PREFACE

The economy of Vietnam is transforming remarkably in order to
integrate into the global economy according to the commitments of Free Trade
Agreements (FTA), the ASEAN Economic Community (AEC) and the Trans-Pacific
Partnership (TPP). Following these free trade agreements, investment flows
from overseas (FDI) would reach Vietnam and create more job opportunities in
every sector within the country, of which the auditing sector is one.
However, it also creates more job opportunities due to the commitment to
freedom of movement. Besides that, the requirements of integration, including
competence, in-depth professional knowledge, working methodology, soft
skills and teamworking, face difficulties due to the limitations of Vietnamese
labourers in foreign languages.
Therefore, the book called “Auditing” is compiled by the Auditing
Department – Faculty of Accounting, Academy of Finance in order to meet the
requirements of an integrated economy and to universalise professional English
based on the contents of original lectures and updated contents of the current
International and Vietnamese auditing standards. The book also supplements
some new research trends from professional bodies such as IAASB, IESBA,
IIA, INTOSAI, AICPA and COSO in order to establish a good foundation based on
those global auditing standards in terms of professional diagnostic and
scepticism “audit with brainstorm”. Additionally, the textbook diversifies
contents regarding risk evaluation, materiality and the use of materiality in
evaluating mistakes, audit evidence and other aspects in an attempt to provide
readers with organised auditing knowledge following the trend in the global
world.
“Auditing” could be considered as reference material for accountants,
auditors, lecturers, students from universities, managers, and other professional
organizations to meet the basic requirements of work, study and research in the
auditing major at the Academy of Finance. Despite great efforts in editing as well
as compiling, there might be remaining shortcomings. The authors would be
grateful for candid feedback from researchers and readers in order to improve the
book in the next publication.
The Academy of Finance would like to thank researchers both in and
outside the Academy, including Assoc. Prof. Ph.D Nguyen Vu Viet; Assoc.
Prof. Ph.D Mai Ngoc Anh; Assoc. Prof. Ph.D Le Van Lien; Ph.D Ngo Thanh
Hoang; Assoc. Prof. Ph.D Giang Thi Xuyen; Assoc. Prof. Ph.D Pham Tien
Hung; M.A.ACCA.CPA Nguyen Thu Hao... and experts from Deloitte Vietnam and
KPMG Vietnam for their contributions in the acceptance and finishing process in
order to improve the quality of this book.
THE AUTHORS

ABOUT THE AUTHORS

The textbook was compiled by a group of experienced lecturers from the
Auditing Department – Faculty of Accounting, Academy of Finance, including:
1. Luu Duc Tuyen, Assoc. Prof. Ph.D - Head of Accounting Department,
AOF, Co-editor and co-compiled Part 1
2. Vu Thuy Linh, Ph.D - Vice auditing module leader, Co-editor and
co-compiled Part I, II and compiled Part IV
3. Ngo Nhu Vinh, M.A.ACCA.CPA - Auditing lecturer, co-compiled Part
II, III
4. Dinh Thi Thu Ha, M.A - Auditing lecturer, co-compiled Part II, III
5. Nguyen Minh Hien, M.A.ACCA.CPA - Manager of Educating
Department, Deloitte Vietnam, co-compiled Part II, III

CONTENT
PREFACE
ABOUT THE AUTHORS
CONTENT
PART ONE: INTRODUCTION TO AUDITING
CHAPTER 1
AUDITING PROFESSIONAL OVERVIEW
LEARNING OBJECTIVES
INTRODUCTION
CONTENTS
1.1. NATURE OF AUDITING
1.1.1. History, development of auditing in the world
1.1.2. Definition of auditing
1.1.3. The importance of auditing in the global market economy
1.1.4. Function of auditing
1.2. CLASSIFICATION OF AUDITING
1.2.1. Based on purpose of auditing
1.2.2. Based on forms of auditing organization
1.2.3. Some other ways of classification of audit
1.3. THE AUDITING PROCESS
REVIEW QUESTIONS AND PROBLEMS
CHAPTER 2
AUDITING STANDARDS AND PROFESSIONAL ETHICS CODE
LEARNING OBJECTIVES
INTRODUCTION
CONTENT
2.1. AUDITING STANDARDS
2.1.1. Nature of auditing standards
2.1.2. Auditing Standards for Professional Practice of Independent Auditing
2.1.3. Auditing Standards for Professional Practice of Internal Auditing
2.1.4. Auditing Standards for Professional Practice of State Auditing
2.2. PROFESSIONAL ETHIC CODE
2.2.1. Code of ethics for independent auditing
2.2.2. Code of ethics for internal auditing and state auditing
REVIEW QUESTIONS AND PROBLEMS
PART TWO: BASIC CONCEPTS IN AUDITING
CHAPTER 3
AUDIT REPORT
LEARNING OBJECTIVES
INTRODUCTION
CONTENT
3.1. NATURE OF THE AUDIT REPORT
3.2. FINANCIAL STATEMENT AUDIT REPORT
3.2.1. Content of the financial statement audit report
3.2.2. Types of financial statement audit report
3.2.3. Emphasis of matter paragraph and other matter paragraph in the auditor’s report
3.3. COMPLIANCE AUDIT REPORT AND PERFORMANCE AUDIT REPORT
REVIEW QUESTIONS AND PROBLEMS
CHAPTER 4
FINANCIAL REPORT ASSERTIONS AND AUDIT OBJECTIVES
LEARNING OBJECTIVES
INTRODUCTION
CONTENT
4.1 HOW THE TRANSACTIONS AND EVENTS AFFECT THE FINANCIAL STATEMENTS' PRESENTATION
4.2 MANAGEMENT'S RESPONSIBILITY FOR THE FINANCIAL STATEMENTS
4.3 ASSERTIONS IN THE AUDIT OF FINANCIAL STATEMENTS
4.3.1 Why do the auditors need to test financial statements assertions?
4.3.2 Types and examples
4.4 FINANCIAL STATEMENTS ASSERTIONS AND AUDIT PROCEDURES
4.4.1 Understanding of risk-base approach in financial statements audit
4.4.2 Steps for audit procedures
4.4.3 Common accepted audit procedures
4.5 AUDITOR'S RESPONSIBILITY AND AUDIT OBJECTIVE
4.5.1 Audit objectives
4.5.2 Audit objectives in different phases of an audit engagement
REVIEW QUESTIONS AND PROBLEMS
CHAPTER 5
FRAUDS AND ERRORS, MATERIALITY AND RISKS IN AN AUDIT
LEARNING OBJECTIVES
INTRODUCTION
CONTENTS
5.1. FRAUDS AND ERRORS
5.1.1. Nature of fraud and error
5.1.2. Factors affect fraud and error
5.1.3. Management's responsibility for fraud and error
5.1.4. Auditor’s responsibility for fraud and error
5.2. MATERIALITY IN PLANNING AND PERFORMING AN AUDIT
5.2.1. Nature of materiality in an audit
5.2.2. Application materiality in audit
5.3. RISKS IN AN AUDIT
5.3.1. Audit risk
5.3.2. Overview of audit risk model
5.4. RELATIONSHIP AMONG MATERIALITY, RISK, AND AUDIT EVIDENCE
REVIEW QUESTIONS AND PROBLEMS
CHAPTER 6
INTERNAL CONTROL - AN OVERVIEW
LEARNING OBJECTIVE
INTRODUCTION
CONTENT
6.1. NATURE OF INTERNAL CONTROL
6.1.1. History and development of internal control
6.1.2. Relationship among management, internal control and internal audit in an entity
6.2. COMPONENTS OF INTERNAL CONTROL
6.2.1 Control environment
6.2.2 Risk assessment
6.2.3. Control activities
6.2.4. Information and Communication
6.2.5. Monitoring Activities (Controls)
6.3. THE PROCESS OF UNDERSTANDING OF THE INTERNAL CONTROL IN AN AUDIT AND ASSESSMENT OF CONTROL RISK
REVIEW QUESTIONS AND PROBLEMS
CHAPTER 7
AUDIT EVIDENCE
LEARNING OBJECTIVES
INTRODUCTION
CONTENTS
7.1. NATURE OF AUDIT EVIDENCE
7.2. REQUIREMENT OF AUDIT EVIDENCE
7.2.1. Sufficiency
7.2.2. Appropriateness
7.2.3. Audit evidence decision
7.3. PROCEDURES FOR OBTAINING AUDIT EVIDENCE
7.3.1 Inspection
7.3.2 Observation
7.3.3 Inquiry
7.3.4 Confirmation
7.3.5 Computation
7.3.6 Analytical procedures
REVIEW QUESTIONS AND PROBLEMS
PART THREE: AUDIT TESTS AND SAMPLING
CHAPTER 8
AUDIT TESTS
LEARNING OBJECTIVE
INTRODUCTION
CONTENTS
8.1. GENERAL AUDIT METHODOLOGY
8.1.1. Definition of audit methodology
8.1.2. Contents of audit methodology
8.1.3. The important of audit methodology
8.2. AUDITS TESTS
8.2.1. Nature of audit tests
8.2.2. Risk assessment procedures
8.2.3. Tests of controls
8.2.4. Substantive tests
REVIEW QUESTIONS AND PROBLEMS
CHAPTER 9
AUDIT SAMPLING
LEARNING OBJECTIVES
INTRODUCTION
CONTENT
9.1. THE IMPORTANT OF AUDIT SAMPLING
9.2. DEFINITION OF AUDIT SAMPLING AND RELATED CONCEPTS
9.3 SAMPLING STEPS
9.3.1 Step 1 - Determine Objectives
9.3.2 Step 2 - Define the extent and composition of the population (audit scope)
9.3.3 Step 3 - Determine sample size
9.3.4 Step 4 - Sampling method
9.3.5 Step 5 - Drawing conclusions from sampling
9.4 DETERMINE WHETHER THE MISSTATEMENT IS AN ANOMALY
9.5. SAMPLING IN TESTS OF CONTROLS
9.5.1 Planning samples
9.5.2 Sample selection
9.5.3 Performance and evaluation
9.6. SAMPLING IN SUBSTANTIVE TESTS OF DETAILS
9.6.1 Planning samples
9.6.2 Samples selection
9.6.3 Evaluation
REVIEW QUESTIONS AND PROBLEMS
CHAPTER 10
AUDIT IN AN EDP SYSTEM
LEARNING OBJECTIVES
INTRODUCTION
CONTENT
10.1. OVERVIEW OF AN EDP SYSTEM IN AN ENTERPRISE
10.2. THE IMPORTANCE OF AUDIT IN AN EDP SYSTEM
10.3. RISK ASSESSMENT AND EVIDENCE-GATHERING IN AN EDP SYSTEM
10.4. AUDIT WITH THE USE OF CAATs IN AN EDP SYSTEM
10.4.1. Test data
10.4.2. Audit software
REVIEW QUESTIONS AND PROBLEMS
PART FOUR: ORGANIZATION THE AUDIT PROCESS
CHAPTER 11
ORGANIZATION THE AUDIT PROCESS
LEARNING OBJECTIVES
INTRODUCTION
CONTENT
11.1. PREPLAN THE AUDIT
11.1.1. Audit engagement acceptance
11.1.2. Select staff and facilities for the engagement
11.2. AUDIT PLANNING
11.2.1. Overall audit strategy
11.2.2. Audit plan
11.3. AUDIT IMPLEMENTING
11.3.1. Implementing tests detail of controls
11.3.2. Implementing substantive tests
11.3.3. Analyzing, evaluating the evidence and making decision
11.4. AUDIT COMPLETING
11.4.1. Issue audit reports and management letter
11.4.2. Completion documentation and review subsequent events
11.5. FOLLOW UP AND MONITOR OF AUDIT QUALITY
REVIEW QUESTIONS AND PROBLEMS

GLOSSARY
REFERENCE

PART ONE: INTRODUCTION TO AUDITING
CHAPTER 1: AUDITING PROFESSIONAL OVERVIEW
CHAPTER 2: AUDITING STANDARDS AND PROFESSIONAL
ETHICS CODE

CHAPTER 1
AUDITING PROFESSIONAL OVERVIEW
LEARNING OBJECTIVES
1. Understand history, development of auditing in the world
2. Understand the concept of auditing and the elements of auditing concept
3. Describe the importance of auditing in the global market economy
4. Identify the auditing functions
5. Classify the primary types of audits and auditors
6. Understand the overview of audit process
INTRODUCTION
The term “audit” is derived from the Latin word meaning “hearing”.
Auditing dates back to Ancient Rome in the 3rd century BC. Firstly in
Egypt, and subsequently in Greece, Rome and elsewhere, citizens entrusted
with the collection and disbursement of public funds were required to present
themselves publicly before a responsible official to give an oral account of
their handling of those funds. Over its long history, auditing has developed
rapidly during the last 160 years with the development of the economy and
the financial market.
In this chapter, we examine the nature of the audit and its function, and
distinguish between financial statement audits, compliance audits and
operational audits, and also between independent, internal and state audits. We
consider forms of audit organization and the factors that make financial
statement audits necessary, and discuss their value for users of financial
statements, for auditees and for society as a whole.
CONTENTS
1.1. NATURE OF AUDITING
1.1.1. History, development of auditing in the world
Historically, auditing dates back to Ancient Rome in the 3rd
century BC. The term audit is derived from the Latin term “Auditing”, which
means “to hear”. In the early days, the person who was responsible for checking
activities was called an "auditor". Auditors used to listen to the accounts read
over by an accountant in order to check them. Initially, the audit process was
simple and was called classical audit. In a classical audit, the
accountants read aloud the accounts and figures to an independent person, who
checked them. At that time, checking finance and accounting was comparatively
simple, with the aim of facilitating the financial control of traders, dominants
and landlords. The ancient audit activities focused on state revenue and
expenditure transactions or on examining the riches of merchants after
sailing-ships. The historical audit objective was to detect and prevent frauds
and errors. Ancient auditing had few commercial operations until the industrial
revolution in the early 1920s.
In the boom of the industrial revolution in Europe, with the introduction of
multiple economic sectors, different forms of business organization came into
being. The development of markets and capital speculation led to the expansion
of groups and businesses. The distinction between the ownership of the owners,
the managers and the employees created challenges for the owners in checking
accounts, which needed to be based on professional and external auditors.
Along with the development of societies and accounting, instruments for
checking accounts have developed constantly. Human economic activities are
closely related to the evaluation and control of accounts and finance. The
checking of accounts evolved and grew gradually with the growth of societies
and the abundance of wealth. The expansion and complexity of accounting required
greater attention to checking accounts and financial control. In the 1930s,
with the shutting down of numerous financial organizations
and the economic crisis in the world, the checking of accounts, which emphasized
internal checking, revealed its weakness; since then there has been a
requirement for independent checking. The growth of the US economy in the
1920s-1960s moved the development of auditing from the UK to the USA. In
America, after the financial crisis of the 1920s, the SEC was established in
1934 to set up and issue regulations on external auditors. At the same time, the
AICPA printed the first standards on auditing reports of a business’ accounts.
Also, in businesses and enterprises, independent control within the firm, called
internal audit, was introduced and has developed until now. In 1941, the IIA was
founded and took shape to train internal auditors, and it has become a
professional service. In France, independent reviews by professional auditors
were allowed by the laws on commercial forms on 24th July, 1996. In the same
period, internal audit in France was introduced officially in the 1960s in the
subsidiaries of international groups. In 1965 the Association of Internal
Auditors in France was established, and it then became an official association
in 1973. Under the complicated flow of information and the development of
economic conditions, the audit objective shifted from preventing frauds and
errors towards confirming the truth and fairness of the entity's financial
statements. It was not until the 1980s that the performance audit was
introduced, and it has since developed rapidly, especially in state audit and
internal audit.
The world economy has continued to grow rapidly since the 1990s, and modern
auditing has changed in both audit organizations and methodologies. In the early
years of its foundation, independent audit referred to the services supplied by
a group of independent auditors or an auditing firm. The model is cited
efficiently in some countries in the world now. However, in the time of global
integration, this model has many disadvantages and low competitiveness.
Gradually these groups and firms have joined together to establish large
organizations or groups with high competitiveness and strong financial
potential in the future to meet the demands of the market economy. There are
typical international auditing firms (the Big Four): KPMG; Ernst and Young;
PricewaterhouseCoopers and Deloitte Touche Tohmatsu International. Each
firm employs more than tens of thousands of dedicated professionals in
independent firms throughout the world, who collaborate to provide audit,
consulting, financial advisory, risk management, tax and related services to
select clients and compete directly with regional and local firms. Before 1975,
in the South of Vietnam there was the auditing practice of auditing firms. After
1986, Vietnam’s economy transferred from the planned economy to a
socialist-oriented market economy. In 1994, the State Audit of Vietnam was
established under Decree No 70/CP dated 11th July, 1994, and the National
Assembly promulgated the Law on State Audit Office of Vietnam in 2015 (according
to No 81/2015/QH13). It is considered an independent body and has a duty to
report audit results to the National Assembly and its standing committee. It is
believed that auditing in Vietnam has developed rapidly, with more than hundreds
of auditing firms and more than thousands of independent auditors. Independent
auditing practice has gradually expanded under the Law on Independent Audit
of Vietnam (promulgated by the National Assembly under No 67/2011/QH12) as a
result of the global growth of the world market economies and the huge flow of
investment into Vietnam during this period.
Nowadays, internal and external audit have expanded with a new audit
approach – the business risk method. The process and techniques of auditing
have evolved and grown gradually from traditional audit to risk-based audit;
from auditing based on the accounting system to auditing based on the efficiency
and effectiveness of the internal control system; from personal and subjective
assessment to professional and objective evaluation; from using legal evidence
to using persuasive evidence. The scope of auditing has also expanded from
focusing on the financial statements audit to the compliance and performance
audit. The functions of auditing have also changed from attestation to giving
recommendations for future decisions. Auditing now faces opportunities for a
higher level of automation and for continuing to develop as a professional
service in the globalization of the world economies.
1.1.2. Definition of auditing
In the early days of Ancient Rome in the 3rd century BC, the term audit
meant to hear. An audit was conducted by a professional person who checked the
accounts of the audited persons and read the result aloud. The objective of the
ancient audit was to detect fraud or defalcation. When
bookkeeping activities developed, auditing was defined as examining
accounting transactions for management purposes. All the above auditing
definitions have limitations in audit approach, objectives, functions,
methodologies and other facilities relating to audit. Up to the present, there
exist different definitions of auditing in Vietnam and in the world. The
following definition is widely accepted: “Auditing is a process in which
independent and competent auditors collect and evaluate evidence about
audited information to determine and report on the degree of correspondence
between the information and established criteria.” Several technical terms used
in the definition can be further explained as follows:
Auditing is a process: The term "process" refers to a set of interacting
work activities followed by the auditor from a beginning to a completion stage.
The audit process may vary depending upon the specific type of audit, its
objectives, nature, timing and other resources relating to audit.
Independent and competent auditors: The auditor must have an
independent mental attitude. It helps the auditors in the audit process to be free
from any factors which may influence the reliability of the audited financial
information. These two objectives are frequently identified as independence in
fact and independence in appearance. Independence in fact exists when the
auditor maintains an unbiased attitude throughout the audit. In the audit
process, the auditor only follows the auditing standards and obeys the law, and
does not rely upon other influences. Independence in appearance means the
auditor should not be influenced by the company employee's interests and close
relationships during the audit process. Depending on the specific requirements
of each type of audit, the level of independence is very different; but the most
fundamental requirement of any auditor or firm must still be “independence”. While
independence is the vital requirement of an auditor, competence is also
considered necessary in order to ensure the success of the audit process.
Auditors’ competence involves qualifications, skills, ethics and factors needed
to effectively perform the audit functions. Being competent means having
the knowledge and skills that auditors need and knowing how to apply them.
Collection and evaluation of evidence: Evidence is any information or
document used by the auditor to analyse, measure and draw conclusions.
An audit is in fact a process in which the auditor employs different auditing
techniques and methods to collect and measure audit evidence as the basis for
giving his opinions and recommendations. It is important to obtain a sufficient
quality and volume of evidence to satisfy the purpose of the audit.
Audited information: This is existing information available as a source of audit
evidence and used as a basis for evaluating the data. Audited information can be
quantifiable, compatible, re-checkable, and it can be financial or
non-financial information.
Established criteria (standards): The criteria for evaluating information
vary depending on the information being audited. Audit criteria include policies,
procedures, or requirements. Standards are the background and measurement to
evaluate the information during audit process. The standards are various
depending upon different types of auditing such as regulations in legal
documents (and the auditor may use the terms compliance and noncompliance
to indicate whether or not requirements are being met), or criteria for each
sector, accounting principles of each nation (and the auditor may use the term
conformity and nonconformity instead of compliance and noncompliance). The
use of standards should conform to the types of auditing but these criteria are
always effective and active in the audit process.
Audited business: It can be a legal entity (such as a state-owned
enterprise, an equalized company or a private business, companies,
corporations, enterprises, firms…) or non-legal entity (such as an individual, a
group or a team). Depending on the specific types of audits, the term auditee or
audit client will be used. An auditee is an organization (or part of an
organization) that is being audited, and an audit client is any person or
organization that requests an audit.
Reporting: The final stage in the audit process is the audit report, which
shows the auditor's opinion about the degree of correspondence between
information and established criteria. Audit reports can differ in
form and can vary from complex written reports to oral reports.
Generally, the nature of auditing is to ascertain and give an opinion about
whether the subject matter conforms to or complies with applicable criteria.
This is done by an independent and competent auditor in an audit organization.
1.1.3. The importance of auditing in the global market economy
Information provided by enterprises is considered an important source
for decision makers in the global market economy. More and
more users are interested in information for business or management decisions,
such as governments, managers, shareholders, investors, banks, credit unions,
sellers, buyers, employees… However, the more complicated society
becomes, the more risky or unreliable the information is. There are some
causes for these effects, such as remoteness of information, biases and motives of
the provider, voluminous data and the existence of complex transactions.
Firstly, there is a big gap between the users and suppliers of information, and
information may be adjusted to benefit the suppliers. The development
of society leads to the expansion of economic activities, and the distinction between
ownership and management may cause information to be used wrongly.
Secondly, the great volume of information has become various, complex
and numerous, which may increase the incorrectness of information.
Thirdly, incorrect treatment of information. There is a possibility of using
incorrect information to benefit suppliers. Therefore, information risks become
higher.
There are three main ways to minimize information risks:
Firstly, users verify the information themselves. This way has the
disadvantages of high cost and inefficiency in obtaining information and
inconvenience in providing the information. Moreover, users can be limited by
their knowledge and qualifications, and may have difficulty in
considering whether the information is reliable or not to make decisions.
Secondly, users share information risk with management, or the supplier of
information must be legally responsible for the information. This way has the
disadvantage that users may not be able to collect on losses, which means the user
suffers the loss in case of bankruptcy or shutting down.
Thirdly, using audited financial statements provided by independent
auditors. The advantages of this way are: multiple users can obtain
information and information risk can usually be reduced sufficiently to satisfy
users at reasonable cost. Moreover, this way may minimize inconvenience to
management and ensure the reliability of information. Independent auditors are
legally responsible for their evaluation and recommendations. For this reason,
the introduction and development of auditing is to meet the demand of users.
Therefore, auditing plays an important role in providing reliable information.
The importance of auditing can be seen by looking at its functions in the
global economy:
Firstly, auditing brings belief to interested users. In the market economy,
many kinds of users believe in audited information for their various purposes,
such as: government to control the macro economy and impose taxes; managers
to run the entity's operations effectively; investors to allocate their capital;
banks to grant loans; shareholders to invest in stocks…
Secondly, auditing contributes to guiding and stabilizing financial activities
in particular and business activities in general in the auditee. Through the
process of auditing, if the auditors find misstatements in subject matters,
they will evaluate, inform, and give recommendations to help the auditee improve
the quality of audited information. Auditing not only strengthens financial activities
of a business but also improves public finance and encourages economic
growth, the efficient use of resources as well as compliance with laws and
regulations.
Thirdly, auditing contributes to the implementation of efficiency and management
ability. In addition to confirming information, auditing can also function as
consultation in order to improve economic efficiency and minimize risks in the
market economy.
The importance of auditing can also be seen through the roles of each
type of auditing. Internal audit provides the management with reliable
information needed in running the business and enables them to improve
business efficiency, to enhance competitiveness and to make the best use of all
resources of the business. State audit enables the management of micro
economy of the government to ensure the proper performance of regulations,
laws and the government's courses of action. At the same time, state audit
helps minimize and make the best use of public funds and national resources.
Independent auditing adds credibility to management's subject matters, which
allows owners, investors, bankers, government and other creditors to use them
with great confidence. In summary, audit plays an important and useful role in
most aspects of economic life.
1.1.4. Function of auditing
The overall function of auditing can be seen as “examination,
confirmation” and “consultancy”.
Firstly, examination and confirmation of information (or verification
function). This function was established together with the first introduction of
auditing and has developed rapidly until now. In the beginning, ancient
auditing functioned as attestation of financial statements (classical audit). The
auditor examines past information and confirms whether or not this information
is presented truly and fairly (reliability). The function has emphases at a high
level of audit reports (high level of assurance).
Secondly, consultancy function. The consulting function ranges from
simple suggestions for improving the client's business more effectively to
advice on their development strategies, and actuarial benefit consulting. In some
specific types of auditing like internal audit or state audit, the function is
considered recommendation. This is an important audit function in the market
economy. The function of expressing opinion has a history of development.
Auditing cannot fully satisfy managers’ requirements with only the verification
function of reports. The consulting function arises from management in practice.
In the early days, the function was expressed in the form of a letter of
management. However, the consulting function of auditing has changed over
time. In fact, the function has developed quickly since the 20th century and
plays an increasingly important part in the market economy.
As can be seen from the two main functions of auditing, auditing has an
overall view of the past and the future. For past events, auditing
completes the task of confirming past information. For future events, auditing
completes the task of consulting on future information. These two functions of
auditing can vary depending upon each period of time and the specific purposes of
an auditee.
1.2. CLASSIFICATION OF AUDITING
1.2.1. Based on purpose of auditing
There are three types of audits, including operational audit, compliance
audit, and financial statement audit.
1.2.1.1. Performance audit (or Management audit)
Performance audit is conducted to evaluate the economy, effectiveness
and efficiency of the organization's operations. Economy refers to using the
organization’s (input) resources economically. It is called the “minimize” principle,
which means to minimize the use of resources to best satisfy one’s needs (both
in consumption and in use). Effectiveness refers to the ability to complete
identified tasks and objectives set by the organization. Efficiency means to make
the best use of a certain resource, called the “maximize” principle. In other words,
efficiency is the degree to which costs are reduced without reducing
effectiveness. Economy, effectiveness, and efficiency of different forms should
be checked and kept track of; therefore the subjects of performance audit can be
various and diversified. They are not limited to financial fields but
can also be seen in other fields or sectors, such as the valuation of an organizational
structure, a business solution, a technological procedure, a computer system, a
kind of asset, new equipment… It is difficult to identify criteria and
standards to evaluate the economy, efficiency and effectiveness of audited
performance, and the standardization of criteria can be subjective. The
evaluation of audited results can also be an extremely subjective matter. The
conduct of an operational audit and the reported results are less easily defined
than for either of the other two types of audits. Economy, efficiency, and
effectiveness of operations are more difficult to evaluate than compliance or
presentation of financial statements. In order to manage this audit well, auditors
need to be qualified and knowledgeable about different aspects such as accounting,
finance, economics, science, technology… The “product” of this audit is a
report sent to managers on audited results and recommendations to improve
business performance.
1.2.1.2. Compliance audit
Compliance audit is aimed at considering whether or not the audited
firms comply with the applicable authorities identified as criteria set by higher
levels of state management authorities, such as the evaluation of regulations on value
added tax, environment protection, labour protection… or the obedience of
rules set by higher levels of management in the firm, or the compliance with
regulations set by specialized agencies, such as procedures to spend funds set by
the state treasury or loan application procedures set by banks. The criteria and
standards used to evaluate information in a compliance audit are not as
complicated as those of performance audit and can be easily identified and
closely related to procedures and regulations of auditing. This kind of audit
usually provides such users as the business or business managers with audited
results, and does not serve general users. If the customer is not the firm but the tax
authority, for example, the audit result will be reported to the entity that hires the
auditing firm.
1.2.1.3. Financial statement audit
Financial statement audit is conducted to determine whether, overall,
the information being verified in the financial statements is stated in
accordance with specified criteria. Financial statements can usually be the balance
sheet, income statement, cash flow statement or interpretation of financial
statements of businesses. Besides, the financial statements of other firms, such as the
capital and budget balance sheet of an administrative office and so on, are also
subjects of financial statement audit. The standards used to evaluate information in
this kind of audit are usually accounting standards, law regulations and other
related rules. In a country with a market economy, the financial
statements of entities are of interest to many users of information. Thus, they might
be audited by many different audit organizations, especially professional
independent audit organizations.
1.2.2. Based on forms of auditing organization
According to forms of organization, auditing can be divided into three
types, including: internal audit, state audit and independent audit. Internal audit
is managed within a business to check and give opinions about audited subjects
with the aim of improving its performance and objectives. State audit provides
information on financial accountability of the state to check and report on the
use of state resources at enterprises. Independent audits can be seen in the form
of audit firms that provide auditing services and other services for the public.
1.2.2.1. The independent audit
(1) The function and role of independent audit organization
Generally, the demand for information is essential from the viewpoint of both
individuals and organizations. The information itself is provided to the
user through the entity's reports or documents. It cannot be denied that there are
many objective and subjective reasons that affect the content and the reliability
of information, so it might have a serious effect on users' decisions. For
example, the owner of a firm may seek to hide a loss, or to exaggerate the business’s
effectiveness by overstating its financial ability in the financial statements. The
information in the financial statements will not ensure a true and fair view if
the process of presenting and disclosing information does not comply with
standards. Therefore, users need a set of reliable information to make decisions.
The appraiser might be a professional person who has the necessary independence
and certain responsibility to carry out an audit and give an opinion about the
quality of audited information.
The independent audit organization plays the role of an independent party
(third party) performing the examination and confirmation function, and gives an
opinion about the true and fair view of audited information. When the financial
information is confirmed by the independent organization, the user of the information
has a reliable basis on which to make a suitable decision. On the other hand, the
result of the audit also helps the auditee or client to see themselves objectively.
In addition, the audit consultation in the management letter will help top
management to make the necessary adjustments in business as well as in
management tasks.
In developed countries, independent audit organizations have appeared and
developed strongly. They contribute to developing the financial
market, help to attract capital and promote investment activities. Besides the
financial statement audit, the independent audit organization also provides
different services like operational audit, compliance audit, and performs many
other services if the customer requests.
(2) Structure and Operation of the independent audit firms
The independent audit firm is structured as a modern company,
such as a limited liability company or a general/limited liability partnership. All
constitute the firm as a separate entity and provide the independence and
competence features. The audit firms can include international firms (which have
offices in their own country and many cities throughout the world, for example the
“Big Four”), national firms, and large or small local firms. In Vietnam, independent
audit firms have operated officially since 1991 with the first two companies, which
are VACO and AASC. Up to now, there are many audit firms operating in
Vietnam. These audit companies must have unlimited responsibility according
to the rules. In general, the audit companies perform two broad categories of
services, including attestation and other services.
Attestation services
Attestation services are any services in which the audit firm issues a
written communication that expresses a conclusion about the reliability of
information that is the responsibility of another party. They are audits of financial
statements, reviews of financial statements, attestation services on information
technology and other attestation services. The request for checking and
confirming information might be at a comprehensive level (for audit of
financial statements), and at a particular level or only at a general level (for
review of financial statements). Depending on the request of different attestation
services, the audit opinion has varying levels of guarantee, such as a reasonable
guarantee level (for audit of financial statements), a limited guarantee level (for
review of financial statements), and a reasonable/limited guarantee level (for
other attestation).
Other services
a) Advisory services
Audit firms can provide advisory services depending on their ability and
the rules of national law. The advisory services commonly include:
- Financial services such as mobilizing, exploiting, and using financial
resources effectively;
- Tax services providing consultation for customers about tax law and
specific tax policy, preparing corporate and individual tax returns and tax
declarations, and other tax services;
- Human resource services providing consultation for customers about
recruiting, training, and using human resources with specific standards;
- Management advisory services, including setting up the structure of the
management system, policies and management methods;
b) Accounting and Bookkeeping services: The firm offers enterprises a variety of
accounting and bookkeeping services to meet the needs of their clients. It also
prepares customers’ financial statements, or their own journals and ledgers;
c) Checking financial information services based on the generally
accepted procedures;
d) Asset re-evaluation service: re-evaluating and confirming the value of assets
for customers;
e) Training/Education services about accounting, auditing;
g) Tax services.
The advisory services are performed based on agreed rules, except in the
cases set up by the law. The audit firm has an obligation to conduct the
engagement, and the customer has an obligation to pay the fee to the audit firm
following the agreement.
(3) The auditor and professional association
The independent auditor
The person who performs an audit is called an auditor. Commonly, the
auditor who belongs to an audit firm is called the independent auditor. The name
of the auditor might be different in each country. For example, in many countries
like the USA, Canada and China, auditors are called Certified Public Accountants; in
France, they are called Expert Comptable. These auditors not only perform
audit services but also provide many other kinds of services. The auditor must
be a person who meets the basic requirements about skills, abilities
(competence and ability) and ethical code. Thanks to training and improvement
of professional knowledge in theory and in practice, auditors reach a professional
level. The professional knowledge must be improved and updated. Besides, the
independent auditor must be competent in organizing tasks as well as
collecting evidence. Auditors must ensure that they meet a suitable ethical code
according to professional and ethical standards.
Professional associations
The independent audit in each country is governed by the law. It must be
controlled by the State or the audit professional association according to
specific rules. On the international scale, the International Federation of
Accountants (IFAC), set up in 1977, is the common professional organization for
the accounting and auditing field. There are many committees in the IFAC body,
namely the International Auditing Practices Committee (IAPC), which is
responsible for drawing up and disclosing auditing standards and introducing
other services; and the Ethical Standard Committee, which is responsible for setting
up and disclosing the ethical code rules and other instructions. In 2004, IAPC
was renamed the International Auditing and Assurance Standard Board (IAASB).
The aim of IFAC is to develop and strengthen the combination of accounting
transactions through suitable standards all over the world. The activities of this
organization encourage members in different countries to have common
opinions based on generally accepted standards. Each country has activities of
independent audit, and most of them have become members of accounting
and auditing professional associations including: American Accounting
Association (AAA), AICPA (American Institute of Certified Public
Accountant), ICAEW (The Institute of Chartered Accountants in England and
Wales)... The members of these associations usually include accountants,
auditors, audit firms and other specialist organizations. The activity of a
professional association is to set up, disclose and present the national accounting
and auditing standards. In Viet Nam, the Accounting Association was founded in the last
1994 following the Prime Minister's Decision 12th/TTg of 10 January 1994.
In March 2004, after the 3rd festival, the Accounting Association was renamed the Viet
Nam Accounting and Auditing Association, and it is now the common professional
association of accounting and auditing. However, the activities of the Accounting
and Auditing Association include propaganda, dissemination, and transaction
training. After the Accounting Law and its instruction decree appeared, the
role of the Accounting Association was strengthened. However, in setting up
Vietnamese auditing and accounting standards, the Association is only a
member under the presidency of the Ministry of Finance. At the end of 2004,
the Association started promoting the establishment of a Professional Auditing
Association to provide specialized guidance and protect the rights of auditors and
audit firms. The Vietnam Association of Certified Public Accountants (VACPA) was
set up in June 2005, with thousands of members who work at over hundreds of
audit firms operating in Viet Nam up to now.
1.2.2.2. Audit State Organization
(1) The function and role of Audit State organization
The Audit State Organization, which is a specialized agency belonging to the
management system of the State, is set up to audit the State's own agencies or
organizations. Each country may have different regulations for the functions
and tasks of the State audit organization. The State Audit organization plays a role as
a management tool of the State, especially in State budget expenditure. It helps to
improve and strengthen the management of State agencies or organizations in
compliance with law and other regulations such as the business law, the value
added tax law, the environmental protection law, and accounting law... The Audit State
organization operates under the regulation of law and control of the State in
general. However, the management, control and guidance of this
organization's operation in each country depend on the specific law of that country.
(2) Structure and operation of state audit organization
In many countries in the world, the audit state organization is called the audit
state office (or another name). The audit state organization is also divided into many
levels, such as the central state audit and the local audit state or geographic area. In
the modern world, the organizational model of audit state, which belongs to a
specific management system, has some main forms as follows:
In one model, the audit state system is organized independently of the
Legislative and Executive bodies. The audit state organization performs its
professional work sufficiently, strongly and independently. This model is
established in many countries which have a strong foundation in auditing and
jurisdiction, such as France and Germany. In another model, the audit state system
depends on a system (it might be the Legislative or
Executive bodies). The Audit State organization can perform many kinds of audit
such as financial statement audit, performance audit and compliance audit.
The State Audit of Vietnam is a state agency of Vietnam that was set up in 1994
with the functions of auditing public property, checking expenditure, and assessing
financial reporting in Vietnamese government agencies and state-owned
enterprises.
(3) The Auditors and professional association
The State Auditors: State Auditors belong to the civil service system of
the State and meet some standards at a certain level. Their main activities
conform to the national law and specific regulations.
The professional Association: In the international area, the International
Organization of Supreme Audit Institutions (INTOSAI) was founded in 1953 and
operates as an umbrella organization for the external government audit
community. The INTOSAI's purposes are "to provide an institutionalized
framework for supreme audit institutions to promote development and transfer
of knowledge, improve government auditing worldwide and enhance
professional capacities, standing and influence of member SAIs in their
respective countries" (INTOSAI.org). At present, INTOSAI has 192 Full
Members and 5 Associated Members. In the local area, the Asia Organization
of Supreme Audit Institute (ASOSAI) was set up in 1979. Nowadays, it has
over 40 members including the State Audit of Vietnam. The international and local
area associations have operated as the common bridge among the auditors, and
as a platform for member countries to provide information about all state
audit activities and other experiences.
1.2.2.3. Internal Audit
(1) The function and role of internal audit organization
The appearance of internal auditing aimed to meet the management demands
of enterprises, government bodies and even non-profit organizations. In the early
days, the central task of internal auditing was to check the timeliness and accuracy
of operations, minimize errors in double entry records and prevent potential
violations in wages and assets in enterprises. The internal auditing division was
considered the “eyes and ears” of managers. In 1986, the role of internal auditing
shifted from “auditing for managers” to “auditing of managers”. To control the
firm’s activities, the managers need to organize, implement and control internal
policies and procedures in order to meet their management purposes. The
inspection and appraisal activities of the firm in general, and the internal
control activities in particular, can be performed by the managers themselves (in the
case of a small firm) or by specific sections which are responsible for that
field (in the case that the firm is large or the content of inspection is larger).
The business environment has for many years experienced rapid and
revolutionary change for organizations worldwide. Management responses to
fierce global competition have included improved quality and risk management
initiatives, restructured processes, and greater accountability – all need more
timely, reliable, and relevant information for decision-making (IIA Research
Foundation). The appearance and development of the internal audit
organization is therefore an objective demand.
The concept of internal auditing has been revised and amended over time by the
IIA. From 1978 until now, there have been five revisions, the latest of
which was in October 2010 (effective Jan 01, 2011). According to the
IIA, “Internal auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organization's operations. It helps
an organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control,
and governance processes”. In addition, the IIA also revised standards on the code
of ethics of internal auditors and issued a framework of practice in 2002, which
indicated an improvement in accordance with the historical development in the
nature of internal auditing. Nowadays, internal auditing is present in almost all
organizations and enterprises in all areas of the economy.
The internal audit organization plays a role as a management tool of top
management in the enterprise. It serves the governance activity of the firm itself,
particularly the elements of assurance, risk, and control. Perhaps the best
summary of the internal auditing role in governance is the one developed by the IIA:
internal auditors’ roles include monitoring, assessing, and analyzing
organizational risks and controls; and reviewing and confirming information
and compliance with policies, procedures, and laws. Working in partnership
with management, internal auditors provide the board, the audit committee, and
executive management assurance that risks are held at bay and that the
organization’s corporate governance is strong and effective. And, when there is
room for improvement anywhere within the organization, the internal auditors
make recommendations for enhancing processes, policies, and procedures. In
general, internal audit organization is only responsible for its activity under
requirements of management.
The specific objectives of internal auditing include: (i) assisting the Board of
Management (BOM) and Executives in performing the supervisory function for the
process of information reporting; (ii) evaluating the effectiveness of risk
management and internal control systems, and proposing recommendations to the
BOM and Executives to improve the entity's operations; (iii) assessing
compliance with related laws and regulations to protect the existence and
reputation of the entity; and (iv) helping to lift the entity's position by
improving risk management and internal control systems in the enterprise.
(2) Structure and activity of internal audit organization
In a firm, the internal audit organization is established in the form of a
specific department or division that belongs to the senior officials and is
independent of the other departments of the firm. The internal audit
organization is therefore not a legal entity, and its activities are limited to
the firm. This section undertakes audit work within the firm. The members of
internal audit usually include persons who have professional skills, attributes
and competencies related to finance, accounting and the main fields of activity
of the firm. Sometimes, the members carrying out the internal audit activity can
invite specialists or consultants in a specific field.
The internal auditors are employees of the firm. Therefore, the firm pays the
salaries and other expenses of internal auditors. The internal audit
organization is responsible to the leaders of the firm for the results of its
activity. In general, the internal audit organization may carry out performance
audits, compliance audits, and financial statement audits.
The model and organizational structure of internal auditing
The internal auditing mechanism is organized according to a centralized,
dispersed or combined model.
According to the centralized model, the function of internal auditing
belongs to the headquarters. The structure of internal auditing is set up by the
regulation on organization and operation, which is issued by the Internal Audit
Committee and approved by the BOM. Accordingly, the structure of internal
auditing is divided into departments, units, groups or teams under the Audit
Committee (approved and established by the BOM). It includes the Chairman/Vice
Chairman of the internal audit committee, the Chief/Vice Chief internal auditors
and internal auditors. According to the dispersed model, the function of internal
auditing can be performed in branches or subsidiaries of enterprises. Auditors
can be those from branches or subsidiaries. According to the combined model, the
function of internal auditing can be performed at the headquarters (as in the
centralized model) to preserve the independence of auditors. At branches, the
internal audit unit can operate according to the dispersed model, but its
auditors come from the headquarters; this aims to separate the function of
internal audit from the daily operations of branches.
(3) Auditors and the Professional Association
Internal Auditors
An internal auditor is a person who is employed by a company to audit for
the company’s board of directors and management. Internal auditors must not only
meet the common requirements of an auditor, such as professional
competence, ethics code, and independence, but also commensurately raise
their organizational status and profile within their respective
organizations. The internal auditors need to be independent and objective,
implying integrity, competence, due care, and ethical behaviour.
The professional association
The professional internal audit association may be established at the
national or the international level. The internal audit association in each
country usually undertakes functions such as seminars, exchange of experience
and training for internal auditors. At the international level, there is the
Institute of Internal Auditors (IIA), which was set up in 1941.
Internal Audit activities
The internal audit function offers two main services: assurance and
consulting services. According to the IIA Standards Glossary, assurance services
are defined as “providing an independent assessment on risk management,
control, and governance processes of organization. Examples may include
financial, performance, compliance, system security, due diligence
engagement”. The consulting services are “Advisory and related client services
activities, the nature and scope of which are agreed upon with the client and
which are intended to add value and improve an organization’s operations.
Examples include counsel, advice, facilitation, process design, and training”
(Standards, Glossary).
1.2.3. Some other ways of classification of audit
Classification of audit based on auditing party’s relationship
Based on this classification, auditing can be classified into: internal and
external audit. Internal audit is carried out by staff of the business firm and
external audit is done by people outside the business firm (independent or state
audit).
Classification of audit based on legal liability of audited object
Based on this classification, auditing can be classified into: compulsory
and voluntary audits. Compulsory audit means the audited object must be audited
as required by law and regulation (a legal or obligation to carry out an
audit). Voluntary audit is carried out only when the business demands auditing
(contractual right).
Classification of audit based on cycle of auditing
Based on this classification, auditing can be classified into: regular audit,
periodical audit and unexpected audit.
1.3. THE AUDITING PROCESS
Different audits require different typical processes. In general, all types
of audits share the same three-step procedure: audit planning, implementing
and completing.
Step 1: Audit planning, which consists of preparation (identifying what tasks
are to be performed and who performs them), planning for the audit and
identifying the audit process. In the independent audit of financial
statements, audit planning is carried out once the audit firm and auditee have
a contractual obligation.
Step 2: Audit implementing is to carry out the tasks in the audit plan and to
collect evidence for achieving the audit objectives. In the audit of financial
statements, the main tasks in this step include performing tests of control and
substantive tests.
Step 3: Audit completing involves summarizing results, and writing and
issuing audit reports. In the audit of financial statements, this step consists
of the following tasks: reviewing unexpected debts and events, evaluating the
audited results, writing and issuing reports, and completing the auditing
documentation.
In addition, in some types of audit or specific auditing firms, the auditing
task can involve rechecking the work recommended by auditors.
REVIEW QUESTIONS AND PROBLEMS
Short review questions
1. Define the term Auditing and its elements in the definition. Distinguish
auditing and accounting.
2. What is the objective of external auditing? Describe the role of external
auditing in meeting society’s demands for unbiased financial and internal
control information.
3. How does an audit enhance the quality of financial statements and
management’s reports on internal control? Does an audit guarantee a fair
presentation of a company’s financial statements?
4. Identify differences among internal audit, independent audit and state audit.
5. Identify differences among audit of financial statements, performance audit
and compliance audit.
True or false questions
Is the following statement true or false?
1. Independence is referred to as the cornerstone of the auditing profession.
2. The sole responsibility of management with regard to financial reporting
involves preparing and presenting financial statements in accordance with the
applicable financial reporting framework.
3. The independent audit firm only conducts financial statement audits.
4. Companies with effective corporate governance are more risky to audit.
5. Directors are stewards of the investment made by shareholders in a
company.
6. The format of the internal audit report is governed by statute.
7. The level of assurance provided by an external audit is absolute.
8. Regarding auditor's duty of confidentiality, auditors must never, under any
circumstances, disclose any matters of which they become aware during the
course of the audit to third parties, without the permission of the client.
9. It is not the auditor's responsibility to ensure that the entity complies with
relevant laws and regulations.
Multiple choice questions
1. Which of the following factors does not create a demand for external audit
services?
a. Potential bias by management in providing information.
b. Requirement of the regulation.
c. Complexity of the accounting processing systems.
d. Remoteness between a user and the organization.
2. Which of the following parties are involved in preparing and auditing
financial statements?
a. Management.
b. Audit committee.
c. Internal audit function.
d. External auditor.
e. All of the above.
3. Which of the following are the responsibilities of the external auditor in
auditing financial statements?
a. Maintaining internal controls and preparing financial reports
b. Providing internal assurance on internal control and financial reports
c. Providing internal oversight of the reporting process
d. All of the above.
e. None of the above.
4. Who normally appoints the external auditors of a company?
a. Directors
b. Shareholders
c. Audit committee
d. Senior management
5. Which of the following is the most appropriate definition of the external
audit?

a. The external audit is an exercise carried out by auditors in order to give an
opinion on whether the financial statements of a company are materially
misstated.
b. The external audit is an exercise carried out in order to give an opinion on
the effectiveness of a company's internal control system.
c. The external audit is performed by management to identify areas of
deficiency within a company and to make recommendations to mitigate those
deficiencies.
d. The external audit provides negative assurance on the truth and fairness of a
company's financial statements.
6. Who is ultimately responsible for a company's system of internal controls?
a. External auditors
b. Board of directors
c. Internal auditors
d. Audit committee
7. Which two of the following characteristics apply to internal audit?
(1) The purpose is to improve the company's operations.
(2) Reports to shareholders on whether the financial statements give a true and
fair view of affairs.
(3) Auditors may be employees of the company.
(4) Evidence is collected in accordance with relevant ISAs.
a. (1) and (3)
b. (2) and (4)
c. (1) and (4)
d. (2) and (3)
8. Which of the following is a limitation of the internal audit function?
a. The internal audit report is not circulated to the members.
b. Internal audit assignments are designed to meet the needs of the business.
c. Internal auditors may be employees of the company.

d. Internal auditors may report to an audit committee.

CHAPTER 2
AUDITING STANDARDS AND PROFESSIONAL ETHICS CODE
LEARNING OBJECTIVES
1. Define the auditing standards
2. Understand the importance of auditing standards
3. Describe the Auditing Standards for Professional Practice of
Independent Auditing, Internal Auditing and State Auditing
4. Understand the Professional Ethics Code of Independent Auditing,
Internal Auditing and State Auditing
INTRODUCTION
The rights, responsibilities and duties of auditors are defined by 3 separate
institutions: Parliament (law), the profession (auditing standards), and
regulators (specific requirements applied in the audits of regulated entities).
Laws establish the standard of work expected of auditors in the performance of
their duties. The profession provides detailed guidance to auditors on what is
required of them when conducting an audit. Regulators impose specific duties on
auditors when auditing regulated entities.
In this chapter, we discuss the requirements of the auditor in conducting
an audit of an entity, and the rights and duties of auditors. We consider audit
standards, the nature of the auditor’s work and the auditor’s ethical
requirements, and the auditor’s responsibility for the audited financial
statements.
Auditors being independent of their audited entities, their
clients’ managements and other influences which might impair their objectivity
and impartiality is of critical importance to the audit function. If auditors
are not independent, their opinion on the financial statements will lack
credibility and thus the audit will be of little or no value. In this chapter,
we also discuss threats to the auditor’s independence and the steps designed to
preserve and strengthen it.
CONTENT
2.1. AUDITING STANDARDS
2.1.1. Nature of auditing standards

Importance of auditing standards
Auditing standards are general guidelines and regulations on the basic
principles and procedures that aid auditors in fulfilling their professional
responsibilities in the audit. In this sense, auditing standards are primarily
principles and guides for auditors to best complete their tasks. This means
auditing standards are compulsory and at the same time enable and guide
auditors. Besides, auditing standards are used by auditing firms and other
entities to measure and evaluate the task fulfilment of auditors, and are a
means of demonstrating a capacity to self-regulate and/or to improve the
quality of auditing practices. Moreover, auditing standards can be the basis for
audited firms and related parties to cooperate in the auditing process and in
issuing audit results. As a result, auditing standards play an important role
not only on the national scale, in the auditing field and for audit
organizations, but also on the international scale, especially in today's world
of global integration.
The relationship between national and international auditing standards
On the global scale, most countries should establish their own system of
auditing standards. Besides the national scale, before the late 20th century,
there existed a system of international standards on auditing (ISAs) because of
the requirements of globalization of the world’s economy. Along with their
introduction and development, the relationship between national and
international standards on accounting has become closer. At first,
this was due to the allowance of national auditing operations at different
levels. In order to control auditing operations, most countries set their own
system of standards on auditing. The systems of standards can vary in both form
and content owing to different ideas, manners and qualifications of auditing. To
facilitate the use of auditing standards in the auditing process in different
countries and different audit organizations, IFAC, IIA, INTOSAI and other
professional bodies have compared and distinguished the documentation
of standards on auditing between different countries as a basis for composing
and issuing a system of ISAs which are generally accepted on the global
scale. Thus, ISAs are issued based on analysis, synthesis and research to
reconcile the different standards of different nations. Once issued, ISAs become
the foundation and basis for every nation in setting its own standards on
auditing. The central point here is that the application of international
standards is voluntary, not compulsory. On the national scale, where there is
no system of auditing standards, international standards on auditing can be
issued as the basis to establish the country's own system of standards.
The content and legal form of standards on auditing
On a large scale, systems of standards on auditing consist of two separate
but closely related parts: a system of standards of qualification, which is
accompanied by high requirements on ethics (ethical standards on auditing), and
a system of standards on field work (professional standards on auditing). For
standards on ethics, the overall guidance on career qualification in auditing
standards is the principles of ethics. These principles directly affect all
participants in the field of auditing, including independent auditors, state
auditors, internal auditors and indirectly related qualified parties involved in
accounting and auditing, such as consultants or trainees. For professional
standards, these auditing standards are divided into a specific field work group
and a support or guidance group.
2.1.2. Auditing Standards for Professional Practice of Independent
Auditing
International auditing standards for independent auditing are divided into
2 groups: ethical standards and professional standards. On the global scale,
IFAC and the IAASB (which belongs to IFAC) are responsible for issuing the
international auditing standards for independent auditing.
IFAC was formed in 1977 and is now the global organization for the
accountancy profession. It is comprised of over 175 members and associates
in more than 130 countries, representing almost 3 million accountants in
public practice, education, government service, industry and commerce.
The IAASB is one of the committees belonging to IFAC. It was founded in March
1978 and was previously known as the IAPC. It is an independent standard-setting
body that serves the public interest by setting ISAs and standards for quality
control, review, other assurance, and related services, and by facilitating the
convergence of international and national standards (IFAC.org).
Ethical standards include basic principles classified into different
groups: group A, which includes all professional auditors; group B, who are
practical auditors; and group C, who work as auditors in different fields. In
Vietnam, for the time being, principles on the ethics of auditors and
accountants were established by the Degree 87/2005/QD-BTC of the MOF on 1st Dec
2005 and revised in 2015. For professional standards, generally, in the system of
international standards on auditing of financial statements, standards on
auditing can be divided into 9 groups of different contents: group 1:
Framework of ISAs; group 2: Responsibility; group 3: Planning; group 4:
Internal control; group 5: Audit evidence; group 6: Using documentation of
related parties; group 7: Conclusion and auditing reports; group 8: Specific
fields; and group 9: Related services. Besides the auditing standards, there are
standards on other operation fields: standards on control, standards on other
assurance services, and standards on related services. In Vietnam, the Ministry
of Finance issued the VSAs by Circular No 214/2012/TT-BTC dated
December 6th, 2012 and effective from January 1st, 2014. Appendix 2.1
and 2.2 give an overview of the groups of auditing standards issued by IFAC
and the MOF of Vietnam.
Legal form of auditing standards
Depending on the country, the tasks of research, issuance and control
of standards on auditing can be carried out by different firms or organizations.
In some countries, this task belongs to auditing organizations. In other
countries, it is carried out by the government. Therefore, the legal forms of
standards on auditing can vary. On the national scale, where there is no system
of auditing standards, international standards on auditing can be issued as the
basis to establish the country's own system of standards. The Vietnamese
Standards on Auditing (VSAs) and Vietnamese Standard on Quality Control (VSQC)
are based on the ISAs and ISQC of the same titles that have been issued by the
IAASB, and are used with the permission of IFAC. The Ministry of Finance has
researched and issued VSAs in conformity with the specific economic conditions
in Vietnam. The conditions for transferring the international standards on
auditing into Vietnamese standards on auditing depend on the national economic
situation, law, culture, customs, and the state of development of professional
auditing in Vietnam.
The procedure of composing and issuing standards on auditing
In order to compose and issue standards on auditing, most countries set
up a Committee and sub-committee to compose standards on auditing. The
standard-setting process can vary in different countries, but at first each
draft standard is researched and set by a sub-committee including analysts,
auditing and accounting experts, auditing firms, and other organizations.
National auditing standard setters will request specific feedback from certain
stakeholder groups as follows: audit firms; public sector auditors; professional
bodies; audit inspection groups; and other stakeholders. Drafting and redrafting
of the standards are evaluated by the appointed individual or organization. The
subsequent work can consist of evaluating exposure draft comments,
incorporating changes deemed appropriate, and issuing the final standards.
2.1.3. Auditing Standards for Professional Practice of Internal
Auditing
On the global scale, International Auditing Standards of Internal Auditing
(Standards) are issued by the Institute of Internal Auditors (IIA). The purpose of
the Standards is to: "Delineate basic principles that represent the practice of
internal auditing; Provide a framework for performing and promoting a broad
range of value-added internal auditing; Establish the basis for the evaluation of
internal audit performance; Foster improved organizational processes and
operations. The structure of the Standards is divided between Attribute and
Performance Standards. Attribute Standards address the attributes of
organizations and individuals performing internal auditing. The Performance
Standards describe the nature of internal auditing and provide quality criteria
against which the performance of these services can be measured". (IIA's
Standards).
2.1.4. Auditing Standards for Professional Practice of State Auditing
On the international scale, INTOSAI sets general principles which are
only applied to Supreme Audit Institutions (SAIs), called state audit. The
standards can cover recruitment, staff training, documentation, skills, and
audit experience for state auditors. The standards also consist of two parts: a
general system and a practice system. Practice standards in state audit include
standards on planning, reviewing, researching, evaluating the internal control
system, auditing procedures, auditing evidence, and evaluation of standards on
audit reports. General standards include the ethics of auditors, such as
independence, qualification and preciseness. These requirements are set for both
state auditors and audit organizations. The structure and content of the
Standards of SAI consist of four levels: Level 1: Founding Principles; Level 2:
Prerequisites for the Functioning of Supreme Audit Institutions; Level 3:
Fundamental Auditing Principles (for financial auditing, performance auditing
and compliance auditing); Level 4: Auditing Guidelines. In Vietnam, the State
Audit Office of Vietnam (SAV) has issued and revised the auditing standards for
governmental activities. The process of researching and publishing this
system of standards is based on the INTOSAI standards' requirements, and the
standards are divided into three groups: general standards, practical standards
and reporting standards. The present SAV standards are applied to all of SAV's
activities, especially financial audit and compliance audit.
2.2. PROFESSIONAL ETHICS CODE
2.2.1. Code of ethics for independent auditing
The following content of code of ethics for accountancy profession is
based on the Code of Ethics for Professional Accountants (the Code) issued by
IESBA (The International Ethics Standards Board for Accountants).
2.2.1.1. Fundamental ethical requirements for accountancy profession
According to the Code, there are 5 fundamental requirements that the
professional accountants shall comply with including*:
(a) "Integrity: The principle of integrity imposes an obligation on all
professional accountants to be straightforward and honest in all professional
and business relationships.
(b) Objectivity: The principle of objectivity imposes an obligation on all
professional accountants not to compromise their professional or business
judgment because of bias, conflict of interest or the undue influence of others.
(c) Professional Competence and Due Care: The principle of Professional
Competence and Due Care imposes the following obligations on all
professional accountants: (1) To maintain professional knowledge and skill at
the level required to ensure that clients or employers receive competent
professional services; and (2) To act diligently in accordance with applicable
technical and professional standards when providing professional services.
(d) Confidentiality: The principle of Confidentiality imposes an obligation
on all professional accountants to refrain from: (1) Disclosing outside the firm
or employing organization confidential information acquired as a result of
professional and business relationships without proper and specific authority or
unless there is a legal or professional right or duty to disclose; and (2) Using
confidential information acquired as a result of professional and business
relationships to their personal advantage or the advantage of third parties.
(e) Professional Behaviour: The principle of Professional Behaviour
imposes an obligation on all professional accountants to comply with relevant
laws and regulations and avoid any action that may discredit the
profession". (Source: The IESBA Code of Ethics. 100.5)

2.2.1.2. Conceptual framework approach


Identify threats to compliance with fundamental requirements
(a) Self-interest threat – the threat that a financial or other interest will
inappropriately influence the professional accountant's judgment or behaviour
(b) Self-review threat – the threat that a professional accountant will not
appropriately evaluate the result of a previous judgment made or service
performed by the professional accountant, or by another individual within the
professional accountant's firm or employing organization, on which the
accountant will rely when forming a judgment as part of providing a current
service.
(c) Advocacy threat – the threat that a professional accountant will promote
a client's or employee's position to the point that the professional accountant's
objectivity is compromised.
(d) Familiarity threat – the threat that due to a long or close relationship
with a client or employee, a professional accountant will be too sympathetic to
their interests or too accepting of their work.
(e) Intimidation threat – the threat that a professional accountant will be
deterred from acting objectively because of actual or perceived pressures,
including attempts to exercise undue influence over the professional
accountants. (IESBA Code, 100.12)
Apply safeguards to eliminate or reduce threats by the profession,
legislation, or regulations; and safeguards in the work environment.
2.2.2. Code of ethics for internal auditing and state auditing
Under the internal audit ethics code, auditors are expected to apply principles
and rules of conduct including: integrity, objectivity, confidentiality, and
competency. The auditor shall comply with these principles and perform internal
audit services in accordance with the International Standards for the
Professional Practice of Internal Auditing (Standards). The content of these
principles for internal audit does not differ much in meaning from that of the
principles for independent audit. Under the state audit ethics code, auditors
must comply with the INTOSAI Code of Ethics or the national SAI Code of Ethics.
On a global scale, INTOSAI issues ISSAI 30 – Code of Ethics for public sector
auditors, which consists of the ethical requirements of civil servants in
general and the particular requirements of auditors, including the latter’s
professional obligations.
Appendix 2.1: Vietnamese Standards on Auditing System in
correlation with International Standards on Auditing (ISAs)
(Issued by Circular No 214/2012/TT-BTC dated December 6th, 2012.
Effective from January 1st, 2014)

No | VSAs | Number and name of auditing standard | ISAs

100-199: Frameworks of ISAs
1 | VSQC1 | Quality control for firms that perform audits and reviews of financial statements, and other assurance and related services engagements. | ISQC1

200-299: Responsibility
2 | 200 | Overall objectives of the independent auditor and the conduct of an audit in accordance with international standards on auditing | 200
3 | 210 | Agreeing the terms of audit engagements | 210
4 | 220 | Quality control for an audit of financial statements | 220
5 | 230 | Audit documentation | 230
6 | 240 | The auditor’s responsibilities relating to fraud in an audit of financial statements | 240
7 | 250 | Consideration of Laws and regulations in an audit of financial statements | 250
8 | 260 | Communication with those charged with governance | 260
9 | 265 | Communicating deficiencies in internal control to those charged with governance and management | 265

300-499: Risk assessment and related content
10 | 300 | Planning an audit of financial statements | 300
11 | 315 | Identifying and assessing the risks of material misstatement through understanding the entity | 315
12 | 320 | Materiality in planning and performing an audit | 320
13 | 330 | The auditor’s responses to assessed risks | 330
14 | 402 | Audit considerations relating to an entity using a service organization | 402
15 | 450 | Evaluation of misstatements identified during the audit | 450

500-599: Audit evidence
16 | 500 | Audit evidence | 500
17 | 501 | Audit evidence – specific considerations for selected items | 501
18 | 505 | External confirmations | 505
19 | 510 | Initial audit engagements – opening balances | 510
20 | 520 | Analytical procedures | 520
21 | 530 | Audit sampling | 530
22 | 540 | Auditing accounting estimates, including fair value accounting estimates, and related disclosures | 540
23 | 550 | Related parties | 550
24 | 560 | Subsequent events | 560
25 | 570 | Going concern | 570
26 | 580 | Written representations | 580

600-699: Using other parties' document
27 | 600 | Special considerations – audits of group financial statements (including the work of component auditors) | 600
28 | 610 | Using the work of internal auditors | 610
29 | 620 | Using the work of an auditor’s expert | 620

700-799: Conclusion and reporting
30 | 700 | Forming an opinion and reporting on financial statements | 700
31 | 705 | Modifications to the opinion in the independent auditor’s report. | 705
32 | 706 | Emphasis of matter paragraphs and other matter paragraphs in the independent auditor’s report | 706
33 | 710 | Comparative information – corresponding figures and comparative financial statements | 710
34 | 720 | The auditor’s responsibilities relating to other information in documents containing audited financial statements | 720

800-899: Other activities
35 | 800 | Special considerations – audits of financial statements prepared in accordance with special purpose frameworks | 800
36 | 805 | Special considerations – audits of single financial statements and specific elements, accounts or items of a financial statement. | 805
37 | 810 | Engagements to report on summary financial statements | 810

900-999: Related services
   | 910 | Engagements to Review Financial Statements* | -
   | 920 | Engagements to Perform Agreed-Upon Information* | -
   | 930 | Engagements to Compile Financial Information* | -

The private standard of Viet Nam **
   | 1000 | Kiem toan bao cao quyet toan von dau tu hoan thanh (Audit of the final settlement report of completed investment capital) | -

(*: The standard transferred into other kind; **: The private standard of Viet
Nam)

34
Appendix 2.2: The formal declaration of IAASB structure

Ethic code of IFAC with professional auditors

Some kinds of service which is declared by IAASB

ISQCs 1-99: International standard about quality control

The international model about assurance contract

Audit and check financial information | Other assurance contract which is not audit and checking financial information
ISAs 100-999: International standard on auditing | ISAEs 3000-3699: International standard on assurance contract
IAPSs 1000-1999: International practicing audit report | IAEPSs 3700-3999: Application for practicing report of assurance contract

The service concerned

ISREs 2000-2699: International standard on control contract | ISRSs 4000-4699: International standard on service concerned
IREPSs 2700-2999 | IRSPSs 4700-4999

REVIEW QUESTIONS AND PROBLEMS
1. Explain why it is important for audits to be conducted in accordance with
auditing standards.
2. Distinguish the differences among the independent auditing standards,
internal auditing standards and state auditing standards.
3. Define the fundamental ethical requirements according to the IESBA Code.
What are the threats, and the safeguards to eliminate or reduce them, when
professional accountants comply with the fundamental requirements?
4. Explain how technical knowledge and professional ethics could affect
audit quality.
5. Which of the following are recognized threats to independence and
objectivity?
(1) Familiarity
(2) Self-interest
(3) Integrity
(4) Advocacy
a. (1), (2), (3) and (4)
b. (1), (2) and (4)
c. (2), (3) and (4)
d. (2) and (4) only
6. In which of the following situations would the auditor be able to disclose
confidential information about a client?
(1) Disclosure is required by law.
(2) Disclosure is permitted by law but the auditor has not requested the
client's permission.
(3) The auditor suspects that the client has committed money-laundering
offences.
a. (1) and (2) only
b. (1) and (3) only
c. (2) and (3) only
d. (1), (2) and (3)

PART TWO: BASIC CONCEPTS IN AUDITING
CHAPTER 3: AUDIT REPORT
CHAPTER 4: FINANCIAL REPORT ASSERTIONS AND AUDIT
OBJECTIVES
CHAPTER 5: FRAUDS AND ERRORS, MATERIALITY AND RISKS IN
AN AUDIT
CHAPTER 6: INTERNAL CONTROL – AN OVERVIEW
CHAPTER 7: AUDIT EVIDENCE

CHAPTER 3
AUDIT REPORT
LEARNING OBJECTIVES
1. Nature of the audit report
2. Clarify the content of Financial statement audit report
3. Describe the types of financial statement audit report
4. Clarify the content of compliance audit report and performance audit
report
INTRODUCTION
The audit process ends after the auditor issues the audit report to the users.
This report is the end product of the audit and a tool to communicate to the
users the auditor's opinion on the audited information. In a financial statement
audit, the audit report is a tool to communicate to shareholders and other users
of the company’s financial statements the auditor’s conclusions about whether
the financial statements portray the entity’s financial position and performance
truly and fairly and comply with the accounting standards.
In this chapter, we discuss the reporting obligations of auditors in
three types of audit – financial statement audit, compliance audit and
performance audit. We also explore the content of these types of audit report
and the roles of the different types of audit report. We discuss what is required
in a financial statement audit to assess whether the financial statements are
true and fair, and the types of audit report and audit opinion in a financial
statement audit.
CONTENT
3.1. NATURE OF THE AUDIT REPORT
The audit report is considered the primary product of the audit process.
The audit report is a written document prepared and issued by the auditor and
audit organization to express their opinion on the audited information of the
entity being audited.
The auditor's report is issued by either an internal auditor, a state
auditor or an external auditor, as a result of an internal or external audit as
an assurance service for the users to make decisions based on the results of the
audit. The auditor can report on the financial information, compliance
information or performance information.
In an audit of financial statements, the audit report is considered an
essential tool when reporting financial information to users, particularly in
business. Since many third-party users prefer or even require financial
information to be certified by an independent external auditor, many auditees
rely on auditor reports to certify their information in order to attract investors,
obtain loans, and improve public appearance. Some have even stated that
financial information without an auditor's report is "essentially worthless" for
investing purposes.
In a compliance audit, the audit report is a clear written statement of
audit opinion on compliance in the entity. The compliance audit report is very
significant for management and governance in the entity or in the public
sector as well as for the state or government. A reliable compliance audit
report can provide transparency in administering funds or exercising
management as well as corrective action, promote accountability by reporting
deviations from and violations of authorities, and enhance good governance by
identifying weaknesses and deviations from laws and regulations through the
auditor's opinion and recommendations.
In a performance audit, the audit report is a comprehensive document of
audit opinion on the economy, efficiency and effectiveness of audited
activities. The performance audit report also provides new information and
recommendations based on an analysis of audit findings, as well as advice
for improving the audited operations.

3.2. FINANCIAL STATEMENT AUDIT REPORT
3.2.1. Content of the financial statement audit report
Basically, an audit report includes the following elements:

Basic elements of audit report and explanation:

Title: The auditor's report must have a title that clearly indicates that it
is the report of the independent auditor. This signifies that the auditor has
met all the ethical requirements concerning independence and therefore
distinguishes the auditor's report from other reports.

Addressee: The addressee will be determined by law or regulation but is
likely to be the shareholders or those charged with governance.

Introductory paragraph: This shall identify the entity being audited, state
that the financial statements have been audited, identify the title of each
statement that comprises the financial statements being audited, refer to the
summary of significant accounting policies and other explanatory notes, and
specify the date or period covered by each statement comprising the financial
statements.

Management's responsibility for the financial statements: This part of the
report describes the responsibilities of those who are responsible for the
preparation of the financial statements. The report shall include a section
headed 'Management's responsibility for the financial statements' and describe
management's responsibility including the following:
• Management is responsible for the preparation of the financial statements in
accordance with the applicable financial reporting framework.
• Management is responsible for such internal control necessary to enable the
preparation of financial statements that are free from material misstatement,
whether due to error or fraud.
• Reference shall be made to 'the preparation and fair presentation of these
financial statements' (or 'the preparation of financial statements that give a
true and fair view') where the financial statements are prepared in accordance
with a fair presentation framework.

Auditor's responsibility: The report shall include a section entitled
'Auditor's responsibility'. The report must state that the auditor is
responsible for expressing an opinion on the financial statements based on the
audit.
This section must also state that the audit was conducted in accordance with
auditing standards and ethical requirements and that the auditor planned and
performed the audit so as to obtain reasonable assurance that the financial
statements are free from material misstatement.
The report must describe an audit by stating that:
• An audit involves performing procedures to obtain audit evidence about the
amounts and disclosures in the financial statements.
• The procedures chosen depend on the auditor's judgment of risks of material
misstatements, and the auditor considers internal control relevant to the
preparation of the financial statements in order to design appropriate audit
procedures (but not to express an opinion on the effectiveness of internal
control).
• An audit includes evaluation of the appropriateness of the accounting
policies used, the reasonableness of accounting estimates made by management
and the overall presentation of the financial statements. This part of the
report shall also state whether the auditor believes that the audit evidence
obtained is sufficient and appropriate to provide a basis for the opinion.

Opinion paragraph: If the auditor expresses an unmodified opinion on financial
statements prepared in accordance with a fair presentation framework, the
opinion shall use one of the following equivalent phrases:
• The financial statements present fairly, in all material respects, ... in
accordance with [the applicable financial reporting framework]; or
• The financial statements give a true and fair view of ... in accordance with
[the applicable financial reporting framework].

Other reporting responsibilities: If the auditor is required by law to report
on any other matters, this must be done in an additional paragraph below the
opinion paragraph which is titled 'Report on other legal and regulatory
requirements' or otherwise as appropriate.

Auditor's signature: The report must contain the auditor's signature, whether
this is the auditor's own name or the audit firm's name or both.

Date of the report: The report must be dated no earlier than the date on which
the auditor has obtained sufficient appropriate audit evidence on which to base
the auditor's opinion on the financial statements.

Auditor's address: Address of the auditor

(Source: ISA 700, ISSAI 200 and IIA Standards for audit report on financial statements)

3.2.2. Types of financial statement audit report
In order to form the opinion, the auditor needs to conclude as to whether
reasonable assurance has been obtained so that the financial statements are free
from material misstatements. According to ISA 700, the auditor's conclusion
needs to consider the following:
• Whether sufficient appropriate audit evidence has been obtained
• Whether uncorrected misstatements are material
• Qualitative aspects of the entity's accounting practices, including
indicators of possible bias in management's judgments
• Whether the financial statements adequately disclose the significant
accounting policies selected and applied
• Whether the accounting policies selected and applied are consistent with
the applicable financial reporting framework and are appropriate
• Whether accounting estimates made by management are reasonable
• Whether the information in the financial statements is relevant, reliable,
comparable and understandable
• Whether the financial statements provide adequate disclosures to allow
users to understand the effect of material transactions and events on the
information presented in the financial statements
• The overall presentation, structure and content of the financial statements
• Whether the financial statements represent the underlying transactions and
events so as to achieve fair presentation
• Whether the financial statements adequately refer to or describe the
applicable financial reporting framework

In order to form an audit opinion, the auditor should consider two factors.
Firstly, whether the financial statements are materially misstated or not.
Secondly, whether the auditor is able to obtain sufficient and appropriate audit
evidence. After considering the factors above, there are basically two types of
audit report: one with an unmodified and one with a modified audit opinion.
Nature of circumstances | Material but not pervasive | Material and pervasive
Financial statements are materially misstated | QUALIFIED OPINION | ADVERSE OPINION
Auditor is unable to obtain sufficient appropriate audit evidence | QUALIFIED OPINION | DISCLAIMER OF OPINION
Pervasiveness is a term used to describe the effects or possible effects on
the financial statements of misstatements or undetected misstatements (due to
inability to obtain sufficient appropriate audit evidence).
3.2.2.1. Unmodified opinion and the unmodified audit report
An unmodified opinion is an opinion expressed by the auditor when the
auditor concludes that the financial statements are prepared, in all material
respects, in accordance with the applicable financial reporting framework. The
unmodified audit report is a written document prepared and issued by the
auditor and audit organization to express their unmodified opinion on the
audited information of the entity being audited.
The following extract from an auditor's report shows an example of the
opinion paragraph for an unmodified report.

In our opinion, the financial statements present fairly, in all material
respects, (or give a true and fair view of) the financial position of ABC
Company as of December 31, 20X1, and (of) its financial performance and its
cash flows for the year then ended in accordance with International Financial
Reporting Standards (or national accounting standards).

3.2.2.2. Modified opinion and modified audit report
There are three types of modified opinion: qualified opinion, adverse
opinion and disclaimer of opinion.
a. Qualified opinion and qualified audit report
A qualified opinion is an opinion expressed by the auditor when the
auditor concludes that:
- The auditor cannot obtain sufficient appropriate audit evidence on
which to base the opinion but the possible effects of undetected misstatements,
if any, could be material but not pervasive; or
- There exists disagreement between auditee and auditor about the
preparation and disclosure of the financial statements in compliance with
generally accepted accounting standards.
A qualified audit report is a written document prepared and issued by the
auditor and audit organization to express their qualified opinion on the audited
information of the entity being audited.
According to ISA 705, a qualified opinion must be expressed in the
auditor's report in the two following situations:
(1) The auditor concludes that misstatements are material, but not
pervasive, to the financial statements.
Material misstatements could arise in respect of:
• The appropriateness of selected accounting policies
• The application of selected accounting policies
• The appropriateness or adequacy of disclosures in the financial
statements.

Example of a qualified opinion due to disagreement between the auditee
and auditor about the disclosure of financial information:
Basis for qualified opinion
The company's fixed assets are carried in the statement of financial
position at 31/12/N. Management changed the depreciation method of
accounting for tangible fixed assets without disclosure in the financial
statements, with the amount of xxx. This would have affected
depreciation cost, residual value and related expenses by xxx, and income
tax and net income would have been affected by xxx and xxx, respectively.
Qualified Opinion
In our opinion, except for the effects of the matter described in the
Basis for Qualified Opinion paragraph, the financial statements present
fairly, in all material respects, (or give a true and fair view of) the
financial position of ABC Company as at December 31, N, and (of) its
financial performance and its cash flows for the year then ended in
accordance with International Financial Reporting Standards.

(2) The auditor cannot obtain sufficient appropriate audit evidence on
which to base the opinion but concludes that the possible effects of undetected
misstatements, if any, could be material but not pervasive.
The auditor's inability to obtain sufficient appropriate audit evidence is
also referred to as a limitation on the scope of the audit and could arise from:
• Circumstances beyond the entity's control (e.g. accounting records
destroyed)
• Circumstances related to the nature or timing of the auditor's work (e.g.
the timing of the auditor's appointment prevents the observation of the physical
inventory count)
• Limitations imposed by management (e.g. management prevents the
auditor from requesting external confirmation of specific account balances)
(ISA 705.A8)

Example of a qualified opinion due to inability to obtain sufficient
appropriate audit evidence:

Basis for qualified opinion
With respect to fixed assets having a carrying amount of $X the
audit evidence available to us was limited because we did not observe the
counting of the physical fixed assets as at 31 December N, since that date
was prior to our appointment as auditor of the company. Owing to the
nature of the company's records, we were unable to obtain sufficient
appropriate audit evidence regarding the inventory quantities by using
other audit procedures.
Qualified Opinion
In our opinion, except for the possible effects of the matter
described in the Basis for Qualified Opinion paragraph, the financial
statements present fairly, in all material respects, (or give a true and fair
view of) the financial position of ABC Company as at December 31, N,
and (of) its financial performance and its cash flows for the year then
ended in accordance with International Financial Reporting Standards.

b. Adverse opinion
An adverse opinion is expressed when the auditor, having obtained
sufficient appropriate audit evidence, concludes that misstatements are both
material and pervasive to the financial statements. The adverse audit report is
a written document prepared and issued by the auditor and audit organization to
express their adverse opinion on the audited information of the entity being
audited.
Example of adverse opinion:
House building company has included all the houses it has constructed
during the year as non-current assets rather than inventory. The value of these
houses constitutes 90% of the total asset value on the statement of financial
position.

Basis for adverse opinion
The company has included houses built for re-sale (including
related land) at a cost of $X as non-current assets and depreciated them at
a rate of X%, resulting in depreciation of $X. Under International
Financial Reporting Standards, these should have been included as
inventory in the financial statements and no depreciation should have
been provided in respect of these. The carrying value of the houses
represents 90% of the company's total assets and the company's records
indicate that ... [explanation of the effect on amounts presented in the
financial statements].
Adverse Opinion
In our opinion, because of the significance of the matter discussed
in the Basis for Adverse Opinion paragraph, the financial statements do
not present fairly (or do not give a true and fair view of) the financial
position of ABC Company as at December 31, 20X1, and (of) its
financial performance and its cash flows for the year then ended in
accordance with International Financial Reporting Standards.

c. Disclaimer of opinion
An opinion must be disclaimed when the auditor cannot obtain sufficient
appropriate audit evidence on which to base the opinion and concludes that the
possible effects on the financial statements of undetected misstatements, if any,
could be both material and pervasive. The disclaimer of audit report is a written
document prepared and issued by the auditor and audit organization to express
their disclaimer of opinion on the audited information of the entity being
audited.
Example of a disclaimer of opinion:

Basis for disclaimer of opinion
We did not observe the counting of physical inventories at the
beginning and end of the year at December 31, N because our engagement
was conducted after December 31, N. We were also unable to satisfy
ourselves by alternative means concerning the inventory quantities held at
December 31, N-1 and N, which are stated in the statement of financial
position at xxx and xxx, respectively. In addition, we were unable to confirm
by alternative means accounts receivable included in the statement of financial
position at a total amount of xxx as at December 31, 20X1. As a result of
these matters, we were unable to determine whether any adjustments might
have been found necessary in respect of recorded or unrecorded inventories
and accounts receivable, and the elements making up the statement of profit or
loss, statement of changes in equity and cash flow statement.
Disclaimer of Opinion
Because of the significance of the matters described in the Basis for
Disclaimer of Opinion paragraph, we have not been able to obtain sufficient
appropriate audit evidence to provide a basis for an audit opinion.
Accordingly, we do not express an opinion on the financial statements.

3.2.3. Emphasis of matter paragraph and other matter paragraph in the
auditor’s report
a. Emphasis of matter paragraphs
According to ISA 706.6, an emphasis of matter paragraph is a paragraph
included in the auditor's report that refers to a matter appropriately presented or
disclosed in the financial statements that, in the auditor's judgment, is of such
importance that it is fundamental to users' understanding of the financial
statements. An example is an uncertainty relating to the future outcome of
exceptional litigation or regulatory action.
Emphasis of matter paragraphs are used to draw readers' attention to a
matter already presented or disclosed in the financial statements that the auditor
feels is fundamental to their understanding, provided that the auditor has
obtained sufficient appropriate audit evidence that the matter is not materially
misstated.
When an emphasis of matter paragraph is included in the auditor's report,
it comes immediately after the opinion paragraph and is entitled 'Emphasis of
matter' (or other appropriate heading).
b. Other matter paragraph
According to ISA 706.6, an other matter paragraph is a paragraph
included in the auditor's report that refers to a matter other than those presented
or disclosed in the financial statements that, in the auditor's judgment, is
relevant to users' understanding of the audit, the auditor's responsibilities or the
auditor's report.
Other matter paragraphs are used where the auditor considers it
necessary to draw readers' attention to a matter that is relevant to their
understanding of the audit, the auditor's responsibilities or the auditor's report.
The other matter paragraph must be included immediately after the
opinion paragraph and any emphasis of matter paragraph, or elsewhere in the
auditor's report if the content of it is relevant to the other reporting
responsibilities section.
3.3. COMPLIANCE AUDIT REPORT AND PERFORMANCE AUDIT
REPORT
Normally, the compliance audit report and the performance audit report
are issued by the internal or public sector auditor (state auditor). The
audit conclusions may take the form of a clear statement of opinion on
compliance or the auditor's findings on the economy and efficiency with which
resources are used and the effectiveness with which objectives are met. The
contents of the audit reports of these two audits consist of the following:
- Title: The title names "the report of the internal or state auditor" about the
compliance audit or performance audit. This title clarifies the intended user,
the responsible party and the subject matter relating to the audit.
- Addressee: as required by the circumstances of the engagement;
- Scope of the audit, including the time period covered;
- Identification or description of the subject matter, audit objective, audit
questions and answers to those questions;
- Identification of auditing standards or criteria applied in performing the
work: the audit is performed based on the Fundamental Principles of
Compliance Auditing or Performance Auditing (adopted by ISSAI or IIA or
other professional bodies);
- A summary of the work performed, including methodology, sources of
data and any limitations;
- Audit findings;
- An opinion/conclusion: For the performance audit report, opinions may
be the internal auditor's conclusions or other descriptions of the results in
relation to the effectiveness or efficiency of internal controls around a
specific process, risk, or business unit. The formulation of such opinions
requires consideration of the engagement results and their significance. For the
compliance audit report, the opinion may be the state auditor's conclusions on
the results in relation to compliance with laws and regulations in the entity.
If required, there is a section with the heading "Report on other legal and
regulatory requirements" to address other reporting responsibilities of the
auditor.
- Replies from the audited entity;
- Recommendations for compliance or improvements to performance;
- Report date;
- Signature of the auditor;
- The location in the jurisdiction where the auditor practices.

REVIEW QUESTIONS AND PROBLEMS
1. What is an audit report? Explain why auditors' reports are important to
users of financial statements.
2. What types of opinions should an auditor issue when there is a material
uncertainty regarding the entity continuing as a going concern?
3. What are the types of audit reports? Distinguish among the financial
statement audit report, compliance audit report and public sector audit report.
4. List the differences among the independent audit report, internal audit
report and state audit report.
5. Describe the conditions for issuing the unqualified audit report and the
qualified audit report. What importance does each of these audit reports have to
the firm and to users of the information?
6. Clarify the differences between the disclaimer audit report and the adverse
audit report. Give an example for each circumstance.
7. You are the independent auditor in charge of conducting the audit of the
financial statements of client ABC (for the year ended 31.12.N). During the audit
of inventory, you identify that the client has changed the inventory accounting
method and does not disclose this in the notes to the financial statements.
Requirements:
4. What are the auditor's responsibilities when he discovers the misstatement
in the audit of inventory at client ABC?
5. What kinds of audit reports can be issued in this circumstance? Why?
Write the audit opinion paragraph for each of these audit reports.

CHAPTER 4
FINANCIAL REPORT ASSERTIONS AND AUDIT OBJECTIVES
LEARNING OBJECTIVES
1. Understand how the transactions and events affect the financial
statements' presentation
2. Management’s Responsibility for the Financial Statements
3. Define assertions in the Audit of Financial Statements and audit
procedures
4. Clarify auditor's responsibility and audit objectives
INTRODUCTION
This chapter covers the following contents:
• Financial statements need to reflect the entity’s financial performance for
the reporting period and its financial position at the period end. Accordingly,
financial statements present the effects of all transactions and other events
that the entity incurs during the period.
• Management of the Company is responsible for preparing the financial
statements.
• Auditors are required to test assertions relating to identified risks of
misstatements of account balances and transactions by applying relevant audit
procedures before coming to a conclusion as to whether the financial
statements are free from material misstatement.
• The auditor’s responsibility is to express an opinion on these financial
statements based on the audit. The auditor is required to conduct the audit in
accordance with Professional Standards on Auditing. Those standards require
that the auditor comply with ethical requirements and plan and perform the audit
to obtain reasonable assurance about whether the financial statements are free
from material misstatement. Accordingly, audit objectives are set out in detail
and are in line with the auditor’s responsibility in an audit engagement.
CONTENT
4.1 HOW THE TRANSACTIONS AND EVENTS AFFECT THE
FINANCIAL STATEMENTS' PRESENTATION
Financial statements need to reflect, in an appropriate manner and as far
as is practicable, the effects of transactions and other events on the reporting
entity’s financial performance and financial position. This involves a high
degree of classification and aggregation. Order is imposed on this process by
specifying and defining the classes of items - the elements of financial
statements - that encapsulate the key aspects of the effects of those
transactions and other events.
The elements of financial statements are:
(a) in the case of the balance sheet (or statement of financial position) -
assets, liabilities and ownership interest;
(b) in the case of the profit and loss account and any other statement of
financial performance - gains and losses;
(c) contributions from owners; and distributions to owners.
Elements have been specified and defined to analyze comprehensively
the way in which the financial effects of transactions and other events are
represented in financial statements. However, as the cash flow statement
represents only one type of financial effect - cash flows - analysis into elements
is not relevant to that statement.
4.2 MANAGEMENT'S RESPONSIBILITY FOR THE FINANCIAL
STATEMENTS
Management of the Company is responsible for preparing the financial
statements, which give a true and fair view of the financial position of the
Company and of its results and cash flows for the year in accordance with
generally accepted accounting principles and standards, the accounting regime
for enterprises and legal regulations relating to financial reporting. In
preparing these financial statements, the Company’s management is required to:
• Select suitable accounting policies and then apply them consistently;
• Make judgments and estimates that are reasonable and prudent;
• State whether applicable accounting principles have been followed,
subject to any material departures disclosed and explained in the financial
statements;
• Prepare the financial statements on the going concern basis unless it is
inappropriate to presume that the Company will continue in business; and
• Design and implement an effective internal control system for the purpose
of properly preparing and presenting the financial statements so as to minimize
errors and frauds.
The Company’s management is responsible for ensuring that proper
accounting records are kept, which disclose, with reasonable accuracy at any
time, the financial position of the Company, and that the financial statements
comply with generally accepted accounting principles and standards, the
accounting regime for enterprises and legal regulations relating to financial
reporting. The Company’s management is also responsible for safeguarding the
assets of the Company and hence for taking reasonable steps for the prevention
and detection of frauds and other irregularities.
The statement on the Company’s responsibility for preparing the
financial statements is required to be attached to the audited financial
statements.
4.3 ASSERTIONS IN THE AUDIT OF FINANCIAL STATEMENTS
Definition of Assertions: Assertions are the implicit or explicit claims
and representations made by the management responsible for the preparation of
financial statements regarding the appropriateness of the various elements of
financial statements and disclosures. Assertions are also known as
Management Assertions and Financial Statement Assertions.
In preparing financial statements, management is making implicit or
explicit claims (i.e. assertions) regarding the recognition, measurement and
presentation of assets, liabilities, equity, income, expenses and disclosures in
accordance with the applicable financial reporting framework (e.g. IFRS).
4.3.1 Why do the auditors need to test financial statements assertions?
The objective of audit testing is to assist the auditor in coming to a
conclusion as to whether the financial statements are free from material
misstatement.
However, the auditor does not simply design tests with the broad
objective to identify material misstatement. This is a difficult conclusion to
reach and can only be based upon a series of detailed tests, each designed with
a specific testing objective relating to certain areas of the financial statements.

Example 1: auditors have to assess whether inventory balances are free
from material misstatement. Unfortunately, there are many ways inventory
could be misstated:
• items could be missed out of inventory;
• items from the next accounting period could be accidentally included;
• it might not be valued at the lower of cost and net realizable value;
• damaged or obsolete stock might not be identified;
• purchase cost may not be recorded accurately; or
• the stock count may not be performed thoroughly.
Example 2: If a balance sheet of an entity shows buildings with carrying
amount of $10 million, the auditor shall assume that the management has
claimed that:
• The buildings recognized in the balance sheet exist at the period end;
• The entity owns or controls those buildings;
• The buildings are valued accurately in accordance with the measurement
basis;
• All buildings owned and controlled by the entity are included within the
carrying amount of $10 million.
Each of these concerns could result in misstatement, which ultimately
could (alone or in aggregate) be material.
For this reason, auditors have to perform a range of tests on the
significant classes of transaction, account balances and disclosures to be
reasonably sure that they are not misstated. These tests focus on what are
known as financial statements assertions.
4.3.2 Types and examples
Assertions may be classified into the following types:

Assertions relating to classes of transactions

| Assertions | Explanation | Examples: Salary costs | Example: related potential identified risks |
|---|---|---|---|
| Occurrence | Transactions recognized in the financial statements have occurred and relate to the entity. | Salaries & wages expense has been incurred during the period in respect of the personnel employed by the entity. Salaries and wages expense does not include the payroll cost of any unauthorized personnel. | Validity: Salaries & wages expense may be recorded based on fictitious staff, fictitious working hours and related expenses. |
| Completeness | All transactions that were supposed to be recorded have been recognized in the financial statements. | Salaries and wages cost in respect of all personnel has been fully accounted for. | Completeness: Salary costs may not be completely recorded for the year ended or may be deferred to the next accounting period. |
| Accuracy | Transactions have been recorded accurately at their appropriate amounts. | Salaries and wages cost has been calculated accurately. Any adjustments such as tax deduction at source have been correctly reconciled and accounted for. | Recording: Salary costs may be recorded inaccurately for the period. |
| Cut-off | Transactions have been recognized in the correct accounting periods. | Salaries and wages cost recognized during the period relates to the current accounting period. Any accrued and prepaid expenses have been accounted for correctly in the financial statements. | Cut-off: Recorded salary costs for the current period may include those incurred in the prior period or exclude costs that may be deferred to the next accounting period. |
| Classification | Transactions have been classified and presented fairly in the financial statements. | Salaries and wages cost has been fairly allocated between: operating expenses incurred in production activities; general and administrative expenses; and cost of personnel relating to any self-constructed assets other than inventory. | Recording: Salary costs may be improperly reclassified to relevant class of transactions based on current accounting guideline. |

Assertions relating to assets, liabilities and equity balances at the period end

| Assertions | Explanation | Examples: Inventory balance | Example: related potential identified risks |
|---|---|---|---|
| Existence | Assets, liabilities and equity balances exist at the period end. | Inventory recognized in the balance sheet exists at the period end. | Validity: Inventory balance may include fictitious inventory items. |
| Completeness | All assets, liabilities and equity balances that were supposed to be recorded have been recognized in the financial statements. | All inventory units that should have been recorded have been recognized in the financial statements. Any inventory held by a third party on behalf of the audit entity has been included in the inventory balance. | Completeness: Inventory balance may exclude items that the entity has the right to own or use. |
| Rights and Obligations | Entity has the right to ownership or use of the recognized assets, and the liabilities recognized in the financial statements represent the obligations of the entity. | Audit entity owns or controls the inventory recognized in the financial statements. Any inventory held by the audit entity on account of another entity has not been recognized as part of inventory of the audit entity. | Validity: Some inventory items that are not under the entity’s ownership have been included in the inventory balance. |
| Valuation | Assets, liabilities and equity balances have been valued appropriately. | Inventory has been recognized at the lower of cost and net realizable value in accordance with IAS 2 Inventories. Any costs that could not be reasonably allocated to the cost of production (e.g. general and administrative costs) and any abnormal wastage have been excluded from the cost of inventory. An acceptable valuation basis has been used to value inventory cost at the period end (e.g. FIFO, AVCO, etc.) | Valuation/recording: Inventory balance is not properly evaluated. |

Assertions relating to presentation and disclosures

| Assertions | Explanation | Examples: Inventory balance |
|---|---|---|
| Occurrence | Transactions and events disclosed in the financial statements have occurred and relate to the entity. | Transactions with related parties disclosed in the notes of financial statements have occurred during the period and relate to the audit entity. |
| Completeness | All transactions, balances, events and other matters that should have been disclosed have been disclosed in the financial statements. | All related parties, related party transactions and balances that should have been disclosed have been disclosed in the notes of financial statements. |
| Classification | Disclosed events, transactions, balances and other financial matters have been classified appropriately and presented clearly in a manner that promotes the understandability of information contained in the financial statements. | The nature of related party transactions, balances and events has been clearly disclosed in the notes of financial statements. Users of the financial statements can clearly determine the financial statement captions affected by the related party transactions and balances and can easily ascertain their financial effect. |
| Accuracy & Valuation | Transactions, events, balances and other financial matters have been disclosed accurately at their appropriate amounts. | Related party transactions, balances and events have been disclosed accurately at their appropriate amounts. |

Example: related potential identified risks (a single cell spanning the rows of this table):
Presentation: Related parties transactions and balances presentation and
disclosure may include those that, in nature, are not related parties relationships.
Or, related parties transactions and balances presentation and disclosure may
omit some transactions or balances.
Or, the value and amount of related parties transactions and balances are not
correctly disclosed or presented.

The auditor may use the relevant assertions as they are described above
or may express them differently provided aspects described above have been
covered. For example, the auditor may choose to combine the assertions about
transactions and events with the assertions about account balances. As another
example, there may not be a separate assertion related to cut-off of transactions
and events when the occurrence and completeness assertions include
appropriate consideration of recording transactions in the correct accounting
period.
The auditor should use relevant assertions for classes of transactions,
account balances, and presentation and disclosures in sufficient detail to form a
basis for the assessment of risks of material misstatement and the design and
performance of further audit procedures. The auditor should use relevant
assertions in assessing risks by considering the different types of potential
misstatements that may occur, and then designing further audit procedures that
are responsive to the assessed risks.
Relevant assertions are assertions that have a meaningful bearing on
whether the account is fairly stated. For example, valuation may not be relevant
to the cash account unless currency translation is involved; however, existence
and completeness are always relevant. Similarly, valuation may not be relevant
to the gross amount of the accounts receivable balance but is relevant to the
related allowance accounts. Additionally, the auditor might, in some
circumstances, focus on the presentation and disclosure assertion separately in
connection with the period-end financial reporting process.
For each significant class of transactions, account balance, and
presentation and disclosure, the auditor should determine the relevance of each
of the financial statement assertions. To identify relevant assertions, the auditor
should determine the source of likely potential misstatements in each
significant class of transactions, account balance, and presentation and
disclosure. In determining whether a particular assertion is relevant to a
significant account balance or disclosure, the auditor should evaluate:
a. The nature of the assertion;
b. The volume of transactions or data related to the assertion; and
c. The nature and complexity of the systems, including the use of
information technology, by which the entity processes and controls information
supporting the assertion.
4.4 FINANCIAL STATEMENTS ASSERTIONS AND AUDIT
PROCEDURES
4.4.1 Understanding of risk-based approach in financial statements
audit
ISA states that “The objective of the auditor is to identify and assess the
risks of material misstatement, whether due to fraud or error, at the financial
statement and assertion levels, through understanding the entity and its
environment, including the entity’s internal control, thereby providing a basis
for designing and implementing responses to the assessed risks of material
misstatement.” Accordingly, a risk-based audit approach is designed to apply
throughout the audit to efficiently and effectively focus the nature, timing and
extent of audit procedures to those areas that have the most potential for
causing material misstatement(s) in the financial report.
The risk-based approach requires the auditor to first understand the entity
and its environment in order to identify risks that may result in material
misstatement of the financial report. Next, the auditor performs an assessment
of those risks at both the financial report and assertion levels. The assessment
involves considering a number of factors such as the nature of the risks,
relevant internal controls and the required level of audit evidence.
When performing an audit engagement, auditors are required to state
which significant and non-significant risks may arise for account balances,
transactions… as well as the assertions related to such identified risks.
For example, when obtaining an understanding of the client’s operations, a
significant risk of misstatement in revenue recognition to meet the Company’s
operation budget is identified. The auditor is required to state clearly whether such
recorded revenue may be overstated or understated for the year ended. Accordingly,
the assertions related to that specific significant risk are required to be clearly
noted in audit planning. Where the auditor states that revenue may be
overstated to meet the Company’s budget, the related assertions may be
occurrence or cut-off or both.
The assertions embodied in the financial statements are used by the auditor
to determine related audit procedures to mitigate identified risks.
4.4.2 Steps for audit procedures
The auditor applies the following steps for audit procedures:
• Designing the audit procedures or tests;
• Carrying out the audit procedures or tests and/or gathering evidence;
• Analyzing evidence and drawing conclusions, which may also involve
evaluating performance against the audit criteria; and
• Making decisions about whether additional information is required and can
be obtained (go back to step 1) or whether sufficient appropriate evidence exists.
Audit procedures typically focus on the key risk areas identified through
a risk analysis.
It is not unusual for audits to be redesigned during the examination stage
as teams encounter unforeseen difficulties in gathering sufficient evidence of
appropriate quality. Auditors have to be alert to any signs that the evidence-
gathering process may not be achieving the level of assurance required for the
audit assignment and take appropriate corrective action. If there are any
potential amendments to the audit program, communicate these changes and
raise any other issues, on a timely basis, with the senior members of the audit
team. In instances where modifications did not take place before the start of
field work, modify the audit steps as the work progresses, obtain approval for
changes to audit programs, and include appropriate information on the nature,
timing, and extent of steps to be performed.
4.4.3 Commonly accepted audit procedures
a. Inspection: Inspection of documents and records provides varying
degrees of reliability, depending on the nature and source of the documents.
Inspection of physical assets provides highly reliable evidence of existence and
some indication of value (if it does not appear damaged or obsolete) but not
necessarily of ownership or value.
b. Observation: Observation of the application of a client's or entity's
policy or procedure provides assurance of that procedure at a given point in
time, but not necessarily of its performance at other times during the year.
c. External confirmation: Confirmation is a written request addressed to
third parties.
d. Recalculation: Computation or recalculation provides a high level of
assurance regarding arithmetical accuracy.
e. Reperformance: Reperformance techniques may be performed manually
or through the use of computer-assisted audit techniques (CAATs).
f. Analytical procedures are used throughout the audit process for the risk
assessment - to direct attention to higher risk areas in determining the nature,
timing, and extent of audit procedures, to obtain audit evidence of accuracy or
to identify potential misstatements/errors as a substitute for tests of details, to
assist in assessing the propriety of audit conclusions reached and in evaluating
the overall opinion/report; understanding the business and to develop more
meaningful entity communications through a deeper understanding of the
relevant business and audit issues.
g. Inquiry is used throughout the engagement to obtain knowledge of the
entity; develop the preliminary audit approach; collect specific evidence; and
corroborate evidence collected by other means.
4.5 AUDITOR'S RESPONSIBILITY AND AUDIT OBJECTIVE
4.5.1 Audit objectives
The audit objective forms the basis of the audit. The objective states the
subject matter under examination and how performance will be assessed. Once
the objective is determined, the scope, criteria, and approach can be developed.

Audit objectives are normally expressed in terms of the conclusion the
audit is expected to draw regarding the entity’s performance of an activity.
They are based on the question(s) that the audit seeks to answer about the
performance of an activity or program; for example, “Did the entity have
effective procedures in place to manage its program?”
The objectives may cover a single program area or range of
responsibilities, and they may fall under the mandate area of a single entity or
multiple entities. The objectives should be based on the requirements of the
relevant legislation, regulations, and policies.
Audit objectives should be realistic and achievable and give sufficient
information to the entity and other stakeholders about the focus of the audit.
Ideally, each audit would have one audit objective that provides a clear
focus for the audit. Complex audits may need several objectives, but these
should be limited to a small number. Presenting audit objectives as clearly and
concisely as possible prevents the audit team from undertaking unnecessary or
overly ambitious audit work.
Accordingly, audit objectives are set out in detail and are in line with
auditor’s responsibility in an audit engagement.
4.5.2 Audit objectives in different phases of an audit engagement
a. To accept or continue an audit engagement, the objectives of the auditor
include:
• Establishing whether the Preconditions for an Audit are present
• Confirming that there is a common understanding between the auditor
and management and, where appropriate, Those Charged with Governance of
the terms of the audit engagement.
b. In conducting an audit of Financial Statements, the overall objectives of
the Auditor are:
• To obtain reasonable assurance about whether the financial statements as
a whole are free from material misstatement, whether due to fraud or error,
thereby enabling the Auditor to express an opinion on whether the financial
statements are prepared, in all material respects, in accordance with an
applicable financial reporting framework
• To report on the financial statements and communicate as required by
professional standards and applicable legal and regulatory requirements, in
accordance with the Auditor’s findings.
c. Audit objectives relating to quality control procedures are requirements
for the auditor at the engagement level to implement the necessary procedures to
provide reasonable assurance that:
• The audit complies with professional standards and applicable legal and
regulatory requirements
• The auditor’s report issued is appropriate in the circumstances.
d. When conducting an initial audit engagement, the objective of the
auditor with respect to opening balances is to obtain Sufficient appropriate
audit evidence about whether:
• Opening balances contain misstatements that materially affect the current
period’s financial statements
• Appropriate accounting policies reflected in the opening balances have
been consistently applied in the current period’s financial statements, or
changes thereto are appropriately accounted for and adequately presented and
disclosed in accordance with the applicable financial reporting framework.
e. When conducting an audit engagement, the objectives of the auditor include:
• Prepare audit documentation that provides a sufficient and appropriate
record of the basis for the auditor’s report
• Prepare audit documentation that provides evidence that the audit was
planned and performed in accordance with professional standards and
applicable legal and regulatory requirements
• Identify and Assess the risks of material misstatement of the financial
statements due to Fraud
• Obtain sufficient appropriate audit evidence regarding the assessed risks
of material misstatement due to fraud, through designing and implementing
appropriate responses
• Respond appropriately to fraud or suspected fraud identified during the
audit
• Obtain sufficient appropriate audit evidence regarding compliance with
the provisions of those laws and regulations generally recognized to have a
direct effect on the determination of material amounts and disclosures in the
financial statements
• Perform specified audit procedures to help identify instances of non-
compliance with other laws and regulations that may have a material effect on
the financial statements
• Respond appropriately to non-compliance or suspected non-compliance
with laws and regulations identified during the audit
• Communicate clearly with Those Charged with Governance the
responsibilities of the Auditor in relation to the financial statement audit and an
overview of the planned scope and timing of the audit
• Obtain from Those Charged with Governance information relevant to the
audit
• Provide Those Charged with Governance with timely observations
arising from the audit that are significant and relevant to their responsibility to
oversee the financial reporting process
• Promote effective communication between the auditor and Those
Charged with Governance
• Communicate appropriately to Those Charged with
Governance and management deficiencies in internal control that the auditor
has identified during the audit and that, in the auditor’s professional judgment,
are of sufficient importance to merit their respective attentions.
• Plan the audit so that it will be performed in an effective manner
• Identify and assess the risks of material misstatement, whether due to
fraud or error, at the financial statement and assertion levels, through
understanding the Entity and its environment, including the entity’s internal
control, thereby providing a basis for designing and implementing responses to
the assessed risks of material misstatement
• Apply the concept of materiality appropriately in planning and
performing the audit
• Obtain Sufficient appropriate audit evidence regarding the assessed risks
of material misstatement, through designing and implementing appropriate
responses to those risks
• Evaluate the effect of identified misstatements on the audit
• Evaluate the effect of uncorrected misstatements, if any, on the financial
statements
• Design and perform audit procedures in such a way as to enable the
auditor to obtain Sufficient appropriate audit evidence to be able to draw
reasonable conclusions on which to base the auditor’s opinion
• When using external confirmation procedures, design and perform such
procedures to obtain relevant and reliable audit evidence
• Obtain relevant and reliable audit evidence when using substantive
analytical
• Design and perform analytical procedures near the end of the audit that
assist us when forming an overall conclusion as to whether the financial
statements are consistent with our understanding of the entity
• When using audit sampling, provide a reasonable basis for the auditor to
draw conclusions about the population from which the sample is selected
• Obtain sufficient appropriate audit evidence about whether accounting
estimates, including Fair Value accounting estimates, in the financial
statements, whether recognized or disclosed are reasonable; and related
disclosures in the financial statements are adequate, in the context of the
applicable financial reporting framework
• Irrespective of whether the applicable financial reporting framework
establishes related party requirements, obtain an understanding of related party
relationships and transactions sufficient to be able:
- To recognize fraud risk factors, if any, arising from related party
relationships and transactions that are relevant to the identification and
assessment of the risks of material misstatement due to fraud
- To conclude, based on the audit evidence obtained, whether the financial
statements, insofar as they are affected by those relationships and transactions:
  - Achieve fair presentation, or
  - Are not misleading
• In addition, where the applicable financial reporting framework
establishes related party requirements, obtain sufficient appropriate audit
evidence about whether related party relationships and transactions have been
appropriately identified, accounted for and disclosed in the financial statements
in accordance with the framework
• Obtain Sufficient appropriate audit evidence about whether events
occurring between the date of the financial statements and the date of the
auditor’s report that require adjustment of, or disclosure in, the financial
statements are appropriately reflected in those financial statements in
accordance with the applicable financial reporting framework
• Respond appropriately to facts that become known to the auditor after
the date of the auditor’s report, that, had they been known to the Auditor at that
date, may have caused the auditor to amend the auditor’s report
• Obtain Sufficient appropriate audit evidence regarding the
appropriateness of management’s use of the going concern assumption in the
preparation of the financial statements
• Conclude, based on the audit evidence obtained, whether a material
uncertainty exists related to events or conditions that may cast significant doubt
on the entity’s ability to continue as a going concern
• Determine the implications for the auditor’s report related to
management’s use of the going concern assumption in the preparation and
presentation of the financial statements
• Obtain written representations from management and, where appropriate,
Those Charged with Governance that they believe that they have fulfilled their
responsibility for the preparation of the financial statements
• Support other audit evidence relevant to the financial statements or
specific Assertions in the financial statements by means of written
representations if determined necessary by the Auditor or required by
Professional Standards and applicable legal and regulatory
• Respond appropriately to written representations provided by
management and, where appropriate, Those Charged with Governance, or if
management or, where appropriate, Those Charged with Governance do not
provide the written representations requested by the auditor
• Where the entity has an internal audit function and the external auditor
expects to use the work of the function to modify the nature or timing, or
reduce the extent, of audit procedures to be performed directly by the external
auditor:
- Determine whether the work of the internal audit function can be used,
and if so, in which areas and to what extent
• Obtain sufficient appropriate audit evidence about whether the
comparative information included in the financial statements has been
presented, in all material respects, in accordance with the requirements for
comparative information in the applicable financial reporting framework
• Report in accordance with the auditor’s reporting responsibilities
• Respond appropriately when documents containing audited financial
statements and the auditor’s report thereon include other information that could
undermine the credibility of those financial statements and the auditor’s report.
f. In forming an opinion on the financial statements and in expressing that
opinion in the auditor’s report, the objectives of the auditor are to:
• Form an opinion on the financial statements based on an evaluation of
the conclusions drawn from the audit evidence obtained
• Express clearly that opinion through a written report that also describes
the basis for that opinion.
• Express clearly an appropriately modified opinion on the financial
statements that is necessary when the auditor:
- Concludes, based on the audit evidence obtained, that the financial
statements as a whole are not free from material misstatement
- Is unable to obtain sufficient appropriate audit evidence to conclude that
the financial statements as a whole are free from material misstatement
• Having formed an opinion on the financial statements, draw users’
attention, when in the auditor’s judgment it is necessary to do so, by way of
clear additional communication in the auditor’s report, to a matter, although
appropriately presented or disclosed in the financial statements, that is of such
importance that it is fundamental to users’ understanding of the financial
statements or, as appropriate, to any other matter that is relevant to users’
understanding of the audit, the auditor’s responsibilities or the auditor’s report.

REVIEW QUESTIONS AND PROBLEMS
Select one correct answer
1. An auditor tests an entity's policy of obtaining credit approval before
shipping goods to customers in support of management's financial statement
assertion of
a) Valuation or allocation.
b) Completeness.
c) Existence or occurrence.
d) Rights and obligations.
2. Which of the following audit procedures would an auditor most likely
perform to test controls relating to management's assertion concerning the
completeness of sales transactions?
a) Verify that extensions and footings on the entity's sales invoices and monthly
customer statements have been recomputed.
b) Inspect the entity's reports of prenumbered shipping documents that have not
been recorded in the sales journal.
c) Compare the invoiced prices on prenumbered sales invoices to the entity's
authorized price list.
d) Inquire about the entity's credit granting policies and the consistent
application of credit checks.
3. Which of the following internal control procedures most likely would assure
that all billed sales are correctly posted to the accounts receivable ledger?
a) Daily sales summaries are compared to daily posting to the accounts
receivable ledger.
b) Each sales invoice is supported by a prenumbered shipping document.
c) The accounts receivable ledger is reconciled daily to the control account in
the general ledger.
d) Each shipment on credit is supported by a prenumbered sales invoice.
4. Two assertions for which confirmation of accounts receivable balances
provides primary evidence are
a) Completeness and valuation.
b) Valuation, rights and obligations.
c) Rights & Obligations and existence.
d) Existence and completeness.
5. An auditor's purpose in reviewing the renewal of a note payable shortly after
the balance sheet date most likely is to obtain evidence concerning
management's assertions about
a) Existence or occurrence.
b) Presentation and disclosure.
c) Completeness.
d) Valuation or allocation.
6. In testing the existence assertion for an asset, an auditor ordinarily works
from the
a) Financial statements to the potentially unrecorded items.
b) Potentially unrecorded items to the financial statements.
c) Accounting records to the supporting evidence.
d) Supporting evidence to the accounting records.
7. An auditor's purpose in reviewing credit ratings of customers with delinquent
accounts receivable most likely is to obtain evidence concerning management's
assertions about
a) Presentation and disclosure.
b) Existence or occurrence.
c) Rights and obligations.
d) Valuation or allocation.
8. To satisfy the valuation assertion when auditing an investment accounted for
by the equity method, an auditor most likely would
a) Inspect the stock certificates evidencing the investment.
b) Examine the audited financial statements of the investee company.
c) Review the broker's advice or cancelled check for the investment's
acquisition.
d) Obtain market quotations from financial newspapers or periodicals.
9. Cut-off tests designed to detect credit sales made before the end of the year
that have been recorded in the subsequent year provide assurance about
management's assertion of
a) Presentation.
b) Completeness.
c) Rights.
d) Existence.
10. Inquiries of warehouse personnel concerning possible obsolete or slow-
moving inventory items provide assurance about management's assertion of
a) Completeness.
b) Existence.
c) Presentation.
d) Valuation.
11. Which of the following control procedures most likely would assist in
reducing control risk related to the existence or occurrence of manufacturing
transactions?
a) Perpetual inventory records are independently compared with goods on
hand.
b) Forms used for direct material requisitions are prenumbered and accounted
for.
c) Finished goods are stored in locked limited-access warehouses.
d) Subsidiary ledgers are periodically reconciled with inventory control
accounts.
12. Which of the following audit procedures probably would provide the most
reliable evidence concerning the entity's assertion of rights and obligations
related to inventories?
a) Trace test counts noted during the entity's physical count to the entity's
summarization of quantities.
b) Inspect agreements to determine whether any inventory is pledged as
collateral or subject to any liens.
c) Select the last few shipping advices used before the physical count and
determine whether the shipments were recorded as sales.
d) Inspect the open purchase order file for significant commitments that should
be considered for disclosure.
13. During an audit of an entity's stockholders' equity accounts, the auditor
determines whether there are restrictions on retained earnings resulting from
loans, agreements or state law. This audit procedure most likely is intended to
verify management's assertion of
a) Existence or occurrence.
b) Completeness.
c) Valuation or allocation.
d) Presentation and disclosure.
14. Which of the following most likely would give the most assurance
concerning the valuation assertion of accounts receivable?
a) Tracing amounts in the subsidiary ledger to details on shipping documents.
b) Comparing receivable turnover rates to industry statistics for reasonableness.
c) Inquiring about receivables pledged under loan agreements.
d) Assessing the allowance for uncollectible accounts for reasonableness.
15. An auditor most likely would inspect loan agreements under which an
entity's inventories are pledged to support management's financial statement
assertion of
a) Existence or occurrence.
b) Completeness.
c) Presentation and disclosure.
d) Valuation or allocation.
16. An auditor most likely would analyze inventory turnover rates to obtain
evidence concerning management's assertions about
a) Existence or occurrence.
b) Rights and obligations.
c) Presentation and disclosure.
d) Valuation or allocation.
17. Which of the following procedures would an auditor most likely perform to
verify management's assertion of completeness?
a) Compare a sample of shipping documents to related sales invoices.
b) Observe the client's distribution of payroll checks.
c) Confirm a sample of recorded receivables by direct communication with the
debtors.
d) Review standard bank confirmations for indications of kiting.
18. Which of the following is a substantive test that an auditor most likely
would perform to verify the existence and valuation of recorded accounts
payable?
a) Investigating the open purchase order file to ascertain that prenumbered
purchase orders are used and accounted for.
b) Receiving the client's mail, unopened, for a reasonable period of time after
the year end to search for unrecorded vendor's invoices.
c) Vouching selected entries in the accounts payable subsidiary ledger to
purchase orders and receiving reports.
d) Confirming accounts payable balances with known suppliers who have zero
balances.
19. An auditor most likely would review an entity's periodic accounting for the
numerical sequence of shipping documents and invoices to support
management's financial statement assertion of
a) Existence or occurrence.
b) Rights and obligations.
c) Valuation or allocation.
d) Completeness.
20. In auditing accounts payable, an auditor's procedures most likely would
focus primarily on management's assertion of
a) Existence or occurrence.
b) Presentation and disclosure.
c) Completeness.
d) Valuation or allocation.
21. An auditor concluded that no excessive costs for idle plant were charged to
inventory. This conclusion most likely related to the auditor's objective to
obtain evidence about the financial statement assertions regarding inventory,
including presentation and disclosure and
a) Valuation and allocation.
b) Completeness.
c) Existence or occurrence.
d) Rights and obligations.
22. An auditor selected items for test counts while observing a client's physical
inventory. The auditor then traced the test counts to the client's inventory
listing. This procedure most likely obtained evidence concerning management's
assertion of
a) Rights and obligations.
b) Completeness.
c) Existence or occurrence.
d) Valuation.
23. In testing plant and equipment balances, an auditor examines new additions
listed on an analysis of plant and equipment. This procedure most likely obtains
evidence concerning management's assertion of
a) Completeness.
b) Existence or occurrence.
c) Presentation and disclosure.
d) Valuation or allocation.
24. Which of the following most likely would give the most assurance
concerning the valuation assertion of accounts receivable?
a) Tracing amounts in the subsidiary ledger to details on shipping documents.
b) Comparing receivable turnover ratios to industry statistics for reasonableness.
c) Inquiring about receivables pledged under loan agreements.
d) Assessing the reasonableness of the allowance for doubtful accounts.
25. Cut-off tests designed to detect credit sales made before the end of the year
that have been recorded in the subsequent year provide assurance about
management's assertion of
a) Presentation.
b) Completeness.
c) Rights.
d) Existence.

CHAPTER 5
FRAUDS AND ERRORS, MATERIALITY AND RISKS IN AN AUDIT
LEARNING OBJECTIVES
1. Understand the nature of fraud and error, some factors affecting fraud and
error and the responsibilities of management and the auditor for fraud and error.
2. Understand the nature of materiality and apply materiality in planning
and performing an audit.
3. Identify some risks incurred in an audit and introduce the audit risk model.
4. Specify the relationship among materiality, risk and audit evidence.
INTRODUCTION
Frauds, errors, materiality and risks are fundamental concepts in audit
planning. These concepts require significant professional judgment by the
auditor and they directly impact the auditor’s planned audit evidence. The
auditor’s understanding of the entity and its environment, including internal
control, provides a basis for the auditor’s assessment of the risk of material
misstatement, and determining the relationship between materiality and
risks in an audit helps the auditor determine the nature, timing and extent of
audit procedures.
CONTENT
5.1. FRAUDS AND ERRORS
5.1.1. Nature of fraud and error
ISA 240, “The auditor’s responsibilities relating to fraud in an audit of
financial statements”, requires the auditor to assess fraud risk. Fraud is a
broad legal concept. However, for the purpose of an audit of financial
statements, fraud is defined as follows:
Fraud refers to an intentional act by one or more individuals among
management, those charged with governance, employees, or third parties,
involving the use of deception to obtain an unjust or illegal advantage.
The auditor is concerned with fraud that causes a material misstatement
in the financial statements. Two types of intentional misstatements are
relevant to the auditor – misstatements resulting from fraudulent financial
reporting and misstatements resulting from misappropriation of assets.
+ Fraudulent financial reporting involves intentional misstatements,
including omissions of amounts or disclosures in the financial statements, to
deceive financial statement users. Fraudulent financial reporting may be
accomplished by the following:
- Manipulation, falsification or alteration of accounting records or
supporting documentation from which the financial statements are prepared.
- Misrepresentation in, or intentional omission from, the financial
statements of events, transactions or other significant information.
- Intentional misapplication of accounting principles relating to amounts,
classification, manner of presentation or disclosure.
+ Misstatements resulting from misappropriation of assets involve the
theft of an entity’s assets, which is often perpetrated by employees or others
internal to the organization. Misappropriation of assets can be accomplished in
a variety of ways including:
- Embezzling receipts. For example, misappropriating collections on
accounts receivable or diverting receipts in respect of written-off accounts to
personal bank accounts.
- Stealing physical assets or intellectual property. For example, stealing
inventory for personal use or for sale.
Fraud risk factors related to fraudulent financial reporting and
misappropriation of assets can be classified among the three conditions
generally present when fraud exists: an incentive/pressure to perpetrate
fraud, an opportunity to carry out the fraud, and an attitude/rationalization to
justify the fraudulent action. For example:
Incentive or pressure to commit fraudulent financial reporting may exist
when management is under pressure, from sources outside or inside the entity,
to achieve an expected earnings target or financial outcome.
A perceived opportunity to commit fraud may exist when an individual
believes internal control can be overridden, for example, because the
individual is in a position of trust or has knowledge of specific deficiencies
in internal control.
Error refers to unintentional mistakes in financial statements, which
result in a misrepresentation of the financial statements. Errors may arise from
the following situations:
+ Mathematical or clerical mistakes in the underlying records;
+ Omitting transactions;
+ Misapplication of accounting standards, principles, procedures and
policies and financial regulations.
The difference between fraud and error is whether the underlying action
that results in the misstatement of the financial statements is intentional or
unintentional. Fraud is often more difficult to detect because management or
the employees perpetrating the fraud attempt to conceal the fraud.
ISA 240, “The auditor’s responsibilities relating to fraud in an audit of
financial statements”, recognizes that misstatements in the financial
statements can arise from either fraud or error. A misstatement is a difference
between the amount, classification, presentation or disclosure of a reported
financial item and the amount, classification, presentation or disclosure that is
required for the item to be in accordance with the applicable financial reporting
framework. Where the auditor expresses an opinion on whether the financial
statements are presented fairly, in all material respects, or give a true and fair
view, misstatements also include those adjustments of amounts, classifications,
presentation or disclosure that, in the auditor’s judgment, are necessary for the
financial statements to be presented fairly.
5.1.2. Factors affecting frauds and errors
When planning and performing an audit, the auditor should consider
circumstances that indicate the possibility of fraud and error. Some
circumstances or events which increase the risk of fraud and error
include:
+ Doubt concerning management’s integrity. When the auditor questions
management’s integrity, it means that the possibility of the risk of
material misstatement caused by fraud and error is higher. Some
circumstances relating to management’s integrity are as follows:
- Unusual delays by the entity in providing requested information;
- An unwillingness to add or revise disclosures in the financial statements
to make them more complete and understandable;
- An unwillingness to address identified deficiencies in internal control
on a timely basis;
- Unwillingness by management to permit the auditor to meet privately
with those charged with governance.
+ Unusual pressures within or on an entity. If there are a lot of unusual
pressures on an entity, the possibility of incurring a risk of material
misstatement due to fraud or error is higher. For example:
- Undue time pressures imposed by management to resolve complex
issues.
- Management has an incentive or is under pressure to materially misstate
the financial statements because financial stability or profitability is
threatened by economic, industry, or entity operating conditions.
- Excessive pressure for management to meet debt repayment or other
debt covenant requirements.
- Financial stability or profitability is threatened by economic, industry
or entity operating conditions;
- Excessive pressure exists for management to meet requirements or
expectations of third parties;
- The personal financial situation of management or the Board of Directors
is threatened by the entity’s financial performance.
+ Unusual transactions and events. If a lot of unusual transactions and
events occur, the auditor will assess the risk of fraud and error as higher,
for example:
- Significant unexplained items on reconciliations.
- Large numbers of credit entries and other adjustments made to accounts
receivable records.
- Missing inventory or physical assets of significant magnitude.
+ Difficulties in obtaining sufficient appropriate audit evidence, for
example:
- Missing documents.
- Unavailability of other than photocopied or electronically transmitted
documents when documents in original form are expected to exist.
- Unusual discrepancies between the entity’s records and confirmation
replies.
- Unexplained or inadequately explained differences between the
accounts receivable sub-ledger and the control account or between the
customer statements and the accounts receivable sub-ledger.
+ Factors unique to a computer information system environment relating
to the above conditions and events, for example:
- Denial of access to key IT operations staff and facilities, including
security, operation and system development personnel.
- Unwillingness to facilitate auditor access to key electronic files for
testing through the use of computer assisted audit techniques.
5.1.3. Management's responsibility for frauds and errors
The management or directors of the client have the primary responsibility
for the prevention and detection of fraud and error. In other words, the
responsibility for the prevention, detection and handling of fraud and error in
the entity rests with management through the implementation and continued
operation of an adequate accounting and internal control system.
The directors should be aware of the potential for fraud and error and
this should feature as an element of their risk assessment and corporate
governance procedures. However, it is impossible to eliminate the possibility of
fraud and error because of the inherent limitations of the accounting and
internal control systems. When the auditor reports fraud and error that
he (or she) has found, the entity should take the remedial action regarding
fraud and error that the auditor considers necessary, even when they are not
material to the financial statements. If the entity does not take the remedial
action, the auditor and the audit firm should issue an appropriate report or
withdraw from the engagement.
5.1.4. Auditor’s responsibility for frauds and errors
The auditor is responsible for obtaining reasonable assurance that the
financial statements, taken as a whole, are free from material misstatement,
whether caused by fraud or error. Therefore, the auditor has some responsibility
for considering the risk of material misstatement due to fraud or error.
However, the auditor and the audit firm are not and cannot be held responsible
for the prevention of fraud and error in the client entity.
The objective of an audit of financial statements is to express an opinion
on whether the financial statements are prepared, in all material respects, in
accordance with the accepted accounting standards and whether they
present a fair view. Therefore, through an audit, the auditor and the
audit firm have responsibility for detecting fraud and error and assessing
their effects on the financial statements. However, owing to the inherent
limitations of an audit, there is an unavoidable risk that some material
misstatements of the financial statements may not be detected, even though the
audit is properly planned and performed in accordance with ISAs. The potential
effects of inherent limitations are particularly significant in the case of
misstatement resulting from fraud. The risk of not detecting a material
misstatement resulting from fraud is higher than the risk of not detecting one
resulting from error. The auditor’s ability to detect a fraud depends on
factors such as the skilfulness of the perpetrator, the frequency and extent of
manipulation, the degree of collusion involved, the relative size of individual
amounts manipulated and the seniority of those individuals involved. While the
auditor may be able to identify potential opportunities for fraud to be
perpetrated, it is difficult for the auditor to determine whether misstatements
in judgment areas such as accounting estimates are caused by fraud or error.
Furthermore, the risk of the auditor not detecting a material misstatement
resulting from management fraud is greater than for employee fraud, because
management is frequently in a position to directly or indirectly manipulate
accounting records, present fraudulent financial information or override
control procedures designed to prevent similar frauds by other employees. The
auditor’s responsibility in an audit is as follows:
In planning the audit, the auditor and the audit firm should assess the
risk that fraud and error may exist that materially impact the financial
statements as a whole by conducting risk assessment procedures. The auditor
shall make inquiries of management regarding management’s assessment of the
risk that the financial statements may be materially misstated due to fraud,
management’s process for identifying and responding to the risk of fraud in the
entity, and management’s communication to employees and those charged with
governance regarding the risk of fraud. In accordance with ISA 315,
“Identifying and assessing the risks of material misstatement through
understanding the entity and its environment”, the auditor shall identify and
assess the risks of material misstatement due to fraud at the financial
statement level and at the assertion level for classes of transactions, account
balances and disclosures. The auditor shall treat those assessed risks of
material misstatement due to fraud as significant risks. Based on the result of
the risk assessment, the auditor should design audit procedures to obtain
reasonable assurance that fraud and error that are material to the financial
statements taken as a whole are detected.
In performing audit, the auditor seeks sufficient appropriate audit
evidence that fraud and error which may be material to the financial statements
have not occurred or that, if they have occurred, the effect of fraud is properly
reflected in the financial statements or the error is corrected. The auditor should
point out the impacts of such fraud and error on the financial statements. If the
auditor and the audit firm believe the indicated fraud or error could have a
material effect on financial statements, the auditor should perform appropriate
modified or additional procedures.
Performing modified or additional procedures would ordinarily enable
the auditor to confirm or dispel a suspicion of fraud or error. Where suspicion
of fraud and error is not dispelled by the results of modified or additional
procedures, the auditor and the audit firm should discuss the matter with
management and consider whether the matter has an effect on the financial
statements and the audit report.
The auditor and the audit firm should also communicate factual findings
to management and those charged with governance of the entity as soon as
practicable prior to the date of publication of the audited financial statements
or the issuance of the audit report. In the case of risk related to management
override of control, the auditor should perform additional audit procedures
because management is in a unique position to perpetrate fraud, given its
ability to manipulate accounting records and prepare fraudulent financial
statements by overriding controls that otherwise appear to be operating
effectively.
In the final stage of the audit, if the auditor and the audit firm conclude
that the fraud or error has a material effect on the financial statements and
has not been properly reflected or corrected in the financial statements, the
auditor should express a qualified or an adverse opinion. The auditor and the
audit firm should clearly state in the audit report any fraud and error that may
be material to the financial statements even when they are adequately
reflected in the financial statements.
In an audit, the auditor is responsible for maintaining professional
scepticism throughout the audit, considering the potential for management
override of control and recognizing the fact that audit procedures that are
effective for detecting error may not be effective in detecting fraud. When such
a risk occurs that causes material impact on the financial statements, the auditor
would consider compliance with principles and audit procedures undertaken in
the circumstances and the suitability of the audit report based on the results of
those audit procedures.
5.2. MATERIALITY IN PLANNING AND PERFORMING AN AUDIT
5.2.1. Nature of materiality in an audit
Financial reporting frameworks often discuss the concept of materiality
in the context of preparing and presenting financial statements. The Conceptual
Framework for Financial Reporting (IASB 2014, par.11) considers information
to be material if omitting or misstating it could influence decisions that users
make on the basis of the financial information. In line with the IFRS
Framework, the auditing standards consider misstatements in the financial
statements to be material if they can individually or in aggregate be expected
to influence the economic decisions of users taken on the basis of the financial
statements. These definitions refer to the auditor’s consideration
of materiality, which reflects what the auditor perceives as the view of a
reasonable person who is relying on the financial statements.
ISA 320, “Materiality in planning and performing an audit”, requires
auditors to decide on the combined amount of misstatements in the financial
statements that they would consider material early in the audit, as they are
developing the overall strategy for the audit. It refers to this as the
preliminary materiality. The preliminary judgment about materiality is thus the
maximum amount by which the auditor believes the statements could be misstated
and still not affect the decisions of reasonable users. During the audit,
auditors often change the preliminary judgment about materiality.
Another concept that needs to be considered is performance materiality.
Performance materiality means the amount or amounts set by the auditor at less
than materiality for the financial statements as a whole to reduce to an
appropriately low level the probability that the aggregate of uncorrected and
undetected misstatements exceeds materiality for the financial statements as a
whole. In other words, performance materiality also refers to the amount or
amounts set by the auditor at less than the materiality level or levels for
particular classes of transactions, account balances or disclosures.
Materiality is used in all phases of the audit of financial statements and
as such is pervasive throughout the audit process, from planning the audit to
evaluating the results of audit testing when formulating the audit opinion.
Because auditors are responsible for determining whether financial statements
are materially misstated, they must, upon discovering a material misstatement,
bring it to the client’s attention so that a correction can be made. If the
client refuses to correct the statements, the auditor must issue a qualified or
an adverse opinion, depending on the materiality of the misstatement. Setting
an appropriate materiality level helps the auditor determine the nature, timing
and extent of audit procedures.
The auditor’s determination of materiality is a matter of professional
judgment and is affected by the auditor’s perception of the financial
information needs of users of the financial statements as a group. The possible
effect of misstatements on specific individual users, whose needs may vary
widely, is not considered. When applying judgment in assessing whether
misstatements in the financial statements are material, the auditor is required
to consider both the size (quantity) and nature (quality) of the misstatement.
Materiality depends on the size of the item or error judged in the
particular circumstances of its omission or misstatement. The materiality
amount determined by the auditor does not necessarily establish a threshold
below which misstatement will always be evaluated as immaterial.
The circumstances and nature of some misstatements may result in them
being material even if they are below materiality. A number of qualitative
factors might cause a low value misstatement to be material, including, for
example, whether a misstatement: (a) changes a loss into a profit or vice versa;
(b) masks a change in earnings or other trend; (c) affects ratios used to
evaluate the entity’s financial results; (d) affects compliance with debt
covenants; or (e) increases management compensation. These qualitative factors
focus on the subjective intentions and motivations of those involved in making
disclosure decisions, without reference to the economic significance of the
information in question.
To summarize, judgment about materiality should consider both
quantitative and qualitative factors, as qualitative factors regarding the
nature and circumstances of a quantitatively small misstatement may render the
misstatement material. It can be concluded that, as a result of the interaction
of quantitative and qualitative considerations in materiality judgments,
misstatements of relatively small amounts can have a material effect on the
financial statements.
5.2.2. Application of materiality in an audit
The concept of materiality is applied by the auditor in planning and
performing the audit and in evaluating the effect of identified misstatements on
the audit and of uncorrected misstatements on the financial statements.
There are five closely related steps in applying materiality:
Step 1: Set preliminary judgment about materiality;
Step 2: Allocate preliminary judgment about materiality to segments;
Step 3: Estimate total misstatement in each segment;
Step 4: Estimate the combined misstatement;
Step 5: Compare combined estimate with preliminary or revised
judgment about materiality.
Step 1: Set preliminary judgment about materiality
The auditor should decide early in the audit the combined amount of
misstatements in the financial statements that would be considered material. It
is called a preliminary judgment about materiality because it is a professional
judgment and may change during the audit if circumstances change. This
judgment is one of the most important decisions the auditor makes. It requires
considerable professional judgment. This judgment provides a basis for
determining the nature, timing and extent of risk assessment procedures,
identifying and assessing the risks of material misstatement, and determining
the nature, timing and extent of further audit procedures.
A percentage is often applied to a chosen benchmark as a starting point
in determining materiality for the financial statements as a whole. Factors that
may affect the identification of an appropriate benchmark include the
following:
+ The elements of the financial statements, for example assets, liabilities,
equity, revenue, expenses.
+ Whether there are items on which the attention of the users of the
particular entity’s financial statements tends to be focused. For example, for
the purpose of evaluating financial performance users may tend to focus on
profit, revenue or net assets.
+ The nature of the entity, the industry and economic environment in
which the entity operates.
+ The entity’s ownership structure and the way it is financed. For
example, if an entity is financed solely by debt rather than equity, users may
put more emphasis on assets and claims on them.
+ The relative volatility of the benchmark.
Some examples of percentages applied to benchmarks that might be
considered include the following:
- For a profit oriented entity, 3 to 5 percent of profit before tax from
continuing operations, or 5 percent of total revenue.
- For a not for profit entity, 5 percent of total expense or total revenues.
- For an entity in the mutual fund industry, 5 percent of net asset value.
Based on the amount of materiality, the auditor should determine
performance materiality. Performance materiality is the amount or amounts set
by the auditor at less than materiality for the financial statements as a whole
to reduce to an appropriately low level the probability that the aggregate of
uncorrected and undetected misstatements exceeds materiality for the financial
statements as a whole. Performance materiality also refers to the amount or
amounts set by the auditor at less than the materiality level or levels for
particular classes of transactions, account balances or disclosures. Performance
materiality is to be distinguished from tolerable misstatement.
Planning the audit solely to detect individually material
misstatements overlooks the fact that the aggregate of individually immaterial
misstatements may cause the financial statements to be materially misstated
and leaves no margin for possible undetected misstatements. Performance
materiality is set to reduce to an appropriately low level the probability that
the aggregate of uncorrected and undetected misstatements exceeds materiality
for the financial statements as a whole. Similarly, performance materiality
relating to a materiality level determined for a particular class of
transactions, account balance or disclosure is set at less than that materiality
level. The determination of performance materiality is not a simple mechanical
calculation and involves the exercise of professional judgment. It is affected by
the auditor’s understanding of the entity, updated during the performance of the
risk assessment procedures, and the nature and extent of misstatements
identified in previous audits and thereby the auditor’s expectations in relation
to misstatements in the current period.
The auditor will frequently change the preliminary judgment about
materiality, and accordingly performance materiality, during the audit. This is
called the revised judgment about materiality.
Step 2: Allocate preliminary judgment about materiality to segments
Allocating the preliminary judgment about materiality to segments is
necessary because evidence is accumulated by segments rather than for the
financial statements as a whole. If auditors have a preliminary judgment about
materiality for each segment, it helps them decide the appropriate audit
evidence to accumulate.
Most auditors allocate materiality to balance sheet rather than income
statement accounts, because income statement misstatements have an equal effect
on the balance sheet due to the double-entry bookkeeping system. Therefore, the
auditor can allocate materiality to either income statement or balance sheet
accounts. When auditors allocate the preliminary judgment about materiality to
account balances, the materiality allocated to any given account balance is
referred to as tolerable misstatement.
In practice, it is often difficult to predict in advance which classes of
transactions, account balances or disclosures are most likely to be misstated,
and whether misstatements are likely to be overstatements or understatements.
Factors that may indicate the existence of one or more particular classes of

86
transactions, account balances or disclosures for which misstatements of lesser
amount than materiality for the financial statements as a whole could
reasonably be expected to influence the economic decisions of users taken on
the basis of the financial statements include the following:
+ Whether law, regulation or the applicable financial reporting
framework affects users’ expectations regarding the measurement or disclosure
of certain items.
+ The key disclosures in relation to the industry in which the entity
operates.
+ Whether attention is focused on a particular aspect of the entity’s
business that is separately disclosed in the financial statements.
Similarly, the relative costs of auditing different account balances often
cannot be determined. It is therefore a difficult professional judgment to
allocate the preliminary judgment about materiality to accounts. Accordingly,
many accounting firms have developed rigorous guidelines and sophisticated
statistical methods for doing so.
Step 3: Estimate total misstatement in each segment
The first two steps in applying materiality involve planning and the last
three steps result from performing audit tests.
When the auditor performs audit procedures for each segment of the
audit, a worksheet is kept of all misstatements found. Misstatements in an
account can be of two types: known misstatements and likely misstatements.
Known misstatements are those where the auditor can determine the
amount of the misstatement in the account. There are two types of likely
misstatements. The first are misstatements that arise from differences between
management’s and the auditor’s judgment about estimates of account balances.
The second are projections of misstatements based on the auditor’s test of a
sample from a population. These misstatements are used to estimate the total
misstatement in the segment. The total is referred to as an estimate, or often a
projection, because only a sample, rather than the entire population, was
audited, and there is a risk that the sample does not accurately represent the
population.
Step 4: Estimate the combined misstatement
The projected misstatement amounts for each class of transactions and
account balance are combined on the worksheet.
Step 5: Compare combined estimate with preliminary or revised
judgment about materiality.
In this step, the auditor should compare the combined misstatement to
materiality.
- If the estimated combined misstatement is below the preliminary
judgment, the financial statements are acceptable.
- If the estimated combined misstatement exceeds the preliminary
judgment, the financial statements are not acceptable. The auditor can either
determine whether the estimated misstatement actually exceeds that amount by
performing additional audit procedures or require the client to make an
adjustment for estimated misstatements. If additional audit procedures are
performed, they would be concentrated in the account.
If the client refuses to adjust the financial statements and the results of
extended audit procedures do not enable the auditor to conclude that the
aggregate of uncorrected misstatements is not material, the auditor should
consider the appropriate modification to the audit report in accordance with
the auditing standard “the Auditor’s report on financial statements”.
When the auditor has completed the audit, he or she must be confident
that the combined misstatements in all accounts are less than the preliminary
judgment about materiality, if the financial statements are acceptable.
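Steps 3 to 5 above can be laid out as a worksheet. The following Python sketch is an added example, not part of the textbook: the segment names, the amounts, the sign convention and the ratio method of projecting sample misstatements are all assumptions made for illustration.

```python
"""Worksheet for Steps 3 to 5 of applying materiality (added illustration).

Assumptions, none of which come from the text: the segment names and amounts
are constructed; amounts are signed (positive = overstatement, negative =
understatement); sample results are projected with the ratio method.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    name: str
    tolerable_misstatement: float        # Step 2 allocation to this account balance
    known: float = 0.0                   # amount determined, items examined in full
    judgment_difference: float = 0.0     # likely: management vs auditor estimate
    sample_misstatement: float = 0.0     # net misstatement found in the sample
    sample_book_value: float = 0.0       # book value of the items sampled
    population_book_value: float = 0.0   # book value of the sampled population

    def projected(self) -> float:
        """Likely misstatement projected from the sample to its population."""
        if self.sample_book_value == 0:
            return 0.0                   # nothing sampled, nothing to project
        return (self.sample_misstatement * self.population_book_value
                / self.sample_book_value)

    def estimated_total(self) -> float:
        """Step 3: known plus both kinds of likely misstatement."""
        return round(self.known + self.judgment_difference + self.projected(), 2)


def evaluate(segments, materiality):
    """Steps 4 and 5: combine the segment estimates and compare with materiality."""
    if materiality <= 0:
        raise ValueError("materiality must be positive")
    rows = [{"segment": s.name,
             "estimate": s.estimated_total(),
             "tolerable": s.tolerable_misstatement,
             "exceeds_tolerable": abs(s.estimated_total()) > s.tolerable_misstatement}
            for s in segments]
    # Step 4: signed amounts are summed, so over- and understatements net off.
    combined = round(sum(r["estimate"] for r in rows), 2)
    return {
        "rows": rows,
        "combined": combined,
        # Step 5: acceptable only when the combined estimate is below materiality.
        "acceptable": abs(combined) < materiality,
        # Where additional procedures or a client adjustment would be considered.
        "focus": [r["segment"] for r in rows if r["exceeds_tolerable"]],
    }


def sample_worksheet():
    """Constructed engagement data, used only to exercise the worksheet."""
    return [
        Segment("Accounts receivable", 25_000, known=2_000, judgment_difference=5_000,
                sample_misstatement=1_200, sample_book_value=100_000,
                population_book_value=1_200_000),
        Segment("Inventory", 30_000, judgment_difference=8_000,
                sample_misstatement=3_000, sample_book_value=150_000,
                population_book_value=1_500_000),
        Segment("Accounts payable", 15_000, known=-1_000,
                sample_misstatement=-500, sample_book_value=50_000,
                population_book_value=400_000),
    ]


if __name__ == "__main__":
    result = evaluate(sample_worksheet(), materiality=50_000)
    for row in result["rows"]:
        print(row)
    print("combined:", result["combined"], "acceptable:", result["acceptable"])
    print("concentrate further work on:", result["focus"])
```

With the constructed figures, the combined estimate exceeds the preliminary judgment and only the inventory estimate exceeds its tolerable misstatement, which is where additional procedures or a client adjustment would be considered. The projection carries no allowance for the risk that the sample does not represent the population.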
5.3. RISKS IN AN AUDIT
Risk is the first fundamental concept that underlies the audit process.
Because of the nature of an audit and of audit evidence, and the characteristics
of management fraud, an auditor can only provide reasonable assurance, as
opposed to absolute assurance, that the financial statements are free of material
misstatement. This risk is referred to as audit risk and it is defined as follows:
5.3.1. Audit risk
Audit risk is the risk that the auditor expresses an inappropriate audit
opinion when the financial statements are materially misstated.
Some examples of inappropriate audit opinion include the following:
+ Issuing an unqualified audit report where a qualification is reasonably
justified;
+ Issuing a qualified audit opinion where no qualification is necessary;
+ Failing to emphasize a significant matter in the audit report;
+ Providing an opinion on financial statements where no such opinion
may be reasonably given due to a significant limitation of scope in the
performance of the audit.
In practice, the auditor cannot detect all material misstatements in the
financial statements, for many reasons, even when the auditor has
complied with generally accepted auditing standards. To reduce audit risk, the
auditor would decide on a lower acceptable audit risk.
Acceptable audit risk is a measure of how willing the auditor is to accept
that the financial statements may be materially misstated after the audit is
completed and an unqualified opinion has been given. When the auditor sets a
lower acceptable audit risk, it means that the auditor wants to be more certain
that the financial statements are not materially misstated. As the audit
progresses and additional information about the client is obtained, acceptable
audit risk may be modified.
When deciding the appropriate acceptable audit risk for an audit, the
auditor should consider engagement risk and then use engagement risk to
modify acceptable audit risk. Some factors affecting engagement risk are the
degree to which external users rely on the financial statements, the likelihood
that a client will have financial difficulties after the audit report is issued and
the integrity of management.
+ The degree to which external users rely on the statements. The auditor can
more easily justify the cost of additional evidence when users would suffer loss
from material misstatement. The following factors indicate the degree to which
the statements are relied on by external users:
- Client’s size. The larger a client’s operations, the more widely the
statements are used. The client’s size, measured by total assets or total revenue,
will have an effect on acceptable audit risk.
- Distribution of ownership. The statements of publicly held corporations
are normally relied on by many more users than those of closely held
corporations.
- Nature and amount of liabilities. When statements include a large
amount of liabilities, they are more likely to be used extensively by actual and
potential creditors than when there are few liabilities.
+ The likelihood that a client will have financial difficulties after the
audit report is issued. If a client is forced to file for bankruptcy or suffers a
significant loss after completion of an audit, auditors face a greater chance of
being required to defend the quality of the audit than if the client were under no
financial strain. The natural tendency for those who lose money in a bankruptcy
or because of a stock price reversal is to file suit against the auditor. This can
result both from the honest belief that the auditor failed to conduct an adequate
audit and from the users’ desire to recover part of their loss regardless of the
adequacy of the audit work. In situations in which the auditor believes the chance
of financial failure or loss is high and a corresponding increase in engagement
risk occurs, acceptable audit risk should be reduced. It is difficult for an auditor
to predict financial failure before it occurs, but certain factors are good
indicators of its increased probability, for example, liquidity position, profit
(losses) in previous years, method of financing growth, nature of the client’s
operation, competence of management.
+ The auditor’s evaluation of management’s integrity. If a client has
questionable integrity, the auditor is likely to assess a lower acceptable audit
risk.
To summarize, in simple terms, audit risk is the risk that an auditor will
issue an unqualified opinion on materially misstated financial statements.
The auditor should perform the audit to reduce audit risk to a sufficiently low
level for expressing an opinion on the financial statements. In considering audit
risk at the overall financial statement level, the auditor considers risks of material
misstatement that relate pervasively to the financial statements and potentially
affect many assertions.
While the auditor is ultimately concerned with audit risk at the financial
statement level, as a practical matter audit risk must be considered at more
detailed levels through the course of the audit, including the account balance,
class of transaction or disclosure level. In other words, consideration of audit
risk at the assertion level means that the auditor must consider the risk that the
auditor will conclude that an assertion for a particular account balance,
transaction or disclosure is fairly stated, when in fact it is materially misstated.
Thus, at the account balance, class of transaction, or disclosure level,
audit risk consists of the risk of material misstatement and detection risk.
5.3.1.1. The risk of material misstatement
In accordance with ISA 200 Overall objectives of the independent
auditor and the conduct of an audit in accordance with International Standards
on Auditing, the risk of material misstatement is the risk that the financial
statements are materially misstated prior to audit. It means that this risk
exists independently of the audit. The auditor has no direct control over this
risk. Its level is a function of the auditee and its environment. Consequently, it
is sometimes referred to as auditee risk.
The risk of material misstatement forms the theoretical starting point for
designing further audit procedures and the auditor must assess the risk of
material misstatement in order to determine the acceptable level of detection
risk given a planned level of audit risk.
The auditor shall identify and assess the risks of material misstatement at the
financial statement level and the assertion level for classes of transactions,
account balances and disclosures to provide a basis for designing and performing
further audit procedures.
The risk of material misstatement at the financial statement level refers to risks
that relate more pervasively to the financial statements as a whole and potentially
affect many assertions. Risks of this nature are not necessarily risks identifiable
with specific assertions at the class of transactions, account balance or
disclosure level. They represent circumstances that may increase the risks of
material misstatement at the assertion level. Financial statement level risk may
be especially relevant to the auditor’s consideration of the risks of material
misstatement arising from fraud or a deficient control environment.
The risk of material misstatement at the assertion level is the risk of what can go
wrong in the assertions for each class of transactions, account balance and
disclosure. The auditor should assess risks of material misstatement at the
assertion level because such consideration directly assists in determining the
nature, timing and extent of further audit procedures at the assertion level
necessary to obtain sufficient appropriate audit evidence. This risk consists of
two components: inherent risk and control risk, described as follows at the
assertion level:
+ Inherent risk is the susceptibility of an account balance or class of
transactions to misstatement that could be material individually or when
aggregated with misstatements in other balances or classes, assuming that there
were no related internal controls. In other words, inherent risk is the risk posed by
an error or omission in a financial statement due to a factor other than a failure of
control. It should be kept in mind that inherent risk refers to all misstatements,
including misstatements that are prevented, detected and corrected by the internal
controls. Inherent risk encompasses, therefore, the risk that all possible forms of
errors and fraud could occur. Some examples of inherent risk that exist in all
organizations deal greatly with human error. For example, an organization cannot
stop an employee from making an honest mistake while entering a journal entry or
other type of entry into the accounting system.
+ Control risk is the risk that a misstatement that could occur in an
account balance or class of transactions, and that could be material individually or
when aggregated with misstatements in other balances or classes, will not be
prevented or detected and corrected on a timely basis by the accounting and
internal control systems. Control risk is one of the most important concepts of
auditing. The auditor should attempt to predict the areas where misstatements are
most and least likely. This information affects the total amount of evidence that
the auditor is required to accumulate and influences how the auditor’s efforts to
gather the evidence are allocated among the segments of the audit.
To properly assess the risks of material misstatement, auditors perform
risk assessment procedures. The auditor should obtain an understanding of
management’s objectives and strategies and the related business risks that may
result in material misstatement of the financial statements. Business risk is a risk
resulting from significant conditions, events, circumstances, actions or inactions
that could adversely affect an entity’s ability to achieve its objectives and
execute its strategies, or from the setting of inappropriate objectives and
strategies. Business activities, strategies, objectives and the business
environment are ever-changing, and the dynamic and complex nature of
business causes business risks. For example, risks arise from the development of
a new product because the product may fail or because flaws in the product
may result in lawsuits or damage to the company’s reputation. Management
develops approaches to address business risk by implementing a risk
assessment process. Business risk is a broader concept than the risk of
materially misstated financial statements. However, most business risks have the
potential to affect the financial statements either immediately or in the long run.
Auditors need to identify business risk and understand the potential
misstatements. For example, an audit client selling goods or services in a
declining industry with a shrinking customer base faces pressure to maintain
historical profit margins, which increases the risk of misstatement associated
with the valuation of assets such as receivables. In such a case, the auditor
should consider the likelihood that the client will not remain financially viable
and whether the going concern assumption is still appropriate.
To identify business risk, the auditor should obtain an understanding of the
entity and its environment, including internal control, to assess the business risks
faced by the entity. Considering how those risks are controlled or not controlled,
the auditor assesses the risk of material misstatement at the assertion level.
Table 5.1 presents an overview of the auditor’s assessment of business risk and the
risk of material misstatement.
Table 5.1 An overview of the auditor’s assessment of business risk
and the risk of material misstatement

1. Perform risk assessment procedures, covering:
+ Industry, regulatory and external factors
+ Nature of the entity
+ Objectives, strategies and business risk
+ Measurement and review of financial performance
+ Internal control
2. Identify business risks that may result in material misstatements in the
financial statements
3. Evaluate the entity’s responses to those business risks and obtain evidence of
their implementation
4. Assess the risk of material misstatement at the financial statement and
assertion level
5.3.1.2. Detection risk
Detection risk is the risk that misstatement exists in an account balance
or class of transactions that could be material individually or when aggregated
with misstatements in other balances or classes that the auditor and the audit
firm fail to detect.
Detection risk is related to the effectiveness of an auditing procedure and
of its application by the auditor. It arises partly from uncertainties that exist
when the auditor does not examine all components of an account balance or
class of transactions (sampling risk). Additional risk is present because an
auditor might select an inappropriate auditing procedure, misinterpret the audit
results or otherwise introduce human error into the process (non-sampling risk).
Detection risk may involve the following factors:
+ Appropriateness of the scope of the audit;
+ Efficiency, appropriateness and effectiveness of the auditing methods used;
+ The auditor’s professionalism, skills and experience.
In planning the audit, the auditor should predict the level of detection risk. This
is called planned detection risk. This risk depends on the other risks, such as
acceptable audit risk, inherent risk and control risk.
The determined level of detection risk assists the auditor in judging whether
sufficient, appropriate audit evidence is obtained. The auditor is able to control
detection risk, which includes both sampling and non-sampling risk, through the
performance of audit procedures.
5.3.2. Overview of audit risk model
The primary way that auditors deal with risk in planning audit evidence
is through the application of the audit risk model. The audit risk model
decomposes audit risk into the risk of material misstatement (the risk that the
financial statements are materially misstated prior to audit) and detection risk.
The risk of material misstatement consists of two components: inherent risk, which
reflects the susceptibility of an assertion about a class of transactions, account
balance or disclosure in the financial statements to a material misstatement
before consideration of any related controls, and control risk.
The audit risk model assumes that for a material misstatement to exist in the
audited financial statements, a misstatement must occur (IR), controls do not
detect it (CR) and it is not detected by the auditor (DR):
AR = RMM x DR
AR: Audit risk
RMM: Risk of material misstatement
DR: Detection risk
Expressing the audit risk model is a way of conveying the inverse
relationship between the assessed risk and detection risk. For example, when
inherent risk is assessed as high and control risk is low, the planned (acceptable)
level of detection risk needs to be medium to reduce audit risk to an acceptable
level. On the other hand, when inherent risk is low and control risk is medium,
the auditor can accept a higher detection risk and still reduce audit risk to an
acceptable level.
Thus, for a given level of audit risk, the acceptable level of detection risk
bears an inverse relationship to the assessed risk of material misstatement at
the assertion level. The compensatory nature of the audit risk model implies that
lower risk in any one component of audit risk will offset higher risk in a
combination of the other risk components. In other words, in order to maintain
overall audit risk at an acceptable level when the risk of material misstatement
is high, the auditor must reduce detection risk. So, auditors may find the model
helpful for applying a risk-driven audit approach when assessing risk at the
assertion level. For planning purposes, the audit risk model is expressed by the
following formulas:
AAR = RMM x PDR
PDR = AAR / RMM
Where:
AAR: Acceptable audit risk
PDR: Planned detection risk
RMM: Risk of material misstatement
To summarize, three steps are involved in the auditor’s use of the audit
risk model at the account balance, class of transaction, or disclosure level:
+ Setting an acceptable level of audit risk
+ Assessing the risk of material misstatement.
+ Solving the audit risk equation for the appropriate level of detection risk.
In applying the audit risk model in this manner, the auditor determines
each component of the model using either quantitative or qualitative terms. In
step 1, the auditor sets audit risk for each account balance, class of transaction,
or disclosure in such a way that, at the completion of the engagement, an
opinion can be issued on the financial statements with an acceptable level of
audit risk. Step 2 requires that the auditor assess the risk of material
misstatement. The auditor may directly assess the risk of material misstatement
– inherent risk and control risk. To assess the risk of material misstatement, the
auditor evaluates the entity’s business risks and how those business risks could
lead to material misstatement.
Any change in the risk of material misstatement that the auditor believes
exists will impact the nature, timing and extent of the work that will have to be
done by the auditor in order to reduce detection risk to a level that will result in
the planned level of audit risk. More specifically, with reference to the extent
of audit work, if the auditor assesses the risk of material misstatement as low,
the acceptable level of detection risk is correspondingly higher and less audit
work will be required. As a result, it can be deduced that even where the risk
exists that the financial statements may be materially misstated prior to audit,
the auditor can still provide an unqualified opinion by appropriately adjusting
the nature, timing and extent of audit testing.
The auditor uses the planned level of detection risk to design the audit
procedures that will reduce audit risk to an acceptable level. Planned detection
risk determines the amount of substantive evidence that the auditor plans to
accumulate. Planned detection risk is reduced by increasing substantive testing;
accordingly, additional information about the client is obtained.
However, it is not appropriate for an auditor to rely completely on their
assessment of the risk of material misstatement without performing substantive
procedures on account balances where material misstatements could exist. In
other words, even if the risk of material misstatement is judged to be very low,
the auditor must still perform some substantive procedures before concluding
that an account balance is not materially misstated.
5.4. RELATIONSHIP AMONG MATERIALITY, RISK, AND AUDIT
EVIDENCE
There is an inverse relationship between materiality and the level of
audit risk. That is, the higher the materiality level, the lower the audit risk and
vice versa. The auditor takes the inverse relationship between materiality and
audit risk into account when determining the nature, timing and extent of audit
procedures. The auditor’s assessment of materiality and audit risk may be
different at the time of initially planning the engagement from that at the time
of evaluating the results of audit procedures. This could be because of a change in
circumstances or because of a change in the auditor’s knowledge as a result of
performing audit procedures. For example, if audit procedures are performed
prior to period end, the auditor will anticipate the results of operations and the
financial position. If actual results of operations and financial position are
substantially different, the assessment of materiality and audit risk also changes.
Additionally, the auditor may, in planning the audit work, intentionally set the
acceptable materiality level at a lower level than is intended to be used to
evaluate the results of the audit. This may be done to reduce the likelihood of
undiscovered misstatements and to provide the auditor with a margin of safety
when evaluating the effect of misstatements discovered during the audit.
The audit risk model articulates the relationship between risk and audit
evidence. The audit risk model is used to better plan and perform audit
procedures to respond to the assessed risk of material misstatement by focusing
the nature, timing and extent of audit procedures on those areas where the risk
of misstatement is the greatest in order to reduce the risk of material
misstatement to an acceptable level and achieve an efficient and effective
outcome.
Lastly, there is a direct relationship between materiality and the amount
of audit evidence. That is, the higher the level of audit risk, the higher the
amount of audit evidence and vice versa. The extent of audit testing must be
sufficient to enable the auditor to assess the fair presentation of the financial
statements on which the auditor is to express an opinion, based on the results of
the audit evidence obtained from those tests. In other words, sufficient testing
should be carried out to provide evidence of the existence of any material
misstatement in the financial statement and the extent of testing is dependent
on the materiality concept. The extent of audit evidence required to obtain
reasonable assurance that the financial statements do not contain a material
misstatement varies inversely with the auditor’s materiality judgment; the
lower the materiality, the greater the extent of audit evidence and effort required
and vice versa.
It is therefore possible to deduce that in the audit context, materiality
relates to the level of audit evidence required to obtain reasonable assurance
that the financial statements do not contain a material misstatement.
Accordingly, the auditor’s judgment of materiality directly influences the
determination of the extent of evidence to be collected to support the audit
opinion and helps to guide the planning judgment about the nature, timing and
extent of audit testing.
REVIEW QUESTIONS AND PROBLEMS
1. Explain clearly the nature of fraud and error.
2. Distinguish between fraud and error. Are fraud and error material
misstatements?
3. State some circumstances that indicate the possibility of fraud and
error.
4. Explain clearly the responsibilities of management and the auditor.
5. Define the meaning of the term materiality.
6. How is materiality applied in an audit?
7. Explain what is meant by the term acceptable audit risk.
8. State some factors that affect inherent risk/control risk/detection risk.
9. Define the audit risk model and explain each term in the model.
10. Explain clearly the relationship between materiality and risk.
Case study
1. Phuong Dong has been a client of your firm for a long time. It manufactures
bathroom fittings and fixtures, which are sold to a range of wholesalers on credit.
You are the audit senior. During the course of your conversation with the
finance director, you establish that a major new customer the company had
included in its budget went bankrupt during the year.
Required:
Identify any potential risks of material misstatement for the audit of
Phuong Dong and explain why you believe they are risks.
2. You are involved with the audit of Thanh Cong, a small company. You
have been carrying out procedures to gain an understanding of the entity. The
following have come to your attention:
The company offers standard credit terms to its customers of 60 days
from the date of invoice. Statements are sent to customers on a monthly basis.
However, Thanh Cong does not employ a credit controller and other than
sending the statements on a monthly basis, it does not otherwise communicate
with its customers on a systematic basis. On occasion, the sales ledger clerk may
telephone a customer if the company has not received a payment for some time.
Some customers pay regularly according to the credit terms offered to them,
but others pay on a very haphazard basis and do not provide a remittance
advice. Sales ledger receipts are entered onto the sales ledger but not matched
to invoices remitted. The company does not produce an aged list of balances.
Required:
From the above information, assess the risk of material misstatement
arising in the financial statements. Outline the potential materiality of the risk
and discuss factors in the likelihood of the risks arising.
3. Thanh Dat Co develops, manufactures and sells a range of
pharmaceuticals and has a wide customer base across Europe and Asia. You are
the audit manager of Ocean Co and you are planning the audit of Thanh Dat Co
whose financial year end is 31 Dec. You attended a planning meeting with the
finance director and engagement partner and are now reviewing the meeting
notes in order to produce the audit strategy and plan. Revenue for the year is
forecast at $35 million.
During the year the company has spent $2 million on developing several
new products. Some of these are in the early stages of development whilst
others are nearing completion. The finance director has confirmed that all
projects are likely to be successful and so he is intending to capitalize the full
$2 million.
Once products have completed the development stage, Abrahams begins
manufacturing them. At the year end it is anticipated that there will be
significant levels of work in progress. In addition the company uses a standard
costing method to value inventory; the standard costs are set when a product is
first manufactured and are not usually updated. In order to fulfil customer
orders promptly, Thanh Dat Co has warehouses for finished goods located
across Europe and Asia; approximately one third of these are third party
warehouses where Thanh Dat just rents space.
In September a new accounting package was introduced. This is a
bespoke system developed by the information technology (IT) manager. The
old and new packages were not run in parallel as it was felt that this would be
too onerous for the accounting team. Two months after the system changeover
the IT manager left the company; a new manager has been recruited but is not
due to start work until December.
In order to fund the development of new products, Abrahams has
restructured its finance and raised $1 million through issuing shares at a
premium and $3.5 million through a long-term loan. There are bank covenants
attached to the loan, the main one relating to a minimum level of total assets. If
these covenants are breached then the loan becomes immediately repayable.
The company has a policy of revaluing land and buildings, and the finance
director has announced that all land and buildings will be revalued as at the year
end.
The reporting timetable for audit completion of Thanh Dat Co is quite
short, and the finance director would like to report results even earlier this year.
Required:
Using the information provided, identify and describe FIVE audit risks
and explain the auditor's response to each risk in planning the audit of Thanh
Dat Co.
4. Hoang Ha Co operates an airline business. The company's year end is
31 Dec 20XX.
You are the audit senior and you have started planning the audit. Your
manager has asked you to have a meeting with the client and to identify any
relevant audit risks so that the audit plan can be completed. From your meeting
you ascertain the following:
In order to expand their flight network, Hoang Ha Co will need to
acquire more airplanes; they have placed orders for another six planes at an
estimated total cost of $30m and the company is not sure whether these planes
will be received by the year end. In addition the company has spent an
estimated $17m on refurbishing their existing planes. In order to fund the
expansion Hoang Ha Co has applied for a loan of $20m. It has yet to hear from
the bank as to whether it will lend them the money.
The company receives bookings from travel agents as well as directly via
their website. The travel agents are given a 90-day credit period to pay Hoang
Ha Co, however, due to difficult trading conditions a number of the receivables
are struggling to pay. The website was launched one year ago and has
consistently encountered difficulties with customer complaints that tickets have
been booked and paid for online but Hoang Ha Co has no record of them and
hence has sold the seat to another customer.
Hoang Ha Co used to sell tickets via a large call centre located near to
their head office. However, in May they closed it down and made the large
workforce redundant.
Required:
Using the information provided, describe FIVE audit risks and explain
the auditor's response to each risk in planning the audit of Hoang Ha Co.
CHAPTER 6
INTERNAL CONTROL - AN OVERVIEW
LEARNING OBJECTIVE
1. Define internal control and each of its components
2. Clarify the relationship among management, internal control and internal
audit in an entity
3. Explain the reasons why the auditor needs to understand internal control
4. Describe the inherent limitations of internal control
5. Identify the process of understanding internal control
INTRODUCTION
After gaining an understanding of the entity and its activities and establishing a
desired level of audit risk, the auditor obtains a detailed knowledge of the
entity’s internal control and evaluates the effectiveness of its internal controls.
Once the auditor has assessed the level of reliance he can place on the entity’s
internal controls to eliminate misstatements, the audit programme can be
designed, that is, the nature, timing and extent of audit procedures to be
performed during the rest of the audit can be planned in detail.
In this chapter, we examine what is meant by internal control, how
this system is designed and operates, and its inherent limitations. We explore some
conceptual aspects of internal control and discuss how the auditor gains
knowledge of the client’s internal control. Before concluding the chapter, we
consider the process auditors conduct in order to determine whether the internal
controls on which they plan to rely are operating effectively as their preliminary
evaluation suggested and to assess the control risk.
CONTENT
6.1. NATURE OF INTERNAL CONTROL
6.1.1. History and development of internal control
The responsibility of the entity's top management is to build, maintain
and develop their business activities effectively and achieve the entity's
governance objectives. The management process consists of basic content such as
planning, organization, supplying resources, administration and control. In the
context of an organization, control is considered both a content and an
important function of the management process in an entity. This process operates
continuously at every level in the organization in order to achieve the
enterprise's targets, including control objectives. Controls beyond the entity's
activities are divided into external control and internal control. Internal
control has appeared and participated in the management process as well as
affected each of the elements of this process. There has been a variety of
definitions of internal control through its long historical evolution since
accounting and auditing appeared. The term "internal control" was traditionally
considered as "accounting controls".
An ancient view of internal control focused only on financial reporting and
was often discussed as a subject of an external audit until the twentieth century.
The global financial crisis, as well as business and accounting scandals in the
1980s that led to the collapse of many companies, especially banks, around the
world, challenged the adequacy of financial reporting systems. A
comprehensive approach to internal control (emphasizing operational
effectiveness and efficiency, compliance with laws and regulations, and
reliability of information) has been researched and provided by COSO (a
committee of the Treadway Commission, established in 1985 in the USA with the
aim of investigating the causes of fraudulent financial reporting and making
recommendations to reduce its likelihood). COSO created the 1992 COSO-control
framework and issued a revised COSO-control framework in 2013, which has been
widely accepted in practice by other professional groups around the world (such
as IAASB, INTOSAI, IIA, COCO, ICAEW, AICPA). According to the COSO
definition, the term "internal control" is defined "as a process, effected by an
entity's board of directors, management and other personnel, designed to provide
reasonable assurance regarding the achievement of objectives in the following
categories:
1. Effectiveness and efficiency of operations;
2. Reliability of financial reporting;
3. Compliance with applicable laws and regulations."
According to the new COSO Framework for external financial reporting
purposes, the new COSO definition has clarified the requirement for effective
internal control, the importance of technology, the enhancement of governance
concepts, and the focus on risk of fraud. Similarly, ISA and VSA 315, Identifying
and assessing the risks of material misstatement through understanding the
entity and its environment, also state that "Internal control – the process
designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance about the
achievement of an entity's objectives with regard to reliability of financial
reporting, effectiveness and efficiency of operations, and compliance with
applicable laws and regulations. The term "controls" refers to any aspect of one
or more of the components of internal control."
Management responsibility for internal control
Management is responsible for establishing and maintaining the entity’s
internal control. Management typically has the following concerns in designing
and operating effective internal control. In the case of achieving the
information objective, management is responsible for the preparation of financial
statements in accordance with the applicable accounting framework, such as
generally accepted accounting standards, laws and regulations relating to
financial statements. This means internal control has provided reasonable
assurance about the reliability of financial reporting. In other cases of
achieving operational and compliance objectives, management has a duty to build
and exercise resources and activities based on control requirements and
procedures in order to reach their targets. However, management designs and
operates internal control after considering both the costs and benefits of the
controls. Thus, even when internal control operates effectively, it may still
have inherent limitations.
Inherent limitations of internal control
The first reason is the conflict between the costs to build and
exercise internal control and the benefits from internal control's results in
practice. Ideally, an entity always wants to minimize costs and maximize
benefits, so fraud and error can appear anywhere in the enterprise's activities
no matter how effective internal control is. Secondly, internal controls are
affected by people and technology. The effectiveness of internal control is
always limited by the competence and ability of the people using it.
Opportunities for fraud, error or collusion always exist around the entity's
activities, thus internal control cannot prevent all misstatements even when it
operates effectively. Because of the above inherent limitations, internal control
can provide an entity with only reasonable, but not absolute, assurance about
achieving information, operation and compliance objectives.
The reasons why the external auditor understands internal control
The auditor must understand the entity's internal control to consider how
internal control is designed and operates in order to determine the audit work.
In the context of an audit of financial statements, "an understanding of internal
control assists the auditor in identifying types of potential misstatements and
factors that affect the risks of material misstatements, and in designing the
nature, timing, and extent of further audit procedures" (ISA 315.12). In a
performance audit, in order to assess the risk of fraud, the auditor should
obtain an understanding of relevant internal control to examine whether there
are signs of irregularities that hamper performance, and the entity's actions to
address any recommendations to reduce fraud (ISSAI 300, 37). In a compliance
audit, the auditor understands internal control to identify the types of control
on which the auditor focuses and assesses the risk that they may not prevent or
detect material instances of non-compliance, and especially considers whether
internal controls are in harmony with the control environment so as to ensure
compliance with the authorities in all material respects (ISSAI 400, 53).
6.1.2. Relationship among management, internal control and internal
audit in an entity
Management in an organization is a process of using resources effectively
to achieve targets. Internal control is a part of the management process and it has
impact on elements of that process. Internal auditing is a continuous process that
occurs in parallel with management activities and is an important function of
management. It helps managers to achieve their goals in management and
operation. To reach these goals of internal control, the manager must apply many
supporting tools, including internal auditing. Internal auditing is required to
understand the demand of managers, to think as managers and to help them
achieve their goals of internal control.
6.2. COMPONENTS OF INTERNAL CONTROL
COSO internal control has five (5) components, as follows: control
environment; risk assessment; control activities; information and
communication; and monitoring activities (controls). The COSO components are
widely accepted by other professional bodies when they define the elements of
internal control for audit purposes. The following components of internal
control can be discussed in the context of management in the entity and in the
audit.
6.2.1 Control environment
Control environment means the understanding, attitude, awareness and
actions of members of the boards of Management and Directors regarding the
internal control system and its importance in the entity. According to ISA 315,
the control environment includes the governance and management functions and
the attitudes, awareness, and actions of those charged with governance and
management concerning the entity's internal control and its importance in the
entity. The control environment sets the tone of an organization, influencing the
control consciousness of its people. An effective control environment will help
the sub-components operate strongly and may reduce risks of material
misstatements.
Elements of control environment include the following (principles):
1. Demonstrates commitment to integrity and ethical values: This principle
focuses on the role of top management to set the tone of an organization;
establish standards of conduct; evaluate adherence to standards of conduct;
and address deviations in a timely manner.
2. Exercises oversight responsibility: This principle focuses on matters such as
oversight responsibility, including oversight for the system of internal control.
3. Establishes structure, authority and responsibility: This principle focuses on
matters such as organizational structure, establishing reporting lines, assigning
and limiting authorities and responsibilities.
4. Demonstrates commitment to competence: This principle focuses on matters
such as establishing policies and practices; evaluating competence and
addressing shortcomings; attracting and developing individuals; planning and
preparing for succession.
5. Enforces accountability: This principle focuses on matters such as enforcing
accountability through structures, authorities and responsibility; evaluating
performance and rewarding or disciplining individuals…
6. Other factors, including management philosophy and operating style; internal
audit function; external impacts, such as Government policies, and higher
levels and professional bodies’ instructions.
In an audit of financial statements, the auditor must understand the
control environment to evaluate the top management's understanding, attitude,
awareness and actions regarding the internal control system and its importance
in the entity. This helps the auditor to assess the risks of material
misstatements. The auditor needs to know that a strong control environment
can reduce frauds and errors but cannot absolutely prevent these misstatements.
Audit evidence for the control environment may be obtained from procedures such
as inquiries, observation and inspection of documents.
6.2.2 Risk assessment
Risk assessment is a process in which the top management identifies and
analyzes risks relevant to specific objectives (for example, identifies business
risks relevant to the financial reporting objective; or identifies non-compliance
risks relevant to the compliance objective); assesses fraud risk; and identifies
significant change and decides actions to address those risks. While
management assesses risks as a part of designing and performing internal
control to reduce frauds and errors, the auditor assesses risks to decide actions
in the audit. The auditor understands risk assessment to evaluate management's
process of assessing and responding to risks, especially risks of material
misstatement for financial reporting purposes. Risks relevant to reliable
financial reporting can arise or change due to changes in operating
environment; new personnel; new information systems; rapid growth; new
technology; new business models, products, or activities; corporate
restructuring; expanded foreign operations; new accounting pronouncements or
other financial reporting requirements (New COSO Internal control
framework). Audit evidence for risk assessment may be obtained from using
questionnaires and discussion with management about the process of risk
assessment.
6.2.3. Control activities
Control activities are the policies and procedures that help ensure that
management directives are carried out. Control activities are classified into the
following five (5) types:
1. Authorization; (ISA 315 Appendix 1.10)
2. Performance reviews; (ISA 315 Appendix 1.9)
3. Information processing, including Application controls and General IT
controls; (ISA 315 Appendix 1.9)
4. Physical controls (Safeguarding of Assets); (ISA 315 Appendix 1.9)
5. Segregation of duties. (ISA 315 Appendix 1.9)
Management needs to select and develop control activities, especially
general control activities over technology, and deploy them through policies and
procedures to support the achievement of objectives. For the audit of financial
statements, the auditor shall obtain an understanding of control activities
relevant to the audit to assess the risks of material misstatements at the
assertion level and design further audit procedures responsive to assessed risk
(including risk arising from information technology) (ISA 315.20).
6.2.4. Information and Communication
The component focuses on how management uses relevant information
and communicates internally and externally with the board of directors. For the
relevant information, management identifies information requirements and
sources of data, and processes relevant data into information as well as
maintaining quality throughout processing. For the communication, management
focuses on the communication lines, method, and the persons in charge of
communication. The entity needs to consider the cost and benefit when
designing and operating information and communication components. For
financial reporting purposes, the information and communication system, which
includes the accounting system, is to initiate, record, process and report the
entity's transactions and maintain accountability for the related assets.
The auditor shall obtain an understanding of the information system,
including the related business processes, to identify how the entity's
transactions are initiated, recorded, processed and reported and consider
whether misstatements can occur if the entity does not comply with the generally
accepted accounting principles or standards. The auditor may focus on the
relevant controls within the information system relating to risks for material
classes of transactions, account balances, and disclosures and determine whether
they are designed to address the risks of material misstatements. For the
communication system, the auditor shall obtain an understanding of how the entity
communicates between management and those charged with governance, and
with regulatory authorities. The audit evidence from information and
communication will help the auditor to decide transaction-related audit
objectives in an audit of financial statements.
6.2.5. Monitoring Activities (Controls)
Monitoring activities involve conducting ongoing and/or separate evaluations
of the quality of internal control as well as evaluating and communicating
deficiencies to the parties responsible for corrective action. According to ISA
315, monitoring of controls is a process to assess the effectiveness of internal
control performance on a timely basis and take necessary remedial actions.
Management can use the internal audit function to monitor activities (or controls).
The auditor understands the monitoring factor to determine whether controls are
operating as intended and modified when needed.
6.3. THE PROCESS OF UNDERSTANDING OF THE INTERNAL
CONTROL IN AN AUDIT AND ASSESSMENT OF CONTROL RISK
According to the auditing standard on internal control, the auditor must
understand the internal control for every audit. The process of understanding
the internal control and assessing control risk (especially for audits of
financial statements and audits of internal control for financial reporting)
consists of five phases, including:
- Phase 1: Obtain an understanding of designing and implementing
entity's internal control
- Phase 2: Assess control risk
- Phase 3: Test of control
- Phase 4: Decide planned detection risk and substantive procedures
- Phase 5: Report on internal control
The following sections discuss in detail the process in each phase.
Phase 1: Obtain an understanding of designing and implementing
entity's internal control
ISA 315 states that the auditor shall obtain an understanding of the
entity, including its internal control. After understanding the entity's business
and industry, the auditor must understand the internal control as a part of risk
assessment procedures. The procedures to obtain an understanding of internal
control will be used for all controls identified in this phase, including making
inquiries of entity personnel, examining documents and records, and observing
entity activities and operations to gather audit evidence relating to how
internal control is designed and how it has been implemented in practice.
Narratives, questionnaires and flowcharts are three types of audit evidence that
the auditor uses to document internal control. A walk-through test will be used
to understand the internal control, especially for the information system, to
assure that the controls designed by management have been operated. Audit
evidence from the procedures to obtain an understanding will help the auditor to
assess control risk in the next phase.

Phase 2: Assess control risk
After obtaining an understanding of internal control in both design
and operation, the auditor shall make a preliminary assessment of control risk
as a part of the assessment of risks of material misstatement at the financial
statement level and assertion level. Before deciding the level of control risk,
the auditor shall identify existing controls suitable for the specific audits to
which the assessment applies. Only the key controls, which will be sufficient to
achieve the specific audit objectives, shall be identified and evaluated by the
auditor. For the control deficiencies, significant deficiencies and material
weaknesses will be noted to communicate to those charged with governance
and in the management letter. The auditor can assess control risk at the
assertion level (specific audit objective for each transaction), especially for
assertions relating to fraud. The level of control risk will help the auditor to
apply tests of controls. This work is usually done in the planning phase. Control
risk is evaluated at a low or moderate level when the auditor has sufficient
evidence to conclude that the internal control may be designed suitably to
prevent material misstatements, and the auditor can continue to test the
effectiveness of those controls by tests of controls. In an audit of financial
statements, an understanding of internal control will help the auditor assess the
auditability of the financial statements, identify the potential material
misstatements and all risks relating to an audit, and plan the nature, scope and
extent of the audit procedures.
Phase 3: Design and Implement tests of controls
The procedures to test the effectiveness of controls in support of a
reduced assessed control risk are called tests of controls. According to ISA 330,
The auditor’s responses to assessed risks, the auditor carries out tests of
controls under the following circumstances:
- When the auditor is intending to rely on controls to reduce audit risk; or
- When the auditor is unable to derive sufficient evidence from
substantive procedures.
The auditor can choose to perform tests of controls concurrently with
risk assessment procedures because it is efficient to do so. Audit evidence
gathered from risk assessment procedures, including tests of controls, supports
the risk assessment.

Phase 4: Decide planned detection risk and substantive tests
The result of the assessment of control risk and tests of controls will help
the auditor determine the planned detection risk. Based on the audit risk matrix,
in order to achieve the acceptable audit risk, the auditor decides the level of
planned detection risk from the risk of material misstatements, including
control risk, and determines the nature, timing and extent of substantive
procedures in the implementing phase.
Phase 5: Report on internal control
All the comments of the auditor about the internal control and control
risk decisions will be documented in the audit files. The auditor can
communicate significant deficiencies and material weaknesses in writing to
those charged with governance or note in the management letter as
consultative audit opinions. In some specific cases, the auditor must prepare a
report on the internal control according to related rules and regulations.

REVIEW QUESTIONS AND PROBLEMS
1. Define internal control and describe important elements of the
definition.
2. How does internal control benefit an organization?
3. How are the concepts of risk and internal control related?
4. Identify the components of internal control and describe the
prerequisite for designing and implementing internal control over financial
reporting.
5. List the internal control principles, and give an example for each
principle.
6. Why do external auditors need to understand their client’s internal
control over financial reporting?
7. Identify the sources from which auditors can obtain understanding of
client's internal control over financial reporting.
8. How could the result of internal control risk assessment affect the
audit approach?
True or false questions
Is the following statement true or false?
1. Effective internal control provides the auditor with an absolute
assurance that an organization will achieve its objective of reliable reporting.
2. The control environment is considered as the foundation for all other
components of internal control.
3. Only organizations in high-risk industries face a risk that they will not
achieve their objective of reliable financial reporting.
4. An organization's risk assessment process should identify risks to
reliable financial reporting from both internal and external sources.
5. There is one set of control activities that all organizations should
implement.
6. An organization's accounting system is part of its information and
communication component of internal control.
7. An organization needs information from both internal and external
sources to carry out its internal control responsibilities.
8. If management identifies even one material weakness in internal
control, then management will conclude that the organization’s internal control
over financial reporting is not effective.

9. Management will classify a control deficiency as a material weakness
only if there has been a material misstatement in the financial statements.
10. Tests of control are designed to detect material misstatements in the
financial statements.
11. The auditor is responsible for reporting all deficiencies to management
in writing.
12. Internal control questionnaires are used to determine whether there are
controls which prevent or detect specified errors or omissions.
Multiple choice questions
1. The quality of an organization’s internal controls affects which of the
following?
a. Reliability of financial data.
b. Ability of management to make good decisions.
c. Ability of the organization to remain in business.
d. Approach used by the auditor in auditing the financial statements.
e. All of the above.
2. Which of the following creates an opportunity for committing fraudulent
financial reporting in an organization?
a. Management demands financial success.
b. Poor internal control.
c. Commitments tied to debt covenants.
d. Management is aggressive in its application of accounting rules.
3. Which of the following statements regarding internal control is false?
a. Internal control is a process consisting of ongoing tasks and activities.
b. Internal control is primarily about policy manuals, forms, and
procedures.
c. Internal control is geared toward the achievement of multiple objectives.
d. A limitation of internal control is faulty human judgment.
e. All of the above statements are true.

4. Which of the following would not be considered a principle of an
organization’s control environment?
a. Independence and competence of the board.
b. Competence of accounting personnel.
c. Structures, reporting lines, and authorities and responsibilities.
d. Commitment to integrity and ethical values.
e. They would all be considered principles of the control environment.
5. Segregation of duties is best achieved in which of the following
scenarios?
a. Employees perform only one job, even though they might have access to
other records.
b. The internal audit department performs an independent test of
transactions throughout the year and reports any errors to departmental
managers.
c. The person responsible for reconciling the bank account is responsible
for cash disbursements but not for cash receipts.
d. The payroll department cannot add employees to the payroll or change
pay rates without the explicit authorization of the personnel department.
6. Which one of the following represents a control deficiency?
a. A missing control that is required for achieving objectives.
b. A control that operates as designed.
c. A control that provides reasonable, but not absolute assurance, about the
reliability of financial reporting.
d. An immaterial individual misstatement in internal control.
7. Which of the following methods of recording an accounting and controls
system is a series of questions used to determine whether controls exist which
meet specific control objectives?
a. Internal control questionnaire
b. Internal control evaluation questionnaire
c. Flowchart

8. One of the control objectives of the sales system of B Co is to ensure that
goods and services are sold to credit-worthy customers.
Which of the following control activities would assist B Co in achieving
this objective?
a. All sales orders are based on authorized price lists.
b. Credit limits are checked before sales orders are accepted.
c. Overdue debts are chased each month by the credit controller.
d. The aged-debt listing is reviewed by the finance director on a monthly
basis.
9. Which of the following is not a test of control?
a. Inspection of purchase order documentation to confirm that it has been
authorized
b. Review of monthly bank reconciliations performed by the audit client
c. Examination of purchase invoices for evidence of mathematical accuracy
checks
d. Agreement of the cost of non-current asset additions to purchase
documentation
10. The external auditor has identified a deficiency in the internal controls
of S Co.
Which of the following factors would indicate that the deficiency is a
significant deficiency?
(1) The likelihood of the deficiency leading to material misstatement is low
(2) There is a risk of fraud
(3) The number of transactions affected by the deficiency is low
(4) The deficiency interacts with other deficiencies identified
a. (1) and (2)
b. (1) and (3)
c. (2) and (4)
d. (3) and (4)

11. Which of the following statements is true regarding the controls in a
small company?
(1) The external auditor will never be able to rely on the controls in a small
company.
(2) Segregation of duties may be inadequate due to staff numbers.
(3) Evidence of the operation of controls is more likely to be available in
documentary form.
(4) The external auditor will assess the attitudes, awareness and actions of
management.
a. (1) and (3)
b. (1) and (4)
c. (2) and (3)
d. (2) and (4)
12. During the course of the audit the auditor may identify deficiencies in
internal control which must be reported to management.
Which of the following statements is correct regarding the report to
management sent by the auditor?
(1) The report must include a description of the deficiencies and an
explanation of their potential effects.
(2) The report includes an explanation of the purpose of the audit.
(3) The report states that the results of the audit work have enabled the
auditor to express an opinion on the operating effectiveness of internal control.
a. (1) and (2) only
b. (1) and (3) only
c. (2) and (3) only
d. (1), (2) and (3)

CHAPTER 7
AUDIT EVIDENCE
LEARNING OBJECTIVES
1. Contrast audit evidence with evidence used by other professions.
2. Identify the four audit evidence decisions that are needed to create an audit
program.
3. Specify the characteristics that determine the persuasiveness of evidence.
4. Identify and apply the eight types of evidence used in auditing.
INTRODUCTION
This chapter covers one of the fundamental audit concepts: audit
evidence. Audit evidence is any information used by the auditor in arriving at
the conclusions on which the audit opinion is based. Understanding the nature
and characteristics of evidence is fundamental to effective auditing and is a key
part of the concepts that you acquire in this book.
On a typical audit, most of the auditor’s work involves obtaining and
evaluating evidence using procedures such as inspection of records and
confirmations to obtain audit evidence and determine the appropriate audit
opinion. To perform this task effectively and efficiently, an auditor must
thoroughly understand the important aspects of audit evidence. This includes
understanding the sufficiency and appropriateness of audit evidence and the types
of audit procedures. Each of these topics is covered in this chapter.
CONTENTS
7.1. NATURE OF AUDIT EVIDENCE
Audit evidence was defined as any information used by the auditor to
determine whether the information being audited is stated in accordance with
the established criteria.
Audit evidence is information gathered or used by the auditor to support
his or her opinion. The nature of the evidence relates to the types of
information available to the auditor. In financial statement auditing, this
information refers to accounting records and other available information. In
performance audit, this information relates to economy, efficiency and
effectiveness of the audited operation. In compliance audit, this information
refers to compliance with regulation of audited entity.

Accounting records include records of initial entries and supporting
records, such as invoices, contracts, ledgers, journal entries, and other
adjustments to financial statements. Nowadays, accounting records are
initiated, recorded, processed and reported in electronic form. As a result, these
changes directly affect the way the auditor collects audit evidence.
The auditor may use other information as audit evidence such as board
meeting minutes, confirmations, industry analysts’ reports, control manuals,
and information obtained by the auditor from audit procedures such as inquiry,
observation, inspection.
7.2. REQUIREMENT OF AUDIT EVIDENCE
In order to issue an appropriate audit opinion, the auditor must obtain
sufficient appropriate evidence. The auditor can decide when he or she is
persuaded to issue an audit report by combining all evidence obtained from the
entire audit. The two determinants of the persuasiveness of evidence are
appropriateness and sufficiency.
7.2.1. Sufficiency
Sufficiency is the measure of the quantity of evidence obtained.
Sufficiency of evidence is measured primarily by the sample size the
auditor selects, which is determined by several factors such as the auditor’s
expectation of misstatements and the effectiveness of the client’s internal
controls.
If the auditor concludes that there is a strong likelihood of material
misstatement in the financial statements, the auditor will sample more items in
this audit than when the likelihood of material misstatement is low. Similarly,
if the auditor concludes that a client has effective rather than ineffective
internal controls, a smaller sample will be collected in the audit.
The individual items tested also affect the sufficiency of evidence.
Samples containing population items with large dollar values, items with a
strong likelihood of misstatement, and items that are representative of the
population are usually considered sufficient. In contrast, most auditors usually
consider samples insufficient that contain only the largest dollar items from the
population unless these items make up a large portion of the total population
amount.

Sufficiency of evidence is also affected by the experience and professional
judgment of the auditor. An auditor with more experience obtains a smaller
quantity of audit evidence than an auditor with less experience.
7.2.2. Appropriateness
Appropriateness of evidence is the measure of the quantity of audit
evidence. The quantity of audit evidence is affected by the level of risk and the
quality of evidence obtained. The level of risk in the area being audited will
affect the quantity of audit evidence required. The quality of evidence obtained
also affects the quantity of audit evidence. If the evidence is high quality, the
auditor may need less of it than if it were poor quality.
Relevance of Evidence. Evidence must pertain to or be relevant to the
audit objective that the auditor is testing before it can be appropriate. Relevance
can be considered only in terms of specific audit objectives, because evidence
may be relevant for one audit objective but not for another. Most evidence is
relevant for more than one, but not all, audit objectives.
Reliability of Evidence refers to the degree to which evidence can be
believable or worthy of trust. Like relevance, if evidence is considered reliable,
it is a great help in persuading the auditor that the financial statements are fairly
stated. Reliability, and therefore appropriateness, depends on the following five
characteristics of reliable evidence:

QUALITY OF EVIDENCE

External: Audit evidence from external sources is more reliable than that
obtained from the entity's records because it is from an independent source.

Auditor: Evidence obtained directly by auditors is more reliable than that
obtained indirectly or by inference.

Entity: Evidence obtained from the entity's records is more reliable when the
related control system operates effectively.

Written: Evidence in the form of documents (paper or electronic) or written
representations is more reliable than oral representations, since oral
representations can be retracted.

Originals: Original documents are more reliable than photocopies or
facsimiles, which can easily be altered by the client.

7.2.3. Audit evidence decision


The persuasiveness of evidence can be evaluated only after considering
the combination of appropriateness and sufficiency, including the effects of the
factors influencing appropriateness and sufficiency. A large sample of evidence
provided by an independent party is not persuasive unless it is relevant to the
audit objective being tested. A large sample of evidence that is relevant but not
objective is also not persuasive. Similarly, a small sample of only one or two
pieces of highly appropriate evidence also typically lacks persuasiveness.
When determining the persuasiveness of evidence, the auditor must evaluate
the degree to which both appropriateness and sufficiency, including all factors
influencing them, have been met. The auditor must therefore obtain a sufficient
amount of relevant and reliable evidence about inventory. This means deciding
which procedures to use for auditing inventory, as well as determining the
sample size and items to select from the population to satisfy the sufficiency
requirement.
Persuasiveness and Cost
In making decisions about evidence for a given audit, both cost and
persuasiveness must be considered. It is rare when only one type of evidence is
available for verifying information. The persuasiveness and cost of all
alternatives should be considered before selecting the best type or types of
evidence. The auditor’s goal is to obtain a sufficient amount of appropriate
evidence at the lowest possible total cost. However, cost is never an adequate
justification for omitting a necessary procedure or not gathering an adequate
sample size.
7.3. PROCEDURES FOR OBTAINING AUDIT EVIDENCE
The auditor can obtain audit evidence through the following procedures:
• Physical examination
• Confirmation
• Documentation
• Analytical procedures
• Inquiries of the client
• Recalculation
• Reperformance
• Observation

PROCEDURES

Inspection of tangible assets: Inspection of tangible assets that are recorded
in the accounting records confirms existence, but does not necessarily confirm
rights and obligations or valuation. Confirmation that assets seen are recorded
in accounting records gives evidence of completeness.

Inspection of documentation or records: This is the examination of documents
and records, both internal and external, in paper, electronic or other forms.
This procedure provides evidence of varying reliability, depending on the
nature, source and effectiveness of controls over production (if internal).
Inspection can provide evidence of existence (e.g. a document constituting a
financial instrument), but not necessarily of ownership or value.

Observation: This involves watching a procedure or process being performed
(for example, post opening). It is of limited use, as it only confirms the
procedure took place when the auditor was watching, and because the act of
being observed could affect how the procedure or process was performed.

Inquiry: This involves seeking information from client staff or external
sources. Strength of evidence depends on the knowledge and integrity of the
source of information. Inquiries alone do not provide sufficient audit evidence
to detect a material misstatement at assertion level, nor are they sufficient
to test the operating effectiveness of controls.

Confirmation: This is the process of obtaining a representation of information
or of an existing condition directly from a third party, e.g. confirmation from
a bank of bank balances.

Recalculation: This consists of checking the mathematical accuracy of
documents or records and can be performed through the use of IT.

Reperformance: This is the auditor's independent execution of procedures or
controls that were originally performed as part of the entity's internal
control.

Analytical procedures: Evaluating and comparing financial and/or non-financial
data for plausible relationships. Also includes the investigation of identified
fluctuations and relationships that are inconsistent with other relevant
information or deviate significantly from predicted amounts.

7.3.1 Inspection
Inspection consists of examining records, documents, financial
statements or tangible assets. Inspection includes documentation and physical
examination.
Physical examination is the inspection or count by the auditor of a
tangible asset. Physical examination, which is a direct means of verifying that
an asset actually exists, is regarded as one of the most reliable and useful types
of audit evidence. Generally, physical examination is an objective means of
ascertaining both the quantity and the description of the asset. In some cases, it
is also a useful method for evaluating an asset’s condition or quality. However,
physical examination is not sufficient evidence to verify that existing assets are
owned by the client, and in many cases the auditor is not qualified to judge
qualitative factors such as obsolescence or authenticity. Also, proper valuation
for financial statement purposes usually cannot be determined by physical
examination.

Documentation is the auditor’s examination of the client’s documents
and records to substantiate the information that is or should be included in the
financial statements. Documents can be conveniently classified as internal and
external. Such documentation provides audit evidence of varying degrees of
reliability depending on their nature and source.
Four major categories of documentary audit evidence, which provide
different degrees of reliability to the auditor, are:
+ Documentary audit evidence created and held by third parties;
+ Documentary audit evidence created by third parties and held by the
entity;
+ Documentary audit evidence created by the entity and held by third
parties; and
+ Documentary audit evidence created and held by the entity.
When auditors use documentation to support recorded transactions or
amounts, it is often referred to as vouching. To vouch recorded acquisition
transactions, the auditor might, for example, trace from the acquisition journal
to supporting vendors’ invoices and receiving reports and thereby satisfy the
existence objective. If the auditor traces from receiving reports to the
acquisition journal to satisfy the completeness objective, it would not be
appropriate to call it vouching.
7.3.2 Observation
Observation consists of looking at a process or procedure being
performed by others (use of the senses to assess certain activities).
Throughout the audit there are many opportunities to exercise sight,
hearing, touch, and smell to evaluate a wide range of things. For example, the
auditor may tour the plant to obtain a general impression of the client’s
facilities, observe whether equipment is rusty to evaluate whether it is obsolete,
and watch individuals perform accounting tasks to determine whether the
person assigned a responsibility is performing it.
Observation is rarely sufficient by itself. It is necessary to follow up
initial impressions with other kinds of corroborative evidence. Nevertheless,
observation is useful in most parts of the audit.

7.3.3 Inquiry
Inquiry consists of seeking information from knowledgeable persons
inside or outside the entity.
Inquiries, which may be formal written inquiries, direct interviews or
exchange of notes, would provide the auditor with information or with
additional information which corroborates available audit evidence.
When the auditor obtains evidence through inquiry, it is normally
necessary to obtain further corroborating evidence through other procedures.
As an illustration, when the auditor wants to obtain information about the
client’s method of recording and controlling accounting transactions, he or she
usually begins by asking the client how the internal controls operate. Later, the
auditor performs audit tests using inspection (documentation) and observation
to determine if the transactions are recorded and authorized in the manner
stated.
7.3.4 Confirmation
Confirmation consists of the response to an inquiry to corroborate
information contained in the accounting records. Confirmation describes the
receipt of a written or oral response from an independent third party verifying
the accuracy of information that was requested by the auditor. Because
confirmations come from sources independent of the client, they are a highly
regarded and often used type of evidence. However, confirmations are
relatively costly to obtain and may cause some inconvenience to those asked to
supply them. Therefore, they are not used in every instance in which they are
applicable. Because of the high reliability of confirmations, auditors typically
obtain written responses rather than oral ones whenever it is practical. Written
confirmations are easier for supervisors to review, and they provide better
support if it is necessary to demonstrate that a confirmation was received.
Whether or not confirmations should be used depends on the reliability
needs of the situation as well as the alternative evidence available.
There are three common types of confirmations used by auditors. The
first type is positive confirmation with a request for information to be supplied
by the recipient. The second is positive confirmation with the information to be
confirmed included on the form. This type of confirmation is considered less
reliable than the first one, because the recipient may sign the confirmation and
return it without carefully examining the information. The third type is negative
confirmation. A negative confirmation means that the recipient is requested to
respond only when the information is incorrect. Because confirmations are
considered significant evidence only when returned, negative confirmations are
considered less competent than positive confirmations.
To be considered reliable evidence, confirmations must be controlled by
the auditor from the time they are prepared until they are returned. If the client
controls the preparation of the confirmation, does the mailing, or receives the
responses, the auditor has lost control and with it independence, and thus the
reliability of the evidence is reduced.
7.3.5 Computation
Computation consists of checking the arithmetical accuracy of source
documents, accounting records, financial statements and related documents or
of performed independent calculations.
7.3.6 Analytical procedures
Analytical procedures consist of the analysis of significant data,
information, and ratios in order to investigate trends, fluctuations and
relationships that are inconsistent with other relevant information or deviate
from predicted amounts.
For certain immaterial accounts, analytical procedures may be the only
evidence needed. For other accounts, other types of evidence may be reduced
when analytical procedures indicate that an account balance appears
reasonable. In some cases, analytical procedures are also used to isolate
accounts or transactions that should be investigated more extensively to help in
deciding whether additional verification is needed. An example is comparison
of the current period’s total repair expense with previous year’s and
investigation of the difference, if it is significant, to determine the cause of the
increase or decrease.
Analytical procedures are important: they are required during the
planning, performing and completion phases of all audits. For certain audit
objectives or small account balances,
analytical procedures alone may be sufficient evidence. In most cases,
however, additional evidence beyond analytical procedures is also necessary to
satisfy the requirement for sufficient and competent evidence.

REVIEW QUESTIONS AND PROBLEMS
Question 1:
Which of the following techniques is generally accepted to be the most
efficient to obtain evidence regarding the existence of bank balances?
A Reperformance
B Confirmation
C Analytical procedures
D Observation
Question 2:
Audit evidence requires audit evidence to be sufficient and appropriate.
Evidence is appropriate if it is both relevant and reliable.
Required
Explain six factors that influence the sufficiency and reliability of audit
evidence.
Question 3:
PAPA Co manufactures chemicals and has a factory and four offsite
storage locations for finished goods.
PAPA Co's year end was 30 April 2015. The final audit is almost
complete and the financial statements and audit report are due to be signed next
week. Revenue for the year is $55 million and profit before taxation is $5.6
million.
The following two events have occurred subsequent to the year end. No
amendments or disclosures have been made in the financial statements.
Event 1 – Defective chemicals
PAPA Co undertakes extensive quality control checks prior to dispatch
of any chemicals. Testing on 3 May 2015 found that a batch of chemicals
produced in April was defective. The cost of this batch was $0.85 million. In its
current condition it can be sold at a scrap value of $0.1 million. The costs of
correcting the defect are too significant for PAPA Co's management to consider
this an alternative option.

Event 2 – Explosion
An explosion occurred at the smallest of the four offsite storage locations
on 20 May 2013. This resulted in some damage to inventory and property, plant
and equipment. PAPA Co's management have investigated the cause of the
explosion and believe that they are unlikely to be able to claim on their
insurance. Management of PAPA Co has estimated that the value of damaged
inventory and property, plant and equipment was $0.9 million and it now has
no scrap value.
Required
For each of the two events above:
(i) Explain whether the financial statements require amendment.
(ii) Describe audit procedures that should be performed in order to form
a conclusion on any required amendment.
Question 4:
Corbo Co (Cor) operates a chain of hotels across the country. Cor
employs in excess of 250 permanent employees and its year end is 31 August
20X4. You are the audit supervisor of Viol & Co, which has audited Cor for a
number of years.
At Cor, permanent employees work a standard number of hours per week
as specified in their employment contract. However, when the hotels are busy,
staff can be requested by management to work additional shifts as overtime.
This can either be paid on a monthly basis or taken as days off.
The overtime is recorded manually, and the resulting gross and net pay
of each employee is then calculated automatically by the payroll system.
Wages are increased by the rate of inflation each year and the clerks are
responsible for updating the standing data in the payroll system.
Employees are paid on a monthly basis by bank transfer for their
contracted weekly hours and for any overtime worked in the previous month.
The payroll package produces a list of payments per employee; this links into
the bank system to produce a list of automatic payments.
Trombone deducts employment taxes from its employees' wages on a
monthly basis and pays these to the local taxation authorities in the following
month. At the year end the financial statements will contain an accrual for
income tax payable on employment income.
Required
(a) Describe substantive procedures you should perform at the final
audit to confirm the completeness and accuracy of Cor's payroll expense.
(b) Describe the audit procedures required in respect of the year end
accrual for tax payable on employment 


PART THREE: AUDIT TESTS AND SAMPLING
CHAPTER 8: AUDIT TESTS
CHAPTER 9: AUDIT SAMPLING
CHAPTER 10: AUDIT IN AN EDP SYSTEM

CHAPTER 8
AUDIT TESTS
LEARNING OBJECTIVE
1. Overview of general audit methodology, including the definition of audit
methodology, the contents and the importance of audit methodology.
2. Clarify the nature of audit tests and classify three types of audit test,
including risk assessment procedures, tests of controls and substantive tests.
INTRODUCTION
The financial statements of a corporate entity comprise a set of statements
by the entity’s directors which, taken together, provide a picture of the entity’s
financial position, the results of its operations and its cash flow. These
statements are presented as account balances, a statement of accounting
policies and notes to the financial statements. The accounting policies and notes
explain, among other things, the bases on which the financial statements have
been prepared.
The auditor is required to express an opinion on whether or not the
financial statements give a true and fair view of the entity’s state of affairs and
its profit or loss. To accomplish this, the auditor obtains audit evidence by an
appropriate audit methodology with appropriate audit procedures, including tests
of control and substantive procedures.
In this chapter, we examine the significance of audit methodology and its
content and discuss the nature of audit tests and the impact of risk assessment
on audit tests. We also explore the impact of internal control evaluation on
substantive procedures testing. More particularly, we discuss specific analytical
procedures and procedures used for testing the details of the financial statement
balances – whether this should be through testing the transactions which
generate the balances or testing the balances directly.

CONTENTS
8.1. GENERAL AUDIT METHODOLOGY
8.1.1. Definition of audit methodology
Auditing methodologies consist of the measures, manners and procedures
applied in the audit to achieve the purpose of the audit. These methods are
products of scientific awareness of the auditing process and of the client’s
practical business and manufacturing activities. Appropriate auditing methods
are a significant tool for improving the quality and effectiveness of the auditing
process. On the other hand, the auditing process is a condition for establishing
auditing methods scientifically and effectively.
The theoretical foundation of audit method is dialectical materialism,
which requires issues to be considered in terms of their universal relationships,
motion and mutual impact. An audit should not be carried out only by reviewing
invoices, documents or other materials. These data, documents and financial
statements are only images of information recorded from receipts, which may
not reflect reality. An audit is not as simple as an inspection of receipts and
documents. Therefore, the audit process should not be regarded as merely a
process of accounting inspection.
For those reasons, the audit method applied in the audit process is an overall
application of collecting methods such as inspection, comparison, calculation,
examination, review, analysis, supervision, investigation, verification,
interview, inquiry, and confirmation.
Audit approach is a broader concept than audit methodology. The audit
approach can be seen as the map auditors use in the audit process to achieve the
audit objective. The purpose of the audit approach is to assist the auditor to obtain
sufficient and appropriate audit evidence in order to justify the auditor’s
opinion. An approach can play an important role in ensuring
adherence to the responsibilities of auditors in the performance of the audit.
There are many audit approaches, for example the systems-based approach and
the risk-based audit approach. The systems-based approach requires auditors to
assess the effectiveness of the internal control of an entity, and then to direct
substantive procedures primarily to those areas where it is considered that system
objectives will not be met. Reduced testing is carried out in those areas where it
is considered system objectives will be met. In the risk-based
approach, by contrast, audit resources are directed towards those areas of the
financial statements that may contain misstatements as a consequence of risks
faced by the business.
Essentially there are four different audit approaches:
+ The substantive procedures approach.
+ The balance sheet approach.
+ The system-based approach.
+ The risk-based approach.
a. The substantive procedures approach
This is also referred to as the vouching approach or the direct verification
approach. In this approach, audit resources are targeted on testing large volumes
of transactions and account balances without any particular focus on specified
areas of the financial statements.
b. The balance sheet approach
In this approach, substantive procedures are focused on balance sheet
accounts, with only very limited procedures being carried out on the income
statement. The justification for this approach is the notion that if the relevant
management assertions for all balance sheet accounts are tested and verified,
then the profit/loss figure reported for the accounting period will not be
materially misstated.
c. The system-based approach
The system-based approach is applied in an audit in which the nature and
depth of the testing depend on the auditor’s assessment of the internal control
system and these assessments form the main part of the audit. In other words,
this approach requires auditors to assess the effectiveness of the internal
controls of an entity, and then to direct substantive procedures primarily to
those areas where it is considered that systems objectives will not be met.
Reduced testing is carried out in those areas where it is considered systems
objectives will be met.
d. The risk-based approach
A new audit approach has been developed which is not only
efficient but also effective and helps develop a comfortable working
relationship between the practitioner and the client. This is the risk-based
approach, which is the one used nowadays by audit firms to complete audit
assignments. In this approach, audit resources are directed towards those areas
of the financial statements that may contain misstatements (either by error or
omission) as a consequence of the risks faced by the business. At an overview
level, performing a risk-based audit involves three main steps.
The first step requires the auditor to obtain an understanding of the entity
and its environment and to assess the risks of material misstatement by
performing risk assessment procedures. Given the nature of the audit process,
every audit assignment presents a different challenge to an audit firm, with no
two audit assignments being the same. For example, no two entities are the
same in terms of business sector, location, size, employees, governance issues,
and complexity of operation. However, it is generally accepted that for most
entities of size, the risk-based audit approach will minimize the possibility of
the audit objective not being met. Consequently, ISA 315, Identifying and
Assessing the Risks of Material Misstatement through Understanding the Entity
and Its Environment, compels auditors to adopt a risk-based approach to audit.
In so doing, it requires the auditor to make a risk assessment of material
misstatement, including internal controls.
As the auditor is required to focus on the entity and its environment
when making the risk assessment, this is known as the “top down” approach to
identifying risks. The word “top” refers to the day-to-day operations of the entity
and the environment in which it operates; “down” refers to the financial
statements of the entity. In summary, this approach requires auditors to identify
the key day-to-day risks faced by a business, to consider the impact these risks
could have on the financial statements, and then to plan their audit procedures
accordingly.
For this reason, the approach is often referred to as the “business risk
approach”. When adopting this approach, in order to facilitate the identification
of risks and the assessment of their effect on the financial statements, risks are
categorized as financial risks, compliance risks and operational risks.
The second step requires the auditor to use that knowledge to assess the
risk of material misstatement at both the overall financial statement level and
the assertion level for classes of transactions, account balances and disclosures.
The third step requires the auditor to obtain audit evidence by designing
and performing audit procedures that respond to the assessed risk of material
misstatement for the relevant classes of transactions, account balances and
disclosures. A risk-based audit should be a continuous,
dynamic and recursive process of risk assessment, with a corresponding update
to the risk response that the auditor implements to obtain sufficient appropriate
audit evidence.
The underlying principle of the risk-based approach is that the auditor
should devote more resources to classes of transactions, account balances and
disclosures that are likely to be misstated and less to those that are less likely to
be misstated. The adoption of a risk-based approach is associated with
changes in the scope of the auditor’s planning and risk assessment processes
and in the related evidence gathering procedures.
To summarize, the risk-based audit approach provides a framework for
enhanced audit efficiency and effectiveness through the focus of audit
procedures on responding to assessed risks, at both the overall financial
statement level and the assertion level. In determining a sufficient and
appropriate audit response to the auditor’s understanding and assessment of
client risks, the risk-based approach also improves audit quality.
8.1.2. Contents of audit methodology
The audit method applied in the audit process is an overall application of
collecting methods such as inspection, comparison, calculation, examination,
review, analysis, supervision, investigation, verification, interview, inquiry, and
confirmation. The application of the audit method is implemented over 5
steps:
Step 1: Based on the logical relationship between account balances and
classes of transactions in the financial statements, the auditor chooses
material items (choosing the research topic), in light of the auditor’s opinions
about materiality, timing and audit cost.
Step 2: Based on the chosen topic, the auditor makes assumptions about the
possible mistakes and chooses the most likely assumption (according to
his/her experience and logic).
Step 3: Based on the assumption chosen in step 2, the auditor collects evidence
to prove the assumption.
Step 4: The auditor analyzes and evaluates the evidence to confirm the
assumptions. He/she may collect more evidence to prove them.
Step 5: The auditor comments in the audit report on the proved
assumption.
Following the steps of the general auditing method helps the auditor
eliminate audit risks, leads the audit work in the right direction, increases
effectiveness and achieves savings.
Auditing applies specific professional methods to achieve its
objective. With regard to the recording and monitoring of the economic
transactions arising in the financial statements, there are two auditing methods:
the substantive auditing method (basic testing: checking audit data from the
accounting system) and the test of control (assessing and evaluating the policies,
principles and control procedures of the internal control system).
8.1.3. The importance of audit methodology
The only defence auditors have against the anger of stakeholders in
instances of corporate failure is sufficient, appropriate audit evidence that can
prove their innocence. This audit evidence should be the result of a well-planned
and well-performed audit. The audit method is therefore a crucial
component in the performance of an audit. Audit methodologies have
developed due to the needs of clients and the business environment. The
improvement of audit methodologies is therefore important.
An audit methodology should be designed to provide reasonable assurance
that the financial statements, taken as a whole, are free from material misstatement.
If the auditor designs and implements an inappropriate audit method,
audit risk will arise. This may lead to an incorrect opinion being expressed on
whether the financial statements are true and fair in all material respects. This
directly affects audit quality and, accordingly, interested parties may not be
able to make suitable decisions.
In summary, the audit method plays an important role in performing an audit.
The type of audit method chosen depends on the professional judgment of the
auditor and needs to be considered carefully.
8.2. AUDIT TESTS
Audit tests are a key concept in auditing. It is necessary to understand the
nature and contents of audit tests.

8.2.1. Nature of audit tests
Audit tests are procedures applied to a sample within a population. The
purpose of an audit test is to assure that no material exceptions are included in
the sample. The results of these tests allow the auditor to collect sufficient
appropriate audit evidence to be able to conclude with reasonable assurance
that the financial statements are free of material misstatement.
In developing an overall audit plan, auditors use three types of audit test
to determine whether the financial statements are fairly stated. Those are risk
assessment procedures, tests of control and tests of details of transactions and
account balances.
The auditor should perform risk assessment procedures to understand the entity
and its environment and assess the risk of material misstatement, represented
by the combination of inherent risk and control risk. The other two types of test
represent further audit procedures performed in response to the risks identified.
If the client’s internal control is good, there is a reduced likelihood that
there will be an error in the financial statements and the auditor will reduce the
amount of audit work to be carried out. If the internal control system is poor,
the auditor will have to perform much more work as the audit is the only
defence left against a material misstatement appearing in the financial
statements.
Therefore, the auditor must assess the effectiveness of the internal
control. This means investigating both its design and operation. The operation
of the internal controls is assessed by carrying out tests of control. Besides, the
auditor must also obtain additional direct evidence about the amounts shown in
the financial statements. This evidence is obtained using tests of details of
transactions and balances.
8.2.2. Risk assessment procedures
Risk assessment procedures are performed to assess the risk of material
misstatement at the financial statement and assertion levels through obtaining an
understanding of the entity and its environment, including the entity’s internal
control. The auditor’s understanding includes knowledge about the following
categories:
+ Industry, regulatory and other external factors. Obtaining an
understanding of these factors assists the auditor in identifying risks of material
misstatement. Some industries are subject to risk of material misstatement as a
result of unique accounting estimates. For example, a property and insurance
company needs to establish a loss reserve based on historical data that may be
subject to misstatement.
+ Nature of the entity. The nature of an entity refers to the client’s
operations, its ownership, governance, the types of investments that it is
making and plans to make, the way the entity is structured and how it is
financed. An understanding of the nature of an entity gives the auditor a better
idea of what to expect in the financial statements. For example, an entity with a
complex structure may give rise to a risk of material misstatement as a result of
the accounting for investments in joint ventures, subsidiaries, equity investments
or variable interest entities.
+ Objectives and strategies and related business risk. The auditor must
identify and understand the entity’s objectives, the strategies to achieve those
objectives, and the business risks associated with those objectives and strategies.
+ Measurement and review of the entity’s financial performance.
Internally generated information used by management to measure and review
the entity’s financial performance may include key performance indicators
(KPIs). When the auditor intends to make use of the performance measures for
the purpose of the audit, the auditor should consider whether the information
provided is reliable and trustworthy and whether it is sufficiently detailed or
precise.
+ Internal control. The auditor should understand a number of
components of internal control, such as the control environment, control activities,
monitoring of controls, risk assessment, and information and communication. A major
part of the auditor’s risk assessment procedures is done to obtain an
understanding of internal control.
The risk assessment procedures shall include the following:
+ Inquiries of management and of others within the entity who in the
auditor’s judgment may have information that is likely to assist in identifying
risks of material misstatement. Depending on the circumstances, the auditor
might make inquiries of those charged with governance, internal audit
personnel, employees involved in initiating, authorizing, processing or
recording complex or unusual transactions, in-house legal counsel, and
production, marketing, sales and other personnel. For example, inquiries
may be directed to the in-house legal counsel about issues such as litigation,
compliance with laws and regulations and the meaning of contract terms…
+ Analytical procedures. Auditors perform preliminary analytical
procedures to better understand the client’s business and to assess client
business risk. Such preliminary tests can reveal unusual changes in ratios
compared to the prior year, or to industry averages, and help the auditor identify areas
with increased risk of material misstatement that require further attention
during the audit. For example, an auditor computes a client’s inventory
turnover ratio for the last five years. The result of this analysis is compared to
industry data.
+ Observation and inspection. These procedures may support inquiries of
management and others, and may also provide information about the entity and
its environment. Observation and inspection include audit procedures such as:
- Observation of entity activities and operations.
- Inspection of documents, records and internal control manuals.
- Visits to the entity’s premises and plant facilities…
Nowadays, most entities apply information technology (IT) to
record and process business transactions. In this context, the auditor should
gather information about the entity’s information technology and its impact
on the assessment of the risk of material misstatement. Clearly, if IT systems fail,
organizations can be paralyzed by the inability to retrieve information or by the
use of unreliable information caused by processing errors. These risks increase
the likelihood of material misstatement in the financial statements. This is the
reason why the auditor must be knowledgeable about general and application
controls, whether the client’s use of IT is simple or complex. The six
categories of general controls have an entity-wide effect on all IT functions.
Those are administration of the IT function, separation of IT duties, system
development, physical and online security, backup and contingency planning.
Application controls are designed for each software application and are
intended to help a company satisfy the six transaction-related audit objectives.
They fall into three categories: input, processing and output.
The auditor should perform similar procedures to gather information about
general and application controls, for example, analytical procedures, observation
and inspection.
8.2.3. Tests of controls
Tests of controls are performed to obtain audit evidence about the
effectiveness of the accounting and internal controls.
Most assessments, evaluations and inspections depend on the client’s control
principles and procedures. The client’s internal control principles and procedures
are efficient when the internal controls are operated strongly and effectively.
The evidence gathered by using tests of controls must relate to:
+ The design of the accounting and internal controls, that is, whether
they are suitably designed to prevent or detect and correct material
misstatements; and
+ Operation of the accounting and internal controls throughout the
period, that is, whether they are operated continuously and effectively. In
designing and performing tests of controls, the auditor shall obtain audit evidence
about the operating effectiveness of the controls, including:
- How the controls were applied at relevant times during the period under
audit;
- The consistency with which they were applied;
- By whom or by what means they were applied.
Tests of controls cannot be applied in all audits. The auditor shall design
and perform tests of controls to obtain sufficient appropriate audit evidence as to
the operating effectiveness of relevant controls if:
+ The auditor’s assessment of risks of material misstatement at the
assertion level includes an expectation that the controls are operating
effectively (that is, the auditor intends to rely on the operating effectiveness of
controls in determining the nature, timing and extent of substantive
procedures).
+ In some cases, the auditor may find it impossible to design effective
substantive procedures that by themselves provide sufficient appropriate audit
evidence at the assertion level. This may occur when an entity conducts its
business using IT and no documentation of transactions is produced or
maintained, other than through the information technology system. In such
cases, the auditor should perform tests of relevant controls.
AS5 recognizes that the more extensively a control is tested, the greater
the evidence obtained from that test. However, the standard does not provide any
detailed guidance on what constitutes a sufficient sample for testing the
operating effectiveness of the control. This is left to the auditor as a matter of
professional judgment. The auditor should consider the following factors when
deciding on the extent of testing: nature of the control, frequency of operation
and importance of the control.
If the results of tests of controls show that the internal controls operate
strongly and effectively, the extent of substantive tests will be less, and vice
versa. When evaluating the operating effectiveness of relevant controls, the
auditor shall evaluate whether misstatements that have been detected by
substantive procedures indicate that controls are not operating effectively.
In addition, the auditor may design a test of controls to be performed
concurrently with a test of details on the same transaction. Although the
purpose of a test of controls is different from the purpose of a test of details,
both may be accomplished concurrently by performing a test of controls and a
test of details on the same transaction, also known as a dual purpose test.
Two techniques are applied in this method: the walk-through test and
detailed tests of controls.
a. Walk-through test
A walk-through test follows the same transactions from
their beginning to the end of the system in order to evaluate the control
steps applied in the audit client’s system.
The walk-through test is normally applied to one or a few transactions and
follows each transaction through the entire process. For example, the auditor
may select one sales transaction for a system walkthrough of the credit
approval process, then follow the credit approval process from initiation of the
sale transaction through the granting of credit.
Three commonly used methods of documenting the understanding of
internal controls are: narratives, flowcharts, and internal control questionnaires.
A narrative is a written description of a client’s internal controls. An
internal control flowchart is a diagram of the client’s documents and their
sequential flow in the organization. An adequate flowchart includes the same
four characteristics identified for narratives. An internal control questionnaire
asks a series of questions about the controls in each audit area as a means of
identifying internal control deficiencies.
These may be used separately or in combination, depending on the specific
situation.
The inspection helps the auditor obtain an understanding of internal
control and make a preliminary assessment of control risk. If control risk is
assessed at less than high (low or medium), the auditor can perform detailed
tests of controls.
b. Detailed tests of controls
Detailed tests of controls are performed to obtain audit evidence about
the effectiveness of control procedures and principles throughout all, or at least
most, of the period under audit. The result of this method is used to determine
the content and scope of substantive tests.
An auditor evaluates the operating effectiveness of a control by
determining whether the control is operating as designed and whether the
person performing the control possesses the necessary authority and
competence to perform the control effectively. In testing the operating
effectiveness of controls, the auditor needs to consider the scope of testing. For
each control selected for testing, the evidence necessary to persuade the auditor
that the control is effective depends on the risk associated with the control. The
risk associated with a control consists of the risk that the control might not be
effective and, if not effective, the risk that a material weakness would result. As
the risk associated with the control being tested increases, the quality and/or
quantity of the evidence that the auditor should obtain also increases.
The procedures for detailed tests of controls include:
- Make inquiries of client personnel;
- Observe control-related activities;
- Reperform client procedures;
- Inspect/examine documents.
8.2.4. Substantive tests
Substantive tests are the second type of test and the most important tests in an
audit. Substantive tests are designed and applied to collect sufficient competent
audit evidence that is provided and processed by the accounting system. A
substantive test is a procedure designed to test for dollar (or monetary)
misstatements directly affecting the correctness of financial statement accounts.
The purpose of this method is to collect audit evidence to detect
material misstatements in the financial statements. All of the auditor’s experience,
analysis and evaluations are based on the figures and information in the financial
statements and supplementary information from the accounting system. Substantive
tests are only relevant to monetary value.
This method is applied in most audits; however, its scope and level
depend on the effectiveness of internal controls. When internal control is
sufficient, a high-quality audit requires the auditor to combine substantive tests
closely with tests of controls.
The content of substantive tests consists of analytical procedures and tests
of details of transactions and balances.
8.2.4.1. Analytical procedures
Analytical procedures are defined as the evaluation of figures and
information in financial statements through analysis of plausible relationships
among financial and nonfinancial data.
Analytical procedures may be performed at any of three times during an
audit: the planning, implementing and completing phases.
In the planning phase, analytical procedures are performed to obtain an
understanding of the business and its environment, to help assess the risk of
material misstatement in order to determine the nature, timing and extent of
audit procedures to be performed. In particular, these procedures also help the
auditor identify the existence of unusual transactions or events, and amounts,
ratios and trends that might indicate matters that have audit implications. Unusual
or unexpected relationships that are identified may assist the auditor in
identifying risks of material misstatement, especially risks of material
misstatement due to fraud.
In the implementing phase, they are performed to obtain audit evidence and
are often done in conjunction with other audit tests. They are used as substantive
procedures when the auditor considers that the use of analytical procedures can be
more effective or efficient than tests of details in reducing the risk of material
misstatement at the assertion level to an acceptably low level.
Analytical procedures are also required to be done during the completion
stage and help the auditor take a final “objective look” at the audited financial
statements. The auditor must evaluate the appropriate audit evidence and reach
conclusions about the true and fair presentation of the financial statements. The
conclusions drawn from the results of analytical procedures designed and
performed are intended to corroborate conclusions formed during the audit of
individual components or elements of the financial statements. This assists the
auditor to draw reasonable conclusions on which the auditor’s opinion is based.
There are several types of analytical procedures commonly used:
+ Trend analysis: the analysis of changes in an account over time.
The auditor evaluates the fluctuation of each account by comparing client
data for the current period with similar prior-period data, comparing client data
with client-determined expected results (which may use nonfinancial data), or
comparing the client’s actual data with industry data.
+ Ratio analysis: relies on the relationships and percentages among
different account balances or classes of transactions for comparison and
evaluation.
The auditor can apply one or more common financial ratios during planning
and final review of the audited financial statements. For example:
(1) Short-term debt-paying ability ratios include: current ratio, quick
ratio, cash ratio;
(2) Short-term liquidity ratios include: average accounts receivable
turnover, average days to collect, average inventory turnover, average days to
sell, average days to convert inventory to cash;
(3) Operating and performance ratios include: efficiency ratio, profit
margin ratio, profitability ratio, return on total assets ratio, return on common
equity ratio, etc.
+ Reasonableness testing: the analysis of accounts, or changes in
accounts between accounting periods, that involves the development of a model
to form an expectation based on financial data, non-financial data or both.
Each of the types uses a different method to form an expectation. They
are ranked in order of their inherent precision, from lowest to highest. If the
auditor needs a high level of assurance from a substantive analytical procedure,
the auditor should develop a relatively precise expectation by selecting an
appropriate analytical procedure. Thus, determining which type of substantive
analytical procedure to use is a matter of professional judgment.
8.2.4.2. Test of detail of transactions, account balances and disclosure
Tests of details of transactions, account balances and disclosures evaluate
the client’s recording of transactions by verifying the dollar amounts of
transactions (called substantive tests of transactions) and test for monetary
misstatements in the account balances in the financial statements (called tests
of details of balances and disclosure).
Regardless of the result of risk assessment, the auditor must perform tests of
details to verify the dollar amounts of transactions, account balances and
disclosures in the financial statements. When conducting tests of details of
transactions, account balances and disclosures, the auditor should use a series
of audit procedures, for example confirmation, physical examination, recalculation,
documentation…
The contents of this method include:
(1) Contents of substantive tests of transactions
The auditor must obtain sufficient competent evidence to support all
management assertions in the financial statements. Thus the purpose of
substantive tests of transactions is to satisfy transaction-related audit objectives.
These objectives include:
- Occurrence: Transactions and events that have been recorded have
occurred and pertain to the entity.
- Completeness: All transactions and events that should have been
recorded have been recorded.
- Accuracy: Amounts and other data relating to recorded transactions and
events have been recorded appropriately.
- Cut-off: Transactions and events have been recorded in the correct
accounting period.
- Classification: Transactions and events have been recorded in the proper
account.
Substantive tests of transactions test for errors or fraud in individual
transactions. For example, an auditor may examine a large purchase of
inventory by testing that the cost of the goods included on the vendor’s invoice
is properly recorded in the inventory and accounts payable accounts. This gives
the auditor evidence about the occurrence, completeness and accuracy
assertions.
(2) Contents of tests of details of balances and disclosure
Tests of details of account balances and disclosures focus on the items that
are contained in the financial statement account balances and disclosures.
These important tests establish whether any material misstatements are included
in the accounts or disclosures in the financial statements. For example, the
auditor may test accounts payable. To test the details of the accounts payable
account, the auditor can examine a sample of the individual vendor invoices
that make up the ending balance in accounts payable. In examining this
documentation, the auditor is concerned with testing the existence and
valuation assertions. Additionally, the auditor may send confirmations to
vendors with zero balances in their accounts in order to test the completeness
assertion.
The purpose of tests of details of balances is to meet balance-related
audit objectives. These objectives include:
- Existence: Assets, liabilities and equity exist;
- Rights and obligations: the entity holds or controls the rights to assets,
and liabilities are the obligations of the entity;
- Completeness: all assets, liabilities and equity that should have been
recorded have been recorded;
- Valuation and allocation: Assets, liabilities and equity interests are
included in the financial statements at appropriate amounts and any resulting
valuation or allocation adjustments are appropriately recorded.
The purpose of tests of details of presentation and disclosure is to meet
these objectives, including:
- Occurrence, and rights and obligations: Disclosed events, transactions,
and other matters have occurred and pertain to the entity;
- Completeness: All disclosures that should have been included in the
financial statements have been included.
- Classification and understandability: Financial information is
appropriately presented and described, and disclosures are clearly expressed.
- Accuracy and valuation: Financial and other information is disclosed
fairly and at appropriate amounts.
There is a close relationship between the general review of the client’s
circumstances, the results of understanding internal control, analytical procedures,
substantive tests of transactions and tests of details of account balances. The
combination of tests depends on the auditor’s experience, timing, cost,
and other conditions of the audit.
Summary
To draw a conclusion about the reliability of the financial statements, the
auditor should apply audit methods to gather sufficient appropriate audit evidence.
This chapter has therefore covered audit methodology, audit approach and
audit tests. It has also clarified a number of audit tests which are applied in
each phase of an audit. Deciding which audit tests to use is a matter of the
auditor’s professional judgment and needs to be considered carefully in
accordance with auditing standards.
REVIEW QUESTIONS AND PROBLEMS
1. What is the nature of audit methodology?
2. Distinguish between audit methodology and audit approach.
3. What are the three types of tests auditors use to determine whether
financial statements are fairly stated?
4. What is the purpose of risk assessment procedures?
5. Distinguish between a test of control and a substantive test.
6. What are the purposes of analytical procedures during the three phases of
the audit?
7. Explain clearly the relationship between audit risk and audit
procedures.
8. When are tests of controls required on an audit?
9. What types of analytical procedures are useful in an audit?
Case study
1. You are the audit senior responsible for the audit of Dung Hoa Co, a
company that runs a chain of fast food restaurants. You are aware that a major risk
of their sector is that poor food quality might result in damage claims by
customers.
You had satisfied yourself at the interim audit that the company’s control
risk as regards purchase of food and its preparation in the kitchen was low.
However, during your final audit it comes to your attention that one month
before the year end, a customer has sued the company for personal injury
caused by food poisoning, claiming an amount of $200,000 in compensation.
This amount is material to the stated profit of the company, but management
believes that it has good defences against the claim.
Required
State two audit procedures you should carry out during control testing to
satisfy yourself that control risk in this area is low.
2. Van Hoa Co is a window cleaning company. Customers’ windows are
cleaned monthly; the window cleaner then posts a stamped addressed envelope
for payment through the customer’s front door.
Van Hoa has a large number of receivable balances and these customers
pay by cheque or cash, which is received in the stamped addressed envelopes in
the post. The following procedures are applied to the cash received cycle:
a. A junior clerk from the accounts department opens the post and if any
cheques or cash have been sent, she records the receipts in the cash received
log and then places all the monies into the locked small cash box.
b. The contents of the cash box are counted each day and every few days
these sums are banked by whichever member of the finance team is available.
c. The cashier records the details of the cash received log in the cash
receipts day book and also updates the sales ledger.
d. Usually on a monthly basis the cashier performs a bank reconciliation,
which he then files; if he misses a month then he catches up in the
following month’s reconciliation.
Required
For the cash cycle of Van Hoa:
(i) List tests of controls the auditor of Van Hoa would perform to assess
if the controls are operating effectively.
(ii) List substantive procedures an auditor would perform in verifying a
company’s bank balance.
3. Minh Lan Co (M&L) is a listed company which is a manufacturer of
electrical equipment. M&L is the largest company in the electrical equipment
industry. You are the audit manager of K&H and you are planning the audit of
M&L. K&H has audited M&L for many years. In the prior year, the auditor
concluded that M&L has sophisticated internal control and low inherent risk.
In the current year, the auditor has recognized that controls have not changed
since they were last tested.
Required:
Which types of test should you select to perform, and what is the extent of
each test?

CHAPTER 9
AUDIT SAMPLING
LEARNING OBJECTIVES
1. The Importance of audit sampling
2. Definition of audit sampling and related concepts
3. Sampling steps
4. Determine whether the misstatement is an anomaly
5. Sampling in Tests of Controls
6. Sampling in Substantive Tests of Details
INTRODUCTION
This chapter mentions the following contents:
• Assurance providers usually seek evidence from less than 100% of items
of the balance or transaction being tested.
• Every item in the population of items being sampled must have an
equal chance of being selected in the sample.
• The greater the risk of the area being sampled, the higher the sample
size will be.
• When drawing conclusions from sampling, the auditor must identify
which discovered misstatements affect the overall balance.
• The purpose of sampling a set of items is to enable the auditors to
project the conclusion to the whole population.
• Auditors must consider the nature of the misstatement and whether it
is fair to project that misstatement.
• If the projected misstatement exceeds tolerable misstatement then
sampling risk must be reassessed and further audit procedures must be
considered.
CONTENT
9.1. THE IMPORTANCE OF AUDIT SAMPLING
It is known that it may not be practical to examine all available evidence
because of its volume and because doing so would be uneconomical. In those
cases, a sample is selected to evaluate against the audit criteria and help
develop the audit conclusion.
The risk is that the sample may not be representative of the total set of
people, documents, practices, and records being assessed. As a result, the audit
conclusion may be different than if the auditor had examined the whole
population.
We may over-audit by taking samples that are too large and waste time
and resources. Or, we may under-audit by taking samples that are too small and
end up not detecting numerous nonconformities. For example, if the auditor
tests only 20% of trade receivables for existence at the reporting date by
confirming after-date cash, this is hardly representative of the population,
whereas, say, 75% would be much more representative.
The use of sampling is widely adopted in auditing because it offers the
opportunity for the auditor to obtain the minimum amount of audit evidence,
which is both sufficient and appropriate, in order to form valid conclusions on
the population. Audit sampling is also widely known to reduce the risk of the
working papers at the review stage of the audit.
It is important to apply sampling appropriately, since it is closely
related to the confidence that people will place in the audit conclusion.
ISA 530 – Audit Sampling states that “the objective of the auditor, when
using audit sampling, is to provide a reasonable basis for the auditor to draw
conclusions about the population from which the sample is selected”. The ISA
relates specifically to audits, but all assurance providers may use sampling.
9.2. DEFINITION OF AUDIT SAMPLING AND RELATED CONCEPTS
a. A sample is a small part of anything, intended as representative of the
whole. It may not be practical to examine all available data. For example,
records may be too numerous or dispersed, or examining them may be too time
consuming or costly.
So, sampling selects less than 100% of the items to obtain and evaluate
evidence to form an audit conclusion. The goal is confidence that the audit
objectives can be met. The risk is that the samples may not be representative of
the entire population. The conclusion may be different than if you were able to
examine the whole population.
b. Audit sampling (sampling) – The application of audit procedures to
less than 100% of items within a population of audit relevance such that all
sampling units have a chance of selection in order to provide the auditor with a
reasonable basis on which to draw conclusions about the entire population.
c. “Population – The entire set of data from which a sample is selected and
about which the auditor wishes to draw conclusions”
ISA 530 – Paragraph 05 recognizes that auditors will not ordinarily test
all the information available to them because this would be impractical as well
as uneconomical. Instead, the auditor will use sampling as an audit technique in
order to form their conclusions. It is important at the outset to understand that
some procedures that the auditor may adopt do not involve audit sampling,
100% testing of items within a population, for example. Auditors may deem
100% testing appropriate where there are a small number of high value items
that make up a population, or when there is a significant risk of material
misstatement and other audit procedures will not provide sufficient appropriate
audit evidence. However, auditors must appreciate that 100% examination is
highly unlikely in the case of tests of controls; such testing is more common
for tests of detail (i.e., substantive testing).
d. “Sampling risk – The risk that the auditor’s conclusion based on a
sample may be different from the conclusion if the entire population were
subjected to the same audit procedure.”
ISA 530 – Paragraph 05
ISA 530 recognizes that sampling risk can lead to two types of erroneous
conclusion:
1. The auditor concludes that controls are operating effectively, when in
fact they are not. Insofar as substantive testing is concerned (which is primarily
used to test for material misstatement), the auditor may conclude that a material
misstatement does not exist, when in fact it does. These erroneous conclusions
will more than likely lead to an incorrect opinion being formed by the auditor.
2. The auditor concludes that controls are not operating effectively, when in
fact they are. In terms of substantive testing, the auditor may conclude that a
material misstatement exists when, in fact, it does not. In contrast to leading to
an incorrect opinion, these errors of conclusion will lead to additional work,
which would otherwise be unnecessary leading to audit inefficiency.
e. “Non-Sampling risk- The risk that the auditor reaches an erroneous
conclusion for any reason not related to sampling risk”
ISA 530 – Paragraph 05
An example of such a situation would be where the auditor adopts
inappropriate audit procedures, or does not recognize a control deviation.
The ISA requires a distinction between statistical sampling and
non-statistical methods.

f. Statistical sampling is an approach to sampling that has the following
two characteristics:
- Random selection of the sample items; and
- The use of probability theory to evaluate the sample result, including
measurement of sampling risks.
g. Non-statistical sampling is an approach to sampling that does not have
the two above-mentioned characteristics and is not considered statistical sampling.
Statistical sampling helps the auditor (a) to design an efficient sample,
(b) to measure the sufficiency of the audit evidence obtained, and (c) to
evaluate the sample results. By using statistical theory, the auditor can quantify
sampling risk to assist himself in limiting it to a level he considers acceptable.
However, statistical sampling involves additional costs of training auditors,
designing individual samples to meet the statistical requirements, and selecting
the items to be examined. Because either non-statistical or statistical sampling
can provide sufficient audit evidence, the auditor chooses between them after
considering their relative cost and effectiveness in the circumstances.
9.3 SAMPLING STEPS
Audit sampling typically involves these six steps:
1. Objectives
2. Audit scope
3. Sampling size
4. Sampling method
5. Conduct sampling activity
6. Evaluating

9.3.1 Step 1 - Determine Objectives
The first step is setting the objectives of the sampling plan; e.g., the
auditor may want to reduce the audit disruption, yet have a
representative sample that provides confidence in the audit conclusions.
When designing the sample, ISA requires the auditor to consider the
purpose of the audit procedure and the characteristics of the population from
which the sample will be drawn, which is the basis for considering sampling
and selection methods.
When designing an audit sample, the auditor should consider the specific
purpose to be achieved and the combination of audit procedures that is
likely to best achieve that purpose. For example, for “dual purpose testing”,
auditors should consider whether the sample selected for testing meets both
the control testing purpose and the substantive testing purpose.
It is also required to consider the nature and characteristics of the audit
evidence sought and possible deviation and misstatement conditions. This will
help them to define what constitutes a deviation or misstatement and what
population to use for sampling.
9.3.2 Step 2 - Define the extent and composition of the population (audit scope)
a. Identification of population
A population means the entire set of data about which we wish to draw
conclusions based on the sample that is selected. It is important that the
population is appropriate to satisfy the established objective of the audit
procedures. When understanding the risks of material misstatement, the
direction in which the population may be misstated may need to be considered.
For example, when there is a material misstatement in the direction of
overstatement, the sample to be examined is selected directly from the
population of audit interest. By selecting the sample from that population we
maximize our chances of detecting overstated items in the population. In
contrast, when there is a material misstatement in the direction of
understatement, the sample to be examined is selected from an independent
population. Such a population may comprise items that ought to be recorded in
the population of audit interest. In addition to understanding the population,
we also need to consider the characteristics of the population: sample unit
representation, including the availability of individual elements;
distribution of items in the population; zero and negative value items; and
existence of subpopulations.
b. Sample units
Sample units are individual items constituting a population. The total
population of the sampling units could be manually prepared documents or
lists, documents generated from computer systems, or an electronic file
provided by the entity. The sampling unit can be any subdivision of a monetary
or nonmonetary population.
The sample unit is ordinarily determined based on the effectiveness of an
audit. For example, when preparing independent confirmation letters sent to
customers to confirm outstanding receivable balances, if previous history or
industry trends show that more responses are received when confirming
individual invoices, the sample unit for a receivable test would likely be
the individual outstanding invoice rather than each customer balance.
9.3.3 Step 3 - Determine sample size
ISA provides examples of factors that should be taken into consideration
when determining sample sizes for control testing and detail testing:

Tests of control
Factor | Effect on sample size
An increase in the extent to which the auditor’s risk assessment takes into account relevant controls | Increase
An increase in the tolerable rate of deviation (*) | Decrease
An increase in the expected rate of deviation of the population to be tested | Increase
An increase in the auditor’s desired level of assurance that the tolerable rate of deviation is not exceeded by the actual rate of deviation in the population | Increase
An increase in the number of sampling units in the population | Negligible effect

Tests of detail
Factor | Effect on sample size
An increase in the auditor’s assessment of the risk of material misstatement | Increase
An increase in the use of other substantive procedures directed at the same assertion | Decrease
An increase in the auditor’s desired level of assurance that the tolerable rate of misstatement is not exceeded by the actual rate of misstatement in the population | Increase
An increase in tolerable misstatement (**) | Decrease
An increase in the amount of misstatement the auditor expects to find in the population | Increase
Stratification of the population when appropriate | Decrease
The number of sampling units in the population | Negligible effect

(*) Tolerable rate of deviation – A rate of deviation from prescribed
internal control procedures set by the auditor in respect of which the auditor
seeks to obtain an appropriate level of assurance that the rate of deviation set
by the auditor is not exceeded by the actual rate of deviation in the population.
(**) Tolerable misstatement – A monetary amount set by the auditor in
respect of which the auditor seeks to obtain an appropriate level of assurance
that the monetary amount set by the auditor is not exceeded by the actual
misstatement in the population.
9.3.4 Step 4 - Sampling method
ISA 530 recognizes that there are many methods of selecting a sample,
but it considers five principal methods of audit sampling as follows:
✓ Random selection
✓ Systematic selection
✓ Monetary unit sampling
✓ Haphazard selection, and
✓ Block selection.

a. Random Sampling
Random sampling gives each item in the sampled population an equal
chance of being selected. That means picking one item has no impact on the
probability of any other item being selected. The sampling units could be
physical items, such as sales invoices, or monetary units.
One random sampling method is to generate a random number for each
item to be sampled, sort these random numbers, and then take the top or bottom
X, where X is the sample size. Note that you can use the “=RAND()” function
in Excel to generate the random numbers.
b. Systematic Sampling
Systematic sampling selects every Nth item in the population as the sample.
For example, to sample 30 items out of a population of 360, the sampling
interval would be N=12.
The auditor would select a random starting point within the first interval;
e.g., between 1 and 12, the auditor could randomly pick 7. Then the auditor
would extract every 12th item, i.e., 7, 19, on to 343, 355.
However, the auditor has to ensure the systematic sampling interval does
not introduce bias. For example, if a warehouse has even locations on one side
of the aisle and odd locations on the other side, and the auditor selected
every 50th item, starting at 20, he/she would never pick an odd location.
Random sampling would be more suitable for this scenario. Remember,
auditor judgment is still needed for statistical sampling. Systematic sampling is
most appropriate for looking over a period of time, since it ensures an even
spread of selected items in a sample of the timeframe under review.
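The systematic selection described above, worked through as an added Python example (not code from the textbook). It reproduces the 360-item case and the warehouse case, and goes slightly beyond the text by computing, for any repeating pattern in the population, how many of its positions a fixed interval can reach; the 1,000-location warehouse size, the seed and all function names are assumptions.

```python
import math
import random
from collections import Counter


def systematic_positions(population_size, sample_size, start=None, rng=None):
    """1-based positions picked by systematic selection with a random start."""
    if not 0 < sample_size <= population_size:
        raise ValueError("sample size must be between 1 and the population size")
    interval = population_size // sample_size      # 360 // 30 gives 12
    if start is None:
        start = (rng or random.Random()).randint(1, interval)
    if not 1 <= start <= interval:
        raise ValueError("start must fall inside the first interval")
    return [start + i * interval for i in range(sample_size)]


def every_nth(population_size, interval, start):
    """Every `interval`-th position from `start` to the end of the population."""
    return list(range(start, population_size + 1, interval))


def random_positions(population_size, sample_size, rng):
    """Simple random selection without replacement, for comparison."""
    return sorted(rng.sample(range(1, population_size + 1), sample_size))


def classes_reached(interval, period):
    """How many of the `period` positions of a repeating pattern a fixed
    interval can ever land on; fewer than `period` means built-in bias."""
    return period // math.gcd(interval, period)


def aisle_side(location):
    """Warehouse layout from the text: even locations on one side, odd on the other."""
    return "even" if location % 2 == 0 else "odd"


def coverage(positions, classify):
    """Count the selected positions per class."""
    return Counter(classify(p) for p in positions)


if __name__ == "__main__":
    picks = systematic_positions(360, 30, start=7)
    print(picks[:2], "...", picks[-2:])

    # Constructed warehouse of 1,000 locations (the size is an assumption).
    biased = every_nth(1000, 50, 20)
    print("systematic:", dict(coverage(biased, aisle_side)))
    print(classes_reached(50, 2), "of 2 aisle sides reachable with interval 50")

    # Fixed seed (an assumption) so the selection can be re-performed.
    rng = random.Random(530)
    unbiased = random_positions(1000, len(biased), rng)
    print("random:    ", dict(coverage(unbiased, aisle_side)))
```

Checking `classes_reached` against any known cycle in the population (aisle sides, days of the week, batch sizes) before fixing the interval shows whether systematic selection is safe or random selection should be used instead.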
c. Monetary unit sampling
This method of sampling is a value-weighted selection whereby sample
size, selection and evaluation will result in a conclusion in monetary amounts.
The objective of monetary unit sampling (MUS) is to determine the accuracy of
financial accounts. The steps involved in monetary unit sampling are to:
• Determine a sample size
• Select the sample
• Perform the audit procedures
• Evaluate the results and arrive at a conclusion about the population.

MUS is based on attribute sampling techniques, is often used in tests
of controls, and is appropriate when each sample item can be placed into one
of two classifications – ‘exception’ or ‘no exception’. It turns monetary
amounts into units – for example, a receivable balance of $50 contains 50
sampling units.
Monetary balances can also be subject to varying degrees of exception –
for example, a payables balance of $7,000 can be understated by $7, $70, $700
or $7,000 and the auditor will clearly be interested in the larger misstatement.
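One common way to carry out the value-weighted selection described above is fixed-interval selection over cumulative monetary units, shown here as an added example that is not from the textbook. The ledger is constructed, amounts are whole currency units, and the function names and the choice of fixed-interval selection are assumptions.

```python
# Constructed receivables ledger: (item id, balance in whole dollars).
LEDGER = [
    ("INV-001", 50),
    ("INV-002", 7000),
    ("INV-003", 1200),
    ("INV-004", 0),       # zero balance: contains no monetary units
    ("INV-005", 300),
    ("INV-006", -150),    # credit balance: cannot be hit by a positive unit
    ("INV-007", 2500),
    ("INV-008", 950),
]


def mus_select(ledger, sample_size, start):
    """Select items by picking every `interval`-th monetary unit.

    Each dollar is a sampling unit, so a $50 balance holds 50 units and a
    $7,000 balance holds 7,000. The item that contains a selected dollar is
    the item that gets audited.
    """
    positive = [(item, amount) for item, amount in ledger if amount > 0]
    # Zero and negative items can never be selected; they need separate testing.
    set_aside = [item for item, amount in ledger if amount <= 0]

    total_units = sum(amount for _, amount in positive)
    if sample_size < 1 or total_units < sample_size:
        raise ValueError("sample size must be between 1 and the monetary total")
    interval = total_units // sample_size
    if not 1 <= start <= interval:
        raise ValueError("start must fall inside the first interval")

    # The monetary units to pick: start, start + interval, ...
    targets = [start + k * interval for k in range(sample_size)]

    selected = {}          # item id -> number of selected units it contains
    cumulative = 0
    next_target = 0
    for item, amount in positive:
        cumulative += amount
        while next_target < sample_size and targets[next_target] <= cumulative:
            selected[item] = selected.get(item, 0) + 1
            next_target += 1

    return {"interval": interval, "selected": selected, "set_aside": set_aside}


def selection_probability(amount, interval):
    """Chance that an item is picked at least once with a random start
    (exact when the interval divides the monetary total evenly)."""
    return min(1.0, max(amount, 0) / interval)


if __name__ == "__main__":
    result = mus_select(LEDGER, sample_size=4, start=1000)
    print("sampling interval:", result["interval"])
    print("selected items   :", result["selected"])
    print("set aside        :", result["set_aside"])
    for item, amount in LEDGER:
        print(item, amount, round(selection_probability(amount, result["interval"]), 4))
```

Any balance at least as large as the sampling interval is certain to be selected, while the $50 balance is picked only about 1.7% of the time, which is the sense in which the selection is value-weighted.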
d. Haphazard selection
It may be an alternative to random selection provided assurance
providers are satisfied that the sample is representative of the entire population.
This method requires care to guard against making a selection that is
biased, for example towards items that are easily located, as they may not be
representative. It should not be used if assurance providers are carrying out
statistical sampling.
e. Block selection
This method of sampling involves selecting a block (or blocks) of
contiguous items from within a population. Block selection is rarely used in
modern auditing merely because valid references cannot be made beyond the
period or block examined. In situations when the auditor uses block selection as
a sampling technique, many blocks should be selected to help minimize
sampling risk.
An example of block selection is where the auditor may examine all the
remittances from customers in the month of January. Similarly, the auditor may
only examine remittance advices that are numbered 300 to 340.
9.3.5 Step 5 - Drawing conclusions from sampling
The purpose of audit sampling is to enable conclusions to be drawn from
an entire population on the basis of testing samples selected from it.
Accordingly when the auditors have tested a sample of items, they must then
draw conclusions from that sample.
First, the auditors must consider whether the items in question are true
misstatements, as they defined them before performing the test. For example,
before testing receivable balances, the auditor identified that there was a
disposing entry between customer accounts. This error of accounting entry may
cause misstatement of each customer receivable balance but will not affect the
valuation of total receivable balances.
The qualitative aspects of misstatements are also considered, including
the nature and cause of the misstatement. Auditors must also consider
any possible effects the misstatement may have on other parts of the audit,
including the general effect on the financial statements and on the auditor’s
assessment of the accounting and internal control system.
9.4 DETERMINE WHETHER THE MISSTATEMENT IS AN ANOMALY
Definition of Anomaly: a misstatement or deviation that is not
representative of misstatements or deviations in the population.
To determine whether the misstatement or deviation is an anomaly, extra
work is required to be done by the auditor to prove that fact. The auditors will
estimate the probable misstatement in the population by extrapolating the
misstatements found in the sample. The auditors will estimate any further
misstatement that may not have been detected because of the imprecision of the
technique (consideration of the qualitative aspects of the errors).
The auditor must also consider the effect of the projected misstatement
on other areas of the audit. The projected population misstatement is compared
with the tolerable misstatement, taking account of other relevant
audit procedures.
If the projected population misstatement exceeds or is close to tolerable
misstatement, a re-assessment of sampling risk is required; in such a case the
auditor may be required to extend audit procedures or perform alternative
procedures. However, after performing alternative procedures, if the actual
misstatement rate is still higher than the tolerable misstatement rate,
auditors should re-assess control risk for control testing or consider whether
the financial statements should be adjusted if the test is a substantive test.
In conclusion, if factual misstatements are detected in audit samples, the
monetary misstatements found in the audit sample are projected to the
population and consideration is given to the effect of the projected
misstatement on the particular audit objective and on other areas of the audit.
This projection is performed regardless of whether the audit sample was
statistically based or not.

The results of the examination of the sample items are evaluated in order
to form a conclusion about the population as a whole.
9.5. SAMPLING IN TESTS OF CONTROLS
9.5.1 Planning samples
Auditors should consider the following issues when planning samples:
• The relationship of the sample to the objective of the test of controls.
• The maximum rate of deviations from prescribed controls that would
support his planned assessed level of control risk.
• The auditor's allowable risk of assessing control risk too low.
• Characteristics of the population, that is, the items comprising the
account balance or class of transactions of interest.
Sampling is applied when the auditors need to decide whether the rate of
deviation from a control procedure is no greater than the tolerable rate (e.g.,
among 80 samples selected for control effectiveness testing, the accepted
deviation is one sample only; accordingly the tolerable rate is 1.25%).
However, sampling concepts do not apply to some control testing (e.g.,
automated application controls are generally tested once or a few times
when effective IT general controls are present, and thus the concepts of risk
and tolerable deviation are not relied on). Sampling may not apply to test some
documented controls or analyses of controls for determining the appropriate
segregation of duties. Sampling also may not apply to some tests directed
toward obtaining audit evidence about the operation of the control environment
or the accounting system, for example, inquiry or observation of explanation of
variances from budgets when the auditor does not desire to estimate the rate of
deviation from the prescribed control, or when examining the actions of those
charged with governance for assessing their effectiveness.
When designing samples for tests of controls the auditor ordinarily
should plan to evaluate operating effectiveness in terms of deviations from
prescribed controls, as to either the rate of such deviations or the monetary
amount of the related transactions.
The auditor should determine the maximum rate of deviations from the
prescribed control that he would be willing to accept without altering his
planned assessed level of control risk. This is the tolerable rate. In determining
the tolerable rate, the auditor should consider (a) the planned assessed level of
control risk, and (b) the degree of assurance desired by the audit evidence in the
sample.
For example, the more Assurance we intend to obtain from the operating
effectiveness of Controls, the lower our assessment of the Risk of Material
Misstatement will be, and the larger the sample size will need to be. In contrast,
if an increase in the tolerable rate of deviation is accepted, the sample size can
be decreased.
Sometimes a combination of two or more controls is necessary to affect
the risk of material misstatement for an assertion. In that case, those
controls should be regarded as a single procedure, and deviations from any
controls in combination should be evaluated on that basis.
To determine the number of items to be selected for a particular sample
for a test of controls, the auditor should consider the tolerable rate of deviation
from the controls being tested, the likely rate of deviations, and the allowable
risk of assessing control risk too low. An auditor applies professional judgment
to relate these factors in determining the appropriate sample size.
9.5.2 Sample selection
Sample items should be selected in such a way that the sample can be
expected to be representative of the population. Therefore, all items in the
population should have an opportunity to be selected. Random-based selection
of items represents one means of obtaining such samples. Ideally, the auditor
should use a selection method that has the potential for selecting items from the
entire period under audit which includes interim and final audit periods.
9.5.3 Performance and evaluation
The objective of testing controls is achieved when audit procedures are
appropriately applied to each sample item. Deviations from prescribed policy
and procedure should ordinarily be considered when the auditor could not apply
the planned audit procedures or appropriate alternative procedures to selected
items, and the reasons for the limitation should be considered.
The deviation rate in the sample is the auditor's best estimate of the
deviation rate in the population from which it was selected. If the estimated
deviation rate is less than the tolerable rate for the population, the auditor
should consider the risk that such a result might be obtained even though the
true deviation rate for the population exceeds the tolerable rate for the
population.
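The risk described in the paragraph above can be quantified with the binomial distribution, as in this added example (not from the textbook). It uses the 80-item sample with one deviation mentioned in 9.5.1; the 5% tolerable rate, the 5% allowable risk of assessing control risk too low and the function names are assumptions.

```python
from math import comb


def prob_at_most(deviations, sample_size, true_rate):
    """Binomial probability of finding `deviations` or fewer in the sample
    when the population deviation rate is `true_rate`.

    The binomial model ignores population size, in line with its negligible
    effect on sample size for large populations.
    """
    return sum(
        comb(sample_size, i) * true_rate ** i * (1 - true_rate) ** (sample_size - i)
        for i in range(deviations + 1)
    )


def upper_deviation_limit(deviations, sample_size, risk):
    """Population deviation rate at which the observed result (or a better
    one) would occur with probability equal to `risk`; found by bisection."""
    if not 0 <= deviations <= sample_size:
        raise ValueError("deviations must be between 0 and the sample size")
    if not 0 < risk < 1:
        raise ValueError("risk must be strictly between 0 and 1")
    if deviations == sample_size:
        return 1.0
    low, high = deviations / sample_size, 1.0
    for _ in range(60):
        mid = (low + high) / 2
        # The probability falls as the assumed rate rises, so move toward the
        # rate where it crosses the allowable risk.
        if prob_at_most(deviations, sample_size, mid) > risk:
            low = mid
        else:
            high = mid
    return high


def evaluate_control_test(deviations, sample_size, tolerable_rate, risk):
    """Compare the sample result with the tolerable rate, allowing for sampling risk."""
    upper = upper_deviation_limit(deviations, sample_size, risk)
    return {
        # Best estimate of the population deviation rate.
        "sample_rate": deviations / sample_size,
        # Rate the population could plausibly reach at the allowable risk.
        "upper_limit": upper,
        # Chance of a result this good if the true rate equals the tolerable rate.
        "risk_if_true_rate_is_tolerable": prob_at_most(
            deviations, sample_size, tolerable_rate
        ),
        "supports_planned_control_risk": upper <= tolerable_rate,
    }


if __name__ == "__main__":
    for found in (0, 1):
        outcome = evaluate_control_test(found, 80, tolerable_rate=0.05, risk=0.05)
        print(found, {k: round(v, 4) if isinstance(v, float) else v
                      for k, v in outcome.items()})
```

With one deviation in 80 items the sample rate of 1.25% is well below the assumed 5% tolerable rate, yet the upper limit is about 5.8%, so the result does not support the planned assessment at a 5% risk; with no deviations the upper limit is about 3.7% and it does.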
In addition to the evaluation of the frequency of deviations from
pertinent procedures, consideration should be given to the qualitative aspects of
the deviations. These include (a) the nature and cause of the deviations, such as
whether they are due to error or fraud, and (b) the possible relationship of the
deviations to other phases of the audit.
If the auditor concludes that the sample results do not support the
planned assessed level of control risk for an assertion, he should re-evaluate the
nature, timing, and extent of substantive procedures based on a revised
consideration of the assessed level of control risk for the relevant financial
statement assertions.
9.6. SAMPLING IN SUBSTANTIVE TESTS OF DETAILS
9.6.1 Planning samples
Auditors should consider the following issues when planning samples:
• The relationship of the sample to the relevant audit objective
• Preliminary judgments about materiality levels.
• The auditor's allowable risk of incorrect acceptance.
• Characteristics of the population, that is, the items comprising the
account balance or class of transactions of interest.
When planning a particular sample, the auditor should consider the
specific audit objective to be achieved and should determine that the audit
procedure, or combination of procedures, to be applied will achieve that
objective. For example, when the auditor plans to detect understatement of
expenses and payables recorded for the year ended, an appropriate sampling plan
for detecting such understatement would draw from the sources in which omitted
items are included. Accordingly, subsequent cash disbursements, unpaid
invoices, subsequent recorded purchasing entries… might be sampled for
understatement testing.

Evaluation in monetary terms of the results of a sample for a test of
details contributes directly to the auditor's purpose, since such an evaluation
can be related to the auditor's judgment of the monetary amount of
misstatements that would be material for the test. Tolerable misstatement is a
planning concept and is related to the auditor's determination of materiality for
planning the financial statement audit in such a way that tolerable
misstatement, combined for all of the tests in the entire audit, does not exceed
materiality for the financial statements. This means that auditors should
normally set tolerable misstatement for a specific audit procedure at less than
financial statement materiality so that when the results of the audit procedures
are aggregated, the required overall assurance is attained.
The auditor must obtain a sufficient understanding of the entity and its
environment, including its internal control to assess the risk of material
misstatement of the financial statements whether due to error or fraud, and to
design the nature, timing, and extent of further audit procedures. For example,
the sample size will be greater if a significant risk is identified in the
tested population and the auditor plans not to rely on controls. The sample
size will be lower if a significant risk is identified in the same tested
population but the auditor plans to rely on controls.
During planning, a statistical or non-statistical sample may be used to
assist in planning the allowable risk of incorrect acceptance for a specific test
of details.
The sufficiency of tests of details for a particular account balance or
class of transactions is related to the individual importance of the items
examined as well as to the potential for material misstatement. When planning
a sample for a substantive test of details, the auditor uses his judgment to
determine which items, if any, in an account balance or class of transactions
should be individually examined and which items, if any, should be subject to
sampling. The auditor should examine those items for which, in his judgment,
acceptance of some sampling risk is not justified. For example, these may
include items for which potential misstatements could individually equal or
exceed the tolerable misstatement. Any items that the auditor has decided to
examine 100 percent are not part of the items subject to sampling. Other items
that, in the auditor's judgment, need to be tested to fulfil the audit objective but
need not be examined 100 percent, would be subject to sampling.

The auditor may be able to reduce the required sample size by separating
items subject to sampling into relatively homogeneous groups on the basis of
some characteristic related to the specific audit objective.
To determine the number of items to be selected in a sample for a
particular test of details, the auditor should consider the tolerable misstatement
and the expected misstatement, the audit risk, the characteristics of the
population, the assessed risk of material misstatement, and the assessed risk for
other substantive procedures related to the same assertion. An auditor who
applies statistical sampling uses formulas to compute sample size based on
these judgments. An auditor who applies non-statistical sampling uses
professional judgment to relate these factors in determining the appropriate
sample size.
9.6.2 Sample selection
Sample items should be selected in such a way that the sample can be
expected to be representative of the population. Therefore, all items in the
population should have an opportunity to be selected. For example, haphazard
and random-based selection of items represents two means of obtaining such
samples.
Based on the characteristics of the population and professional judgment, one
of the five sample selection methods noted in section 9.4 can be applied.
9.6.3 Evaluation
The three types of tests of details are:
• Tests of all items in the population
• Non-representative Selection
• Audit Sampling
The evaluation of the results of the tests of details performed depends on
whether misstatements are detected and which type of test of details is used.
In case the auditor tests all items in the population, the Misstatement in the
population is equal to the amount of Factual Misstatement that we detected
while performing our tests of details.
In case the auditor applies Non-representative Selection, the Misstatement in
the total population cannot be determined only from the Non-representative
Selection. The auditor can only form a conclusion with respect to that portion of
the population to which those audit procedures were applied. Accordingly,
the Misstatement is equal to the amount of Factual Misstatement that we
detected while performing those tests of details.
In case the auditor applies Audit Sampling, the auditor shall project
Misstatements found in the sample to the Population; this Projection may not
be sufficient to determine an amount to be recorded.
The auditor should project the misstatement results of the sample to the
items from which the sample was selected. There are several acceptable ways
to project misstatements from a sample. For example, an auditor may have
selected a sample of every twentieth item (50 items) from a population
containing one thousand items. If he discovered overstatements of $3,000 in
that sample, the auditor could project a $60,000 overstatement by dividing the
amount of misstatement in the sample by the fraction of total items from the
population included in the sample. The auditor should add that projection to the
misstatements discovered in any items examined 100 percent. This total
projected misstatement should be compared with the tolerable misstatement for
the account balance or class of transactions, and appropriate consideration
should be given to sampling risk. If the total projected misstatement is less than
tolerable misstatement for the account balance or class of transactions, the
auditor should consider the risk that such a result might be obtained even
though the true monetary misstatement for the population exceeds tolerable
misstatement. For example, if the tolerable misstatement in an account balance
of $1 million is $50,000 and the total projected misstatement based on an
appropriate sample is $10,000, he may be reasonably assured that there is an
acceptably low sampling risk that the true monetary misstatement for the
population exceeds tolerable misstatement. On the other hand, if the total
projected misstatement is close to the tolerable misstatement, the auditor may
conclude that there is an unacceptably high risk that the actual misstatements in
the population exceed the tolerable misstatement. An auditor uses professional
judgment in making such evaluations.
In addition, consideration should be given to the qualitative aspects of
the misstatements, which include:
• Do the discovered Misstatements contain suspicious or unusual
aspects that may indicate Fraud or Error?

• Is there a pattern of Misstatements that may indicate that the
population ought to have been defined as two or more populations?
• Has Management confirmed that apparent Misstatements are, in fact,
Misstatements and explained their causes?
If the sample results suggest that the auditor's planning assumptions were
incorrect, appropriate action should be taken. In some cases, other modified
audit tests are considered.
The auditor should relate the evaluation of the sample to other relevant
audit evidence when forming a conclusion about the related account balance or
class of transactions.
Projected misstatement results for all audit sampling applications and all
known misstatements from non-sampling applications should be considered in
the aggregate along with other relevant audit evidence when the auditor
evaluates whether the financial statements taken as a whole may be materially
misstated.

REVIEW QUESTIONS AND PROBLEMS
1. Which of the following is an example of using statistical sampling?
a. Statistical sampling will be looked upon by the courts as providing superior
audit evidence.
b. Statistical sampling requires the auditor to make fewer judgmental decisions.
c. Statistical sampling aids the auditor in evaluating results.
d. Statistical sampling is more convenient to use than non-statistical sampling.
2. Which of the following is not an example of non-sampling risk?
a. Failing to evaluate results properly.
b. Use of an audit procedure inappropriate to achieve a given audit objective.
c. Obtaining an unrepresentative sample.
d. Failure to recognize an error.
3. Which of the following is an example of non-statistical sampling?
a. Sequential sampling.
b. Attribute sampling.
c. Haphazard sampling.
d. Random sampling.
4. Which of the following is not an advantage of using statistical sampling?
a. Statistical sampling aids in the design of an efficient sample.
b. Statistical sampling allows the auditor to measure the sufficiency of the
evidential matter obtained.
c. Statistical sampling allows the auditor to greatly reduce substantive testing.
d. Statistical sampling provides a means for mathematically measuring the
degree of risk that results from examining only part of a population.
5. Which of the following best illustrates the concept of sampling risk?
a. An auditor may select audit procedures that are not appropriate to achieve
the specific objective.
b. The documents related to the chosen sample may not be available for
inspection.
c. A randomly chosen sample may not be representative of the population as a
whole.
d. An auditor may fail to recognize deviations in the documents examined.

6. An auditor examining inventory may appropriately apply sampling for
attributes in order to estimate the
a. Average price of inventory items.
b. Dollar value of inventory.
c. Percentage of slow-moving inventory items.
d. Physical quantity of inventory items.
7. Respectively, attribute sampling and variables sampling are
a. Quantitative and qualitative in nature.
b. Qualitative and quantitative in nature.
c. Both qualitative and quantitative in nature.
d. None of these.
8. The risk that the assessed level of control risk based on the sample is less
than the true operating effectiveness of the control structure policy or procedure
is termed
a. The risk of incorrect acceptance.
b. The risk of incorrect rejection.
c. The risk of assessing too low.
d. The risk of assessing too high.
9. The advantage of using statistical sampling techniques is that such
techniques
a. Mathematically measure risk.
b. Eliminate the need for judgmental decisions.
c. Are easier to use than other sampling techniques.
d. Have been established in the courts to be superior to non-statistical sampling.
10. Which of the following is an element of sampling risk?
a. Choosing an audit procedure that is inconsistent with the audit objective.
b. Choosing a sample size that is too small to achieve the sampling objective.
c. Failing to detect a deviation on a document inspected by the auditor.
d. Failing to perform audit procedures that are required by the sampling plan.
11. Statistical sampling (SS) provides a technique for
a. Exactly defining materiality.
b. Greatly reducing the amount of substantive testing.
c. Eliminating judgment in testing.

d. Measuring the sufficiency of evidential matter.
12. Which of the following best describes the distinguishing feature of SS?
a. It reduces the problems associated with the auditor's judgment concerning
materiality.
b. It requires the examination of a smaller number of supporting documents.
c. It is evaluated in terms of two parameters: statistical mean and random
selection.
d. It provides a means for measuring mathematically the degree of uncertainty
that results from examining only part of a population.
13. If certain forms are not consecutively numbered
a. Selection of a random sample probably is not possible.
b. Systematic sampling may be appropriate.
c. Stratified sampling should be used.
d. Random number tables can not be used.
14. An auditor initially planned to use unrestricted random sampling with
replacement in the examination of accounts receivable. Later, the auditor
decided to use unrestricted random sampling without replacement. As a result
only of this decision, the sample size should
a. Increase.
b. Remain the same.
c. Decrease.
d. Be recalculated using a binomial distribution.
15. From prior experience, a CPA is aware of the fact that cash disbursements
contain a few unusually large disbursements. In using statistical sampling, the
CPA's best course of action is to
a. Eliminate any unusually large disbursements that appear in the sample.
b. Continue to draw new samples until no unusually large disbursements appear
in the sample.
c. Stratify the cash disbursements population so large disbursements are
reviewed separately.
d. Increase the sample size to lessen the effect of the unusually large
disbursements.
16. In examining cash disbursements, an auditor plans to choose a sample using
systematic selection with a random start. The primary advantage of such a
systematic selection is that population items
a. Which include irregularities will not be overlooked when the auditor
exercises compatible reciprocal options.
b. May occur in a systematic pattern, thus making the sample more
representative.
c. May occur more than once in a sample.
d. Do not have to be renumbered in order for the auditor to use the technique.
17. The auditor's failure to recognize a misstatement in an amount or a
deviation in an internal control, data-processing procedure is described as
a. Statistical error.
b. Sampling error.
c. Standard error.
d. Nonsampling error.
18. Which of the following statistical selection techniques is least desirable for
use by an auditor?
a. Systematic selection.
b. Stratified selection.
c. Block selection.
d. Sequential selection.
19. In attribute sampling, a 10% change in which of the following factors
normally will have the least effect on the size of a statistical sample?
a. Population size.
b. Tolerable deviation rate.
c. Risk of assessing too low.
d. Likely deviation rate.
20. If the auditor is concerned that a population may contain exceptions, the
determination of a sample size sufficient to include at least one such exception
is a characteristic of
a. Discovery sampling.
b. Variable sampling.
c. Random sampling.
d. Dollar-unit sampling.
21. An auditor plans to examine a sample of 20 checks for countersignatures as
prescribed by the client's internal control procedures. One of the checks in the
chosen sample of 20 cannot be found. The auditor should consider the reasons
for this limitation and
a. Evaluate the results as if the sample size had been 19.
b. Treat the missing check as a deviation when evaluating the sample.
c. Treat the missing check in the same manner as the majority of the other 19
checks, i.e. countersigned or not.
d. Choose another check to replace the missing check in the sample.
22. The tolerable rate of deviations for a test of controls is generally
a. Lower than the likely rate of deviations in the related accounting records.
b. Higher than the likely rate of deviations in the related accounting records.
c. Identical to the likely rate of deviations in the related accounting records.
d. Unrelated to the likely rate of deviations in the related accounting records.
23. The risk that the assessed level of control risk based on the sample is
greater than the true operating effectiveness of the control structure policy or
procedure is termed
a. Risk of assessing too high.
b. Risk of assessing too low.
c. Incorrect acceptance.
d. Incorrect rejection.
24. Jones, CPA, believes the industry-wide occurrence rate of client billing
errors is 3% and has established a maximum acceptable occurrence rate of 5%.
In the review of client invoices Jones should use
a. Discovery sampling.
b. Attribute sampling.
c. Stratified sampling.
d. Variable sampling.
25. In estimation sampling for attributes, which one of the following must be
known in order to appraise the results of the auditor's sample?
a. Estimated dollar value of the population.
b. Standard deviation of the values in the population.
c. Actual occurrence rate of the attribute in the population.
d. Sample size.
26. Given random selection, the same sample size, and the same tolerable
deviation rate for the testing of two unequal populations, the risk of assessing
control risk too low for the smaller population is
a. Higher than the risk of assessing too low for the larger population.
b. Lower than the risk of assessing too low for the larger population.
c. The same as the risk of assessing too low for the larger population.
d. Indeterminable relative to the risk of assessing too low for the larger
population.
27. If all other factors specified in an attribute sampling plan remain constant,
changing the specified tolerable deviation rate from 6% to 10%, and changing
the specified risk from 97% to 93%, would cause the required sample size to
a. Increase.
b. Remain the same.
c. Decrease.
d. Change by 4%.
28. When using statistical sampling for tests of controls, an auditor's evaluation
process would include a statistical conclusion about whether
a. Procedural deviations in the population were within an acceptable range.
b. Population characteristics occur at least once in the population.
c. Monetary misstatement is in excess of a certain predetermined amount.
d. The population total is not misstated by more than a fixed amount.
29. Discovery sampling should not be used if a CPA estimates that the
occurrence rate of a certain characteristic in a population being examined
exceeds approximately
a. 20%
b. 10%
c. 5%
d. 0%
30. If the size of the sample to be used in a particular test of attributes has not
been determined by utilizing statistical concepts, but the sample has been
chosen in accordance with random selection procedures
a. No inferences can be drawn from the sample.
b. The auditor has committed a nonsampling error.
c. May not use statistical evaluation.
d. The auditor will have to evaluate the results by reference to the principles of
discovery sampling.
31. In assessing sampling risk, the risk of incorrect rejection and the risk of
assessing control risk too high relate to the
a. Efficiency of the audit.
b. Effectiveness of the audit.
c. Selection of the sample.
d. Audit quality control.
32. An underlying feature of random-based selection of items is that each
a. Stratum of the accounting population be given equal representation in the
sample.
b. Item in the accounting population be randomly ordered.
c. Item in the accounting population should have an opportunity to be selected.
d. Item must be systematically selected using replacement.
33. In estimation sampling for variables, which of the following must be known
in order to estimate the appropriate sample size required to meet the auditor's
needs in a given situation?
a. The qualitative aspects of misstatements.
b. The total dollar amount of the population.
c. The acceptable level of risk.
d. The estimated rate of deviation in the population.
34. To determine the number of items to be selected in a sample for a particular
substantive test of details, the auditor should consider all of the following
except
a. Tolerable misstatement.
b. Deviation rate.
c. Allowable risk of incorrect acceptance.
d. Characteristics of the population.
35. The size of a sample designed for dual purpose testing should be
a. The larger of the samples that would otherwise have been designed for the
two separate purposes.
b. The smaller of the samples that would otherwise have been designed for the
two separate purposes.
c. The combined total of the samples that would otherwise have been designed
for the two separate purposes.
d. More than the larger of the samples that would otherwise have been
designated for the two separate purposes, but less than the combined total of
the samples that would otherwise have been designed for the two separate
purposes.
36. The risk of incorrect acceptance and the risk of assessing control risk too
low relate to the
a. Preliminary estimates of materiality levels.
b. Allowable risk of tolerable misstatement.
c. Efficiency of the audit.
d. Effectiveness of the audit.
37. When assessing the tolerable rate, the auditor should consider that, while
deviations from control procedures increase the risk of material errors, such
deviations do not necessarily result in errors. This explains why
a. A recorded disbursement that does not show evidence of required approval
may nevertheless be a transaction that is properly authorized and recorded.
b. Deviations would result in errors in the accounting records only if the
deviations and the errors occurred on different transactions.
c. Deviations from pertinent control procedures at a given rate ordinarily would
be expected to result in errors at a higher rate.
d. A recorded disbursement that is properly authorized may nevertheless be a
transaction that contains a material error.
38. Which of the following statistical sampling plans does not use a fixed
sample size for tests of controls?
a. Dollar-unit sampling.
b. Sequential sampling.
c. PPS sampling.
d. Variables sampling.
39. Which of the following statements is correct concerning statistical sampling
in tests of controls?
a. The population size has little or no effect on determining sample size except
for very small populations.
b. The likely population deviation rate has little or no effect on determining
sample size except for very small populations.
c. As the population size doubles, the sample size also should double.
d. For a given tolerable rate, a larger sample size should be selected as the
likely population deviation rate decreases.
40. A number of factors influence the sample size for a substantive test of
details of an account balance. All other factors being equal, which of the
following would lead to a larger sample size?
a. Greater reliance on internal controls.
b. Greater reliance on analytical procedures.
c. Smaller expected frequency of misstatements.
d. Smaller measure of tolerable misstatements.

CHAPTER 10
AUDIT IN AN EDP SYSTEM
LEARNING OBJECTIVES
1. Describe how IT improves internal control.
2. The importance of audit in an EDP system and the impact of IT on the
audit process.
3. Explain how general controls and application controls reduce IT risks.
4. Explain how to assess risk and gather audit evidence in an EDP system.
5. Describe how to use CAATs in an EDP system.
INTRODUCTION
People often assume that “the information is correct because the computer
produced it”. Auditors sometimes depend on the untested accuracy of
computer-generated output because they forget that computers perform only as
well as they are programmed. Before concluding that computer-generated
information is reliable, auditors must understand and test computer-based
controls. This chapter examines how the client’s integration of information
technology (IT) into the accounting system affects risks and internal control,
and how the client uses IT to improve internal control by replacing manual
controls subject to human error. However, IT also introduces risks, which the
client can manage by using controls specific to IT systems. In this chapter, we
highlight risks specific to IT systems, identify controls that can be implemented
to address those risks, and explain how IT-related controls affect the audit and
how the auditor uses CAATs in the audit process.
CONTENT
10.1. OVERVIEW OF AN EDP SYSTEM IN AN ENTERPRISE
There are many definitions of EDP. EDP is an infrequently used
term for what is today usually called "IS" (information services or systems) or
"MIS" (management information services or systems): the processing
of data by a computer and its programs in an environment involving electronic
communication.
Electronic Data Processing (EDP) can refer to the use of automated
methods to process commercial data. Typically, this uses relatively simple,
repetitive activities to process large volumes of similar information.
In general, EDP is the use of computers in recording, classifying,
manipulating, and summarizing data.
Nowadays, the success of every business depends on certain factors,
among them accurate analysis, choosing the right technology and a vision of
the future. Information technology is the only technology which provides
the opportunity to analyze specific data and plan the business. It also provides
many tools which can solve complex problems and plan the scalability
(future growth) of the business. IT has also enabled businesses to
communicate with millions of potential or existing customers in real time, and
provides many channels to communicate with the customer without going out
in snow or rain.
IT plays an important role in recording and processing business
transactions in most entities, including small, family-owned businesses. With
the development of information technology, many entities use accounting
software for their accounting. The development of businesses has increased
information needs; consequently, the accounting function’s use of complex IT
networks, the Internet, and centralized IT functions is now commonplace.
The development of information technology also helps reduce
misstatements by replacing manual procedures with automated controls that
apply checks and balances to each processed transaction. The human errors
occurring in manually processed transactions have reduced significantly.
Nowadays, computers perform many internal control activities that once
were done by employees, such as checking credit limits of customers and
reconciling goods received notes with purchase invoices. Online
security controls in applications, databases, and operating systems can improve
separation of duties, which reduces opportunities for fraud.
The development of information technology also allows the information
provided to be of better quality. Complex business activities require
complex IT activities and effective organization, procedures, and
documentation; as a result, information provided for management is of higher
quality and is available faster than in most manual systems. Once management
is confident that information produced by IT is reliable, management is likely
to use the information for better management decisions.
In order to manage risks related to information technology, IT controls
are normally implemented by entities. There are two types of controls related to
IT: general controls and application controls.
General IT controls are policies and procedures that are related to many
applications and support the effective functioning of application controls by
helping ensure the continued proper operation of information systems. They
commonly include controls over data centres and network operations, system
software acquisition, change and maintenance, access security, and application
system acquisition, development and maintenance. General IT controls that are
related to some or all applications are usually interdependent controls, i.e. their
operation is often essential to the effectiveness of application controls. As
application controls may be useless when general controls are ineffective, it
will be more efficient to review the design of general IT controls first before
reviewing the application controls.
Application controls are manual or automated procedures that typically
operate at a business process level. They can be preventative or detective in
nature and are designed to ensure the integrity of the accounting records.
Accordingly, they are related to procedures used to initiate, record, process and
report transactions or other financial data. Examples include document counts
and one-for-one checking of processed output to source documents.
10.2. THE IMPORTANCE OF AUDIT IN AN EDP SYSTEM
The auditor must have knowledge of general IT controls and application
controls in order to obtain an understanding of internal control and to assess
the complexity of the client's IT system. Knowledge of general controls
increases the auditor’s ability to assess and rely on effective application
controls to reduce control risk for related audit objectives. Knowledge of both
general and application IT controls is essential for the auditor.
Ineffective general controls create the potential for material
misstatements across all system applications, regardless of the quality of
individual application controls.
On the other hand, if general controls are effective, the auditor may be
able to place greater reliance on application controls whose functionality is
dependent on IT. Auditors can then test those application controls for operating
effectiveness and rely on the results to reduce substantive testing.
10.3. RISK ASSESSMENT AND EVIDENCE-GATHERING IN AN EDP
SYSTEM
IT can affect the company’s overall control risk. Many risks in manual
systems are reduced and in some cases eliminated. However, there are risks
specific to IT systems that can lead to substantial losses if ignored. If IT
systems fail, organizations can receive unreliable information caused by
processing errors. These risks increase the likelihood of material misstatements
in financial statements.
The inherent risks and control risks in an EDP environment may have a
material impact on the financial statements. The risks may result from
deficiencies in pervasive computer information system activities such as
program development and maintenance, systems software support, operations,
physical CIS security, and control over access to special privilege utility
programs. These deficiencies would tend to have a material impact on all
application systems that are processed on the computer. The risks may also
increase the potential for errors or fraudulent activities in specific applications,
in specific databases or master files, or in specific processing activities. For
example, errors are not uncommon in systems that perform complex logic or
calculations, or that must deal with many different exception conditions.
Systems that control cash disbursements or other liquid assets are susceptible to
fraudulent actions.
There are three specific risks to IT systems:
• Risks to hardware and data
• Reduced audit trail
• Need for IT experience and separation of IT duties
Risks to Hardware and Data
IT might create risks in protecting hardware and data. For example,
hardware or software may not function or may function improperly. Therefore,
it is critical to protect hardware, software, and related data from
physical damage that might result from inappropriate use or environmental
damage (such as fire, heat, humidity, or water). Another risk related to
hardware and data is the risk of systematic error. Because procedures are
programmed into computer software, the computer processes information
consistently for all transactions until the programmed procedures are changed.
Unfortunately, flaws in software programming and changes to that software
affect the reliability of computer processing, often resulting in many significant
misstatements. This risk is increased if the system is not programmed to
recognize and flag unusual transactions. Unauthorized access may be initiated
through the computer, resulting in improper changes in software programs and
master files. Nowadays, much of the data in an IT system is stored in
centralized electronic files. This increases the risk of loss or destruction of
entire data files.
Reduced audit trail
Misstatements may not be detected with the increased use of IT due to
the loss of a visible audit trail, as well as reduced human involvement. In
addition, the computer replaces traditional types of authorizations in many IT
systems. Because much of the information is entered directly into the computer,
the use of IT often reduces or even eliminates the source documents and records
that allow the organization to trace accounting information. These documents
and records are called the audit trail. Because of the loss of the audit trail,
other controls must be put into place to replace the traditional ability to
compare output information with hard-copy data. Furthermore, in many IT
systems, employees who deal with the initial processing of transactions never
see the final results. Therefore, they are less able to identify processing
misstatements. Advanced IT systems can often initiate transactions
automatically, such as calculating interest on savings accounts and ordering
inventory when pre-specified order levels are reached. Therefore, proper
authorization depends on software procedures and accurate master files used to
make the authorization decision.

Need for IT experience and separation of IT duties
IT systems reduce the traditional separation of duties (authorization,
record keeping, and custody) and create a need for additional IT experience. IT
developments enable activities from different parts of the organization to be
combined into one IT function. As a result, IT personnel might access the
software and master files to steal assets and information of the entity.
Furthermore, as the use of IT systems increases, the need for qualified IT
specialists increases. In fact, the reliability of an IT system and the information
it generates often depends on the ability of the organization to employ
personnel or hire consultants with appropriate technology knowledge and
experience.

10.4. AUDIT WITH THE USE OF CAATs IN AN EDP SYSTEM
Computer-assisted audit techniques (CAATs) are the applications of
auditing procedures using the computer as an audit tool. There are two types of
CAATs: test data techniques and audit software.
10.4.1. Test data
Test data techniques are used in conducting audit procedures by entering
data into an entity's computer system, and comparing the results obtained with
pre-determined results.
The test data technique is primarily designed to test the effectiveness of
internal control procedures which are incorporated in the client’s computer
programs. This technique involves entering data into, and having the data
processed by, the client’s accounting system, and comparing the output with
predetermined results. The data may be used to test the effectiveness of control
procedures, such as online passwords which are designed to restrict access to
specified data and programs to authorized personnel. Alternatively, the data
may comprise a set of transactions representing all types of transactions
normally processed by the entity’s programs, and incorporating a variety of
errors. Some examples of test data:
• Test data used to test specific controls in computer programs, such as
online password and data access controls.
• Test transactions selected from previously processed transactions or
created by the auditors to test specific processing characteristics of an entity's
computer system. Such transactions are generally processed separately from the
entity's normal processing. Test data can, for example, be used to check the
controls that prevent the processing of invalid data by entering data with, say, a
non-existent customer code or worth an unreasonable amount, or a transaction
which may, if processed, break customer credit limits.
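
The test data technique described above, as an added example that is not part of the original textbook: a deck of auditor-built transactions with predetermined results is run through a stand-in for the client's program, and every difference between expected and actual output is reported. The `order_entry` function, the customer master file, the rejection codes and the reasonableness limit are all hypothetical.

```python
"""Test data technique: run a deck of auditor-built transactions with
predetermined results through the system under test and report differences."""
from dataclasses import dataclass
from decimal import Decimal

# Constructed master file: customer code -> (credit limit, current balance).
CUSTOMERS = {
    "C001": (Decimal("5000"), Decimal("1200")),
    "C002": (Decimal("1000"), Decimal("950")),
}
MAX_REASONABLE_AMOUNT = Decimal("100000")  # assumed reasonableness limit


@dataclass(frozen=True)
class DeckItem:
    case_id: str
    customer: str
    amount: Decimal
    expected: str  # predetermined result: "ACCEPT" or a rejection code


def order_entry(customer, amount, check_credit=True):
    """Hypothetical stand-in for the client's order-entry program.

    It only validates and posts nothing, mirroring test transactions that are
    processed separately from normal processing. check_credit=False simulates
    a program version in which the credit-limit control is missing.
    """
    if customer not in CUSTOMERS:
        return "REJECT_UNKNOWN_CUSTOMER"
    if amount <= 0 or amount > MAX_REASONABLE_AMOUNT:
        return "REJECT_UNREASONABLE_AMOUNT"
    limit, balance = CUSTOMERS[customer]
    if check_credit and balance + amount > limit:
        return "REJECT_CREDIT_LIMIT"
    return "ACCEPT"


def weak_order_entry(customer, amount):
    """The same program with the credit-limit control switched off."""
    return order_entry(customer, amount, check_credit=False)


# Auditor's deck: valid transactions plus the error types named in the text
# (non-existent customer code, unreasonable amount, credit limit breach).
TEST_DECK = [
    DeckItem("T1", "C001", Decimal("300"), "ACCEPT"),
    DeckItem("T2", "C999", Decimal("300"), "REJECT_UNKNOWN_CUSTOMER"),
    DeckItem("T3", "C001", Decimal("2500000"), "REJECT_UNREASONABLE_AMOUNT"),
    DeckItem("T4", "C002", Decimal("100"), "REJECT_CREDIT_LIMIT"),
    DeckItem("T5", "C001", Decimal("-50"), "REJECT_UNREASONABLE_AMOUNT"),
    DeckItem("T6", "C002", Decimal("50"), "ACCEPT"),  # lands exactly on the limit
]


def run_test_deck(system, deck):
    """Process every case; return deviations as (case_id, expected, actual).

    An empty list means every control behaved as predetermined.
    """
    deviations = []
    for case in deck:
        actual = system(case.customer, case.amount)
        if actual != case.expected:
            deviations.append((case.case_id, case.expected, actual))
    return deviations


if __name__ == "__main__":
    for name, system in (("with credit check", order_entry),
                         ("without credit check", weak_order_entry)):
        print(name, "->", run_test_deck(system, TEST_DECK) or "no deviations")
```

The boundary case T6 is what separates a correctly coded limit (`>`) from an off-by-one (`>=`), and a missing control shows up as a transaction accepted where the predetermined result was a rejection.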

Using test data has some advantages:
• Test data provides evidence that the software or computer system used
by the client is working effectively by testing the program controls, and, in
some cases, there may be no other way to test some program controls.
• Once the basic test data have been designed, the level of ongoing time
needed and costs incurred is likely to be relatively low until the client's systems
change.
However, there are some problems with using test data, including:
• A significant problem with test data is that any resulting corruption of
data files has to be corrected. This is difficult with modern real-time systems,
which often have built-in (and highly desirable) controls to ensure that data
entered cannot be easily removed without leaving a mark. 

• Test data only tests the operation of the system at a single point of
time, and therefore the results do not prove that the program was in use
throughout the period under review. 

• Initial computer time and costs can be high and the client may change
its programs in subsequent years. 

10.4.2. Audit software
Audit software consists of computer programs used by the auditors, as
part of their auditing procedures, to process data of audit significance from the
entity's accounting system. In contrast to the test data technique, which
requires the auditor to input test data to be processed by the client's computer
programs, the audit software technique involves the auditor using audit
software to process the client’s accounting data.
Audit software is used for substantive procedures. There are two types of audit
software: generalized audit software and custom audit software.
• Generalized audit software allows auditors to perform tests on
computer files and databases, such as reading and extracting data from a
client's systems for further testing, selecting data that meets certain criteria,
performing arithmetic calculations on data, facilitating audit sampling and
producing documents and reports.
• Custom audit software is written by auditors for specific tasks when
generalized audit software cannot be used. 
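
An added example (not from the original textbook) of the kinds of test generalized audit software performs on a client file: exception search, recalculation, casting against the ledger, and systematic sample selection with a random start. The inventory extract, item codes, ledger balance and function names are constructed for illustration.

```python
"""Audit-software style tests over an extracted inventory listing."""
import csv
import io
import random
from decimal import Decimal

# Constructed extract of a client inventory file (not real data).
LISTING_CSV = """item,quantity,unit_cost,value
GL-100,120,4.50,540.00
GL-101,-15,12.00,-180.00
GL-102,40,7.25,290.00
GL-103,98000,0.80,78400.00
GL-104,10,33.10,313.00
GL-105,60,2.00,120.00
GL-106,25,18.40,460.00
GL-107,300,1.15,345.00
"""
LEDGER_BALANCE = Decimal("80306.00")  # constructed general-ledger figure


def load_listing(text):
    """Read the extract, converting numeric fields to exact types."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "item": rec["item"],
            "quantity": int(rec["quantity"]),
            "unit_cost": Decimal(rec["unit_cost"]),
            "value": Decimal(rec["value"]),
        })
    return rows


def quantity_exceptions(rows, high_quantity):
    """Items with negative or very high quantities."""
    return [r["item"] for r in rows
            if r["quantity"] < 0 or r["quantity"] > high_quantity]


def recalculation_differences(rows):
    """Items whose recorded value differs from quantity x unit cost,
    as (item, recorded value, recalculated value)."""
    diffs = []
    for r in rows:
        recalculated = r["quantity"] * r["unit_cost"]
        if recalculated != r["value"]:
            diffs.append((r["item"], r["value"], recalculated))
    return diffs


def cast_difference(rows, ledger_balance):
    """Ledger balance minus the total of the listing (zero when they agree)."""
    return ledger_balance - sum((r["value"] for r in rows), Decimal("0"))


def systematic_sample(rows, sample_size, seed):
    """Systematic selection with a random start; a fixed seed makes the
    selection reproducible."""
    interval = len(rows) // sample_size
    if interval < 1:
        raise ValueError("sample size exceeds population")
    start = random.Random(seed).randrange(interval)
    return [r["item"] for r in rows[start::interval][:sample_size]]


if __name__ == "__main__":
    listing = load_listing(LISTING_CSV)
    print("Quantity exceptions:", quantity_exceptions(listing, 10000))
    print("Recalculation differences:", recalculation_differences(listing))
    print("Ledger minus listing:", cast_difference(listing, LEDGER_BALANCE))
    print("Sample for testing:", systematic_sample(listing, 4, seed=2015))
```

In this constructed file the casting difference equals the one recalculation difference, so the two tests corroborate each other: the listing is understated by the error on a single line.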

Audit software has some benefits:
• Audit software can perform faster calculations and comparisons than
those done manually. 

• Audit software makes it possible to test more transactions than when
simply manually scanning printouts. For example, audit software may facilitate
searches for exceptions, such as negative or very high quantities when auditing
inventory listings. The additional information will give the auditor increased
comfort that the figure being audited is reasonably stated. 

• Audit software may allow the actual computer files (the source files)
to be tested from the originating program, rather than printouts from spool or
previewed files which are dependent on other software (and therefore could
contain errors or could have been tampered with following export). 

• Using audit software is likely to be cost-effective in the long term if
the client does not change its systems. 

Difficulties of using audit software
• The costs of designing tests using audit software can be substantial,
as a great deal of planning time will be needed in order to gain an in-depth
understanding of the client's systems so that appropriate software can be
produced. 

• The audit costs in general may increase because experienced and
specially trained staff will be required to design the software, perform the
testing and review the results of the testing. 

• If errors are made in the design of the audit software, audit time, and
therefore costs, can be wasted in investigating anomalies that have arisen
because of flaws in how the software was put together rather than by errors in
the client's processing. 

• If audit software has been designed to carry out procedures during
live running of the client's systems, there is a risk that this disrupts the client's
systems. If the procedures are to be run when the system is not live, extra costs
will be incurred by carrying out procedures to verify that the version of the
system being tested is identical to that used by the client in live situations. 


REVIEW QUESTIONS AND PROBLEMS
Question 1
You are the audit senior of Daffodil & Co and are responsible for the
audit of inventory for Magnolia Co, a glass manufacturer. You will be
attending the year-end inventory count on 31 December 2015.
In addition, your manager wishes to utilize computer-assisted audit
techniques for the first time for controls and substantive testing in auditing
Magnolia's inventory.
Required: For the audit of the inventory cycle and year-end inventory
balance of Magnolia:
a) Describe four audit procedures that could be carried out using
computer-assisted audit techniques (CAATs).
b) Explain the potential advantages of using CAATs.
c) Explain the potential disadvantages of using CAATs.
Question 2
You are an audit manager for Cal & Co and are in charge of planning the
audit of Tirol Co for the year ended 30 June 2015. Your firm has recently
gained this audit following a competitive tender.
Tirol Co provides repair services to motor vehicles from 25 different
locations. All inventory, sales and purchasing systems are computerized, with
each location maintaining its own computer system. The software in each
location is the same because the programs were written specifically for Tirol
Co by a reputable software house. Data from each location is amalgamated on a
monthly basis at Tirol Co's head office to produce management and financial
accounts.
Tirol Co's internal audit department are going to assist with the statutory
audit. The chief internal auditor will provide you with documentation on the
computerised inventory systems at Tirol Co. The documentation provides
details of the software and shows diagrammatically how transactions are
processed through the inventory system. This documentation can be used to
significantly decrease the time needed to understand the computer systems and
enable audit software to be written for this year's audit.
Required
(a) Explain four benefits of using audit software in the audit of Tirol Co.
(b) Explain how you will evaluate the computer systems documentation
produced by the internal audit department in order to place reliance on it during
your audit.

PART FOUR: ORGANIZATION OF THE AUDIT PROCESS
CHAPTER 11
ORGANIZATION OF THE AUDIT PROCESS
LEARNING OBJECTIVES
1. Define the term organization of the audit process
2. Describe the content, method, and steps of audit activities in the preplan
and planning phases
3. Describe the content, method, and steps of audit activities in the
implementing phase
4. Describe the content, method, and steps of audit activities in the completing
phase
5. Clarify the auditor's responsibilities for the going concern assumption,
subsequent events, and documentation in an audit
6. Describe the content, method, and steps of audit activities in the follow-up
phase
INTRODUCTION
In order to form the opinion, the auditors must gather and evaluate
sufficient and appropriate audit evidence. This evidence is collected through
the audit process. Although the audit process is very similar in all audits,
audited entities differ in size, nature, complexity, and objective of the audit.
In order to ensure that audits are conducted effectively and efficiently, they
must be carefully planned, controlled, supervised and managed. This involves
organization of audit work to ensure that audits are properly staffed and
documented.
In this chapter, we discuss the important administrative aspects of an
audit for three types of auditor: internal, external and state audit. We examine
the organization of audit contents, audit methods, and steps of audit activities in
the preplan, planning, implementing, completing, and follow-up stages of an
audit; the principal auditor’s responsibility when parts of an audit are performed
by other auditors or experts; and the importance of auditors directing,
supervising and reviewing work delegated to audit staff.
CONTENT
An audit can be conducted in entities of large, medium or small size,
with simple or complex economic and financial activities, and as a first or a
continuing audit. The contents and procedures may differ under these
conditions, but there are four stages in the audit, including:
- Audit planning;
- Audit implementing;
- Completing the audit;
- Follow up (for internal and public sector audit).
Organization¹ of the auditing process can be understood as the way of
planning, conducting, completing and following up the audit operations according
to specific phases (in line with the stages of the work’s progress) to achieve the
general missions, functions or objectives of an audit organization. Implementing
the organization of the audit process can mean selecting the organization of
audit contents, methods and phases in practice. Moreover, the organization of the
audit process also emphasizes the persons who are responsible for the work in
each step of the audit.
Organization of the audit contents: Depending on the management requirements
for the subject matter, the auditor can identify and implement all three audit
contents or just one of them: performance audit, compliance audit or financial
statements audit.
Organization of the audit methods: This includes the identification and
implementation of all audit measures, tests and procedures to reach the audit
objectives. For a financial statements audit, depending on the specific audit
approach, the auditor will use tests of controls, substantive tests, and other
audit procedures to gather audit evidence. For a performance audit, auditors apply
a number of popular methods such as examination, interview, analysis, research,
observation, evaluation of typical cases, and re-modelling. For a compliance audit,
auditors can combine some of the methods applied for financial statements audits
and performance audits, e.g. research of documents, observation and interview, to
collect sufficient appropriate audit evidence.
¹ Organization, as a system, is an organized collection of parts that are highly
integrated in order to accomplish an overall goal. Systems have inputs, processes,
outputs and outcomes.

Organization of the audit stages: This includes a set of interacting work
activities followed by the auditor from the beginning to the completion stage.
The organization of the audit stages may vary depending upon the specific type of
audit, its objectives, nature, timing and other resources relating to the audit.
Staff organization in an audit can be understood as the group of people and
constituent components in an audit organization, which are organized according to
a specific structure to carry out the overall goals, tasks and functions set out by
the audit entity. The contents of staff organization in an audit include: the model
and organizational structure of the audit firm; and auditors and the relations
between auditors and other bodies in each type of audit entity, including
independent audit firms, internal audit and state audit.
Organization of the audit documentation refers to the way in which the audit
firm organizes the collection of sufficient and appropriate documentation on a
timely basis in order to enhance audit quality control and facilitate the effective
review and evaluation of the audit evidence obtained and conclusions in each audit
step, in compliance with the auditing standards and other related regulations.
The audit process is effectively organized when: (i) the results of the
audit activity's work in the process achieve the purpose and responsibility
included in the audit policy; (ii) the audit activity conforms with the auditing
standards; and (iii) the individuals who are part of the audit activity
demonstrate conformance with the Code of Ethics and the auditing standards.
To make the content of the organization of the audit process clear, the
following sections describe a set of interrelated work activities through each
developmental phase of an audit process, especially for the organization of the
independent audit of financial statements. For the organization of other audits,
the discussion focuses on the main features.
11.1. PREPLAN THE AUDIT
Most preplanning takes place early in the engagement. An audit
organization must decide whether to accept or continue doing the audit for the
entity, obtain an engagement letter and select staff for the engagement. There
are three main reasons why the auditor should properly plan engagements: (i)
to enable the auditor to obtain sufficient and competent evidence for the
circumstances; (ii) to keep the audit costs reasonable; and (iii) to avoid
misunderstandings with the entity.
11.1.1. Audit engagement acceptance
For the independent audit, after receiving an offer letter from the client,
the audit firm must consider which clients are acceptable. Most auditors
investigate the company in the case of a new client, or evaluate an existing
client, to determine its acceptability. The auditor must perform procedures
regarding the continuance of the client relationship and the specific audit
engagement; evaluate ethical requirements, including independence required by
the standard on quality control; and establish an understanding of the audit
engagement.
In general, the auditor will obtain some important information such as:
- The prospective client's standing in the business community, financial
stability…;
- Identify the client's reasons for the audit;
- Consider the client's requirements for the audit, such as audit
objectives, scope, timing,… in conformity with the professional standards;
- Prepare to obtain an engagement letter. This is an agreement between
the audit firm and the client for the conduct of the audit and related services.
VSA 21 Terms of Audit Engagement requires the auditor and the entity to agree
on the terms of engagement. This letter to the client documents and confirms
the auditor's acceptance of the appointment, the objective and scope of the
audit, the extent of the responsibilities to the client and the form of any reports.
For internal and state audit, there is no audit engagement acceptance
because the audit plan is arranged and approved in advance by the management
entity, or by legislature and government bodies, as part of annual audit
planning. In other words, internal and state audits are compulsory audits, so
the subject matters are audited according to the requirements of laws and
regulations. These auditors do not normally have the option of rejecting an
assignment, even if the preconditions are not met.
11.1.2. Select staff and facilities for the engagement
Assigning the appropriate staff to the engagement is important to meet
auditing standards and to promote audit efficiency. The number and quality of
audit staff needed on an engagement depend on the complexity and extent of the
audit work anticipated. Staff should have experience at several levels, and a
good understanding of the entity's industry as well as its financial statements.
Facilities to be prepared for the engagement include documents, working
papers, fees, transportation, and other related items.
11.2. AUDIT PLANNING
The auditor and the audit organization should plan the audit work so that
the audit will be performed in an effective manner. Planning should be
developed for each audit. The extent of planning will vary according to the
different types of audits and auditors, size of the entity, the complexity of the
audit and the auditor's experience with the entity and knowledge of the
business. Planning has the following components:
- Overall audit strategy;
- Audit plan.
11.2.1. Overall audit strategy
Overall audit strategy means the core direction, focal content, and
general approach developed at the top level of an audit based upon auditor's
knowledge of the entity's business operations and environment. This is an
important document to develop an audit plan. To make overall audit strategy,
the auditor will meet the client and collect the information about client's
business and industry, company's operations, internal control management…
Knowledge of the client's business, operations and finance can be obtained in
different ways. These include discussions with the previous or current
auditors, conferences with the client's personnel, or tours of the plants and
offices. This will help the auditor assess acceptable audit risk and inherent
risk more effectively. The auditor shall establish an overall audit strategy that
sets the scope, timing and direction of the audit, and that guides the
development of the audit plan.
According to ISA 300 Planning of the audit of financial statements, in
establishing the overall audit strategy, the auditor shall: (i) identify the
characteristics of the engagement that define its scope; (ii) ascertain the
reporting objectives of the engagement to plan the timing of the audit and the
nature of the communications required; (iii) consider the factors that, in the
auditor's professional judgment, are significant in directing the engagement
team's efforts; (iv) consider the results of preliminary engagement activities
and, where applicable, whether knowledge gained on other engagements performed
by the engagement partner for the entity is relevant; and (v) ascertain the
nature, timing and extent of resources necessary to perform the engagement.
Similarly, ISSAI 200 Fundamental principles of financial auditing gives the same
requirements for auditors in the public sector.
For the compliance audit or performance audit, the auditor should select
audit topics through the state audit or internal audit's strategic planning process
by analysing potential topics and conducting research to identify risks and
problems. The audit topic should be significant and auditable in keeping with
the state audit or internal audit's mandate.
The overall audit strategy is prepared by the engagement partner and/or the
Director (or leader) of the audit firm.
11.2.2. Audit plan
Audit plan means developing the overall audit strategy and a detailed
approach for the expected nature, timing and extent of the audit procedures to
be performed by engagement team members. The objective of an audit plan is to
enable the auditor to perform the audit in an efficient and timely manner. An
audit plan is developed for each audit and needs to be sufficiently detailed to
guide the development of the audit program. Planning for these audit procedures
takes place over the course of the audit as the audit plan for the engagement
develops.
Matters to be considered in developing the audit plan include:
- Knowledge of the entity's environment, including internal control and
business matters such as general economic factors and industry conditions
affecting the entity's business; important characteristics of the entity; the
competence of management; and understanding the internal control system,
including its components and its effect on material misstatement;
- Assessment of material misstatements at the financial statement and
assertion levels and the identification of significant material misstatement
areas; identifying the nature, timing, and extent of planned risk assessment
procedures;
- Setting of materiality for each objective.
After evaluating these aspects, the auditor will determine the nature, timing,
and extent of procedures for each segment or for the overall financial
statements, as well as the coordination, direction, supervision, and review of
the audit.
According to Internal Audit Standards, in planning the engagement
internal auditor must consider: (i) The objectives of the activity being reviewed
and the means by which the activity controls its performance; (ii) The
significant risks to the activity, its objectives, resources, and operations and the
means by which the potential impact of risk is kept to an acceptable level; (iii)
The adequacy and effectiveness of the activity's risk management and control
processes compared to a relevant control framework or model; and (iv) The
opportunities for making significant improvements to the activity's risk
management and control processes.
The following steps set out the contents of risk-based audit planning:
Step 1: Preparation for audit planning: this is based on the needs of the
related parties, who meet to discuss changes in regulations and in the operations
of the entity, as well as inherent risks that need to be included in the working
plan of an audit.
Step 2: Selection of possible units to be audited. The content may include:
✓ Understanding the entity's operating environment (including its internal
control); this is an important part of applying the risk-based method, as this
knowledge will help the auditor determine the areas of material misstatement.
✓ Finding out which main areas or business cycles have a material impact, and
the account balances and disclosures (for a financial statements audit); or
finding out non-compliant behaviours (for a compliance audit); or the audited
activities (for a performance audit). From these, the main areas suspected of
material errors can be identified.
✓ Recognizing the material misstatements caused by fraud based on the
chosen audit objects.
✓ Deciding an expected materiality level sufficient to assess the effects
of material errors discovered during the audit, as well as those yet to be
discovered, where they would affect the auditor's opinion.
Step 3: Initiation of risk assessment for a financial statements audit. The risk
assessment is based on the following:
✓ Risks are classified into three levels (high, medium, and low),
corresponding to three trends of change (increasing, stable, and decreasing),
based on the level of inherent risk and the determined control risk.
✓ The purpose of the risk assessment process is to draw up a risk matrix,
determining the audited units with high, medium or low risk profiles. From these,
a decision is made on the audit frequency and the allocation of audit resources.
Step 4: Improvement of risk-based audit planning
Based on the determined risk levels, the auditor will propose (a) detailed
audit content; (b) expected procedures (methods) to collect evidence, focusing on
areas suspected of material misstatement for each audit objective; and (c) a
planned audit program based on the auditor's knowledge of the risks of material
misstatement in each unit. The risk-based audit plan must be updated, changed and
modified to match the operations of the entity and changes in the risks. During
the planning stage, the auditor needs to discuss the expected plan content, or
any changes to it, with the entity.
Both the overall strategy and the audit plan need to be documented. They
must also be updated during the course of the audit.

11.2.3. Audit program

An audit program should be developed for each audit. It refers to a set of
instructions to the auditor and assistants involved in an audit and a means to
control and record the proper execution of the work. The audit program may
also contain the audit objective for each area, the nature, timing and extent of
planned audit procedures required to implement the audit plan. Normally, there
is an audit program for each component of the audit.
The audit plan and audit program should be revised as necessary during
the course of the audit because of changes in conditions or unexpected results
of audit procedures.
11.3. AUDIT IMPLEMENTING
In the audit implementing stage, the auditor will use audit methods and audit
tests to obtain sufficient appropriate audit evidence. In the audit of financial
statements, audit implementing can be done by performing tests detail of
controls and substantive tests. The objectives of this phase are to obtain
evidence in support of suitable and effective controls that contribute to the
auditor's assessed control risk, and evidence of monetary misstatements of
transactions, account balances and disclosures in the financial statements. The
results of these tests will provide sufficient and reliable evidence to issue
the audit report.

11.3.1. Implementing tests detail of controls


Tests detail of controls are performed to obtain audit evidence about the
continuity and effectiveness of the internal controls operating throughout the
period in the auditee.
In the planning phase, the auditor has obtained only a preliminary
understanding of the accounting and internal control system, and has focused
attention on both the design and the operation of aspects of this system. That
understanding is used to assess preliminary control risk at the assertion level
for each material account balance, class of transactions, or disclosure.
In the implementing phase, based on the preliminary understanding, the
auditor must re-evaluate the effectiveness of the internal control system. Where
the auditor believes control policies and procedures are effectively designed,
and where it is efficient to do so, he or she will perform tests detail of
controls (for these specific internal controls). Thus the amount of additional
evidence required for tests detail of controls depends on the extent of evidence
obtained in gaining the understanding. When obtaining audit evidence from
tests detail of controls, the auditor should consider the sufficiency and
appropriateness of the audit evidence to support the assessed level of control
risk. The aspects of evidence are:
- The existence of a suitably designed accounting and internal control
system to prevent and/or detect and correct material misstatements; and
- The effective operation of the accounting and internal control system
throughout the relevant period.
The more effectively internal controls are designed and operated (low or
medium control risk after re-evaluation from the planning stage), the more the
nature, timing and extent of the substantive procedures can be reduced.
11.3.2. Implementing substantive tests

Financial statements are the end product of the accounting process, in
conformity with accounting standards or generally accepted accounting
principles. These are the criteria (assertions) that management uses to record
and disclose accounting information in financial statements. Audits are
performed by dividing the financial statements into smaller segments or
components. In order to issue a financial statements audit report, the auditor
should give an opinion about related types (or classes) of transactions, account
balances, and disclosures in the same segment. In other words, the auditor must
audit the criteria of the information presented in financial statements; that
is, the auditor's primary responsibility is to determine whether management's
assertions about the financial statements are justified. To accumulate evidence
relating to the assertions of financial statements, the auditor must perform
substantive tests. This means testing the accounting process and the related
accounting information.
A substantive test is a procedure designed to test for dollar misstatements
directly affecting the correctness of financial statement balances. Substantive
tests are of two types: analytical procedures and tests of details of
transactions and balances. The purpose of substantive tests is to determine
whether all assertion-related audit objectives have been satisfied for each
class of transactions or account balance.
Evidence gained from analytical procedures can be used to identify
unusual fluctuations and to focus on specific audit issues, while evidence
gained from tests of details of transactions and account balances relates to the
process of recording, classifying and summarizing them, and to their
presentation. When obtaining audit evidence from substantive procedures, the
auditor should consider the sufficiency and appropriateness of audit evidence
from such procedures, together with any evidence from tests of controls, to
support financial statement assertions.
11.3.3. Analyzing, evaluating the evidence and making decision
The auditor should obtain sufficient appropriate audit evidence to be able
to draw reasonable conclusions on which to base the audit opinion on the
financial statements (or segments of them) of the entity being audited.
Procedures for obtaining audit evidence are: inspection, observation, inquiry
and confirmation, computation, and analytical procedures. If unable to obtain
sufficient appropriate audit evidence, however, the auditor should perform other
audit procedures or express a suitable opinion.

The auditor can use evidence from experts, the internal auditor, other
related parties, or management representations, but he/she must take serious
responsibility for this evidence.
If the evidence gained from the related parties is limited, the auditor
would consider performing procedures such as:
- Confirming the terms and amount of the transactions with the related
party;
- Inspecting evidence in possession of the related party;
- Confirming or discussing information with persons associated with the
transaction such as: bank, lawyer, guarantors, and agents.
During the audit process, the auditor can request a representation letter
from management. VSA 580.08 states that, when representations relate to
matters which are material to the financial statements, the auditor will need to:
- Seek corroborative audit evidence from sources inside or outside the
entity to judge the management representation;
- Evaluate whether the representations made by the director appear
reasonable and consistent with other audit evidence obtained; and
- Consider whether the individual making the representations can be
expected to be well informed on the particular matters.
Representations cannot be a substitute for other audit evidence that
the auditor could obtain. If a representation is contradicted by other audit
evidence, the auditor should investigate the circumstances and, where necessary,
reconsider the reliability of the audit evidence gained and of other
representations made by the director.
VSA 500 states that the validity of evidence is a matter of professional
judgment. In exercising that judgment, the auditor should consider quality,
consistency, independence, sufficiency and cost. The quality of evidence is
determined by the process which creates the evidence. The auditor must therefore
seek a balance of evidence and look for consistency between sources when making
a judgment on a financial report, and take note of the relationship between
evidence-gathering procedures when deciding the nature, timing and extent of
testing for the next steps.

11.4. AUDIT COMPLETING
After the two phases are finished, it is necessary to review for contingent
liabilities and subsequent events, accumulate some additional evidence for the
financial statements, summarize the results, issue the audit report, and complete
the documentation.
11.4.1. Issue audit reports and management letter
11.4.1.1. Review going concern assumption
The going concern assumption is the basic principle for the preparation and
disclosure of financial statements. An entity is assumed to be a going concern
for the foreseeable future, normally not exceeding one year after period end;
that is, the entity is assumed to have neither the intention nor the need to
liquidate or curtail materially the scale of its operations. Accordingly, assets
and liabilities are recorded on the basis that the entity will be able to realize
its assets and discharge its liabilities in the normal course of business.
Management should make an assessment of an enterprise's ability to continue
as a going concern. Financial statements should be prepared on a going concern
basis unless management intends to liquidate the enterprise or for other reasons.
Accounting standard “Presentation of financial statements” states: When
preparing financial statements, management should make an assessment of an
enterprise’s ability to continue as a going concern. Financial statements should
be prepared on a going concern basis unless management intends to liquidate
the enterprise or to cease trading, or has no realistic alternative but to do so.
When management is aware, in making its assessment, of material uncertainties
related to events or conditions which may cast significant doubt upon the
enterprise’s ability to continue as a going concern, those uncertainties should
be disclosed. When the financial statements are not prepared on a going
concern basis, that fact should be disclosed, together with the basis on which
the financial statements are prepared and the reasons why the enterprise is not
considered to be a going concern.
Responsibility of the Auditor and the Audit firm
According to VSA 570 “Going concern”, the responsibility of the auditor and
the audit firm is to consider the appropriateness of management’s use of the
going concern assumption in the preparation of the financial statements, and to
consider whether there are material uncertainties about the entity’s ability to
continue as a going concern that need to be disclosed in the financial
statements.
In planning the audit, the auditor and the audit firm should consider
whether there are events or conditions which may cast significant doubt on the
entity’s ability to continue as a going concern.
The auditor and the audit firm should remain alert for evidence of events
or conditions which may cast significant doubt on the entity’s ability to
continue as a going concern throughout the audit. The auditor and the audit firm
should evaluate management’s assessment of the entity’s ability to continue as
a going concern.
When events or conditions have been identified which may cast
significant doubt on the entity’s ability to continue as a going concern, the
auditor and audit firm should:
+ Review management’s plans for future actions based on its going
concern assessment;
+ Gather sufficient appropriate audit evidence to confirm or dispel
whether or not a material uncertainty exists through carrying out procedures
considered necessary, including considering the effect of any plans of
management and other mitigating factors; and
+ Seek written representations from management regarding its plans for
future action.
When forming conclusions and reporting, the auditor and the audit firm should
determine if, in the auditor’s judgment, a material uncertainty exists related to
events or conditions that, alone or in aggregate, may cast significant doubt on
the entity’s ability to continue as a going concern.
If adequate disclosure is made in the financial statements, the auditor and
the audit firm should express an unqualified opinion but modify the auditor’s
report by adding an emphasis of matter paragraph that highlights the existence
of a material uncertainty relating to the event or condition that may cast
significant doubt on the entity’s ability to continue as a going concern and
draws attention to the note in the financial statements. If adequate disclosure
is not made in the financial statements, the auditor and the audit firm should
express a qualified or adverse opinion, as appropriate, following auditing
standard “The auditor’s report on financial statements”.
In addition, during the auditing process, the auditor should review the
circumstances of events or conditions which may cast significant doubt about
the going concern assumption, such as financial indications, operating
indications, or other indications, before giving an opinion on the financial
statements. When a question arises concerning the appropriateness of the going
concern basis, it may be necessary to employ additional procedures, to modify or
extend existing procedures, or to update earlier information. Analytical
procedures, particularly ratio analysis, are commonly used to address the
appropriateness of the going concern basis for an entity.
Based on the audit evidence obtained, the auditor and audit firm should
determine if, in the auditor's judgment, a material uncertainty exists related to
events or conditions that alone or in aggregate, may cast significant doubt on
the entity's ability to continue as a going concern. Depending on whether the
going concern assumption is appropriate, the auditor will issue a suitable
audit report.
11.4.1.2. Issue audit report
The report is considered the primary product of the audit process. Audit
report is a written document prepared and issued by the auditor and audit firm to
express their opinion on the financial statements of an entity being audited. The
requirements for issuing audit reports are derived from the auditing standards for
reporting. VSA 700 requires that the auditor and the audit firm should review
and assess the conclusions drawn from the audit evidence obtained and use such
conclusions as the basis for the expression of an opinion on the financial
statements. The types of audit reports are discussed in chapter 3.
11.4.1.3. Management letter
To assist the entity in restructuring its financial management and
improving the internal control system, the auditor and audit firm may
circulate a management letter.
The management letter discusses in detail the matters noticed, in terms
of observations, implications, recommendations and management's responses
associated therewith. Although the management letter represents part of the
audit engagement, its attachment to the audit report is not always required.

11.4.2. Completion documentation and review subsequent events
11.4.2.1. Completion documentation
After issuing the audit report, the auditor must arrange all information and
documents related to the audit in the audit file. According to VSA 230-02,
the auditor should obtain and record in the audit file all documents and
information which are important in providing evidence to support the audit
opinion and evidence that the audit was carried out in accordance with VSAs or
ISAs accepted in Vietnam. Documentation means the materials (working
papers) prepared, or obtained and retained, classified and used by the auditor.
The auditor should record in the working papers and keep in the audit
file information and documents in relation to:
- The audit planning;
- The audit performance: nature, timing, and extent of the audit
procedures conducted;
- The results of the procedures conducted; and
- The conclusions drawn from the audit evidence obtained.
Working papers also record the results from tests and reviews of the
quality control of an audit by authorized persons as regulated by the audit firm.
The working papers should adequately enable the auditor to form an
opinion and provide another auditor who has no previous experience
with the audit, and the reviewer, with an understanding of the work
performed and the basis on which his/her opinion is shaped.
VSA 230.12 states that working papers should be prepared and
arranged into permanent audit files and current audit files. Permanent audit
files include documents and materials containing general information on an
audit client, serving one or more audits concerning a number of fiscal years of
the client. And current audit files include documents and materials containing
specific information on an audit client, serving the audit of a single fiscal year.
Working papers are the property of, and are owned by, the audit firm.
This documentation should be retained for a period sufficient to meet the
needs of the practice and in accordance with the legal requirements for records
retention and those established by the profession and each audit firm.

11.4.2.2. Review subsequent events
VSA 560.02-04 states that the auditor should consider the effect of
subsequent events on the financial statements and on the audit report.
Subsequent events are intervening events affecting the financial
statements that occur after period end up to the date of the audit report,
and facts discovered after the date of the audit report. Two types of events
occurring after period end are identified, namely:
- Those that provide further evidence of conditions that existed at period end;
and
- Those that are indicative of conditions that arose subsequent to period
end.
Subsequent events relating to the responsibility of the auditor and the audit
firm are defined as occurring in three phases:
- Events occurring up to the date of the audit report;
- Facts discovered after the date of the audit report but before the financial
statements are issued;
- Facts discovered after the financial statements have been issued.
(1) Events occurring up to the date of audit report
The auditor should perform procedures designed to obtain sufficient
appropriate audit evidence that all events up to the date of audit report that may
require adjustment of, or disclosure in, the financial statements have been
identified.
When the auditor becomes aware of events which materially affect the
financial statements, the auditor should consider whether such events are
properly accounted for and adequately disclosed in the financial statements.
(2) Facts discovered after the date of audit report but before the
financial statements are issued
The auditor does not have any responsibility to perform procedures or
make any inquiry regarding the financial statements after the date of the audit
report. Management has a responsibility to monitor events during that time and
to inform the auditor of any events that affect the financial report. The auditor
who becomes aware of these events and believes the financial report needs to be
amended should discuss this with management. If the financial report is
amended, the auditor should perform procedures that will enable the preparation
of an audit report on the amended financial report. The action taken depends on
the circumstances and the legal rights available to the auditor. When
management does not amend the financial statements in circumstances where
the auditor believes they need to be amended and the audit report has not been
released to the entity, the auditor and the audit firm should express a qualified
opinion or an adverse opinion.
(3) Facts discovered after the financial statements have been issued
After the financial statements have been issued, the auditor has no
obligation to make any inquiry regarding any data or events covered by the
audited financial statements.
When, after the financial statements have been issued, the auditor
becomes aware of a fact that materially affects the financial report previously
reported upon, and which existed but was not known to the auditor at the date of
the auditor's report and may have caused the auditor to modify the audit report, the
auditor should consider whether the financial statements need revision, should
discuss the matter with management, and should take the action appropriate in
the circumstances. The new audit report has a new date, refers to the previous
report issued by the auditor and includes an emphasis of matter paragraph
which refers to the explanatory note on the reason for the revised financial
report.
11.5. FOLLOW UP AND MONITOR OF AUDIT QUALITY
This phase is usually carried out by the internal audit or state audit
organization and includes follow-up and monitoring of audit quality.
Follow up
The contents of this phase include: (i) Checking the deadline of report
submission and the performance outcome against the requirements in the audit
report; (ii) Examining the audited unit's report on the status and
outcome of implementing the audit recommendations from the group of auditors; (iii)
Collecting evidence about how the audited unit carries out the recommendations of the
group of auditors; (iv) Reporting the results of the audited unit's implementation of
the auditors' recommendations to the Board of Management, the chief internal auditor
and the Board of Executive in the entity or the legislatures.
According to Internal Standard 2500.A1, the chief audit executive must
establish a follow-up process to monitor and ensure that management actions
have been effectively implemented or that senior management has accepted the
risk of not taking action. The internal audit activity must monitor the
disposition of results of consulting engagements to the extent agreed upon with
the client.
Monitor of audit quality
According to revised standards for audit quality practices, the assurance of
quality for auditing must include internal and independent evaluations. The
chief audit executive is the one responsible for monitoring and evaluating the
quality of auditing in an audit. The results of external and internal assessments
are communicated upon completion of such assessments and the results of
ongoing monitoring are communicated at least annually.
REVIEW QUESTIONS AND PROBLEMS
Short review questions
1. Identify the main work that auditors have to perform when conducting
an audit.
2. Why must auditors understand and assess the client's internal controls
when planning an audit?
3. What are subsequent events after the reporting date? What are auditors'
responsibilities for those events? How should auditors deal with those events?
4. Identify audit procedures that auditors should carry out when there is a
substantial doubt about the client's ability to continue as a going concern for a
reasonable period of time.
True or false questions: Is the following statement true or false?
1. Audit quality is achieved when the audit is performed in accordance
with VSA and when it provides reasonable assurance that the financial
statements have been presented in accordance with VSA and are not materially
misstated due to errors or fraud.
2. One of the key drivers of audit quality is the gross margin achieved by
the audit firm and the ability of the engagement partner to maintain those
margins over the duration of the audit engagement.
3. The engagement letter states the scope of the work to be done on the
audit so that there should be no doubt in the mind of the client, external auditor,
or the court system as to the expectations agreed to by the external auditor and
the client.
4. Performing analytical review procedures in the final review phase of
the audit is optional.
5. One of the purposes of a management representation letter is to
confirm oral responses obtained by the auditor earlier in the audit and the
continuing appropriateness of those responses.
6. The auditor is required to communicate certain issues with the audit
committee; this communication is important because the audit committee
serves as an independent subcommittee of the board of directors, and the audit
committee can also assist the auditor should a disagreement occur between the
auditor and management.
7. One of the issues that the auditor is required to communicate to the
audit committee is the competence, training, and industry specialization of each
of the highest ranking members of the engagement team (the partner, manager,
and audit senior).
8. The management letter helps to provide management comfort that the
auditor has done a quality job and that the auditor knows and understands the
client’s business.
9. Audit firms may discontinue serving a client because the client does
not fit the profile or growth strategy of the audit firm.
10. The going-concern evaluation is based on information obtained from
normal audit procedures performed to test management’s assertions; no
separate procedures are required, unless the auditor believes that there is
substantial doubt about the client’s ability to continue as a going concern.
Multiple choice questions
1. Which of the following factors is not a driver of audit quality?
a. Audit firm culture.
b. Skills and personal qualities of client management.
c. Reliability and usefulness of audit reporting.
d. Factors outside the control of auditors.
2. The auditor discovers various errors in the client’s financial statements
during the audit. At the end of the audit, these misstatements are analyzed to
determine if they need to be recorded and corrected. In which situation could
management and the auditor decide not to correct the misstatement?
a. If, by correcting the misstatement, net income would increase rather
than decrease.
b. If, by correcting the misstatement, net income would decrease rather
than increase.
c. If the misstatement is material.
d. If the misstatement is immaterial.
3. In evaluating whether the client is a going concern, the auditor should ask
which of the following questions?
a. Are there indicators of going concern problems?
b. Is it likely that management can mitigate the problems?
c. Are disclosures about the problems adequate?
d. All of the above.
4. Which of the following statements concerning analytical review procedures
at the completion of the audit is false?
a. Analytical procedures help auditors assess the overall presentation of
the financial statements.
b. The auditor’s expectations in final analytical procedures should be
more precise than those for substantive analytics.
c. Auditing standards require the use of analytical procedures in the final
review phase of the audit to assist in identifying ending account relationships
that are unusual.
d. Ratio analysis, common-size analysis, and analysis of the dollar and
percentage changes in each income statement item over the previous year are
useful for performing final analytical procedures.
5. In completing the audit, the auditor must obtain a management
representation letter. Which of the following statements about the management
representation letter is false?
a. The management representation letter is intended to remind
management about its responsibility for the financial statements.
b. The management representation letter is prepared on the client’s
letterhead, is addressed to the auditor, and should be signed by the CEO and the
CFO.
c. Management’s refusal to sign the management representation letter is
considered such a violation of ethics and professionalism that auditors of
publicly traded clients must resign from the engagement immediately.
d. The contents of the management representation letter may be limited
to matters that are considered material to the financial statements and should
include representations about known fraud involving management or
employees.
6. Which of the following items is normally not present in the management
letter?
a. The auditor’s observations and recommendations to management.
b. Management’s response.
c. The issue of whether/how management responded to the management
letter related to the prior year’s audit.
d. What actions the auditor will take in the subsequent year audit to help
management address the identified weaknesses.
7. What are the purposes of planning the audit?
(1) To ensure appropriate attention is devoted to different areas of the
audit
(2) To identify potential problem areas
(3) To facilitate delegation of work to audit team members
(4) To ensure the audit is completed within budget and time restraints
a. (1), (2), (3) and (4)
b. (1), (3) and (4)
c. (1), (2) and (3)
d. (2) and (3)
8. Which of the following statements is/are true with respect to analytical
procedures?
(1) Analytical procedures can be used throughout the audit.
(2) Analytical procedures must be used as risk assessment procedures.
a. (1) only
b. (2) only
c. (1) and (2)
d. Neither (1) nor (2)
9. Which of the following must be included in an audit engagement letter?
a. Arrangements concerning the use of experts
b. Obligations to make audit working papers available to other parties
c. Expected form and content of any reports
d. Basis on which fees are computed
10. During the planning stages of the final audit, the auditor believes that the
probability of giving an inappropriate audit opinion is too high.
How should the auditor amend the audit plan to resolve this issue?
a. Increase the materiality level
b. Decrease the inherent risk
c. Decrease the detection risk
11. Auditors usually carry out their audit work at different stages known as the
interim audit and the final audit.
Which of the following statements, if any, is/are correct?
(1) Carrying out tests of control on the company's sales day books would
normally be undertaken during an interim audit.
(2) Review of aged receivables ledger to identify balances requiring
write down or allowance would normally be undertaken during a final audit.
a. Neither (1) nor (2)
b. Both (1) and (2)
c. (1) only
d. (2) only
12. As part of the review stage of an audit, the auditor will consider subsequent
events.
Up to which date does the auditor have an active responsibility to
perform procedures designed to identify subsequent events?
a. The reporting date
b. The date of the auditor's report
c. The date of issue of the financial statements
d. The date of approval of the financial statements
13. M Co has a year end of 31 December 20X4. The auditor has identified that
management's assessment of M Co's ability to continue as a going concern
covers the period to 30 June 20X5.
What action should the auditor take?
a. Request that management extends the assessment period to 30
September 20X5
b. Request that management extends the assessment period to 31
December 20X5
c. Request that management extends the assessment period to 31
December 20X6
d. No action is required provided the auditor is satisfied with
management's assessment to 30 June 20X5
14. Q Co has a year end of 30 June 20X4. Management has assessed the ability
of the company to continue as a going concern based on the period to 30 June
20X5.
Which of the following procedures must the auditor perform to identify
factors that may affect Z Co's ability to continue as a going concern beyond 30
June 20X5?
a. Analysis of cash flow forecasts
b. Review of board minutes
c. Review of loan terms
d. Inquiry of management
15. M Co has a year end of 31 July 20X5. The auditor completed the audit
work on 10 September 20X5 and the auditor's report was signed on 30
September 20X5. The financial statements were issued on 1 November 20X5.
Which of the following would be the most appropriate date for the
directors to sign the written representations letter?
a. 31 July 20X5
b. 10 September 20X5
c. 30 September 20X5
d. 1 November 20X5
16. Which of the following statements regarding analytical procedures is
correct?
a. Analytical procedures must be used as part of the overall review of the
financial statements.
b. Analytical procedures may be used as part of the overall review of the
financial statements.
c. Analytical procedures are only used as risk assessment procedures.