (e.g., the entity is in the so that the shareholders are made aware.
middle of a court case, which – if they lose – may put
If disclosed appropriately, the auditor can conclude
them out of business).
that the financial statements show a true and fair
view. If disclosed inadequately, or omitted, the
financial statements do not show a true and fair
view.
Notes

Activity 2
You are at the completion stage of three audit engagements and the following issues have been identified:
• Company A: One of the company’s major customers has gone into liquidation.
• Company B: This Company produces 50 different products. Management have closed down an
insignificant production line in the company halting the production of Product X in response to poor sales
of this product.
• Company C: This Company needs to obtain financing in the form of a bank loan to achieve its business
objectives. Due to the market downturn, lenders have become more risk averse in their approach to
providing finance and are demanding more stringent criteria be agreed before a loan is provided. The
outcome of the bank’s decision is pending.
Consider the issues at these entities and determine whether you think there are any going concern issues
present.
Solution
Notes

21.6 Overall Analytical Review of Financial Statements
ISA (UK) 520 Analytical procedures states that the auditor must carry out analytical procedures during completion to
determine whether the financial statements as a whole are consistent with the auditor’s understanding of the entity.
The auditor must be satisfied that there are no obvious inconsistencies in the final version of the financial
statements and that the evidence gathered is sufficient and appropriate to meet the assertions, in order to confirm
the overall audit opinion.
The results of these final analytical procedures should be supported by the evidence collated during the course
of the audit and the results should be cross-referenced to the relevant sections of the audit file. Any unusual
or unexpected results should be investigated and corroborated by obtaining additional evidence to ensure that
sufficient, appropriate audit evidence is obtained.
Example
During the audit, different members of the audit team perform audit procedures on particular items such
as fixed assets, cash and bank and trade debtors. In testing these sections substantive procedures will be
performed.
The overall analytical review allows one member of the team an opportunity to check the financial statements
as a whole make sense and the explanations within each area tie together. For example, whether the
explanation for additional loans to finance the expansion of the business ties in with an increase in property,
plant and equipment and a reduction in cash and cash equivalents balance.
21.7 Subsequent Events
ISA (UK) 560 Subsequent events requires the auditor to be alert for any events occurring after the year-end date.
This is because these subsequent events may affect the truth and fairness of the financial statements. Assessing
whether items after the year-end date require to be reflected, through adjustment or disclosure, in the financial
statements will be considered in both TPS Financial Reporting and TPS Assurance and Data.
Notes

Example
Hockey Stix Ltd have a year-end date of 30 September 20X2. You are performing the subsequent events
review in December 20X2.
Included within trade debtors is a material customer balance of £200,000. Following some months of cash
flow difficulties, in November 20X2 the customer becomes insolvent and is unable to settle the debt.
Even though the customer became insolvent after the year end, the cash flow difficulties existed at the year
end and therefore an adjustment should be made to record the bad debt expense and write off the trade
debtor.
Responsibilities in relation to subsequent events
The responsibilities for subsequent events differ between the directors and the auditor:
Directors Auditor
To undertake the subsequent events review and Perform procedures designed to obtain sufficient,
reflect any necessary adjustments or disclosures appropriate audit evidence that all events up to the
as part of their preparation of the financial statements. date of the audit report that require adjustment or
disclosure have been identified and appropriately
reflected in the financial statements.
The auditor’s procedures will include:
• obtaining an understanding of any procedures management has established to identify subsequent events;
• enquiring of management and those charged with governance as to whether any subsequent events have
occurred which may impact the financial statements;
• reviewing the minutes of all shareholder and board meetings;
• reviewing post year-end management accounts;
• requesting details of pending litigation from the company lawyers; and
• obtaining written representations from management regarding subsequent events (see Section 21.8).
If the auditor becomes aware of events that materially affect the financial statements, they should consider whether
such events are properly accounted for and adequately disclosed in the financial statements.
If the auditor does not consider disclosure to be adequate, then the accounts are materially misstated and do not
give a true and fair view.
Notes

21.8 Management Representation Letters
ISA (UK) 580 Written representations, requires the auditor to obtain written statements that management and, where
applicable, those charged with governance1 have fulfilled their responsibilities for the preparation of the financial
statements and for providing information to the auditor and to support any other audit evidence relevant to the financial
statements if deemed necessary by the auditor or the ISAs (UK). There are three main areas requiring representation:
1. Audit evidence that those charged with governance acknowledge their collective responsibility for the
preparation of the financial statements, have fulfilled their responsibilities and provided necessary information
to the auditor. The directors’ responsibilities in relation to the financial statements include:
• responsibility for the preparation of the financial statements;
• responsibility for making all records and information available to the auditor; and
• that all transactions have been recorded and are reflected in the financial statements.
The management representation letter would contain an acknowledgement by those charged with governance
of these responsibilities.
2. Required representations by other ISAs (UK). A number of ISAs (UK) require specific representations to be
required by the auditor. For example:
• ISA (UK) 560 Subsequent events: management confirms that adjustment or disclosure has been made for
any relevant subsequent events; and
• ISA (UK) 450 Evaluation of misstatements identified during the audit: management confirm that they believe
that the effects of the uncorrected misstatements identified by the auditor during the audit are immaterial,
both individually and in aggregate.
3. Representations to support other audit evidence obtained during the audit of the financial statements. Any
specific matters relevant to the engagement may also be included in written representations. For example,
where management intent is required to support the valuation of an asset.
Management representation letters (from management, to auditors) are not a substitute for other available audit
evidence. If other evidence casts doubt on management representations, these should be investigated.
Written representations from management will often be in relation to matters material to the financial statements
when other sufficient, appropriate audit evidence cannot reasonably be expected to exist.
Commonly, additional representations are sought where the only evidence that has been obtained is oral. This is
because the possibility of misunderstanding is reduced when oral representations are confirmed in writing.
1 ISA (UK) 580 refers to “management” being those responsible for the preparation of the financial statements and with knowledge of the
matters concerned. In the UK, those charged with governance are responsible for the preparation of the financial statements. In this course,
we will use both terms when referring to representation letters.

Example
During final meetings with the directors of Entity XYZ Ltd, the directors stated their intention to continue a
product line which they had previously planned to discontinue.
Evidence gathered to date includes the review of board minutes, which state the intention to discontinue
operations.
Management representations are, therefore, required to provide written evidence over the contrary oral
evidence recently acquired.
Timing
The management representation letter should be dated as at the date of the audit report and obtained immediately
before the audit report is signed as it forms part of the evidence on which the audit opinion is based.
Learning Outcome 1: Explain the key stages of completion in an audit engagement
The aim of the completion stage is to generate sufficient, appropriate evidence to enable the auditor to express an
opinion over the truth and fairness of the financial statements.
You should now be able to meet the first learning outcome of the module.
Notes

21.9 Summary
Before the auditor begins to prepare the audit report, it is important that sufficient, appropriate evidence on which to
base the opinion has been collected.
Materiality
At completion, the auditor will:
• calculate reporting materiality based on the final financial statement figures;

• evaluate whether sufficient, appropriate evidence has been gathered; and
• evaluate the effect of unadjusted misstatements identified by the auditor.
Going Concern
At completion, the auditor will:
• evaluate the directors’ assessment of the entity’s ability to continue as a going concern, including whether any
material uncertainties exist; and
• consider the impact of this evaluation on the audit report.
Overall Analytical Review
At completion, the auditor will carry out analytical procedures to determine:
• whether the financial statements as a whole as are consistent with the auditor’s understanding of the entity; and
• that there are no obvious inconsistencies between the final version of the financial statements and the evidence
gathered.
Subsequent Events
At completion, the auditor will perform procedures designed to obtain evidence that all events up to the date of the
audit report that require adjustment or disclosure have been identified and reflected in the financial statements.
Management Representation Letters
At completion, the auditor will obtain written representations:
• that those charged with governance acknowledge their collective responsibilities;

• required by other ISAs (UK); and
• to support other audit evidence.
Notes

Financial statements are usually prepared on a going concern basis, that is, the company is expected to
continue for the foreseeable future. If a company is not a going concern, then the company’s value is limited to
the resale or salvage value of its assets. If a company is a going concern, the company may have additional
value due to the income-earning potential of its on-going business.
Back to Activity
Company A – loss of a major customer
There is a potential going concern risk in this company concerning current and future contracts with the
customer.
• Current contracts: there is a risk of the customer defaulting on existing debts. Where these balances are
significant, the company could suffer acute cash flow difficulties due to the loss of planned income.
• Future contracts: If Company A is dependent on this customer for its business continuity, the loss of the
customer will result in insufficient orders and, consequently, income to cover the company’s expenses
going forward. This could be overcome if Company A can negotiate contracts with other customers to
replace the income stream from the customer that has been lost.
Unless Company A has a contingency plan to support the business through the loss of this customer, it is
likely that the loss of this customer will call into question the going concern status of Company A.
Company B – cessation of production and sales of Product X
It is unlikely that there are going concern issues evident here as it is only one (insignificant) product line that
has been discontinued. The factory is still operational and producing the remaining 49 products within the
entity’s product range. The product also appeared to be selling badly.
If the product had, in fact, made up a significant proportion of the sales for the company, then this could have
resulted in a potential going concern issue.
Company C – financing requirement
This would be a matter of judgement but will raise a potential going concern issue if it is likely that the
company cannot obtain financing and the objectives are fundamental to the future viability of the company.
This may be judged to be a material uncertainty in relation to going concern. The auditor can obtain
independent third-party evidence directly from the lender and review correspondence from the bank that
is held by the entity. The auditor must make an independent assessment of the intentions of the bank and
consider the implications for the entity. If there is doubt over the going concern status this should be disclosed
by the directors in the accounts as a material uncertainty relating to going concern (assuming the auditor is
satisfied with the basis of accounts preparation).
Back to Activity

Reporting
Contents
22.1.1 Which Stage? 506
22.3 Overview of the Completion Stage 507
22.4 Contents of the Audit Report 507
22.4.1 Audit report example 509
22.5 The Audit Opinion 514
22.6 Modified Audit Opinions 515
22.6.1 Types of modified audit opinions 515
22.6.2 Nature of matter giving rise to the modification 515
22.6.3 Effect on the financial statements 517
22.6.4 Choosing the correct opinion 518
22.6.5 Explaining modified audit opinions 519
22.7 Impact of Going Concern Issues on the Audit Opinion 520
22.8 Practical Approach to Identifying the Correct Modified Audit Opinion 521
22.9 CA 2006 Terminology 524
22.10 Annual Report – Other Information 525
22.10.1 General information 526
22.10.2 Strategic report and directors’ report 527
22.10.3 Other information – UK listed companies 527
22.10.4 Other information – US listed companies 528
22.10.5 Other reporting responsibilities 528
22.11 Auditor’s Requirements Regarding Other Reporting Documents 529
22.12 Summary 531

22. Audit Process: Reporting
22.1 Introduction
22.1.1 Which Stage?
Risk Assessment
Systems
Substantive
Testing
Analysis
1. explain the key elements of the audit report;

2. explain the types of modified opinion available and apply these to a scenario to identify the appropriate form of
modification; and
3. describe the additional responsibilities of auditors in relation to additional information in the annual report and
other reporting documents.
Achieving these outcomes will help you to meet the fourth, seventh and eighth learning outcomes for the course as
per the syllabus.
Notes

22.3 Overview of the Completion Stage
The auditor is now at the last stage of the audit process – the completion stage. This stage commences after the
year end and involves the following tasks:
1. Materiality recalculation and assessment of

misstatements
2. Going concern assessment

See Module 21
3. Overall analytical review of financial statements
4. Subsequent events review
5. Management representation letters
6. Engagement and client management See Module 14
7. Audit report issued See Module 22
The final task will be discussed in this module. This module will explain the contents of the audit report, its meaning
and the forms of ‘modified’ audit reports.
The key output of the audit process is the audit report. This provides an independent opinion to the users of the
financial statements that the figures are reliable (i.e., they show a ‘true and fair view’). In doing so the auditor is
highlighting that there are no material misstatements that would influence the decisions of the users of the accounts
or, if applicable, highlighting where these exist.
22.4 Contents of the Audit Report
The audit report is used by the independent external auditor to communicate the opinion on the financial statements
to the shareholders. There are four ISAs (UK) which the auditor should comply with when preparing their report to
the shareholders:
• ISA (UK) 700 Forming an opinion and reporting on financial statements

• ISA (UK) 701 Communicating key audit matters in the independent auditor’s report
• ISA (UK) 705 Modifications to the opinion in the independent auditor’s report; and
• ISA (UK) 706 Emphasis of matter paragraphs and other matter paragraphs in the independent auditor’s report
(this will be covered in the TPS Assurance and Data Course).
Notes

The recommended uniformity in the form and content of the auditor’s report allows the reader to identify unusual
circumstances when they occur.
According to ISA (UK) 700, the following 13 basic elements must be included in every audit report:
1. Title;
2. Addressee;
3. Auditor’s opinion (on the financial statements);
4. Basis for opinion;
5. Conclusions relating to going concern;
6. Irregularities including fraud;
7. Other information;
8. Other reporting responsibilities;
9. Responsibilities of management for the financial statements;
10. Auditor’s responsibilities for the audit of the financial statements;
11. Signature of the auditor;
12. Address of the auditor; and
13. Date of the audit report.
Additional requirements for listed and public interest entities
There are some additional elements that will be included for listed entities, public interest entities and entities that
are required to, or that voluntarily choose to, report on the UK Corporate Governance Code (‘the Code’). Some of
the requirements cover additional disclosures within the ‘other reporting responsibilities’ section of the audit report
whilst others require the entity to include some additional elements within the audit report. These include:
1. Key audit matters; and

2. Name of the engagement partner.
Key audit matters
This section applies to auditors of listed and public interest entities, as well as those entities that are required
to, or choose to, report on the Code.
ISA (UK) 701 requires the auditor to include additional disclosures in their audit report regarding ‘key audit
matters’. These are matters that, in the auditor’s professional judgement, were of most significance in the audit of
the financial statements, selected from matters reported to those charged with governance.
Notes

When deciding which items are ‘key audit matters’ the auditor will consider:
• those items that were judged to have the highest risk of material misstatement including those with the greatest
effect on the overall audit strategy, the allocation of resources in the audit and directing the efforts of the
engagement team;
• where significant auditor judgements have been made; and
• the effect on the audit of significant events or transactions occurring during the period.
For each key matter identified by the auditor, the auditor shall include in the audit report:
• a description why the matter was considered to be one of the most significant in the audit;
• how the matter was addressed in the audit, including significant judgements made by the engagement team with
respect to the matter; and
• a reference to any related disclosures in the financial statements, if any.
The auditor is also required to communicate additional planning and scoping matters, including:
• explanations of the application of materiality, including the figure for overall materiality and performance
materiality; and
• an overview of the scope of the audit.
The descriptions of key audit matters by the auditor should be useful to the users of the financial statements and
enable the user to understand their significance to the context of the audit of the financial statements as a whole.
Name of the engagement partner
For listed companies the audit report must specifically name the engagement partner responsible for the audit.
22.4.1 Audit report example
The following is an example of an audit report and includes each of the basic elements of the audit report, with
the specific requirements of the auditing standards as well as statutory responsibilities highlighted. The financial
reporting framework references in this example are UK Accounting Standard references, however, in the event that
the client applies IFRS, the financial reporting references and terminology needs to be changed to reflect this.
For the purpose of the Assurance and Reporting exam, you are not required to memorise the layout or
wording of this report. However, it is important to familiarise yourself with the main content of each of the 13
basic elements and be able to explain why this content is required.
Notes

Independent Auditor’s Report1 To The [Members] [Shareholders]2 of XYZ Limited
Opinion on Financial Statements3
We have audited the financial statements of [name of entity] for the year ended [DATE] which comprise [specify
the primary financial statements such as the statement of comprehensive income, statement of financial position,
statement of changes in equity, cash flow statement etc.] and the related notes. The financial reporting framework
that has been applied in their preparation is applicable law and United Kingdom Accounting Standards (United
Kingdom Generally Accepted Accounting Practice).
In our opinion the financial statementsa:
• give a true and fair view of the state of the company’s affairs as at [date] and of its [profit/ loss] for the year then
ended;
• have been properly prepared in accordance with United Kingdom Generally Accepted Accounting Practice
(United Kingdom Accounting Standards, comprising FRS 102 “The Financial Reporting Standard applicable in
the UK and Republic of Ireland”, and applicable law); and
• have been prepared in accordance with the requirements of the Companies Act 2006b.
Basis for opinion4
We conducted our audit in accordance with International Standards on Auditing (UK) (ISAs (UK)) and applicable
law. Our responsibilities under those standards are further described in the auditor’s responsibilities for the audit
of the financial statements section of our report. We are independent of the company in accordance with the
ethical requirements that are relevant to our audit of the financial statements in the UK, including the FRC’s Ethical
Standard and we have fulfilled our other ethical responsibilities in accordance with these requirements. We believe
that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.
1. The title “independent auditor’s” distinguishes the report from other reports within the annual report.
2. It is a requirement of the CA 2006 that the duty of the company’s auditor is to report to the members on the financial statements.
3. A clear statement of an unqualified ‘clean’ opinion. The auditor also verifies the parts of the financial statements on which they are providing
an opinion.
a. Clarification that the opinion is not a guarantee.
b. An opinion on whether the financial statements comply with statutory requirements.
4. The auditor must identify the relevant standards and ethical guidance that are used to form the basis for the audit opinion and that they
believe that sufficient appropriate evidence has been gathered. The auditor also provides confirmation that they are independent from the
client. This also outlines the reasons for any modified audit opinion.
Notes

Conclusions related to going concern5
We have nothing to report in respect of the following matters in relation to which the ISAs (UK) require us to report to
you where:
• the directors’ use of the going concern basis of accounting in the preparation of the financial statements is
not appropriate; or
• the directors have not disclosed in the financial statements any identified material uncertainties that may
cast significant doubt about the company’s ability to continue to adopt the going concern basis of accounting
for a period of at least twelve months from the date when the financial statements are authorised for issue.
Explanation of extent the audit was considered capable of detecting irregularities, including fraud6
Irregularities, including fraud, are instances of non-compliance with laws and regulations, as defined by ISA (UK)
250A. We designed our procedures to detect such irregularities, and note that failing to detect irregularities due
to fraud is a higher risk than failing to detect due to error, given the potential for deliberate concealment of fraud.
Our procedures for detecting irregularities, including fraud, are detailed below. The primary responsibility for the
prevention and detection of fraud lies with the company and those charged with governance.c
[Detail procedures carried out, including how an understanding of the entity and relevant regulations was obtained,
risk assessment, controls tested, specific tests carried out, such as enquiries of legal teams, etc.]
Other information7
The directors are responsible for the other information. The other information comprises the information included in
the annual report, other than the financial statements and our auditor’s report thereon. Our opinion on the financial
statements does not cover the other information and, except to the extent otherwise explicitly stated in our report, we
do not express any form of assurance conclusion thereon. In connection with our audit of the financial statements,
our responsibility is to read the other information and, in doing so, consider whether the other information is
materially inconsistent with the financial statements or our knowledge obtained in the audit or otherwise appears
to be materially misstated. If we identify such material inconsistencies or apparent material misstatements, we
are required to determine whether there is a material misstatement in the financial statements or a material
misstatement of the other information. If, based on the work we have performed, we conclude that there is a material
misstatement of this other information, we are required to report that fact. We have nothing to report in this regard.
5. The auditor provides a summary of any matters that would impact the appropriateness of the company’s use of the going concern
assumption.
6. The auditor explains what is meant by irregularities, and details the main procedures they have carried out to ensure that their audit detected
such irregularities.
c. A reminder of it being the directors who have responsibility for preventing and detecting fraud.
7. This paragraph details the responsibilities of the directors for preparing other information reported with the financial statements and the
scope of the work that the auditor carries out over such information. The auditor does not give an opinion on ‘other information’.

Other reporting responsibilities8
Opinion on other matters prescribed by the Companies Act 2006
In our opinion, based on the work undertaken in the course of the audit:
• The information given in the strategic report and directors’ report for the financial year for which the financial
statements are prepared is consistent with the financial statements; and
• The strategic report and directors’ report have been prepared in accordance with applicable legal requirements.d
In the light of the knowledge and understanding of the company and its environment obtained in the course of the
audit, we have not identified material misstatements in the directors’ report.
We have nothing to report in respect of the following matters in relation to which the Companies Act 2006 requires
us to report to you if, in our opinion:
• adequate accounting records have not been kept;

• returns adequate for our audit have not been received from branches not visited by us;
• the financial statements are not in agreement with the accounting records and returns;
• certain disclosures of directors’ remuneration specified by law are not made; or
• we have not received all the information and explanations we require for our audit.
Responsibilities of management and those charged with governance9
As explained more fully in the directors’ responsibilities statement [set out on page …], the directors are responsible
for the preparation of the financial statements and for being satisfied that they give a true and fair view, and for such
internal control as the directors determine is necessary to enable the preparation of financial statements that are free
from material misstatement, whether due to fraud or error.
In preparing the financial statements, the directors are responsible for assessing the company’s ability to continue
as a going concern, disclosing, as applicable, matters related to going concern and using the going concern basis
of accounting unless the directors either intend to liquidate the company or to cease operations, or have no realistic
alternative but to do so.
8. This section details the auditor’s opinion on additional matters required under legislation or regulations.
d. Required by the CA 2006.
9. This it to make clear to the reader the extent of the responsibilities for those that have oversight of the financial reporting process.
Notes

Auditor’s responsibilities for the audit of the financial statements10
Our objectives are to obtain reasonable assurancee about whether the financial statements as a whole are free from
material misstatementf, whether due to fraud or error, and to issue an auditor’s report that includes our opinion.
Reasonable assurance is a high level of assurance, but is not a guaranteee that an audit conducted in accordance
with ISAs (UK) will always detect a material misstatement when it exists. Misstatements can arise from fraud or error
and are considered materialg if, individually or in the aggregate, they could reasonably be expected to influence the
economic decisions of users taken on the basis of these financial statements.
A further description of our responsibilitiesh for the audit of the financial statements is located on the Financial
Reporting Council’s website at: [website link] This description forms part of our auditor’s report.
Signature111
A N Auditor (Senior statutory auditor) for and on behalf of ABC LLP, Statutory Auditor
Address12
Date13
10. This is to make clear to the reader the extent of the responsibilities of the auditors in order to avoid any confusion with the responsibilities of
those responsible for preparing the financial statements.
e. Tells the reader it is not absolute assurance.
f. Free from material misstatement assures the reader the amounts are correct only within reasonable limits.
g. Explains the concept of materiality in relation to the overall financial statements.
h. This provides linkage to coverage of the overall scope of the auditor’s responsibilities which have not been detailed in the audit report, but
still apply.
11. Name of auditor required (if company is listed) as well as audit firm.
12. Location of auditor’s office.
13. The date should be the date the audit report is signed and after the directors have approved the financial statements and tells the reader the
auditor has considered events up to that date.
Notes

Learning Outcome 1: Explain the key elements of the audit report
There are 13 key elements of the audit report. These are:
1. Title;
2. Addressee;
6. Irregularities including fraud;
There are also additional areas for listed, public interest and entities that report on the Code.
22.5 The Audit Opinion
The third section of the audit report is the audit opinion. The purpose of the audit opinion is to tell the users of the
financial statements and shareholders whether or not the auditor believes that the financial statements give a true
and fair view of the company.
The audit opinion is often considered as the key element of the audit report.
There are two different types of audit opinion:
Unmodified opinion: this is issued when, in the auditor’s opinion, the accounts give a true and fair view.
Modified opinion: this is issued when, in the auditor’s opinion, the accounts do not give a true and fair
view or the auditor cannot form an opinion on the accounts.
Notes

An unmodified opinion is considered the best-case scenario and is the most common form of audit opinion. In
achieving this, the auditor has been able to conclude that, based on the evidence obtained, the financial statements
as a whole are free from material misstatement. The auditor must have gathered sufficient, appropriate
evidence to support this.
22.6 Modified Audit Opinions
Although in most cases an unmodified audit opinion will be issued, there are circumstances which give rise to a
modified audit opinion.
22.6.1 Types of modified audit opinions
ISA (UK) 705 identifies three different forms of modified audit opinion, and the form of the modification will depend
on the circumstances that the auditor has found.
The following table summarises the possible modifications:
Auditor’s judgement about the pervasiveness of the effects or possible

effects on the financial statements
Nature of matter giving Material but not Material and pervasive

rise to modification pervasive
Financial statements are Qualified opinion Adverse opinion

materially misstated
Inability to obtain sufficient Qualified opinion Disclaimer of opinion

appropriate audit evidence
This section considers the different circumstances that would result in a modified opinion and how the auditor would
assess the appropriate opinion to include in the audit report.
22.6.2 Nature of matter giving rise to the modification
Per ISA (UK) 705, there are two circumstances that could give rise to a modified audit opinion. These are:
1. when the auditor concludes that, based on the evidence obtained, the financial statements as a whole are not
free from material misstatement; or
2. when the auditor is not able to obtain sufficient, appropriate evidence to conclude that the financial
statements as a whole are free from material misstatement.
Notes

Financial statements are materially misstated
The financial statements are materially misstated when there is a material error in the financial statements.
This may arise where the auditor has found a material misstatement that the client refuses to adjust in the
financial statements or where there is a disagreement between the auditor and the client as to the treatment of a
material item in the financial statements.
Inability to obtain sufficient, appropriate audit evidence
The auditor’s inability to obtain sufficient, appropriate evidence is often referred to as a limitation on scope.
A limitation on scope may arise from:
• circumstances beyond the control of the entity;

• circumstances relating to the nature or timing of the auditor’s work; or
• limitations imposed by management.
Examples
Reason for limitation Examples
Circumstances beyond the • the entity’s accounting records have been destroyed by fire/ flood; or
control of the entity • the accounting records have been seized and held indefinitely by
government authorities.
Circumstances relating to • due to the timing of appointment the auditor is unable to attend/
the nature or timing of the observe the counting of physical inventories.
auditor’s work
Limitations imposed by • management prevent the auditor attending the count of physical
management inventories; or
• management prevent the auditor from requesting third party
confirmation of specific balances.
Notes

22.6.3 Effect on the financial statements
To merit modification, the matter must be at least material to the users of the financial statements. Additionally,
some matters may be so serious that they are considered to be not just material, but also pervasive to the financial
statements.
Therefore, a matter can be:
• Not material;
• Material; or
• Material and pervasive.
An item is considered pervasive if the effects of the matter:
• are not confined to specific elements, accounts or items of the financial statements;
• represent a substantial proportion of the financial statements; or
• in relation to disclosures, are fundamental to users’ understanding of the financial statements.
The auditor must use judgement when deciding whether a matter is pervasive.
Example
Overall materiality is £10,000. The net assets of the company total £1,500,000 and the profit for the year is
£200,000.
• An error of £600 has been detected in the trade payables balance. This is not material, and the error is
recorded in the summary of misstatements.
• An error of £11,000 has been detected in the trade receivables balance. This is material, but only one
area of the financial statements has been affected and it does not represent a substantial proportion of
the financial statements. Therefore, this error is material but not pervasive.
• Revenue is overstated by £250,000. This is material, but it is also pervasive because although only one
area is affected, the amount is 125% of profit which would be considered substantial.
• It has been discovered that one of the directors has committed fraud and many accounts have been
affected. The errors total £500,000 and so this issue is both material and pervasive.
Notes

Activity 1
For each of the following, identify if you think they are not material, material only or material and pervasive:
NM/M/P
1. The auditor believes that the trade receivables balance is overstated by £15,000. Overall
materiality is £12,000, and net assets are £100,000
2. Inappropriate application of the going concern assumption
3. Inability to audit the petty cash balance which accounts for less than 1% of the total
assets
4. Disagreement over appropriateness of the depreciation policy. The adjustment would

reduce net profit by 0.5%
5. Restrictions imposed by the client prohibit the auditor from observing the inventories
count, which accounts for 40% of all assets. No alternative procedures can be applied
6. A fire at head office has destroyed all the financial records for the year
7. The directors have failed to make any disclosures about going concern in the annual
report, including references to a number of material uncertainties identified
Solution
22.6.4 Choosing the correct opinion
The auditor must choose between the types of audit opinion noted at Section 22.6.1. Below details each of the types
of opinion that would be used depending on the circumstances and effect on the financial statements. Note that a
qualified opinion will be selected whenever a matter is material but not pervasive, regardless of the circumstance.
Notes

Audit Opinion wording
opinion
Material Qualified In our opinion, except for the effects of the matter described in
misstatement in the the Basis for Qualified Opinion paragraph, the financial statements
financial statements present fairly (or give a true and fair view of) the financial
performance of XYZ Ltd.
Pervasive Adverse In our opinion, because of the significance of matters described in the
misstatement in the Basis for Adverse Opinion paragraph, the financial statements do not
financial statements give a true and fair view of the financial performance of XYZ Ltd.
Material limitation Qualified In our opinion, except for the possible effects of the matter described
on scope in the Basis for Qualified Opinion paragraph, the financial statements
present fairly (or give a true and fair view of) the financial
performance of XYZ Ltd.
Pervasive limitation Disclaimer We do not express an opinion on the financial statements of XYZ
on scope Ltd. Because of the significance of matters described in the Basis for
Disclaimer of Opinion paragraph, we have not been able to obtain
sufficient appropriate audit evidence to provide a basis for an audit
opinion.
A qualified opinion is commonly referred to as a qualified ‘except for’ opinion. This is due to the opinion wording
stating that the accounts are true and fair ‘except for’ the matter described.
22.6.5 Explaining modified audit opinions
In all modified audit reports the auditor should:
• amend the heading of the Opinion and Basis for Opinion paragraphs to Basis for Qualified Opinion/ Adverse
Opinion/ Disclaimer of Opinion (as appropriate);
• give reasons for the modification; and
• quantify the effect on the accounts if possible (if not possible a statement to this effect should be included).
This explanation is included in the ‘Basis for opinion’ (and was the fourth basic element of the audit report covered in
Section 22.4).
Notes

22.7 Impact of Going Concern Issues on the Audit Opinion
Going concern is pervasive to the financial statements as it is fundamental to the users’ understanding.
Therefore:
• if the financial statements contain a misstatement concerning the going concern status of a business this
would result in an adverse opinion; and
• if the auditor is unable to obtain sufficient evidence to support the directors’ assessment of going concern,
then a disclaimer of opinion may need to be given.
The impact of material uncertainty disclosures on the audit opinion and report will be considered further at TPS
Assurance and Data.
The auditor is required to include a statement within a ‘Conclusions relating to going concern’ section in the audit
report regarding the going concern basis applied by the directors (and was the fifth basic element of the audit report
covered in Section 22.4). This will conclude on:
a) Whether the going concern assumption is appropriate; and

b) Whether there are any material uncertainties requiring to be reported by the directors.
Notes

Activity 2
For the first six situations in Activity 1, decide which audit opinion should be issued.
NM/M/P Opinion
1. The auditor believes that the trade receivables balance is overstated M

by £15,000. Overall materiality is £12,000, and net assets are
£100,000
2. Inappropriate application of the going concern assumption P
3. Inability to audit the petty cash balance which accounts for less than NM
1% of the total assets
4. Disagreement over appropriateness of the depreciation policy. The NM

adjustment would reduce net profit by 0.5%
5. Restrictions imposed by the client prohibit the auditor from observing P

the inventories count, which accounts for 40% of all assets. No
alternative procedures can be applied
6. A fire at head office has destroyed all the financial records for the year P
Solution
22.8 Practical Approach to Identifying the Correct Modified Audit Opinion
In the Assurance and Reporting exam, you may be provided with a question describing a scenario at a client and
then asked to identify the audit opinion that you would give based on the scenario facts. The following approach
should be applied to determine what the opinion is:
1. Identify the circumstances causing concern in the scenario;

2. Determine whether the issue is not material, material only or material and pervasive; and
3. Conclude on the audit opinion.
The flowchart over the page demonstrates the process you should follow to identify the correct opinion.
Notes

Issue identified
What are the circumstances?

Error or disagreement Insufficient evidence
Misstatement Limitation on scope
No Is the issue material? Is the issue material? No
Yes Yes
Are many items Yes Yes Are many items
affected? affected?
No No
Is the impact Is the impact
on the overall Yes on the overall
Yes
financial statements financial statements
substantial? substantial?
No No
In the case of In the case of
disclosure, is the item disclosure, is the item
fundamental to the Yes Yes fundamental to the
users’ understanding users’ understanding
of the financial of the financial
statements? statements?
No No
Material Only Material Only
QUALIFIED ‘EXCEPT QUALIFIED ‘EXCEPT

FOR’ OPINION FOR’ OPINION
UNMODIFIED Material and Material and UNMODIFIED

OPINION Pervasive Pervasive OPINION
DISCLAIMER
ADVERSE OPINION
OF OPINION

Example
Sweet Tooth Ltd
You are the auditor of Sweet Tooth Ltd, a company that manufactures and sells confectionery. During the
year to 30 June 20X2 the company suffered a break-in and as a result many of the company’s accounting
records were destroyed, including the trade receivables ledger. Trade receivables at the year end amounted
to £1,200,000 and these cannot be verified because of the loss of records. The company has net assets of
£2,200,000 and profit before tax for the year is £500,000.
Identify how this matter should be treated in the audit report.
Hint: Follow the flowchart above to identify the appropriate opinion.
Solution to Example
Following the flow chart above:
1. This is an example of a limitation on scope as the auditor is not able to obtain sufficient, appropriate audit
evidence.
2. The matter is material. Although no specific overall materiality is given, the fact that the trade receivables
figure is 55% of net assets and greater than current year profit tells us that it will be material, based on
our knowledge of common materiality levels from Module 15.
3. Only one item is impacted – trade receivables.
4. The impact on the overall financial statements is substantial as the unsubstantiated figure accounts for
55% of the net assets figure and is greater than current year profit.
Conclusion: This is a pervasive limitation on scope and would result in a Disclaimer of Opinion.
Notes

Activity 3
You are the auditor of Lawnzies Ltd a company which sells turf for football grounds. For the year ended
31 August 20X3, Lawnzies had revenue of £2,400,000 with a profit before tax of £350,000. During the audit
for this year you discover that the inventories of turf have been valued at £500,000 using net realisable value,
and this figure has been included in the statement of financial position. The cost of the turf is £450,000. The
directors have said that at this late stage they will not be adjusting any more figures in the accounts.
Identify how you would treat this matter in the audit report.
Solution
22.9 CA 2006 Terminology
Under the Companies Act 2006 (‘CA 2006’) an auditor’s report must provide a clear opinion on the financial
statements taken as a whole and that opinion can be qualified or unqualified. Therefore, the CA 2006 refers to
qualified or unqualified opinions as opposed to modified and unmodified.
Notes

Although the terminology is different from the auditing standards, the overall conclusion being provided to the users
of the financial statements is the same, as shown in the table below:
CA 2006 audit opinion Situation ISA audit opinion
Unqualified opinion The accounts give a true and fair Unmodified opinion
view.
Qualified opinion The accounts do not give a true Modified opinion

and fair view/ unable to form an
opinion.
Learning Outcome 2: Explain the types of modified opinion available and apply these to a
scenario to identify the appropriate form of modification
There are two categories of audit opinions: modified or unmodified.
Auditor’s judgement about the pervasiveness of the effects or

possible effects on the financial statements
Nature of matter giving rise to Material but not pervasive Material and pervasive
the modification
Financial statements are materially Qualified opinion Adverse opinion

misstated

Use the flowchart provided in the module to establish the correct audit opinion for a given scenario.
You should now be able to meet the second learning outcome for the module.
22.10 Annual Report – Other Information
TC Financial Accounting identifies that there are a number of other documents that are commonly included within the
annual report along with the annual financial statements and audit report.
Notes

Other information in the annual report could include:
• a directors’ report;
• a strategic report;
• a chairman’s report;
• a corporate social responsibility report;
• a corporate governance statement;
• a report on the effectiveness of a company’s internal controls;
• a directors’ remuneration report; and
• a going concern statement.
The work that the auditor must do on this additional information varies.
22.10.1 General information
ISA (UK) 720 The auditor’s responsibilities relating to other information requires the auditor to read all other
information presented to the shareholders and request that management resolve any discrepancies with the
audited financial statements or inconsistencies with the auditor’s understanding of the entity, if they are encountered.
Impact on Reporting
Material inconsistency: where there is a material contradiction between the information contained in the
financial statements and information contained elsewhere in the annual report. An example might be the
narrative review referring to the company making a profit when it was in fact loss-making.
If a material inconsistency is discovered, the auditor must determine whether:
• the audited financial statements need to be amended;

• the other information needs to be amended; or
• the auditor’s understanding of the entity needs to be updated.
If the material inconsistency is in the financial statements and this is not corrected by the directors, the auditor will
issue a modified audit opinion due to the disagreement over the correct accounting treatment, as with any other
misstatement.
If it is the other information that is misstated or inconsistent with the audited information and the matter is not
resolved or amended by the directors, the auditor should communicate the matter to those charged with governance
and request it to be updated. If it still remains incorrect the auditor should include a description of the inconsistency
Notes

in the ‘other information’ section of the audit report (the seventh basic element of the audit report covered in
Section 22.4). This would be an example of communicating information in the audit report, but not requiring
a modification to the audit opinion. As the financial statements would still be deemed to be true and fair, no
modification would be required to the opinion in this situation.
22.10.2 Strategic report and directors’ report
Per the example audit report at Section 22.4.1 and the eighth element of the audit report, the auditor may also have
other reporting responsibilities. As discussed in TC Financial Accounting, under the Companies Act 2006 many UK
companies are required to include within their annual report a strategic report and directors’ report.
The auditor is required to state whether in their opinion:
• the information given in the strategic report and directors’ report is consistent with the accounts; and
• whether the strategic report and directors’ report have been prepared in accordance with applicable legal
requirements (i.e., the Companies Act 2006).
22.10.3 Other information – UK listed companies
Listed and public interest companies and those companies that report on the UK Corporate Governance Code often
must include additional information in their annual reports, some of which extends the auditor’s responsibilities when
performing the audit of a listed company.
The following financial reporting requirements extend the auditor’s responsibilities:
• Directors’ remuneration reports; and

• Corporate governance statements.
Directors’ Remuneration Reports
For listed companies, the auditor is required to audit the numerical part of the directors’ remuneration report,
stating in the audit report whether, in the auditor’s opinion, it has been prepared in accordance with the CA 2006.
This includes areas such as directors’ emoluments, pensions and compensation for loss of office. The non-numerical
information (the remuneration policies) must be reviewed for consistency with the auditor’s understanding.
Corporate Governance Statements
The FRC does not require the auditor to audit the narrative statement concerning the application of the principles
of the UK Corporate Governance Code (‘the Code’). However, specific work is required by the auditor in relation to
the compliance statement, being the second part of the two-part statement required as discussed in Module 2.
Notes

The requirements of the auditor include:
1. Performing specific procedures on seven of the 41 provisions; and

2. Treating the remaining provisions of the Code as ‘other information’ in the annual report.
1. Specific Provisions
The Listing Rules state that the auditor is expected to review the directors’ compliance statement in relation to seven
specific provisions within the Code and note any apparent misstatements or inconsistencies. These provisions are
chosen as they relate to areas that the auditor generally has involvement in. You are not expected to know which
provisions these are for your Assurance and Reporting exam. If any misstatements are identified, these are reported
in the ‘other information’ section of the audit report.
2. Remaining Provisions – ‘Other Information’
As described above, under ISA (UK) 720, auditors are required to review all other information contained in the
annual report for consistency with the financial statements.
22.10.4 Other information – US listed companies
As discussed in Module 2, the Sarbanes-Oxley Act (‘SOX’) requires the directors of the company to issue a section
404 report assessing the effectiveness of their internal controls over financial reporting, including the details of the
specific weaknesses identified and management’s approach to addressing these weaknesses.
In relation to the SOX statement the auditor must attest to and report on the statement made by the directors.
The statement is an assessment of effectiveness rather than confirmation that controls have been reviewed and
improvements actioned. As a result, the procedures required to make this statement, as well as the amount of work
required from the auditor, are substantial.
22.10.5 Other reporting responsibilities
For some sectors and entity types the auditor may be required to provide an opinion on other matters as a result
of legal and regulatory requirements. This is the eighth key element of the audit report and normally involves the
auditor either making a positive statement or reporting by exception.
Notes

Example
Matters reported by exception under the Companies Act 2006
The auditor is also required by the CA 2006 to form an opinion about several other matters and will report, by
exception, the following failings:
• Returns have not been received from branches not visited by the auditor;
• Accounts do not agree with the underlying records;
• Proper accounting records have not been kept;
• Information and explanations necessary for the purposes of the audit have not been received; and
• Directors’ emoluments (e.g., salary, bonuses, and pension contributions) and other benefits
disclosures specified by law are not complete.
Matters reported by exception were covered in Module 9.
22.11 Auditor’s Requirements Regarding Other Reporting Documents
During the course of an audit engagement the auditor may be involved in the production of other reports apart from
the statutory audit report. This is common when the entity is a listed company.
Report Auditor’s requirements
Standalone The auditor is not required to make a statement on the standalone strategic report with
strategic report supplementary information, but must check that it is consistent with the strategic report
with supplementary in the full financial statements and the supplementary information has been prepared
information in accordance with the Companies Act 2006.
The report must also state whether the auditor’s opinion on the financial statements
was qualified or unqualified and whether the auditor’s opinion on the strategic report
and directors’ report (22.10.2) was modified or unmodified. If either is qualified, the
opinion must be included together with any other relevant information needed to
understand the opinion.
Preliminary If a company chooses to issue a preliminary announcement, this should be agreed

Announcement with the auditor. If the audit report is likely to be modified, the modification and the
reasons for modification should be indicated in the preliminary announcement.
Half-yearly Financial Companies may choose whether or not to have their half-yearly financial report audited
Report or reviewed. This is normally only reviewed by the auditor, and may be an example of
an auditor providing limited rather than reasonable assurance (see Module 7).

Learning Outcome 3: Describe the additional responsibilities of auditors in relation to
additional information in the annual report and other reporting documents
Some companies produce a range of extra inclusions in the annual report. The auditor must be aware of their
responsibilities in relation to this additional information. The general rule is that this information must be reviewed for
consistency with the financial statements.
Auditors of UK listed companies may also find that they have obligations in relation to other reporting documents
prepared by their clients.
The regulations for US listed companies extend the scope of the auditor’s responsibilities in relation to internal
controls beyond the scope of UK listed company auditors.
Notes

22.12 Summary
Reporting – Audit Report
Each audit report is required to contain the following 13 components:
1. Title;
2. Addressee;
6. Irregularities including fraud
There are also two additional areas for listed companies: key audit matters and the name of the engagement partner.
Notes

Reporting – Audit Opinion Modifications
The audit opinion is usually unmodified, stating that the auditor thinks the financial statements do give a true and
fair view of the affairs of the company. However, the audit opinion can also be modified. There are three types of
modified audit opinion.
Auditor’s judgement about the pervasiveness of the effects or

possible effects on the financial statements
Nature of matter giving rise to Material but not pervasive Material and pervasive
modification
Financial statements are materially Qualified opinion Adverse opinion

misstated

Reporting – Other Information
In general, the auditor must review additional information in the annual report for consistency with the financial
statements.
Some companies are obliged to comply with the more onerous financial reporting and disclosure requirements. You
should understand the additional responsibilities that the auditor has in relation to:
• UK companies that are listed, public interest or who report on the Code – corporate governance statement and
the directors’ remuneration report; and
• US listed companies – internal controls report.
Reporting – Other Auditor Reporting Documents
You should understand the roles and responsibilities of the auditor concerning:
• Standalone strategic report with supplementary information;

• Preliminary announcements; and
• Half-yearly financial reports.
Notes

1. Material – above materiality, but only affects a few balances and at 15% of net assets, it is unlikely to
result in the overall financial statements being seriously misleading.
2. Pervasive – likely that most assets and liabilities will be incorrectly stated.
3. Not material – petty cash counts for less than 1% of total assets.
4. Not material – the adjustment is less than 1% of profit.
5. Pervasive – although only a few balances are affected, the main balance affected (inventories) accounts for
a substantial portion of the net assets and therefore inability to audit this balance prevents the auditor from
being able to form an opinion on whether the overall financial statements could be seriously misleading.
6. Pervasive – inability to audit the financial statements will be a pervasive matter as it will have a major
impact on every balance in the accounts.
7. Pervasive – the disclosure that has been omitted is fundamental to the users’ understanding of the
Back to Activity
1. Material misstatement – qualified ‘except for’ opinion

2. Pervasive misstatement – adverse opinion
3. Not material – unmodified opinion
4. Not material – unmodified opinion
5. Pervasive inability to obtain sufficient, appropriate evidence – disclaimer of opinion
6. Pervasive inability to obtain sufficient, appropriate evidence – disclaimer of opinion
Back to Activity
Notes

There is a disagreement over the inventories valuation which is contained within one account and does not
account for a substantial proportion of the financial statements (as it represents 2% of the revenue figure and
14% of the net profit). However, the item is material as it resulted in a 14% misstatement in profit and 10% of
inventories.
Therefore, this is a material, but not pervasive, misstatement. In this scenario the auditor would give a qualified
‘except for’ opinion.
Issue identified
What are the circumstances?

Error or disagreement
Misstatement
Is the issue material?
Yes
Are many items
affected?
No
Is the impact
on the overall
financial statements
substantial?
No
Is the item
fundamental to the
users’ understanding
of the financial
statements?
No
Material Only
QUALIFIED ‘EXCEPT
FOR’ OPINION
Back to Activity

2022 Icas TC Ar V Imp

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2022 Icas TC Ar V Imp

Uploaded by

Copyright:

Available Formats

Test of Competence

Device Type Recommendation

Remember to save regularly if you are highlighting or annotating the document.

TC – Assurance and Reporting 2022/23 – Index 3

TC – Assurance and Reporting 2022/23 – Module 1 4

The content of this module is not examinable.

1.2 Course Outline

1.2.1 Syllabus Learning Outcomes

On completion of this course students will be able to:

TC – Assurance and Reporting 2022/23 – Module 1 5

The course can be split into two sections:

1. Corporate governance, including risk management and internal controls; and

The first section is structured as follows:

3 Internal Control Systems

4 Accounting Information Systems and Controls: Part One

5 Accounting Information Systems and Controls: Part Two

Assurance and the statutory audit

The second section is structured as follows:

8 The Requirement for Audit

9 Auditor Responsibilities: Legislation

10 Auditor Responsibilities: Common Law

11 Auditor Independence and Ethics

TC – Assurance and Reporting 2022/23 – Module 1 6

13 Audit Process: Fundamental Concepts

14 Audit Process: Engagement and Client Management

15 Audit Process: Planning

16 Audit Process: Systems and Controls

17 Audit Process: Evidence

18 Audit Process: The Use of Statistics

19 Audit Process: Substantive Testing – Part One

20 Audit Process: Substantive Testing – Part Two

21 Audit Process: Completion

22 Audit Process: Reporting

1.3.2 Style of Teaching

1.3.3 Test Coverage

TC – Assurance and Reporting 2022/23 – Module 1 7

Module Topic PT1 PT2 MEX

3 Internal Control Systems   

4 Accounting Information Systems and Controls: Part One   

5 Accounting Information Systems and Controls: Part Two   

8 The Requirement for Audit   

9 Auditor Responsibilities: Legislation   

10 Auditor Responsibilities: Common Law   

11 Auditor Independence and Ethics   

13 Audit Process: Fundamental Concepts  

14 Audit Process: Engagement and Client Management  

15 Audit Process: Planning  

16 Audit Process: Systems and Controls  

17 Audit Process: Evidence  

18 Audit Process: The Use of Statistics  

19 Audit Process: Substantive Testing – Part One  

20 Audit Process: Substantive Testing – Part Two  

21 Audit Process: Completion 

22 Audit Process: Reporting 

TC – Assurance and Reporting 2022/23 – Module 1 8

TC – Assurance and Reporting 2022/23 – Module 1 9

In terms of technique, the following common errors arise:

1. Misunderstanding the question

2. Lack of technical knowledge

TC – Assurance and Reporting 2022/23 – Module 1 10

TC – Assurance and Reporting 2022/23 – Module 1 11

TC – Assurance and Reporting 2022/23 – Module 2 12

2.2 Learning Outcomes

5 Note: The pre-approval requirement is subject to de minimis amounts.