?NOTES Auditing-W

AUDITING
m
ACCOUNTING TECHNICIAN DIPLOMA
co
a.
ny
ke
ea
om
.s
w
w
ATD LEVEL III
w
STUDY TEXT
www.someakenya.com Contact: 0707 737 890 Page 1

CONTENT
1. Nature, purpose and scope of auditing
- Definition of auditing, auditor and an audit

- Explain the principles and processes of an audit
- Differences between auditing and accounting
- The types and timing of audits Consider internal versus external and a focus on the
complimentary role of internal to external, interim and final
- The users of audited financial statements and auditor reports
2. Planning for the audit
- Objectives of planning for the audit work

- Audit plan for a new client
- Audit plan for an existing client
- Developing an overall audit plan
- Limitations of audit plans
3. Internal control system
m
co
- Definition of internal controls and internal control systems
a.
ny
- Purpose of internal control system
ke
ea
- Designing an internal control system
om
- Benefits and limitations of internal control system
.s
w
w
- General controls on:
w
• Sales
• Purchases
• Cash and bank
• Inventory
4. Errors and fraud
- Definition of error and fraud

- Differences between error and fraud
- Types of errors and fraud
5. Audit evidence
- Nature and source of audit evidence

- Types of audit evidence
- Gathering audit evidence
- Reliance on the work on internal auditor
- Contents of audit working papers (excluding their preparation)
- Audit tests
• Compliance tests
• Substantive tests
• Analytical tests
6. Risk based audit
- Definition of audit risks

- Types of audit risks
7. Computerised auditing
- Benefits and drawbacks of computerised accounting systems

- Computer Aided Auditing Techniques (CAATs); Auditing around and through the computer
8. Auditor's report
- Purpose of the auditor's report

- Elements of the auditor's report
- Types of audit reports
9. Professional ethics
m
co
a.
- Importance of professional ethics
ny
ke
- Fundamental ethical principles
ea
om
.s
10. Emerging issues and trends
w
w
w

TOPICS PAGE NUMBER
Topic 1: Nature, purpose and scope of auditing……………………………………………….…5
Topic 2: Planning for the audit………………………………………………………………...…63
Topic 3: Internal control system ……………………………………………………………..…...78
Topic 4: Errors and fraud………………………………………………………………...……….99
Topic 5: Audit evidence…………………………………………………………………………108
Topic 6: Risk based audit………………………………………………………………………..132
Topic 7: Computerised auditing…………………………………………………………………138
Topic 8: Auditor's report……………………………………………………………..….……….161
Topic 9: Professional ethics………………………………………………………….…………..180
m
co
a.
ny
ke
ea
om
.s
w
Revised on: June 2016
w
w

TOPIC 1
NATURE, PURPOSE AND SCOPE OF AUDITING
DEFINITION OF AUDITING, AUDITOR AND AN AUDIT
Auditing
The Institute of Certified Public Accountants of Kenya (ICPAK) defines auditing as the independent
examination of and expression of opinion on, the financial statements of an enterprise by an
appointed auditor in pursuance of that appointment and in compliance with any relevant statutory
obligation,
Auditing the independent examination of and expression of opinion on, the financial statements of
an enterprise by an appointed auditor in pursuance of that appointment and in compliance with any
relevant statutory obligation
Auditor---"Auditor" is used to refer to the person or persons conducting the audit, usually the
engagement partner or other members of the engagement team, or, as applicable, the firm. Where an
m
co
ISA expressly intends that a requirement or responsibility be fulfilled by the engagement partner, the
a.
ny
term "engagement partner" rather than "auditor" is used. "Engagement partner" and "firm" are to be
ke
ea
read as referring to their public sector equivalents where relevant.
om
.s
w
An official whose job it is to carefully check the accuracy of business records. An auditor can be
w
w
either an independent auditor unaffiliated with the company being audited or a captive auditor, and
some are elected public officials. The term is sometimes synonymous with "comptroller." Auditors
are used to ensure that organizations are maintaining accurate and honest financial records and
statements
Audit This is the independent investigation into the quality of published accounting information.
An audit is the independent examination of and expression of an opinion on the financial statements
of an economic entity by appointed auditor in pursuance of that appointment and incompliance with
any relevant statutory obligation.
The objective of an audit is to enable the auditor express an opinion whether financial statements
show a true and fair view of the company state of affairs in accordance with an identified financial
reporting framework.

The purpose of an audit is not to provide additional information but rather it is intended to provide
the users of the accounts with assurance that the information provided to then by directors is reliable.
However, the users should not assume the auditor's opinion is one to efficiency with which
management has conducted the affairs of the entity.
CONDUCT OF AN AUDIT
Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance
with International Standards on Auditing (LAS 200)
The objective of an audit of financial statements is to enable the auditor to express an opinion on
whether the financial statements are prepared, in all material respects, in accordance with an
applicable financial reporting framework.
 This International Standard on Auditing (ISA200) deals with the independent auditor's overall
m
responsibilities when conducting an audit of financial statements in accordance with ISAs.
co
a.
Specifically, it sets out the overall objectives of the independent auditor, and explains the
ny
ke
nature and scope of an audit designed to enable the independent auditor to meet those
ea
objectives. It also explains the scope, authority and structure of the ISAs, and includes
om
requirements establishing the general responsibilities of the independent auditor applicable in
.s
w
all audits, including the obligation to comply with the ISAs. The independent auditor is
w
w
referred to as "the auditor" hereafter.
 ISAs are written in the context of an audit of financial statements by an auditor. They are to
be adapted as necessary in the circumstances when applied to audits of other historical
financial information. ISAs do not address the responsibilities of the auditor that may exist in
legislation, regulation or otherwise in connection with, for example, the offering of securities
to the public. :Such responsibilities may differ from those established in the ISAs.
Accordingly, while the ;auditor may find aspects of the ISAs helpful in such circumstances, it
is the responsibility of the Uuditor to ensure compliance with all relevant legal, regulatory or
professional obligations.

Scope of the Audit
The auditor's opinion on the financial statements deals with whether the financial statements are
prepared, in all material respects, in accordance with the applicable financial reporting framework.
Such an opinion is common to all audits of financial statements.
 The auditor's opinion therefore does not assure, for example, the future viability of the entity
nor the efficiency or effectiveness with which management has conducted the affairs of the
entity. In some jurisdictions, however, applicable law or regulation may require auditors to
provide opinions on other specific matters, such as the effectiveness of internal control, or the
consistency of a separate management report with the financial statements.
 While the ISAs include requirements and guidance in relation to such matters to the extent
that they are relevant to forming an opinion on the financial statements, the auditor would be
required to undertake further work if the auditor had additional responsibilities to provide
such opinions.
An Audit of Financial Statements
The purpose of an audit is to enhance the degree of confidence of intended users in the financial
statements. This is achieved by the expression of an opinion by the auditor on whether the financial
statements are prepared, in all material respects, in accordance with an applicable financial reporting
framework. In the case of most general purpose frameworks, that opinion is on whether the financial
m
co
statements are presented fairly, in all material respects, or give a true and fair view in accordance
a.
ny
with the framework. An audit conducted in accordance with ISAs and relevant ethical requirements
ke
ea
enables the auditor to form that opinion
om
.s
w
The financial statements subject to audit are those of the entity, prepared by management of The
w
w
entity with oversight from those charged with governance. ISAs do not impose responsibilities on
management or those charged with governance and do not override laws and regulations that govern
their responsibilities. However, an audit in accordance with ISAs is conducted on the premise that
management and, where appropriate, those charged with governance have acknowledged certain
responsibilities that are fundamental to the conduct of the audit. The audit of the financial statements
does not relieve management or those charged with governance of their responsibilities:
As the basis for the auditor's opinion, ISAs require the auditor to obtain reasonable assurance about
whether the financial statements as a whole are free from material misstatement, whether due to
fraud or error. Reasonable assurance is a high level of assurance. It is obtained when the auditor has
obtained sufficient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor
expresses an inappropriate opinion when the financial statements are materially misstated) to an
acceptably low level. However, reasonable assurance is not an absolute level of assurance, because
there are inherent limitations of an audit which result in most of the audit evidence on which the
auditor draws conclusions and bases the auditor's opinion being persuasive rather than conclusive.

The concept of materiality is applied by the auditor both in planning and performing the audit, and
in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if
any, on the financial statements. In general, misstatements, including omissions; are considered to be
material if, individually or in the aggregate, they could reasonably be expected to influence the
economic decisions of users taken on the basis of the financial statements. Judgments about
materiality are made in the light of surrounding circumstances, and are affected by the auditor's
perception of the financial information needs of users of the financial statements, and by the size or
nature of a misstatement, or a combination of both... The auditor's opinion deals with the financial
statements as a whole and therefore the auditor is not responsible for the detection of misstatements
that are not material to the financial statements as a whole.
The ISAs contain objectives, requirements and application and other explanatory material that are
designed to support the auditor in obtaining reasonable assurance. The ISAs require that the auditor
exercise professional judgment and maintain professional skepticism throughout the planning and
performance of the audit and, among other things:
 Identify and assess risks of material misstatement, whether due to fraud or error, based on an
understanding of the entity and its environment, including the entity's internal control.
 Obtain sufficient appropriate audit evidence about whether material misstatements exist,
m
through designing and implementing appropriate responses to the assessed risks.
co
a.
 Form an opinion on the financial statements based on conclusions drawn from the audit
ny
ke
evidence obtained.
ea
om
.s
w
The form of opinion expressed by the auditor will depend upon the applicable financial reporting
w
w
framework and any applicable law or regulation.
The auditor may also have certain other communication and reporting responsibilities to users,
management, those charged with governance, or parties outside the entity, in relation to matters
arising from the audit. These may be established by the ISAs or by applicable law or regulation.
Preparation of the Financial Statements
 Law or regulation may establish the responsibilities of management and, where appropriate,
those charged with governance in relation to financial reporting.
 However, the extent of these responsibilities, or the way in which they are described, may
differ across jurisdictions. Despite these differences, an audit in accordance with ISAs is
conducted on the premise that management and, where appropriate, those charged with
governance have acknowledged and understand that they have responsibility:
a) For the preparation of the financial statements in accordance with the applicable financial
reporting framework, including, where relevant, their fair presentation;

b) h) For such internal control as management and, where appropriate, those charged with
governance determine is necessary to enable the preparation of financial statements that
are free from material misstatement, whether due to fraud or error; and
c) To provide the auditor with:
i. Access to all information of which management and, where appropriate, those
charged with governance are aware that is relevant to the preparation of the
financial statements such as records, documentation and other matters;
ii. Additional information that the auditor may request from management and, where
appropriate, those charged with governance for the purpose of the audit; and
iii. Unrestricted access to persons within the entity from whom the auditor determines it
necessary to obtain audit evidence.
The preparation of the financial statements by management and, where appropriate, those charged
with governance requires:
• The identification of the applicable financial reporting framework, in the context of any
relevant laws or regulations.
• The preparation of the financial statements in accordance with that framework.
• The inclusion of an adequate description of that framework in the financial statements.
The preparation of the financial statements requires management to exercise judgment in making
m
co
accounting estimates that are reasonable in the circumstances, as well as to select and apply
a.
ny
appropriate accounting policies. These judgments are made in the context of the applicable financial
ke
ea
om
.s
The financial statements may be prepared in accordance with a financial reporting framework
w
w
w
designed to meet:
• The common financial information needs of a wide range of users (that is, "general purpose
financial statements"); or
• The financial information needs of specific users (that is, "special purpose financial
statements").
 The applicable financial reporting framework often encompasses financial reporting

standards established by an authorized or recognized standards setting organization, or
legislative or regulatory requirements. In some cases, the financial reporting framework may
encompass both financial reporting standards established by an authorized or recognized
standards setting organization and legislative or regulatory requirements.
 Other sources may provide direction on the application of the applicable financial reporting
framework. In some cases, the applicable financial reporting framework may encompass such
other sources, or may even consist only of such sources. Such other sources may include:
• The legal and ethical environment, including statutes, regulations, court decisions, and
professional ethical obligations in relation to accounting matters;

• Published accounting interpretations of varying authority issued by standards setting,
professional or regulatory organizations;
• Published views of varying authority on emerging accounting issues issued by standards
setting, professional or regulatory organizations;
• General and industry practices widely recognized and prevalent; and
• Accounting literature.
 Where conflicts exist between the financial reporting framework and the sources from which
direction on its application may be obtained, or among the sources that encompass the
financial reporting framework, the source with the highest authority prevails.
 The requirements of the applicable financial reporting framework determine the form and
content of the financial statements. Although the framework may not specify how to account
for or disclose all transactions or events, it ordinarily embodies sufficient broad principles
that can serve as a basis for developing and applying accounting policies that are consistent
with the concepts underlying the requirements of the framework.
 Some financial reporting frameworks are fair presentation frameworks, while others are
compliance frameworks. Financial reporting frameworks that encompass primarily the
financial reporting standards established by an organization that is authorized or recognized
to promulgate standards to be used by entities for preparing general purpose financial
statements are often designed to achieve fair presentation, for example, International
Financial Reporting Standards (IFRSs) issued by the International Accounting Standards
Board (IASB).
 The requirements of the applicable financial reporting framework also determine what
constitutes a complete set of financial statements. In the case of many frameworks, financial
m
co
statements are intended to provide information about the financial position, financial
a.
ny
performance and cash flows of an entity.
ke
 For such frameworks, a complete set of financial statements would include a balance sheet;
ea
om
an income statement; a statement of changes in equity; a cash flow statement; and related
.s
notes. For some other financial reporting frameworks, a single financial statement and the
w
w
w
related notes might constitute a complete set of financial statements:
• For example, the International Public Sector Accounting Standard (IPSAS), Financial
Reporting under the Cash Basis of Accounting, issued by the International Public Sector
Accounting Standards Board states that the primary financial statement is a statement of
cash receipts and payments when a public sector entity prepares its financial statements in
accordance with that IPSAS.
• Other examples of a single financial statement, each of which would include related notes,
are:
i. Balance sheet.
ii. Statement of income or statement of operations.
iii. Statement of retained earnings.
iv. Statement of cash flows
Statement of assets and liabilities that does not include owner's equity
i) Statement of changes in owners' equity.

ii) Statement of revenue and expenses.
iii) Statement of operations by product lines.

 ISA 210 establishes requirements and provides guidance on determining the acceptability of
the applicable financial reporting framework. ISA 800 deals with special considerations when
financial statements are prepared in accordance with a special purpose framework.
 Because of the significance of the premise to the conduct of an audit, the auditor is required
to obtain the agreement of management and, where appropriate, those charged with
governance that they acknowledge and understand that they have the responsibilities set out
earlier as a precondition for accepting the audit engagement.
Considerations Specific to Audits in the Public Sector
'The Mandates for audits of the financial statements of public sector entities may be broader than
those of other entities. As a result, the premise, relating to management's responsibilities, on which
an audit of the financial statements of a public sector entity is conducted may include additional
responsibilities, such as the responsibility for the execution of transactions and events in accordance
with law, regulation or other authority.
Form of the Auditor's Opinion
The opinion expressed 'by the auditor is on whether the financial statements are prepared, in all
material respects, in accordance with the applicable financial reporting framework. The form of the
auditor's opinion, however, will depend upon the applicable financial reporting framework and any
m
applicable law or regulation. Most financial reporting frameworks include requirements relating to
co
a.
the presentation of the financial statements; for such frameworks, preparation of the financial
ny
ke
statements in accordance with the applicable financial reporting framework includes presentation.
ea
om
Where the financial reporting framework is a fair presentation framework, as is generally the case
.s
w
w
for general purpose financial statements, the opinion required by the ISAs is on whether the
w
financial statements are presented fairly, in all material respects, or give a true and fair view. Where
the financial reporting framework is a compliance framework, the opinion required is on whether the
financial statements are prepared, in all material respects, in accordance with the framework. Unless
specifically stated otherwise, references in the ISAs to the auditor's opinion cover both forms o
opinion.
Overall Objectives of the Auditor
In conducting an audit of financial statements, the overall objectives of the auditor are:
a) To obtain reasonable assurance about whether the financial statements as a whole are free
from material misstatement, whether due to fraud or error, thereby enabling the auditor to
express an opinion on whether the financial statements are prepared, in all material respects,
in accordance with an applicable financial reporting framework; and
b) To report on the financial statements, and communicate as required by the ISAs, in
accordance with the auditor's findings.

In all cases when reasonable assurance cannot be obtained and a qualified opinion in the auditor's
report is insufficient in the circumstances for purposes of reporting to the intended users of the
financial statements, the ISAs require that the auditor disclaim an opinion or withdraw (or resign)
from the engagement, where withdrawal is possible under applicable law or regulation.
For purposes of the ISAs, the following terms have the meanings attributed below:
a) Applicable financial reporting framework — The financial reporting framework adopted

by management and, where appropriate, those charged with governance in the preparation of
the financial statements that is acceptable in view of the nature of the entity and the objective
of the financial statements, or that is required by law or regulation.
The term "fair presentation framework" is used to refer to a financial reporting framework
that requires compliance with the requirements of the framework and: , I
i. Acknowledges explicitly or implicitly that, to achieve fair presentation of the financial
statements, it may be necessary for management to provide disclosures beyond those
specifically required by the framework; or
ii. Acknowledges explicitly that it may be necessary for management to depart from a
requirement of the framework to achieve fair presentation of the financial statements.
Such departures are expected to be necessary only in extremely rare circumstances.
The term "compliance framework" is used to refer to a financial reporting framework that
m
requires compliance with the requirements of the framework, but does not contain the
co
a.
acknowledgements in (i) or (ii) above.
ny
ke
ea
b) Audit evidence — Information used by the auditor in arriving at the conclusions on which
om
the auditor's opinion is based. Audit evidence includes both information contained in the
.s
w
accounting records underlying the financial statements and other information.
w
w
For purposes of the ISAs:
(i) Sufficiency of audit evidence is the measure of the quantity of audit evidence. The
quantity of the audit evidence needed is affected by the auditor's assessment of the
risks; of material misstatement and also by the quality of such audit evidence.
(ii) Appropriateness of audit evidence is the measure of the quality of audit evidence;
that i!§, its relevance and its reliability in providing support for the conclusions on
which the auditor's opinion is based.
c) Audit risk — The risk that the auditor expresses an inappropriate audit opinion when the
financial statements are materially misstated. Audit risk is a function of the risks of material
misstatement and detection risk.
d) Auditor — The person or persons conducting the audit, usually the engagement partner or
other members of the engagement team, or, as applicable, the firm. Where an ISA expressly
intends that a requirement or responsibility be fulfilled by the engagement partner, the term
"engagement partner" rather than "auditor" is used. "Engagement partner" and "firm" are to
be read as referring to their public sector equivalents where relevant.
e) Detection risk — The risk that the procedures performed by the auditor to reduce audit risk
to an acceptably low level will not detect a misstatement that exists and that could be
material, either individually or when aggregated with other misstatements.
f) Financial statements — A structured representation of historical financial information,
including related notes, intended to communicate an entity's economic resources or
obligations at a point in time or the changes therein for a period of time in accordance with a
financial reporting framework. The related notes ordinarily comprise a summary of
significant accounting policies and other explanatory information. The term "financial
statements" ordinarily refers to a complete liet of financial statements as determined by the
requirements of the applicable financial reporting Framework, but can also refer to a single
financial statement.
g) Historical financial information — Information expressed in financial terms in relation to
a particular entity, derived primarily from that entity's accounting system, about economic
events occurring in past time periods or about economic conditions or circumstances at
points in time in the past.
h) Management -- The person(s) with executive responsibility for the conduct of the entity's
operations. For some entities in some jurisdictions, management includes some or all of
those charged with governance, for example, executive members of a governance board, or
an owner-manager.
i) Misstatement A difference between the amount, classification, presentation, or disclosure of
a reported financial statement item and the amount, classification, presentation, or disclosure
that is 'required for the item to be in accordance with the applicable financial reporting
framework. Misstatements can arise from error or fraud.
Where the auditor expresses an opinion on whether the financial statements are presented
fairly, in all material respects, or give a true and fair view, misstatements also include those
m
adjustments of amounts, classifications, presentation, or disclosures that, in the auditor's
co
a.
judgment, are iecessary for the financial statements to be presented fairly, in all material
ny
ke
respects, or to give a true and fair view.
ea
om
j) Premise, relating to the responsibilities of management and, where appropriate, those
.s
'Charged with governance, on which an audit is conducted — That management and,
w
w
where appropriate, those charged with governance have acknowledged and understand that
w
they have the following responsibilities that are fundamental to the conduct of an audit in
accordance with ISAs. That is, responsibility:
i. For the preparation of the financial statements in accordance with the applicable financial
reporting framework, including, where relevant, their fair presentation;
ii. For such internal control as management and, where appropriate, those charged with
governance determine is necessary to enable the preparation of financial statements that
are free from material misstatement, whether due to fraud or error; and
iii. To provide the auditor with:
a) Access to all information of which management and, where appropriate, those charged
with governance are aware that is relevant to the preparation of the financial statements
such as records, documentation and other matters;
b) Additional information that the auditor may request from management and, where
appropriate, those charged with governance for the purpose of the audit; and
c) Unrestricted access to persons within the entity from whom the auditor determines it
necessary to obtain audit evidence.

In the case of a fair presentation framework, (i) above may be restated as "for the preparation
and fair presentation of the financial statements in accordance with the financial reporting
framework," or "for the preparation of financial statements that give a true and fair view in
accordance with the financial reporting framework."
The "premise, relating to the responsibilities of management and, where appropriate, those
charged with governance, on which an audit is conducted" may also be referred to as the
"premise."
k) Professional judgment — The application of relevant training, knowledge and experience,

within the context provided by auditing, accounting and ethical standards, in making informed
decisions about the courses of action that are appropriate in the circumstances of the audit
engagement.
l) Professional skepticism — An attitude that includes a questioning mind, being alert to
conditions which may indicate possible misstatement due to error or fraud, and a critical
assessment of audit evidence.
m) Reasonable assurance — In the context of an audit of financial statements, a high, but not
absolute, level of assurance.
n) Risk of material misstatement — The risk that the financial statements are materially
misstated prior to audit. This consists of two components, described as follows at the assertion
level:
i) Inherent risk — The susceptibility of an assertion about a class of transaction,
m
account balance or disclosure to a misstatement that could be material, either
co
a.
individually or when aggregated with other misstatements, before consideration of
ny
1 any related controls.
ke
ea
ii) Control risk The risk that a misstatement that could occur in an assertion about a
om
class of transaction, account balance or disclosure and that could be material, either
.s
w
individually or when aggregated with other misstatements, will not be prevented,
w
w
or detected and corrected, on a timely basis by the entity's internal control.
o) (o) Those charged with governance — The person(s) or organ ization(s) (for example, a
corporate trustee) with responsibility for overseeing the strategic direction of the entity and
obligations related to the accountability of the entity. This includes overseeing the financial
reporting process. For some entities in some jurisdictions, those charged with governance may
include management personnel, for example, executive members of a governance board of a
private or public sector entity, or an owner-manager.
Requirements
Ethical Requirements Relating to an Audit of Financial Statements
The auditor shall comply with relevant ethical requirements, including those pertaining to
independence, relating to financial statement audit engagements.

 The auditor is subject to relevant ethical requirements, including those pertaining to
independence, relating to financial statement audit engagements. Relevant ethical
requirements ordinarily comprise Parts A and B of the International Ethics Standards 'Board
for Accountants' Code of Ethics for Professional Accountants (IESBA Code) related to an
audit of financial statements together with national requirements that are more restrictive.
 Part A of the IESBA Code establishes the fundamental principles of professional ethics
relevant to the auditor when conducting an audit of financial statements and provides a
conceptual framework for applying those principles. The fundamental principles with which
the auditor is required to comply by the IESBA. Code are:
(a) Integrity;
(b) Objectivity;
(c) Professional competence and due care;
(d) Confidentiality; and
(e) Professional behavior.
Part B of the IESBA Code illustrates how the conceptual framework is to be applied in specific
situations.
 In the case of an audit engagement it is in the public interest and, therefore, required by the
IESBA Code, that the auditor be independent of the entity subject to the audit. The IESBA
Code describes independence as comprising both independence of mind and independence in
appearance. The auditor's independence from the entity safeguards the auditor's ability to
form an audit opinion without being affected by influences that might compromise that
opinion. Independence enhances the auditor's ability to act with integrity, to be objective and
m
co
to maintain [An attitude of professional skepticism.
a.
ny
ke
ea
 International Standard on Quality Control (ISQC), or national requirements that are at least as
om
.s
demanding, deal with the firm's responsibilities to establish and maintain its system of quality
w
w
control for audit engagements. ISQC I sets out the responsibilities of the firm for establishing
w
policies and procedures designed to provide it with reasonable assurance that the firm and its
personnel comply with relevant ethical requirements, including those pertaining to
independence.
 ISA 220 sets out the engagement partner's responsibilities with respect to relevant ethical
requirements. These include remaining alert, through observation and making inquiries as
necessary,-for evidence of non-compliance with relevant ethical requirements by members of
the engagement team, determining the appropriate action if matters come to the engagement
partner's attention that indicate that members of the engagement team have not complied with
relevant ethical requirements, and forming a conclusion on compliance with independence
requirements that apply to the audit engagement. ISA 220 recognizes that the engagement
team is entitled to rely on a firm's system of quality control in meeting its responsibilities
with respect to quality control procedures applicable to the individual audit engagement,
unless information provided by the firm or other parties suggests otherwise.

Professional Skepticism
The, auditor shall plan and perform an audit with professional skepticism recognizing that
circumstances may exist that cause the financial statements to be materially misstated.
Professional skepticism includes being alert to, for example:
• Audit evidence that contradicts other audit evidence obtained.

• Information that brings into question the reliability of documents and responses to inquiries to
be used as audit evidence.
• Conditions that may indicate possible fraud.
• Circumstances that suggest the need for audit procedures in addition to those required by the
ISAs.
Maintaining professional skepticism throughout the audit is necessary if the auditor is, for example,
to reduce the risks of:
• Overlooking unusual circumstances.

• Over generalizing when drawing conclusions from audit observations.
• Using inappropriate assumptions in determining the nature, timing and extent of the audit
procedures and evaluating the results thereof.
m
co
 Professional skepticism is necessary to the critical assessment of audit evidence. This includes
a.
ny
questioning contradictory audit evidence and the reliability of documents and responses to
ke
ea
inquiries and other information obtained from management and those charged with governance.
om
It also includes consideration of the sufficiency and appropriateness of audit evidence obtained in
.s
w
the light of the circumstances, for example, in the case where fraud risk factors exist and a single
w
w
document, of a nature that is susceptible to fraud, is the sole supporting evidence for a material
financial statement amount.
 The auditor may accept records and documents as genuine unless the auditor has reason to
believe the contrary. Nevertheless, the auditor is required to consider the reliability of
information to be used as audit evidence. In cases of doubt about the reliability of information or
indications of possible fraud (for example, if conditions identified during the audit cause the
auditor to believe that a document may not be authentic or that terms in a document may have
been falsified), the ISAs require that the auditor investigate further and determine what
modifications or additions to audit procedures are necessary to resolve the matter.
 The auditor cannot be expected to disregard past experience of the honesty and integrity of the
entity's management and those charged with governance. Nevertheless, a belief that management
and those charged with governance are honest and have integrity does not relieve the auditor of
the need to maintain professional skepticiSm or allow the auditor to be satisfied with less than
persuasive audit evidence when obtaining reasonable assurance.

Professional Judgment
The auditor shall exercise professional judgment in planning and performing an audit of financial
statements.
Professional judgment is essential to the proper conduct of an audit. This is because interpretation of
relevant ethical requirements and the 1SAs and the informed decisions required throughout the audit
cannot be made without the application of relevant knowledge and experience to the facts and
circumstances. Professional judgment is necessary in particular regarding decisions about:
• Materiality and audit risk.

• The nature, timing and extent of audit procedures used to meet the requirements of the ISAs
and gather audit evidence.
• Evaluating whether sufficient appropriate audit evidence has been obtained, and whether
more needs to be done to achieve the objectives of the 1SAs and thereby, the overall
objectives of the auditor.
• The evaluation of management's judgments in applying the entity's applicable financial
The drawing of conclusions based on the audit evidence obtained, for example, assessing the
reasonableness of the estimates made by management in preparing the financial statements.
m
co
 The distinguishing feature of the professional judgment expected of an auditor is that it is
a.
ny
exercised by an auditor whose training, knowledge and experience have assisted in
ke
developing the necessary competencies to achieve reasonable judgments.
ea
om
 The exercise of professional judgment in any particular case is based on the facts and
.s
circumstances that are known by the auditor. Consultation on difficult or contentious matters
w
w
during the course of the audit, both within the engagement team and between the engagement
w
team and others at the appropriate level within or outside the firm, such as that required by
ISA ,1220, assist the auditor in making informed and reasonable judgments.
 Professional judgment can be evaluated based on whether the judgment reached reflects a
;competent application of auditing and accounting principles and is appropriate in the light of
and consistent with, the facts and circumstances that were known to the auditor up to the date
of the auditor's report.
 Professional judgment needs to be exercised throughout the audit. It also needs to be
appropriately documented. In this regard, the auditor is required to prepare audit
documentation sufficient to enable an experienced auditor, having no previous connection
with the audit, to understand the significant professional judgments made in reaching
conclusions on significant matters arising during the audit. Professional judgment is not to be
used as the justification for decisions that are not otherwise supported by the facts and
circumstances of the engagement or sufficient appropriate audit evidence.

Sufficient Appropriate Audit Evidence and Audit Risk
- To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to
reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable
conclusions on which to base the auditor's opinion.
- Audit evidence is necessary to support the auditor's opinion and report: It is cumulative in
nature and is primarily obtained from audit procedures performed during the course of the
audit. It may, however, also include information obtained from other sources such as previous
audits (provided the auditor has determined whether changes have occurred since the previous
audit that may affect its relevance to the current audit or a firm's quality control procedures for
client acceptance and continuance. In addition to other sources inside and outside the entity, the
entity's accounting records are an important source of audit evidence.
- Also, information that may be used as audit evidence may have been prepared by an expert
employed or engaged by the entity. Audit evidence comprises both information that supports
and corroborates management's assertions, and any information that contradicts such assertions.
In addition, in some cases, the absence of information (for example, management's refusal to
provide a requested representation) is used by the auditor, and therefore, also constitutes audit
evidence. Most of the auditor's work in forming the auditor's opinion consists of obtaining and
evaluating audit evidence.
- The sufficiency and appropriateness of audit evidence are interrelated. Sufficiency is the
measure of the quantity of audit evidence. The quantity of audit evidence needed is affected by
the auditor's assessment of the risks of misstatement (the higher the assessed risks, the more
audit evidence is likely to be required) and also by the quality of such audit evidence (the
m
co
higher the quality, the less may be required). Obtaining more audit evidence, however, may not
a.
ny
compensate for its poor quality.
ke
- Appropriateness is the measure of the quality of audit evidence; that is, its relevance and its
ea
om
reliability in providing support for the conclusions on which the auditor's opinion is based. The
.s
reliability of evidence is influenced by its source and by its nature, and is dependent on the
w
w
individual circumstances under which it is obtained.
w
- Whether sufficient appropriate audit evidence has been obtained to reduce audit risk to an
acceptably low level, and thereby enable the auditor to draw reasonable conclusions on which
to base the auditor's opinion, is a matter of professional judgment. ISA 500 and other relevant
ISAs establish additional requirements and provide further guidance applicable throughout
the.audit regarding the auditor's considerations in obtaining sufficient appropriate audit
evidence.
Audit Risk
- Audit risk is a function of the risks of material misstatement and detection risk. The
assessment of risks is based on audit procedures to obtain information necessary for that
purpose and evidence obtained throughout the audit. The assessment of risks is a matter of
professional judgment, rather than a matter capable of precise measurement.
- For purposes of the ISAs, audit risk does not include the risk that the auditor might express an
opinion that the financial statements are materially misstated when they are not. This risk is
ordinarily insignificant. Further, audit risk is a technical term related to the process of

auditing; it does not refer to the auditor's business risks such as loss from litigation, adverse
publicity, or other events arising in connection with the audit of financial statements.
Risks of Material Misstatement
The risks of material misstatement may exist at two levels:
• The overall financial statement level; and

• The assertion level for classes of transactions, account balances, and disclosures.
- Risks of material misstatement at the overall financial statement level refer to risks of
material misstatement that relate pervasively to the financial statements as a whole and
potentially affect many assertions.
- Risks of material misstatement at the assertion level are assessed in order to determine the
I nature, timing and extent of further audit procedures necessary to obtain sufficient
appropriate audit evidence. This evidence enables the auditor to express an opinion on the
financial statements at an acceptably low level of audit risk. Auditors use various
approaches to accomplish the objective of assessing the risks of material misstatement.
For example, the auditor may make use of a model that expresses the general relationship
of the components of audit risk in mathematical terms to arrive at an acceptable level of
detection risk. Some auditors find such a model to be useful when planning audit
procedures.
- The risks of material misstatement at the assertion level consist of two components:
m
inherent risk and control risk. Inherent risk and control risk are the entity's risks; they exist
co
a.
independently of the audit of the financial statements.
ny
ke
- Inherent risk is higher for some assertions and related classes of transactions, account
ea
balances, and disclosures than for others. For example, it may be higher for complex
om
calculations or for accounts consisting of amounts derived from accounting estimates that
.s
w
are subject to significant estimation uncertainty. External circumstances giving rise to
w
w
business risks may also influence inherent risk. For example, technological developments
might make a particular product obsolete, thereby causing inventory to be more
susceptible to overstatement.
- Factors in the entity and its environment that relate to several or all of the classes of
transactions, account balances, or disclosures may also influence the inherent risk related
to a specific assertion. Such factors may include, for example, a lack of sufficient working
capital to continue operations or a declining industry characterized by a large number of
business failures.
- Control risk is a function of the effectiveness of the design, implementation and
maintenance of internal control by management to address identified risks that threaten
the achievement of the entity's objectives relevant to preparation of the entity's financial
statements. However, internal control, no matter how well designed and operated, can
only reduce, but not eliminate, risks of material misstatement in the financial statements,
because of the inherent limitations of internal control. These include, for example, the
possibility of human errors or mistakes, or of controls being circumvented by collusion or
inappropriate management override. Accordingly, some control risk will always exist. The
ISAs provide the conditions under which the auditor is required to, or may choose to, test

the operating effectiveness of controls in determining the nature, timing and extent of
substantive procedures to be performed.18
- The 1SAs do not ordinarily refer to inherent risk and control risk separately, but rather to
a combined assessment of the "risks of material misstatement." However, the auditor may
make separate or combined assessments of inherent and control risk depending on
preferred audit techniques or methodologies and practical considerations. The assessment
of the risks of material misstatement may be expressed in quantitative terms, such as in
percentages, or in non-quantitative terms. In any case, the need for the auditor to make
appropriate risk assessments is more important than the different approaches by which
they may be made.
- ISA 315 establishes requirements and provides guidance on identifying and assessing the
risks of material misstatement at the financial statement and assertion levels.
Detection Risk
For a given level of audit risk, the acceptable level of detection risk bears an inverse relationship to
the assessed risks of material misstatement at the assertion level. For example, the greater the risks
of material misstatement the auditor believes exists, the less the detection risk that can be accepted
and, accordingly, the more persuasive the audit evidence required by the auditor.
Detection risk relates to the nature, timing and extent of the auditor's procedures that are determined
by the auditor to reduce audit risk to an acceptably low level. It is therefore a function of the
m
co
effectiveness of an audit procedure and of its application by the auditor. Matters such as:
a.
ny
ke
• adequate planning;
ea
om
• proper assignment of personnel to the engagement team;
.s
• the application of professional skepticism; and
w
w
w
• Supervision and review of the audit work performed assist to enhance the effectiveness of an
audit procedure and of its application and reduce the possibility that an auditor might select
an inappropriate audit procedure, misapply an appropriate audit procedure, or misinterpret
the; audit results.
ISA 300 and ISA 330 establish requirements and provide guidance on planning an audit of financial
statements and the auditor's responses to assessed risks. Detection risk, however, can only be
reduced, not eliminated, because of the inherent limitations of an audit. Accordingly, some detection
risk will always exist.
Inherent Limitations of an Audit
The auditor is not expected to, and cannot, reduce audit risk to zero and cannot therefore obtain
absolute assurance that the financial statements are free from material misstatement due to fraud or
error. This is because there are inherent limitations on f an audit, which result in most of the audit

evidence on which the auditor draws conclusions and bases the auditor's opinion being persuasive
rather than conclusive. The inherent limitations of an audit arise from:
• The nature of financial reporting;

• The nature of audit procedures; and
• The need for the audit to be conducted within a reasonable period of time and at a reasonable
cost:
The Nature of Financial Reporting
The preparation of financial statements involves judgment by management in applying the

requirements of the entity's applicable financial reporting framework to the facts and circumstances
of the entity. In addition, many financial statement items involve subjective decisions or assessments
or a degree of uncertainty, and there may be a range of acceptable interpretations or judgments that
may be made. Consequently, some financial statement items are subject to an inherent level of
variability which cannot be eliminated by the application of additional auditing procedures. For
example, this is often the case with respect to certain accounting estimates. Nevertheless, the ISAs
require the auditor to give specific consideration to whether accounting estimates are reasonable in
the context of the applicable financial reporting framework and related disclosures, and to the
qualitative aspects of the entity's accounting practices, including indicators of possible bias in
m
management's judgments.
co
a.
ny
ke
ea
om
The Nature of Audit Procedures
.s
w
w
There are practical and legal limitations on the auditor's ability to obtain audit evidence. For
w
example:
• There is the possibility that management or others may not provide, intentionally or
unintentionally, the complete information that is relevant to the preparation of the financial
statements or that has been requested by the auditor. Accordingly, the auditor cannot be
certain of the completeness of information, even though the auditor has performed audit
procedures to obtain assurance that all relevant information has been obtained.
• Fraud may involve sophisticated and carefully organized schemes designed to conceal it.
Therefore, audit procedures used to gather audit evidence may be ineffective for detecting an
intentional misstatement that involves, for example, collusion to falsify documentation which
may cause the auditor to believe that audit evidence is valid when it is not.
• An audit is not an official investigation into alleged wrongdoing.
• Accordingly, the auditor is not given specific legal powers, such as the power of search,
which may be necessary for such an investigation.
Timeliness of Financial Reporting and the Balance between Benefit and Cost

- The matter of difficulty, time, or cost involved is not in itself a valid basis for the auditor to
omit an audit procedure for which there is no alternative or to be satisfied with audit evidence
that is less than persuasive. Appropriate planning assists in making sufficient time and
resources available for the conduct of the audit. Notwithstanding this, the relevance of
information, and thereby its value, tends to diminish over time, and there is a balance to be
struck between the reliability of information and its cost.
- This is recognized in certain financial reporting frameworks (see, for example, the IASB's
Framework for the Preparation and Presentation of Financial Statements). Therefore, there is
an expectation by users of financial statements that the auditor will form an opinion on the
financial statements within a reasonable period of time and at a reasonable cost, recognizing
that it is impracticable to address all information that may exist or to pursue every matter
exhaustively on the assumption that information is in error or fraudulent until proved
otherwise.
Consequently, it is necessary for the auditor to:
• Plan the audit so that it will be performed in an effective manner;

• Direct audit effort to areas most expected to contain risks of material misstatement, whether
due to fraud or error, with correspondingly less effort directed at other areas; and
• Use testing and other means of examining populations for misstatements.
m
The ISAs contain requirements for the planning and performance of the audit and require the
co
a.
auditor, among other things, to:
ny
ke
ea
• Have a basis for the identification and assessment of risks of material misstatement at the
om
financial statement and assertion levels by performing risk assessment procedures and related
.s
w
'activities; and
w
w
• Use testing and other means of examining populations in a manner that provides a reasonable
basis for the auditor to draw conclusions about the population.
Other Matters that Affect the Inherent Limitations of an Audit
In the case of certain assertions or subject matters, the potential effects of the inherent limitations on
the auditor's ability to detect material misstatements are particularly significant. Such assertions or
subject matters include:
• Fraud, particularly fraud involving senior management or collusion.

• The existence and completeness of related party relationships and transactions. The
occurrence of non-compliance with laws and regulations.
• Future events or conditions that may cause an entity to cease to continue as a going concern.
Relevant ISAs identify specific audit procedures to assist in mitigating the effect of the inherent
limitations.
Because of the inherent limitations of an audit, there is an unavoidable risk that some material
misstatements of the financial statements may not be detected, even though the audit is properly
planned and performed in accordance with ISAs. Accordingly, the subsequent discovery of a
material misstatement of the financial statements resulting from fraud or error does not by itself
indicate a failure to conduct an audit in accordance with ISAs.
However, the inherent limitations of an audit are not a justification for the auditor to be satisfied
with less than persuasive audit evidence. Whether the auditor has performed an audit in accordance
with ISAs is determined by the audit procedures performed in the circumstances, the sufficiency and
appropriateness of the audit evidence obtained as a result thereof and the suitability of the auditor's
report based on an evaluation of that evidence in light of the overall objectives of the auditor.
Conduct of an Audit in Accordance with ISAs
Complying with ISAs Relevant to the Audit
- The auditor shall comply with all ISAs relevant to the audit. An ISA is relevant to the audit
when the ISA is in effect and the circumstances addressed by the ISA exist.
m
- The auditor shall have an understanding of the entire text of an ISA, including its application
co
and other explanatory material, to understand its objectives and to apply its requirements
a.
ny
properly.
ke
ea
- The auditor shall not represent compliance with ISAs in the auditor's report unless the auditor
om
has complied with the requirements of this ISA and all other ISAs relevant to the audit.
.s
w
w
w
Objectives Stated in Individual ISAs
To achieve the overall objectives of the auditor, the auditor shall use the objectives stated in relevant
ISAs in planning and performing the audit, having regard to the interrelationships among the ISAs,
to:
a) Determine whether any audit procedures in addition to those required by the ISAs are
necessary in pursuance of the objectives stated in the ISAs; and
b) Evaluate whether sufficient appropriate audit evidence has been obtained.
Complying with Relevant Requirements
The auditor shall comply with each requirement of an ISA unless, in the circumstances of the audit:
a) The entire ISA is not relevant; or

b) The requirement is not relevant because it is conditional and the condition does not exist.

In exceptional circumstances, the auditor may judge it necessary to depart from a relevant
requirement' in an ISA. In such circumstances, the auditor shall perform alternative audit procedures
to achieve the aim of that requirement.
The need for the auditor to depart from a relevant requirement is expected to arise only where the
requirement is for a specific procedure to be performed and, in the specific circumstances of the
audit, that procedure would be ineffective in achieving the aim of the requirement.
Failure to Achieve an Objective
If an objective in a relevant ISA cannot be achieved, the auditor shall evaluate whether this prevents
the auditor from achieving the overall objectives of the auditor and thereby requires the auditor, in
accordance with the ISAs, to modify the auditor's opinion or withdraw from the engagement (where
withdrawal is possible under applicable law or regulation). Failure to achieve an objective represents
a significant matter requiring documentation in accordance with ISA 230.
Nature of the ISAs
The ISAs, taken together, provide the standards for the auditor's work in fulfilling the overall
m
co
objectives of the auditor. The ISAs deal with the general responsibilities of the auditor, as well as the
a.
ny
auditor's further considerations relevant to the application of those responsibilities to specific topics.
ke
ea
om
.s
w
w
- The scope, effective date and any specific limitation of the applicability of a specific ISA is
w
made clear in the ISA. Unless otherwise stated in the ISA, the auditor is permitted to apply an
ISA before the effective date specified therein.
- In performing an audit, the auditor may be required to comply with legal or
regulatoryrequirements in addition to the ISAs. The ISAs do not override law or regulation
that governs an audit of financial statements. In the event that such law or regulation differs
from the ISAs, an audit conducted only in accordance with law or regulation will not
automatically comply with ISAs.
- The auditor may also conduct the audit in accordance with both ISAs and auditing standards
of a specific jurisdiction or country. In such cases, in addition to complying with each of the
ISAs relevant to the audit, it may be necessary for the auditor to perform additional audit
procedures in order to comply with the relevant standards of that jurisdiction or country.
Considerations Specific to Audits in the Public Sector
The ISAs are relevant to engagements in the public sector. The public sector auditor's
responsibilities, however, may be affected by the audit mandate, or by obligations on public sector

entities arising from law, regulation or other authority (such as ministerial directives, government
policy requirements, or resolutions of the legislature), which may encompass a broader scope than
an audit of financial statements in accordance with the ISAs. These additional responsibilities are
not dealt within the ISAs. They may be dealt with in the pronouncements of the International
Organization of Supreme Audit
Institutions or national standard setters, or in guidance developed by government audit agencies
Contents of the ISAs
In addition to objectives and requirements (requirements are expressed in the ISAs using "shall"), an
ISA contains related guidance in the form of application and mother explanatory material. It may
also contain introductory material that provides context relevant to a proper understanding of the
ISA, and definitions. The entire text of an ISA, therefore, is relevant to an understanding of the
objectives stated in an ISA and the proper application of the requirements of an ISA.
Where necessary, the application and other explanatory material provides further explanation of the
requirements of an ISA and guidance for carrying them out. In particular, it may:
• Explain more precisely what a requirement means or is intended to cover.
m
• Include examples of procedures that may be appropriate in the circumstances.
co
a.
ny
ke
ea
While such guidance does not in itself impose a requirement, it is relevant to the proper application
om
of the requirements of an ISA. The application and other explanatory material may also provide
.s
w
background information on matters addressed in an ISA.
w
w
- Appendices form part of the application and other explanatory material. The purpose and
intended use of an appendix are explained in the body of the related ISA or within the title
and introduction of the appendix itself.
- Introductory material may include, as needed, such matters as explanation of:
• The purpose and scope of the ISA, including how the ISA relates to other ISAs.
• The subject matter of the ISA.
• The respective responsibilities of the auditor and others in relation to the subject matter
of the ISA.
• The context in which the ISA is set.
An ISA may include, in a separate section under the heading "Definitions," a description of the
meanings attributed to certain terms for purposes of the ISAs.
These are provided to assist in the consistent application and interpretation of the

ISAs, and are not intended to override definitions that may be established for other purposes,
whether in law, regulation or otherwise. Unless otherwise indicated, those terms will carry the same
meanings throughout the ISAs.
When appropriate, additional considerations specific to audits of smaller entities and public sector
entities are included within the application and other explanatory material of an ISA. These
additional considerations assist in the application of the requirements of the ISA in the audit of such
entities. They do not, however, limit or reduce the responsibility of the auditor to apply and comply
with the requirements of the ISAs.
Considerations Specific to Smaller Entities
For purposes of specifying additional considerations to audits of smaller entities, a "smaller entity"
refers to an entity which typically possesses qualitative characteristics such as:
a. Concentration of ownership and management in a small number of individuals (often a single

individual — either a natural person or another enterprise that owns the entity provided the
owner exhibits the relevant qualitative characteristics); and
b. One or more of the following:
i) Straightforward or uncomplicated transactions;
m
ii) Simple record-keeping;
co
iii) Few lines of business and few products within business lines;
a.
ny
iv) Few internal controls;
ke
ea
v) Few levels of management with responsibility for a broad range of controls; or
om
vi) Few personnel, many having a wide range of duties.
.s
w
These qualitative characteristics are not exhaustive, they are not exclusive to smaller entities, and
w
w
smaller entities do not necessarily display all of these characteristics.
- The considerations specific to smaller entities included in the ISAs have been developed
primarily with unlisted entities in mind. Some of the considerations, however, may be helpful
in audits of smaller listed entities.
- The ISAs refer to the proprietor of a smaller entity who is involved in running the entity on a
day-to-day basis as the "owner-manager."
Objectives Stated in Individual ISAs
Each ISA contains one or more objectives which provide a link between the requirements and the
overall objectives of the auditor. The objectives in individual ISAs serve to focus the auditor on the
desired outcome of the ISA, while being specific enough to assist the auditor in:
• Understanding what needs to be accomplished and, where necessary, the appropriate means
of doing so; and

• Deciding whether more needs to be done to achieve them in the particular circumstances of
the audit.
As with the overall objectives of the auditor, the ability to achieve an individual objective is equally
subject to the inherent limitations of an audit.
In using the objectives, the auditor is required to have regard to the interrelationships among the
ISAs. This is because; the ISAs deal in some cases with general responsibilities and in others with
the application of those responsibilities to specific topics. For example, this ISA requires the auditor
to adopt an attitude of professional skepticism; this is necessary in all aspects of planning and
performing an audit but is not repeated as a requirement of each ISA. At a more detailed level, ISA
315 and ISA 330 contain, among other things, objectives and requirements that deal with the
auditor's responsibilities to identify and assess the risks of material misstatement and to design and
perform further audit procedures to respond to those assessed risks, respectively; these objectives
and requirements apply throughout the audit. An ISA dealing with specific aspects of the audit (for
example, ISA 540) may expand on how the objectives and requirements of such ISAs as ISA 315
and ISA 330 are to be applied in relation to the subject of the ISA but does not repeat them. Thus, in
achieving the objective stated in ISA 540, the auditor has regard to the objectives and requirements
of other relevant ISAs.
m
Use of Objectives to Determine Need for Additional Audit Procedures
co
a.
ny
The requirements of the ISAs are designed to enable the-auditor to achieve the objectives specified
ke
ea
in the ISAs, and thereby the overall objectives of the auditor. The proper application of the
om
requirements of the ISAs by the auditor is therefore expected to provide a sufficient basis for the
.s
w
w
auditor's achievement of the objectives.
w
However, because the circumstances of audit engagements vary widely and all such circumstances
cannot be anticipated in the ISAs, the auditor is responsible for determining the audit procedures
necessary to fulfill the requirements of the ISAs and to achieve the objectives. In the circumstances
of an engagement, there may be particular matters that require the auditor to perform audit
procedures in addition to those required by the
ISAs to meet the objectives specified in the ISAs.
Use of Objectives to Evaluate Whether Sufficient Appropriate Audit Evidence Has Been Obtained
The auditor is required to use the objectives to evaluate whether sufficient appropriate audit
evidence has been obtained in the context of the overall objectives of the auditor. If as a result the
auditor concludes that the audit evidence is not sufficient and appropriate, then the auditor may
follow one or more of the following approaches:

• Evaluate whether further relevant audit evidence has been, or will be, obtained as a result of
complying with other ISAs;
• Extend the work performed in applying one or more requirements; or perform other
procedures judged by the auditor to be necessary in the circumstances.
Where none of the above is expected to be practical or possible in the circumstances, the auditor will
not be able to obtain sufficient appropriate audit evidence and is required by the ISAs to determine
the effect on the auditor's report or on the auditor's ability to complete the engagement.
Complying with Relevant Requirements
Relevant Requirements
- In some cases, an ISA (and therefore all of its requirements) may not be relevant in the
circumstances. For example, if an entity does not have an internal audit function, nothing in
ISA 610 is relevant.
- Within a relevant ISA, there may be conditional requirements. Such a requirement is relevant
when the circumstances envisioned in the requirement apply and the condition exists. In
general, the conditionality of a requirement will either be explicit or implicit, for example:
• The requirement to modify the auditor's opinion if there is a liMitation of scope
represents an explicit conditional requirement.
• The requirement to communicate significant deficiencies in internal control identified
m
during the audit to those charged with governance, which depends on the existence of
co
a.
such identified significant deficiencies; and the requirement to obtain sufficient
ny
ke
appropriate audit evidence regarding the presentation and disclosure of segment
ea
information in accordance with the applicable financial reporting framework, which
om
depends on that framework requiring or permitting such disclosure, represent implicit
.s
w
w
conditional requirements,
w
- In some cases, a requirement may be expressed as being conditional on applicable law or
regulation. For example, the auditor may be required to withdraw from the audit engagement,
where withdrawal is possible under applicable law or regulation, or the auditor may be
required to do something, unless prohibited by law or regulation. Depending on the
jurisdiction, the legal or regulatory permission or prohibition may be explicit or implicit.
Departure from a Requirement
- ISA 230 establishes documentation requirements in those exceptional circumstances where
the auditor departs from a relevant requirement. The ISAs do not call for compliance with a
requirement that is not relevant in the circumstances of the audit.
Failure to Achieve an Objective
Whether an objective has been achieved is a matter for the auditor's professional judgment. That
judgment takes account of the results of audit procedures performed in complying with the
requirements of the ISAs, and the auditor's evaluation of whether sufficient appropriate audit
evidence has been obtained and whether more needs to be done in the particular circumstances of the

audit to achieve the objectives stated in the ISAs. Accordingly, circumstances that may give rise to a
failure to achieve an objective include those that:
Prevent the auditor from complying with the relevant requirements of an ISA.
• Result in its not being practicable or possible for the auditor to carry out the additional audit
procedures or obtain further audit evidence as determined necessary from the use of the
objectives, for example, due to a limitation in the available audit evidence.
- Audit documentation that meets the requirements of ISA 230 and the specific documentation
requirements of other relevant ISAs provides evidence of the auditor's basis for a conclusion
about the achievement of the overall objectives of the auditor.
- While it is unnecessary for the auditor to document separately (as in a checklist, for example)
that individual objectives have been achieved, the documentation of a failure to achieve an
objective assists the auditor's evaluation of whether such a failure has prevented the auditor
from achieving the overall objectives of the auditor.
In carrying out an audit, the firm and each member of the engagement team is required to:
- Comply with the ethical guidelines relating to audit engagements which comprise the
COE as promulgated by ICPAK, which are more restrictive in certain areas. In general, each
member of the engagement team is required to behave with integrity in all professional
relationships which implies honesty, fair dealing, sincerity and professional independence.
m
An auditor should be objective in all judgements and not allow prejudice, bias or any other
co
a.
interest to influence the auditor's objectivity. Auditors are required to respect the
ny
confidentiality of information obtained in the course of an audit and not disclose any
ke
ea
information to a third party unless it is legally or professionally required ,of us. Moreover, the
om
firm should only undertake work which it is competent and experienced to perform and all
.s
w
professional work must be conducted with due care, skill and diligence.
w
w
- Comply with the quality control requirements as stipulated in ISA 220 which requires the
engagement partner to take responsibility for the overall quality on each audit engagement,
but recognises that the engagement team is entitled to rely on the firm's systems in meeting its
responsibilities with respect to quality control procedures applicable to the individual audit
engagement.
- Conduct the audit in accordance with ISA's which provide the basic principles and
essential procedures which have to be applied in the context of explanatory notes and
appendices. In addition to this, we should consider the IAPS's applicable to the audit
engagement. In determining the scope of an audit, the engagement team should comply with
each ISA relevant to the audit and should not represent compliance with ISA's unless we have
complied with all of the ISA's relevant to the audit.
- Plan and perform an audit with an attitude of professional scepticism recognizing that
circumstances may exist that cause the financial statements to be materially misstated. The
engagement team is required to make a critical assessment of the validity of the audit
evidence obtained and should be alert to evidence that contradicts or brings into question the
reliability of documents and responses to inquiries and other information obtained from the
management and those charged with governance. The attitude of professional scepticism is
necessary throughout the audit to reduce the risk of overlooking unusual circumstances, of
over generalising conclusions drawn from audit observation, and of using incorrect
assumptions in determining the nature, timing and extent of the audit procedures and
evaluating the results. The engagement team should obtain persuasive audit evidence that
those charged with governance are honest and have integrity.
- Obtain reasonable assurance that the financial statements taken as a whole are free
from material misstatement, whether due to fraud or error. This is applicable to the
whole audit process and requires the accumulation of audit evidence necessary for the
engagement team to conclude that there are no material misstatements in the financial
statements taken as a whole. Material misstatements are considered at both the overall
financial statement level and in relation to classes of transactions, account balances, and
disclosures and related assertions. Due to the inherent limitations in the use of testing and the
operations of internal controls, most audit evidence is persuasive and not conclusive. As
absolute assurance is unattainable, an audit is therefore not a guarantee that the financial
statements are free from material misstatement. Moreover, an audit opinion does not assure
the future viability of an entity nor the '0 efficiency effectiveness with which the
management conducts the affairs of the entity. Mandpm;enf; representations are not a
substitute for obtaining sufficient appropriate audit evidence on which to base an audit
opinion.
- Plan and perform the audit to reduce the audit risk to an acceptably low level that is
consistent with the objectives of an audit. The audit risk is the risk that the auditor
expresses an inappropriate opinion when the financial statements are materially misstated.
The engagement team reduces this risk by designing and performing audit procedures to
obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on
m
co
which to base the audit opinion. Reasonable assurance is obtained when the audit risk has
a.
ny
been reduced to an acceptably low level.
ke
- Determine whether the financial reporting framework adopted by the management in
ea
om
preparing the financial statements is acceptable in view of the nature of the entity and the
.s
objective of the financial statements. In Kenya, the reporting framework promulgated by
w
w
w
ICPAK is IFRS. However, in exceptional circumstances where the firm is required to report
on special purpose financial statements prepared for reporting to donor agencies or to comply
with the reporting framework of the parent company, the engagement team should compare
the accounting conventions adapted to the requirements of an existing acceptable framework.
Where the engagement team concludes that the framework adopted by the management is not
acceptable, the engagement partner should consider the implication in relation to engagement
acceptance, (IOA' 210) and the auditor's report (ISA 700).

PRINCIPLES OF AUDITING
Fundamental principles are those according to which the books of business accounts are audited.
These principles can be changed according the desire of the auditor.
We discuss the main principles of auditing under these headings:
1. Planning:-
It is the basic principle of auditing. The auditor should plan before starting the work. In
planning auditor decides accounting about the system and internal control procedure.
2. Honesty:-
Honesty and sincerity is the second important principle of auditing. The loyalty of auditor to
work and profession must be beyond the doubts.
3. Impartiality:-
In case of audit the attitude of the auditor must be impartial. Keeping in view this principle his
personal views may not be included in the audit report.
4. Secrecy:
Secrecy must be maintained by the auditor during the process of audit. He cannot disclose any
information to the third party.
5. Evidence:-
During the audit the auditor can collect the evidence through the working papers. He can
frame his opinion on the audit evidence. The nature and source of evidence must be kept in
m
co
view by the auditor.
a.
ny
6. Consistency:-
ke
ea
It is an important principle of auditing. In case of selecting the rates of depreciation and
om
valuation of stock the accountant must follow the rates of the coming years. In this regard
.s
w
w
there should be consistency and changes are not acceptable.
w
7. Legal Frame Work:-
The business activities may run within the rules and legal formalities. To protect the rights of
the interested parties' rules must be applied.
8. Working Paper Preparation:-
The auditors collect documents providing evidence that audit was carried out according the
principles.
The: auditor prepares the working paper and kept in this custody as a proof.
9. Internal Control:-
The auditor will examine the accounting system and inter control. To frame his opinion, he
keeps in view the evidence obtained from the books.
10. Report:-
According the principle of auditing a report will be prepared by the auditor at the end. It may
be conditional or unconditional. The auditor can draw conclusion and disclose the facts and
figures about the business for general information

TECHNIQUES OF AUDITING or AUDIT TECHNIQUES:-
Techniques of auditing mean the procedure and method which is adopted by the auditor in checking
the accounts.
Following are the important techniques of audit
1. Examination of Record:-
This technique is commonly used by the auditors; the inspection of books and documents is
made to verity the validity of data.
2. Inquiry:-
The auditor can also use the technique of inquiry. He can get the information from resource
persons inside or outside the enterprise.
3. Sampling:-
Auditor can select few items from whole accounting information. This technique enables the
auditor to obtain and evaluate the evidence of some characteristics of the whole class. It is
helpful in forming the conclusion.
4. Confirmation:-
To ensure the accuracy of the data auditor can collect the information from the debtor.
Confirmation; is response to an inquiry to prove certain data recorded in the books.
5. Compliance:-
To check the arithmetical accuracy of accounting record, the balancing accounts can be
m
co
compared with the vouchers to test the reliability of data.
a.
ny
6. Compliance Test:-
ke
ea
These tests are designed to check the effectiveness and compliance of internal control. In
om
obtaining the audit evidence, auditor is concerned with the existence of effective internal
.s
w
w
control.
w
7. Use of Computer Techniques:-
There is large number of audit techniques like audit software, test packs and mapping which
can be used by the auditor to test the accuracy of the data.
8. Substantive Test:-
There are designed to obtain evidence that data produced by accounting system is accurate or
not. It has two kinds:
i. Test of detail transaction.
ii. Test of significant ratios and trends.
9. Dependence on Experts and Auditors:-
The auditor has to rely on the internal and other auditors to complete his work. He has also to
rely on other experts like lawyers, engineers and doctors for their expert opinion about the
business.
10. Analytical Review:-
It consists of studying significant ratios, trends and investigating different changes. This
review procedure is based on the expectations of relationship among the past and present data

STAGES OF AN AUDIT
The suggested audit approach is designed to gather sufficient and reliable evidence to support the
audit opinion in the most efficient and effective way and to enable the engagement team to fully
understand the client's business. There is no difference between an audit of a large and a small entity
except that the procedures adopted may differ depending on the particular circumstances of each
audit.
i. Preliminary Engagement Activities

ii. Planning
iii. Execution
iv. Review and Completion
1) Preliminary Engagement Activities
At the pre-planning stage, the engagement partner ensures that-.
- The client acceptance and continuation procedures have been carried out;
- The terms of engagement have been agreed in writing;
- The quality control aspects for the assignment have been reviewed including review of the
competency of the team to carry out the assignment, review of compliance with the ethical
requirements, including review of the independence requirements.
m
co
a.
ny
ke
ii) Planning
ea
om
Planning is an essential component in focusing the audit efforts. The key components of planning
.s
w
are:
w
w
- Identifying the scope of the assignment.
- Developing an audit strategy taking into consideration the scope of the engagement; the
business and the regulatory environment in which the entity operates; entity specific issues
including reliance on the work of internal audit; reporting objectives, timing of the audit and
the nature of communication required; matters affecting the direction of the audit including
preliminary setting of materiality levels, preliminary review of risk including fraud risk,
preliminary review of internal control including the control environment, the process adopted
by the entity to identify, measure, monitor and control risks.
- Developing, based on the above, the overall audit plan detailing the nature, timing and extent
of the audit procedures to be performed in order to reduce the audit risk to an acceptably low
level; the nature of tests to be adopted; procedures to be adopted at the assertion level; and
tailoring the audit programmes.
- Ascertaining the nature and the extent of the resources required to perform the audit.

iii) Execution
The key components of the execution stage are:
- Carrying out the test of controls and substantive tests on transactions and balances including
substantive analytical procedures to obtain sufficient and appropriate audit evidence to enable
the engagement team to draw reasonable conclusions on which to base the audit opinion.
- Evaluating significant assumptions used in fair value measurement to determine the
reasonableness of the basis used and the disclosures.
- Identification of related parties and obtaining sufficient and appropriate audit evidence in
respect of measurement and disclosure of related party transactions.
- Documenting the nature, timing and extent of the audit procedures performed and the results
and conclusions drawn from the audit evidence obtained.
While pre-printed forms and programmes are available in the Manual, the extent and the timing of
the tests should be tailored to the specific assignment. Different tests and different levels will be
appropriate for each assignment. The control of the audit at this stage must be maintained by a
senior team member with the appropriate experience and expertise.
iv) Review and Completion
m
co
a.
The review and completion procedures focus on ensuring that sufficient and appropriate evidence
ny
ke
has been obtained to support the audit opinion. This involves ensuring that:
ea
om
- All outstanding matters have been cleared.
.s
w
- Consultations on difficult or contentious matters have been documented and • adequately
w
w
resolved and conclusions therefrom implemented.
- Analytical procedures have been performed to form a conclusion on whether the financial
statements taken as a whole are consistent with the firm's knowledge of the business.
- Where other appropriate audit evidence cannot be reasonably obtained, written management
representations have been obtained on areas material to the financial statements.
- Review has been carried out of any material uncertainty relating to events or conditions that
may exist which alone or in aggregate cast a significant doubt on the entity's ability to
continue as a going concern.
- There is evidence that the engagement team has considered and confirmed that the financial
Reporting framework adopted by the entity is suitable, and that the financial statements
comply with the framework as to both recognition and measurement and presentation and
disclosure. In the context of Kenya, this in most cases will be the IFRS's.
- The engagement partner has reviewed the audit file and is satisfied that sufficient and
appropriate evidence has been obtained to support the conclusions derived and the audit
opinion to be issued. As much of the audit evidence obtained is persuasive rather than
conclusive, absolute certainty is rarely obtainable and therefore the engagement partner
should ensure that the audit risk is reduced to the lowest level possible.

- Where applicable, sufficient and appropriate procedures have been performed to identify
subsequent events up to the date of the audit report and ensure that all items that require
adjustment or disclosure in the financial statements have been appropriately dealt with.
- Where appropriate, an engagement quality control review has been undertaken and all the
issues arising from the review have been fully dealt with and cleared with the reviewer.
- At the end of each audit, the engagement team is de-briefed, the audit objectives set out for
the assignment have been achieved and that the engagement team has gained experience from
the assignment which will enhance their personal development.
Though not covered by the terms of audit engagement, the engagement team may, as part of the
audit process carry out a business review of the key issues facing the entity and take a strategic look
at the business and at areas where the firm can add value to the entity. In providing other value
added services, the firm and in particular the engagement partner should be conscious of the
independence requirements of the code of ethics
DIFFERENCES BETWEEN AUDITING AND ACCOUNTING
Financial accounting and Auditing
m
co
a.
Financial accounting entails provision of information about a business or company in form of
ny
ke
financial statements which are then made public. These statements are generally prepared on an
ea
om
annual basis and used by management and other interested parties to make decisions. The
.s
information contained in these financial statements must give a true and fair view of the state of
w
w
w
affairs in the organization.
Auditing is a check carried out by an independent auditor to make sure that what a company is
saying about its financial statement is true. Auditing therefore adds credibility to the financial
statements by ensuring the availability of accurate and reliable financial information.
Auditing
a) Involves examination of financial statements to prove the true and fair view of company's
affairs.
b) It is done mainly at year-end after the directors have prepared the financial statements,
although planning work could be carried out earlier. 1i
c) An audit is mainly governed by the international standards on auditing (ISA).
d) The auditor must be independent of all the stakeholders such as management.
e) It is a statutory requirement that financial statements are audited.

Financial Accounting
a) Financial Accounting is the recording, classifying and summarizing events of an economic

entity in order to assist management in decision making. Involves preparation of books of
accounts to aid in decision-making
b) It is a continuous process carried out throughout the financial period.
c) In preparing financial statements and maintaining books of accounts, the accountant is guided
by generally accepted accounting standards.
d) Accountancy is a management function aimed at assisting management to run the business in
an orderly efficient manner.
e) It is a statutory requirement that all companies must maintain proper accounting records.
An auditor is the guy who asks everyone questions and an accountant is the guy who gives the
auditor elusive answers'. While this is a humorous way of putting it, it depicts quite accurately what
happens in most organisations — the accountant produces the accounts and the auditor audits and
qualifies them.
Accounting and auditing are related professions; indeed accountants and auditors usually hold the
same qualifications. An accountant is a practitioner of accountancy. Accounting involves
maintaining and recording of the financial transactions of a company. Accountants ensure that there
is proper record keeping within the organisation. The main goal of accounting is to provide the
m
company with clear, comprehensive and reliable information on the operations of the company for
co
a.
decision making. This information in presented in the form of an income statement, balance sheet,
ny
ke
statement of changes in equity and cash flow statement.
ea
om
.s
Essentially, auditing starts where accounting ends. Auditors use the financial reports in the
w
w
evaluation, verification and review of the accounts books of the company. Auditors do an
w
independent appraisal of the strength of the internal control system and compliance of the books of
accounts to Generally Accepted Accounting Principles and international accounting standards. They
also check on non¬financial issues like risk analysis.
An audit can be internal or external. External audits are done by independent bodies, like audit
firms; KPMG and Ernst and Young. Internal audits are carried out by the company's own internal
audit department. Other types of audits are forensic and security.
Main difference between auditing and accounting:
i) Accountants are usually employees of the company whereas external auditors are employees
of the audit firm who perform an independent appraisal of the books of accounts. An internal
auditor is an employee of the company but is not part of the accounts department. They do
not report to anyone in the finance department to avoid a conflict of interest.
ii) Accounting is governed by Generally Accepted Accounting Principles and international
accounting standards. In contrast, an auditors check for material misstatements and their
auditing processes are governed by auditing standards.

iii) Accounting is a day-to-day process, while an audit takes place after a fixed period of time or
after the occurrence of an extraordinary event, like fraud.
iv) Accounting is a 'must have' for all businesses whereas some companies choose to do without
audits.
v) Accountants provide financial management and other information necessary for effective
decision making in the company. By contrast, auditors are not involved in the
management',Of the company and clearly state in their report that the financial statements are
the responsibility of the directors of the company.
vi) After the end of the financial year, accountants produce the financial statements. After the
audit, auditors issue an opinion on whether the financial statements present a true and fair
picture of activities of the company. Auditors can also claim to have failed to reach an
opinion on the accounts due to lack of sufficient information.
vii) Accountants work in their given offices whereas auditors move from company to company
doing their work.
viii) Accounting is more detailed financial work whereas auditors sample financial information to
come to a professional opinion.
Accounting and auditing are related and complementary, though the work is done by different sets
of accountants with separate skills within the financial field
m
co
Advantages of auditing
a.
ny
- Dispute resolution. A partnership business with a complex profit sharing agreement may
ke
ea
require an independent examination of those accounts to ensure accurate assessment and
om
division of those profits.
.s
w
- Significant changes in ownership and structure can be easily effected if past accounts contain
w
w
unqualified audit reports. e.g. in mergers.
- Auditors have access to the corporate strategy of the company thus are able to give advice on
gaining competitive advantage and on improvement of business efficiency.
- Borrowing of finances from third parties is enhanced with availability of unqualified audit
report on the company's financial statements.
- Auditing protects the interests of the shareholders who are separated from the management of
their savings invested in the company.
- Auditing assists in prevention and detection of fraud and error in financial statements
although this is not the primary objective of an audit
Disadvantages of auditing
- Audit fees are normally high since auditors are highly qualified professionals hence small
firms such as sole proprietorships may not afford their financial statements to be audited.
- The audit exercise interrupts the clients operations because client staffs have to spend time in
availing the required information to the auditors.

- Company secrets may leak to competitors since all company information is accessible to the
auditors.
Similarities between Auditing and Financial Accounting
Both auditing and accounting are statutory requirements i.e. that companies must maintain proper
books of accounts at that their financial statement must be audited
THE TYPES AND TIMING OF AUDITS
INTERIM AND FINAL AUDITS
After examining the end year financial statements the auditor then forms his opinion as to whether
the financial statements show a true and fair view and reports this to the shareholders.
Whereas the split between the systems and balance sheet audits is concerned with the type of work
covered, that between the interim and final audits is concerned with timing. The interim audit will
normally take place approximately three-quarters of the way throughout the financial year.
There is an element of similarity between systems/balance sheet work and interim/final audits in as
m
much as the majority of the systems work will be carried out during the interim audit and the
co
a.
majority ofthe balance-sheet work during the final audit. However, it will be necessary to complete
ny
ke
some 'sy8t.dms work during the final audit so that transactions between the time of the interim and
ea
final audits do not escape the auditor's attention. Similarly, some substantive testing is very likely to
om
.s
be carried out during the interim (e.g. verifying fixed assets additions to date).
w
w
w
With very small audits, it is sometimes considered unnecessary to carry out an interim audit. This
means that, as a matter of convenience, all the audit work will be carried out in a single phase
commencing typically, a short time before the year-end and continuing into the post balance sheet
period.
At the other extreme, with large companies it is sometimes necessary to carry out more than one
interim audit or, alternatively adopt a continuous auditing approach. In the case of a continuous audit
the auditor's staff will either make several visits to the client spread throughout the year or, as in the
case of very large companies, some of the audit staff will be present at the client's premises virtually
all the time.
Interim audits
This is an audit that is usually carried out mid way through the accounting period an interim audit
usually precedes a final audit and is ideal for large to medium size companies.
Works carried out during an interim audit usually include;
1. Obtaining an understanding of the nature of the client's business;

2. Evaluating any significant changes in the clients operating environment that could have a
significant impact on the client's financial statements such as change in the management.
3. Ascertaining, recording and testing the clients accounting and internal control system.
4. Concluding on the level of reliance to be placed on the internal control system.
5. Plan and design the substantive procedures to be carried out during the final audit;
6. Reporting to management on any significant weaknesses identified in the internal control
system.
Note that
An interim audit is usually carried in preparation for the final audit at which the financial statements
wi 1l be reviewed.
Final audits
Final Audits are usually done at the end of the year on the financial statements i.e. the balance sheet
and the profit and loss account. A final audit can be conducted in two ways;
m
co
1. As a continuation of the interim audit for large to medium size organisations;
a.
ny
2. For small organisations the audit could be carried out in one single session after the end of the
ke
financial period.
ea
om
.s
w
w
w
PRIVATE AND STATUTORY AUDITS
Statutory audits
These are carried out as per the requirements of the various statutes e.g. the Companies Act cap 486
requires that all public limited companies must have their financial statements subjected to an
independent audit. The objectives of the audit are to express an opinion as to whether the balance
sheet and the profit and loss account show a true and fair view. The rights and duties of the auditor
are laid out in the Companies Act or the relevant statute. The powers of appointment of the auditor
are vested on the shareholders.

Private audits
These are audits that are not governed by the Act. These are performed by an independent auditor
because the owners, members or other interested parties require them and not because the law
requires them to be carried out. Private audits are carried out for organisations such as NG0s,
partnerships, clubs and charities among others. The appointment of the auditor is usually carried out
as a private contract between the auditor and the relevant stakeholder. The scope and objective of the
work is determined by the agreed terms between the auditor and the client. The auditors' rights and
duties are also laid out in the contract.
Comparison between private and statutory audits
Similarities
i. Both are carried out by qualified auditors.

ii. They involve the assessment of the internal control system.
iii. They facilitate detection of errors and frauds.
iv. Reports issued by the auditors can be used by third parties.
Differences
m
co
a.
Statutory Audits
ny
ke
ea
i. It is a requirement of an Act of parliament e.g. the Companies Act.
om
ii. The scope and objective of work is defined in the Act
.s
w
iii. The report is addressed to the shareholders.
w
w
iv. Appointment of the auditor is stipulated in the Act (Sec.159). It can either be by shareholders,
directors or registrar of companies.
v. The auditor is liable to third parties.
vi. The auditor has full independence.
Private Audits
i. It is not a requirement by the Act.

ii. The scope is agreed between a client and the auditor therefore it is limited.
iii. Report is addressed to relevant stakeholder.
iv. Private appointment by the owner.
v. The auditor is not liable to third parties.

Continuous audits
This is an approach whereby the audit is carried out throughout the financial period. The audit work
is carried out at predetermined intervals usually around three audit visits. This approach is ideal for
large organisations with tight reporting deadlines e.g. multinational banks.
Assuming that the work is carried out in three-audit visits spread over duration of four months, the -
first 'audit visit will mainly entail carrying out detailed planning of the audit. Work carried out will
include;
a) Obtaining a good understanding of the clients business or updating the business

understanding obtained in the previous audits.
b) Identifying any developments in the clients business that could have a significant impact on
the audit such as new legislation.
c) Identifying any changes that have taken place at the client's that could have an impact on the
audit such as changes in management.
d) Determining the number of staff members to be involved in the audit and the level of
experience required and whether there will be need to involve experts.
The second audit visit will be carried out usually half way through the financial period work carried
out will include;
a) Ascertaining, recording and testing the clients internal control systems.
m
b) Concluding on the level of reliance to be placed on the internal control system.
co
a.
c) Carrying out limited analytical-review on the interim financial performance of the company.
ny
ke
This Will include carrying out ratio analysis.
ea
d) Deciding on the level of substantive testing and the nature of substantive procedures to be
om
carried out
.s
w
w
w
The final audit visit will mainly entail review of the financial statements at the end of the financial
year. Work carried out will include;
a) Carrying out substantive procedures on the various account balances
b) Concluding whether there are any significant misstatements in the financial statements.
c) Final analytical review to verify whether the information obtained is consistent and whether
the view presented by the financial statements is consistent with the auditors understanding of
the business.
d) Forming an opinion as to whether the financial statements show a true and fair view.
Advantages
1. Accounts are usually kept up to date.

2. Errors and frauds are discovered at an early stage.
3. The auditor gathers sufficient knowledge of the business as a result of his frequent visits.
4. Saves time during final audits.
5. Better report is developed, as time spent is more.

Disadvantages
1. It is expensive to have a continuous audit due to the amount of time spent.

2. Frequent disruptions of the clients work during the audit.
3. The auditor's independence may be adversely affected by the continuous presence at the
clients premises.
4. Tendencies to over depend on auditing staff to solve accounting problems.
5. Interference of work, which has already been audited by the client's staff.
Procedural audits
Requires an examination of procedures or records for reliability and accuracy. At the end the auditor
can add new ones, modify existing ones or scrap old ones. Attention is paid mainly to:
1. Company internal control system.

2. Laid down guidelines and procedures.
3. As changes made without auditors' knowledge
4. Records of the company.
Advantages
1. Reveals any inefficient procedures.
m
co
2. Identifies strengths and weaknesses in the internal control system.
a.
ny
3. Creates harmony and co-ordination of company decision making process.
ke
4. Identifies any bureaucracies
ea
om
.s
w
w
Disadvantages
w
1. It is expensive.
2. Management can frustrate the whole process if they do not want to reveal inefficiencies.
3. It could lead to duplication of effort.
4. It is tedious especially when many procedures are involved.
5. Sometimes the auditor may not understand technical procedures.
6. Procedures change to respond to changes in the economy on the social setting.
7. Where the internal control system is weak, it is of limited applicability.
Management audits
This involves investigation of the company's entire management to ascertain whether the
management is running the organisation in the best interest of the stakeholders. It investigates
company's managerial aspects of the business from high to low management. It assesses the
efficiency of management to run the organisation in the most viable way.

This audit assists in the following
1. It helps improve the quality of management.

2. Reveals weaknesses of management's.
3. Reveals the strengths and weaknesses of the internal control system
4. It acts as a check to the efficiency of budgetary system.
5. Corrective measures are initiated immediately based on the results of the audit
Balance sheet audits
This audits tests the strength of the internal control system by working backwards to get the initial
transactions. It is based on verification of assets by checking;
- Description: Mainly of recording entries.

- Ownership: Prove of ownership either by use of logbooks for cars or title deeds for land etc
- Value: Cost and method of depreciation.
- Existence: checks if the asset really exists
- Applied to business with strong internal control system.
INTERNAL VERSUS EXTERNAL AUDIT - COMPLIMENTARY ROLE OF INTERNAL

TO EXTERNAL AUDIT
m
co
Introduction
a.
ny
ke
Internal audit is a function established by management to assist in corporate governance by
ea
om
assessing internal controls and helping in risk management. It can be a department of employees or
.s
w
can be outsourced to expert service providers.
w
w
Internal auditing is different from external auditing, although the techniques used by both are very
similar. While the techniques used may be similar, the focus and reasons behind the audit are
different.
Similarities between internal audit and external audit
• Both auditors are concerned about the strength and proper functioning of the internal control
system. The internal auditor is concerned it is his or her responsibility while the external
auditor is concerned as he or she relies on the strength of internal control system to carry out
systems based audits.
• Both auditors have as part of their duties to ensure that the company adheres to all relevant
laws and regulations.
• Both auditors interested in ensuring that the company keeps proper books of records. The
internal auditor uses the company accounts to appraise the functioning of the internal control
system while external auditor uses them to collect audit evidence to corroborate his audit
opinion.

• Both auditors are concerned about prevention and detection of errors and frauds. The internal
auditor ensures errors or frauds are prevented and detected by having strong internal control
system while the external auditor has the incidental duty of detecting and preventing material
errors and frauds which would otherwise distort the true and fair view of the financial
statements.
• Both auditors have interest in safeguarding company assets. The internal auditor through
strong internal control system ensures safety of company's assets while external auditor must
ensure that company assets are safeguarded against theft and misuse so that the true of fair
view of financial statements is maintained.
Distinction between internal and external audit
Although many of the techniques internal and external auditors use may be similar, the basis and
reasoning of their work is different.
The external audit is focused on the financial statements, whereas the internal audit is focused on the
operations of the entire business.
The following table highlights the differences between internal and external audit.
The table demonstrates that the whole basis and reasoning of internal audit work is fundamentally
different to that of external audit work.
m
co
a.
Internal audit External audit
ny
Objective Designed to add value and An exercise to enable auditors
ke
ea
improve an organization’s to express an opinion on the
om
operations. financial statements
.s
w
Reporting Reports to the board of Reports to the shareholders or
w
w
directors, or other people members of a company on the
charged with governance, such truth and fairness of the
as the audit committee. accounts. Audit report is
Reports are private and for the publicly available to the
directors and management of shareholders and other
the company interested parties.
Scope Work relates to the operations Work relates to the financial
of the organisation. statements.
Relationship Often employees of the Independent of the corn
organisation, although management. Usually
sometimes the function is appointed by the shareholders.
outsourced.

Regulation of internal auditors
Internal auditing is not regulated in the same way as statutory external auditing
There are no legal requirements associated with becoming an internal auditor. The scope and nature
of internal audit's work is more likely to be set by company policy than by any external guidelines.
In contrast to external auditors, internal auditors are not required to be members of a professional
body such as the ICPAK. However, this does not mean they cannot be, and many are.
Internal audit function
It is the responsibility of management and those charged with governance to prevent and detect
fraud, in this respect, internal auditors may have a role to play.
Internal audit has two key roles to play in relation to organisational risk management:
- Ensuring the company's risk management system operates effectively

- Ensuring that strategies implemented in respect of business risks operate effectively
The role of internal audit -
The internal audit department has a two-fold role in relation to risk management.
m
co
a.
• It monitors the company's overall risk management policy to ensure it operates effectively.
ny
ke
• It monitors the strategies implemented to ensure that they continue to operate effectively
ea
om
.s
w
As a significant risk management policy in companies is to implement internal controls, internal
w
w
audit has la key role in assessing systems and testing controls.
Internal audit may assist in the development of systems. However, its key role will be in monitoring
the overall process and in providing assurance that the systems which the departments have designed
meet objectives and operate effectively.
It is important that the internal audit department retains its objectivity towards these aspects of its
role, which is another reason why internal audit would generally not be involved in the assessment
of risks and the design of the system.
Responsibility for fraud and error
It is the responsibility of management and those charged with governance to prevent and detect
fraud, and in this respect, internal auditors may have a role to play

Limitations of the internal audit function
Although the presence of an internal audit department within an organisation is indicative of good
internal control, by its very nature, there are some limitations of the internal audit function.
Internal auditors are employed by the organisation and this can impair their independence and
objectivity and ability to report fraud/error to senior management because of perceived threats to
their continued employment within the company.
To ensure transparency, best practice indicates that the internal audit function should have a dual
reporting relationship, i.e. report both to management and those charged with governance (the audit
committee). If this reporting structure is not in place, management may be able to unduly influence
the internal audit plan, scope, and whether issues are reported appropriately.
This results in a serious conflict, limits the scope and compromises the effectiveness of the internal
audit function.
Internal auditors are not required to be professionally qualified (as accountants are) and so there may
be limitations in their knowledge and technical expertise
Factors necessitating growth in Internal Audit
m
co
a.
ny
1. Increase in size of business
ke
As businesses grow in size and increase the level of operations it becomes necessary to have a
ea
om
function that overlooks the all the internal controls that have been put in place.
.s
w
w
w
2. Dynamic business
Due to changes in technology a number of companies have become so dynamic such that their
controls are updated on a continuous basis and this calls for constant feedback on those
controls that 1, necessitate updating. This meant that, to cope with these demands companies
had to improvise and use expert advice, which was available from the Internal Auditor.
3. Legislation and regulatory requirements

As the concept of corporate governance gains roots in business management, the need for
internal audit is increasing. The function is looked plays a critical role in ensuring that
management has put in place adequate systems of internal controls. Companies are now
required to have audit committees to overlook the operation of controls within the
organizations. The internal auditor reports to the audit committee.
4. Competition
Under perfect competition companies can only survive if they are operationally efficient and
this calls for stronger controls and cost effectiveness.

5. Evolution of IT
Of late many companies have computerised their operations and controls. There is need
therefore for continuous review of the operation of controls over these computerized systems.
USING THE WORK OF INTERNAL AUDITORS
International Standard on Auditing (ISA) 610 (Revised}, Using the Work of Internal Auditors
This International Standard on Auditing (ISA) deals with the external auditor's responsibilities if
using the work of the internal audit function in obtaining audit evidence.
Relationship between the Internal Audit Function and the External Auditor
The objectives of the internal audit function are determined by management and, where applicable,
those charged with governance. While the objectives of the internal audit function and the external
auditor are different, some of the ways in which the internal audit function and the external auditor
achieve their respective objectives may be similar.
Irrespective of the degree of autonomy and objectivity of the internal audit function, such function is
not independent of the entity as is required of the external auditor when expressing an opinion on
m
co
financial statements. The external auditor has sole responsibility for the audit opinion expressed, and
a.
ny
that responsibility is not reduced by the external auditor's use of the work of the internal auditors.
ke
ea
om
Objectives of the external auditor
.s
w
w
The objectives of the external auditor, where the entity has an internal audit function that the
w
external auditor has determined is likely to be relevant to the audit, are:
a) To determine whether, and to what extent, to use specific work of the internal auditors; and
b) If using the specific work of the internal auditors, to determine whether that work is adequate
for the purposes of the audit.
Using Specific Work of the Internal Auditors
- In order for the external auditor to use specific work of the internal auditors, the external
auditor shall evaluate and perform audit procedures on that work to determine its adequacy
for the external auditor's purposes.
- To determine the adequacy of specific work performed by the internal auditors for the
external iauditor's purposes, the external auditor shall evaluate whether:
a) The work was performed by internal auditors having adequate technical training and
proficiency;
b) The work was properly supervised, reviewed and documented;

c) Adequate audit evidence has been obtained to enable the internal auditors to draw
reasonable conclusions;
d) Conclusions reached are appropriate in the circumstances and any. reports prepared by
the internal auditors are consistent with the results of the work performed; and
e) Any exceptions or unusual matters disclosed by the internal auditors are properly
resolved.
Documentation
If the external auditor uses specific work of the internal auditors, the external auditor shall include in
the audit documentation the conclusions reached regarding the evaluation of the adequacy of the
work of the internal auditors, and the audit procedures performed by the external auditor on that
work.
Scope of this ISA {International Standard on Auditing (ISA) 610 (Revised), Using the Work of
internal Auditors)
- The entity's internal audit function is likely to be relevant to the audit if the nature of the
internal audit function's responsibilities and activities are related to the entity's financial
reporting, and the auditor expects to use the work of the internal auditors to modify the nature
or timing, or reduce the extent, of audit procedures to be performed.
- Carrying out procedures in accordance with this ISA may cause the external auditor to re-
m
co
evaluate the external auditor's assessment of the risks of material misstatement.
a.
ny
Consequently, this may affect the external auditor's determination of the relevance of the
ke
internal audit function to the audit.
ea
om
- Similarly, the external auditor may decide not to otherwise use the work of the internal
.s
auditors to affect the nature, timing or extent of the external auditor's procedures. In such
w
w
circumstances, the external auditor's further application of this ISA may not be necessary.
Objectives of the Internal Audit Function w

The objectives of internal audit functions vary widely and depend on the size and structure of the
entity and the requirements of management and, where applicable, those charged with governance.
The activities of the internal audit function may include one or more of the following:
• Monitoring of internal control. The internal audit function may be assigned specific
responsibility for reviewing controls, monitoring their operation and recommending
improvements thereto.
• Examination of financial and operating information. The internal audit function may be
assigned to review the means used to identify, measure, classify and report financial and
operating information, and to make specific inquiry into individual items, including detailed
testing of transactions, balances and procedures.

• Review of operating activities. The internal audit function may be assigned to review the
economy, efficiency and effectiveness of operating activities, including non-financial
activities of an entity.
• Review of compliance with laws and regulations. The internal audit function may be assigned
to review compliance with laws, regulations and other external requirements, and with
management policies and directives and other internal requirements.
• Risk management. The internal audit function may assist the organization by identifying and
Determining Whether and to What Extent to Use the Work of the Internal Auditors Whether
the Work of the Internal Auditors is likely to be Adequate for Purposes of the Audit
Factors that may affect the external auditor's determination of whether the work of the internal
auditors is likely to be adequate for the purposes of the audit include:
Objectivity
• The status of the internal audit function within the entity and the effect such status has on the
ability of the internal auditors to be objective.
• Whether the internal audit function reports to those charged with governance or an officer
with, appropriate authority, and whether the internal auditors have direct access to those
charged with governance. I ;
• Whether the internal auditors are free of any conflicting responsibilities. !
m
• Whether those charged with governance oversee employment decisions related to the internal
co
a.
audit function.
ny
ke
• Whether there are any constraints or restrictions placed on the internal audit function by
ea
management or those charged with governance.
om
• Whether, and to what extent, management acts on the recommendations of the internal audit
.s
w
w
function, and how such action is evidenced.
w
Technical competence
• Whether the internal auditors are members of relevant professional bodies.

• Whether the internal auditors have adequate technical training and proficiency as internal
auditors.
• Whether there are established policies for hiring and training internal auditors.
Due professional care
• Whether activities of the internal audit function are properly planned, supervised, reviewed
and documented.
• The existence and adequacy of audit manuals or other similar documents, work programs and
internal audit documentation.

Communication
Communication between the external auditor and the internal auditors may be most effective when
the internal auditors are free to communicate openly with the external auditors, and:
• Meetings are held at appropriate intervals throughout the period;

• The external auditor is advised of and has access to relevant internal audit reports and is
informed of any significant matters that come to the.attention of the internal auditors when
such matters may affect the work of the external auditor; and
• The external auditor informs the internal auditors of any significant matters that may affect
the internal audit function.
Planned Effect of the Work of the Internal Auditors on the Nature, Timing or Extent of the
External Auditor's Procedures
Where the work of the internal auditors is to be a factor in determining the nature, timing or extent
of the external auditor's procedures, it may be useful to agree in advance the following matters with
the internal auditors:
• The timing of such work;

• extent of audit coverage;
• Materiality for the financial statements as a whole (and, if applicable, materiality level or
m
co
levels for particular classes of transactions, account balances or disclosures), and performance
a.
materiality;
ny
ke
• Proposed methods of item selection;
ea
• Documentation of the work performed; and
om
.s
• Review and reporting procedures.
w
w
w
The nature, timing and extent of the audit procedures performed on specific work of the internal
auditors will depend on the external auditor's assessment of the risk of material misstatement, the
evaluation of the internal audit function, and the evaluation of the specific work of the internal
auditors. Such audit procedures may include:
• Examination of items already examined by the internal auditors;

• Examination of other similar items; and
• Observation of procedures performed by the internal auditors.
The External Auditor's Responsibility for the Audit
The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is
not reduced by the external auditor's use of the work of the internal audit function on the
engagement. A ItI4igh the function may perform audit procedures similar to those performed by the
external auditor, neither the internal audit function nor the internal auditors are independent of the

entity as is required of the external auditor in an audit of financial statements in accordance with ISA
200.
This ISA, therefore, defines the conditions that are necessary for the external auditor to be able to
use the work of internal auditors. It also defines the necessary work effort to obtain sufficient
appropriate -evidence that the work of the internal audit function is adequate for the purposes of the
audit. The requirements are designed to provide a framework for the external auditor's judgments
regarding the use of the work of the internal audit function to prevent over or undue use of such
work.
Objectives
The objectives of the external auditor, where the entity has an internal audit function and the
external auditor expects to use the work of the function to modify the nature or timing, or reduce the
extent, of audit procedures to be performed directly by the external auditor are:
a) To determine whether the work of the internal audit function can be used, and if so, in which
areas and to what extent; and having made that determination:
b) If using the work of the internal audit function, to determine whether that work is adequate
for purposes of the audit.
m
Determining Whether, in Which Areas, and to What Extent the Work of the Internal Audit
co
a.
Function Can Be Used
ny
ke
ea
Evaluating the Internal Audit Function
om
.s
The external auditor shall determine whether the work of the internal audit function can be used for
w
w
w
purposes of the audit by evaluating the following:
a) The extent to which the internal audit function's organizational status and relevant policies and
procedures support the objectivity of the internal auditors;
b) The level of competence of the internal audit function; and
c) Whether the internal audit function applies a systematic and disciplined approach, including
quality control.
The external auditor shall not use the work of the internal audit function if the external auditor
determines that:
a) The function's organizational status and relevant policies and procedures do not adequately
support the objectivity of internal auditors;
b) The function lacks sufficient competence; or
c) The function does not apply a systematic and disciplined approach, including quality control.

As a basis for determining the areas and the extent to which the work of the internal audit function
can; be used, the external auditor shall consider the nature and scope of the work that has been
performed, or is planned to be performed, by the internal audit function and its relevance to the
external auditor's overall audit strategy and audit plan.
The external auditor shall make all significant judgments in the audit engagement and, to prevent
undue use of the work of the internal audit function, shall plan to use less of the work of the function
and perform more of the work directly:
a) The more judgment is involved in:

i. Planning and performing relevant audit procedures; and
ii. Evaluating the audit evidence gathered;
b) The higher the assessed risk of material misstatement at the assertion level, with special
consideration given to risks identified as significant;
c) The less the internal audit function's organizational status and relevant policies and procedures
adequately support the objectivity of the internal auditors; and
d) The lower the levels of competence of the internal audit function.
- The external auditor shall also evaluate whether, in aggregate, using the work of the internal
audit function to the extent planned would still result in the external auditor being sufficiently
involved in the audit, given the external auditor's sole responsibility for the audit opinion
m
expressed.
co
- The external auditor shall, in communicating with those charged with governance an overview
a.
ny
of the planned scope and timing of the audit communicate how the external auditor has planned
ke
ea
to use the work of the internal audit function.
om
- If the external auditor plans to use the work of the internal audit function, the external auditor
.s
w
shall discuss the planned use of its work with the function as a basis for coordinating their
w
w
respective activities.
- The external auditor shall read the reports of the internal audit function relating to the work of
the function that the external auditor plans to use to obtain an understanding of the nature and
extent of audit procedures it performed and the related findings.
- The external auditor shall perform sufficient audit procedures on the body of work of the
internal audit function as a whole that the external auditor plans to use to determine its adequacy
for purposes of the audit, including evaluating whether:
a) The work of the function had been properly planned, performed, supervised, reviewed and
documented;
b) Sufficient appropriate evidence had been obtained to enable the function to draw reasonable
conclusions; and
c) Conclusions reached are appropriate in the circumstances and the reports prepared by the
function are consistent with the results of the work performed.
- The nature and extent of the external auditor's audit procedures shall be responsive to the
external auditor's evaluation of:
a) The amount of judgment involved;
b) The assessed risk of material misstatement;

c) The extent to which the internal audit function's organizational status and relevant policies
and procedures support the objectivity of the internal auditors; and
d) The level of competence of the function and,
e) Shall include performance of some of the work.
- The external auditor shall also evaluate whether the external auditor's conclusions regarding
the internal audit function and the determination of the nature and extent of use of the work of
the 'function for purposes of the audit
Documentation
If the external auditor uses the work of the internal audit function, the external auditor shall include
in the audit documentation:
(a) The evaluation of:
i. Whether the function's organizational status and relevant policies and procedures
adequately support the objectivity of the internal auditors;
ii. The level of competence of the function; and
iii. Whether the function applies a systematic and disciplined approach, including quality
control;
(b) The nature and extent of the work used and the basis for that decision; and f
m
(c) The audit procedures performed by the external auditor to evaluate the adequacy of the work
co
a.
used.
ny
ke
ea
The objectives and scope of internal audit functions typically include assurance and consulting
om
activities designed to evaluate and improve the effectiveness of the entity's governance processes,
.s
w
risk management and internal control such as the following:
w
w
Activities Relating to Governance
The internal audit function may assess the governance process in its accomplishment of objectives
on ethics and values, performance management and accountability, communicating risk and control
information to appropriate areas of the organization and effectiveness of communication among
those charged with governance, external and internal auditors, an'd management.
Activities Relating to Risk Management
• The internal audit function may assist the entity by identifying and evaluating significant
exposures to risk and contributing to the improvement of risk management and internal
control (including effectiveness of the financial reporting process).
• The internal audit function may perform procedures to assist the entity in the detection of
fraud
Activities Relating to Internal Control
• Evaluation of internal control. The internal audit function may be assigned specific
responsibility for reviewing controls, evaluating their operation and recommending
improvements thereto. In doing so, the internal audit function provides assurance on the
control. For example, the internal audit function might plan and perform tests or other
procedures to provide assurance to management and those charged with governance
regarding the design, implementation and operating effectiveness of internal control,
including those controls that are relevant to the audit.
• Examination of financial and operating information. The internal audit function may be
assigned to review the means used to identify, recognize, measure, classify and report
financial and operating information, and to make specific inquiry into individual items,
including detailed testing of transactions, balances and procedures.
• Review of operating activities. The internal audit function may be assigned to review the
economy, efficiency and effectiveness of operating activities, including non-financial
activities of an entity.
• Review of compliance with laws and regulations. The internal audit function may be assigned
to review compliance with laws, regulations and other external requirements, and with
management policies and directives and other internal requirements.
• Activities similar to those performed by an internal audit function may be conducted by
functions with other titles within an entity. Some or all of the activities of an internal audit
function may also be outsourced to a third party service provider. Neither the title of the
function, nor whether it is performed by the entity or a third-party service provider, is sole
m
co
determinants of whether or not the external auditor can use the work of the function. Rather,
a.
ny
it is the nature of the activities; the extent to which the internal audit function's organizational
ke
status and relevant policies and procedures support the objectivity of the internal auditors;
ea
om
competence; and systematic and disciplined approach of the function that are relevant.
.s
• References in this ISA to the work of the internal audit function include relevant activities of
w
w
other functions or third-party providers that have these characteristics.
w
• In addition, those in the entity with operational and managerial duties and responsibilities
outside of the internal audit function would ordinarily face threats to their objectivity that
would preclude them from being treated as part of an internal audit function for the purpose
of this ISA, although they may perform control activities that can be tested in accordance
with ISA 330.9 For this reason, monitoring controls performed by an owner-manager would
not be considered equivalent to an internal audit function.
While the objectives of an entity's internal audit function and the external auditor differ, the function
may ,perform audit procedures similar to those performed by the external auditor in an audit of
financial statements. If so, the.external auditor may make use of the function for purposes of the
audit in one or more of the following ways:
• To obtain information that is relevant to the external auditor's assessments of the risks of
material misstatement due to error or fraud. In this regard, ISA 315 (Revised) requires the
external auditor to obtain an understanding of the nature of the internal audit function's
responsibilities, its status within the organization, and the activities performed, or to be

performed, and make inquiries of appropriate individuals within the internal audit function (if
the entity has such a function); or
• Unless prohibited, or restricted to some extent, by law or regulation, the external auditor, after
appropriate evaluation, may decide to use work that has been performed by the internal audit
function during the period in partial substitution for audit evidence to be obtained directly by
the external auditor.
Evaluating the Internal Audit Function
Objectivity and Competence
1. The external auditor exercises professional judgment in determining whether the work of the
internal audit function can be used for purposes of the audit, and the nature and extent to
which the work of the internal audit function can be used in the circumstances.
2. The extent to which the internal audit function's organizational status and relevant policies
and procedures support the objectivity of the internal auditors and the level of competence of
the function are particularly important in determining whether to use and, if so, the nature and
extent of the use of the work of the function that is appropriate in the circumstances.
3. Objectivity refers to the ability to perform those tasks without allowing bias, conflict of
interest or undue influence of others to override professional judgments. Factors that may
affect the external auditor's evaluation include the following:
• Whether the organizational status of the internal audit function, including the function's
m
authority and accountability, supports the ability of the function to be free from bias,
co
a.
conflict of interest or undue influence of others to override professional judgments. FOf
ny
ke
example, whether the internal audit function reports to those charged with governance or
ea
an officer with appropriate authority, or if the function reports to management, whether it
om
has direct access to those charged with governance.
.s
w
• Whether the internal audit function is free of any conflicting responsibilities, for example,
w
w
having managerial or operational duties or responsibilities that are.outside of the internal
audit function.
• Whether those charged with governance oversee employment decisions related to the internal
audit function, for example, determining the appropriate remuneration policy.
• Whether there are any constraints or restrictions placed on the internal audit function by
management or those charged with governance, for example, in communicating the internal
audit function's findings to the external auditor.
• Whether the internal auditors are members of relevant professional bodies and their
memberships obligate their compliance with relevant professional standards relating to
objectivity, or whether their internal policies achieve the same objectives.
• Competence of the internal audit function refers to the attainment and maintenance of
knowledge and skills of the function as a whole at the level required to enable assigned tasks
to be performed diligently and in accordance with applicable professional standards. Factors
that may affect the external auditor's determination include the following:
• Whether the internal audit function is adequately and appropriately resourced relative to the
size of the entity and the nature of its operations.
• Whether there are established policies for hiring, training and assigning internal auditors to
internal audit engagements.
• Whether the internal auditors have adequate technical training and proficiency in auditing.
Relevant criteria that may be considered by the external auditor in making the assessment
may include, for example, the internal auditors' possession of a relevant professional
designation and experience.
• Whether the internal auditors possess the required knowledge relating to the entity's financial
reporting and the applicable financial reporting framework and whether the internal audit
function possesses the necessary skills (for example, industry-specific knowledge) to perform
work related to the entity's financial statements.
• Whether the internal auditors are members of relevant professional bodies that oblige them to
comply with the relevant professional standards including continuing professional
development requirements.
4. Objectivity and competence may be viewed as a continuum. The more the internal audit function's
organizational status and relevant policies and procedures adequately support the objectivity of
the internal auditors and the higher the level of competence of the function, the more likely the
external auditor may make use of the work of the function and in more areas.
5. However, an organizational status and relevant policies and procedures that provide strong
support for the objectivity of the internal auditors cannot compensate for the lack of sufficient
competence of the internal audit function. Equally, a high level of competence of the internal
audit function cannot compensate for an organizational status and policies and procedures that do
not adequately support the objectivity of the internal auditors.
Application of a Systematic and Disciplined Approach
m
co
a.
- The application of a systematic and disciplined approach to planning, performing,
ny
ke
supervising, reviewing and documenting its activities distinguishes the activities of the
ea
internal audit function from other monitoring control activities that may be performed within
om
.s
the entity.
w
w
- factors that may affect the external auditor's determination of whether the internal audit
w
function 'applies a systematic and disciplined approach include the following:
• The existence, adequacy and use of documented internal audit procedures or guidance
covering such areas as risk assessments, work programs, documentation and reporting,
the nature and extent of which is commensurate with the size and circumstances of an
entity.
• Whether the internal audit function has appropriate quality control policies and
procedures, for example, such as those policies and procedures that would be applicable
to an internal audit function (such as those relating to leadership, human resources and
engagement performance) or quality control requirements in standards set by the
relevant professional bodies for internal auditors.
• Such bodies may also establish other appropriate requirements such as conducting
periodic external quality assessments.
Circumstances When Work of the Internal Audit Function Cannot Be Used
- The external auditor's evaluation of whether the internal audit function's organizational status
and relevant policies and procedures adequately support the objectivity of the internal
auditors, the level of competence of the internal audit function, and whether it applies a
systematic and disciplined approach may indicate that the risks to the quality of the work of
the function are too significant and therefore it is not appropriate to use any of the work of the
function as audit .evidence.
- Consideration of the factors in paragraphs 3and 4 of Evaluating the Internal Audit Function
above individually and in aggregate is important because an individual factor is often not
sufficient to conclude that the work of the internal audit function cannot be used for purposes
of the audit. For example, the internal audit function's organizational status is particularly
important in evaluating threats to the objectivity of the internal auditors.
- If the internal audit function reports to management, this would be considered a significant
threat to the function's objectivity unless other factors such as those described in paragraph 3
of evaluating the Internal Audit Function above collectively provide sufficient safeguards to
reduce the threat to an acceptable level.
- In addition, self-review threat is created when the external auditor accepts an engagement to
provide internal audit services to an audit client, and the results of those services will be used
in conducting the audit. This is because of the possibility that the engagement team will use
the results of the internal audit service without properly evaluating those results or without
exercising the same level of professional skepticism as would be exercised when the internal
audit work is performed by individuals who are not members of the firm.
Factors Affecting the Determination of the Nature and Extent of the Work of the internal
Audit function that can be used
m
co
a.
ny
- Once the external auditor has determined that the work of the internal audit function can be
ke
used for purposes of the audit, a first consideration is whether the planned nature and scope of
ea
om
the work of the internal audit function that has been performed, or is planned to be performed,
.s
is relevant to the overall audit strategy and audit plan that the external auditor has established
w
w
- Examples of work of the internal audit function that can be used by the external auditor
w
include the following:
- Testing of the operating effectiveness of controls.
- Substantive procedures involving limited judgment.
- Observations of inventory counts.
- Tracing transactions through the information system relevant to financial reporting.
- Testing of compliance with regulatory requirements.
- In some circumstances, audits or reviews of the financial information of subsidiaries that are
not significant components to the group
- The external auditor's determination of the planned nature and extent of use of the work of
the internal audit function will be influenced by the external auditor's evaluation of the extent
to which the internal audit function's organizational status and relevant policies and
procedures adequately support the objectivity of the internal auditors and the level of
competence of the internal audit function. In addition, the amount of judgment needed in
planning, performing and evaluating such work and the assessed risk of material
misstatement at the assertion level are inputs to the external auditor's determination.

- Further, there are circumstances in which the external auditor cannot use the work of the
internal audit function for purpose of the audit
Judgments in planning and performing audit procedures and evaluating results
- The greater the judgment needed to be exercised in planning and performing the audit
procedures and evaluating the audit evidence; the external auditor will need to perform more
procedures directly, because using the work of the internal audit function alone will not
provide the external auditor with sufficient appropriate audit evidence.
- Since the external auditor has sole responsibility for the audit opinion expressed, the external
auditor needs to make the significant judgments in the audit engagement.
Significant judgments include the following:
• Assessing the risks of material misstatement;

• Evaluating the sufficiency of tests performed;
• Evaluating the appropriateness of management's use of the going concern assumption;
• Evaluating significant accounting estimates; and
• Evaluating the adequacy of disclosures in the financial statements, and other matters affecting
the auditor's report.
m
co
Assessed risk of material misstatement
a.
ny
ke
- For a particular account balance, class of transaction or disclosure, the higher an assessed risk
ea
om
of material misstatement at the assertion level, the more judgment is often involved in
.s
planning and performing the audit procedures and evaluating the results thereof. In such
w
w
circumstances, the external auditor will need to perform more procedures directly, and
w
accordingly, make less use of the work of the internal audit function in obtaining sufficient
appropriate audit evidence.
- Furththermore, the higher the assessed risks of material misstatement, the more persuasive the
audit evidence required by the external auditor will need to be, and, therefore, the external
auditor will need to perform more of the work directly.
- Significant risks require special audit consideration and therefore the external auditor's ability
to use the work of the internal audit function in relation to significant risks will be restricted
to procedures that involve limited judgment. In addition, where the risk of material
misstatement is other than low, the use of the work of the internal audit function alone is
unlikely to reduce audit risk to an acceptably low level and eliminate the need for the external
auditor to perform some tests directly.
- Carrying out procedures in accordance with this ISA may cause the external auditor to
reevaluate the external auditor's assessment of the risks of material misstatement.
Consequently, this may affect the external auditor's determination of whether to use the work
of the internal audit function and whether further application of this ISA is necessary.

Communication with Those Charged with Governance
- The external auditor is required to communicate with those charged with governance an
overview of the planned scope and timing of the audit.
- The planned use of the work of the internal audit function is an integral part of the external
auditor's overall audit strategy and is therefore relevant to those charged with governance for
their understanding of the proposed audit approach.
Using the Work of the Internal Audit Function
Discussion and Coordination with the Internal Audit Function
- In discussing the planned use of their work with the internal audit function as a basis for
coordinating the respective activities, it may be useful to address the following:
• The timing of such work.
• The nature of the work performed.
• The extent of audit coverage.
• Materiality for the financial statements as a whole (and, if applicable, materiality level
or levels for particular classes of transactions, account balances or disclosures), and
performance materiality.
• Proposed methods of item selection and sample sizes.
m
co
• Documentation of the work performed.
a.
ny
• Review and reporting procedures.
ke
ea
- Coordination between the external auditor and the internal audit function is effective when,
om
for example:
.s
• Discussions take place at appropriate intervals throughout the period.
w
w
w
• The external auditor informs the internal audit function of significant matters that may affect
the function.
The external auditor has access to relevant reports of the internal audit function and is informed of
any significant matters that come to the attention of the function when such matters may affect the
work of the external auditor so that the external auditor is able to consider the implications of such
matters for the audit engagement.
- ISA 200 discusses the importance of the auditor planning and performing the audit with
Professional skepticism, including being alert to information that brings into question the
reliability of documents and responses to inquiries to be used as audit evidence. Accordingly,
communication with the internal audit function throughout the engagement may provide
opportunities for internal auditors to bring matters that may affect the work of the external
auditor to the external auditor's attention.
- The external auditor is then able to take such information into account in the external
auditor's identification and assessment of risks of material misstatement. In addition, if such
information may be indicative of a heightened risk of a material misstatement of the financial
statements or may be regarding any actual, suspected or alleged fraud, the external auditor
can take this into account in the external auditor's identification of risk of material
misstatement due to fraud
Procedures to Determine the Adequacy of Work of the Internal Audit Function
- The external auditor's audit procedures on the body of work of the internal audit function as a
whole that the external auditor plans to use provide a basis for evaluating the overall quality
of the function's work and the objectivity with which it has been performed.
- The procedures the external auditor may perform to evaluate the quality of the'work
performed and the conclusions reached by the internal audit function, in addition to
reperformance include the following:
• Making inquiries of appropriate individuals within the internal audit function.
• Observing procedures performed by the internal audit function.
• Reviewing the internal audit function's work program and working papers.
The more judgment involved, the higher the assessed risk of material misstatement, the less the
internal audit function's organizational status and relevant policies and procedures adequately
support the objectivity of the internal auditors, or the lower the level of competence of the internal
audit function, the more audit procedures are needed to be performed by the external auditor on the
m
co
overall body of work of the function to support the decision to use the work of the function in
a.
ny
obtaining sufficient appropriate audit evidence on which to base the audit opinion.
ke
ea
om
.s
w
w
Reperformance
w
- For purposes of this ISA, reperformance involves the external auditor's independent
execution of procedures to validate the conclusions reached by the internal audit function.
This objective may be accomplished by examining items already examined by the internal
audit function, or where it is not possible to do so, the same objective may also be
accomplished by examining sufficient other similar items not actually examined by the
internal audit function.
- Reperformance provides more persuasive evidence regarding the adequacy of the work of the
internal audit function compared to other procedures.
- While it is not necessary for the external auditor to do reperformance in each area of work of
the internal audit function that is being used, some reperformance is required on the body of
work Of'. the internal audit function as a whole that the external auditor plans to use.
- The external auditor is more likely to focus reperformance in those areas where more
judgment was exercised by the internal audit function in planning, performing and evaluating
the results of the audit procedures and in areas of higher risk of material misstatement.

THE USERS OF AUDITED FINANCIAL STATEMENTS AND AUDITOR REPORTS
The annual accounts and report are primarily prepared by the directors to the shareholders. However,
the following parties need financial statements.
1. Those parties with vested interests in a business.
- Employees.
- Creditors or suppliers
- Lenders and debenture holders
- The management
- The shareholders to whom the financial statements are addressed.
- Credit rating agencies.
2. Those with potential interests
- Potential shareholders
- Trustees
- Suppliers
- Customers
m
3. Those with representative interests
co
a.
ny
- Lawyers
ke
- The government
ea
om
- The general public.
.s
w
w
w
4. Others
- Competitors
- Stock brokers
- Statisticians
- Financial journalists
- Trade unions.
• Present and potential investors. These risk capital providers and their advisors are concerned
the risk that is inherent in their investment. They need information to help them determine
whether they should buy more shares, hold on to the shares they have or sell the shares they
have.
• Employees. These and their representative groups such as trade unions are interested in
information about the stability and profitability of their employers. They are also interested in
information which enable them assess the ability of the company to provide adequate
remuneration, retirement benefits and employment opportunities.

• Lenders. These are interested in information that enables them determine whether their loans
and interests arising from the loans will be paid back when due.
• Suppliers and other trade creditors. These users are interested in information that enables
them determine whether the amounts owing to them will be paid when due. Their interest in the
company is of shorter period than lenders while they are dependent upon the continuation of the
company as a major customer.
• Customers. These have interest in information about the continuance of the company especially
when they have long term involvement and or are dependent as the company.
• Government. The main interest of the government is allocation of resources. It also requires
information in order to regulate the activities of the enterprise, determine taxation policies and
obtain national income statistics.
• Public. A company affects public in a variety of ways. A company may make substantial
contribution to the local economy by employing people and obtaining supplies locally.
• Financial statements assist the public in information on trends and recent developments of die
company in the economy.
m
co
a.
ny
ke
ea
om
.s
w
w
w

TOPIC 2
PLANNING FOR THE AUDIT
INTRODUCTION
An Audit plan is the specific guideline to be followed when conducting an audit. it helps the auditor
obtain sufficient appropriate evidence for the circumstances, helps keep audit costs at a reasonable
level, and helps avoid misunderstandings with the client.
It addresses the specifics of what, where, who, when and how:
 What are the audit objectives?

 Where will the audit be done? (i.e. scope)
 When will the audit(s) occur? (how long?)
 Who are the auditors?
 How will the audit be done?
Benefits of Audit Plan
m
co
a.
 It helps the auditor obtain sufficient appropriate evidence for the circumstances
ny
It helps to keep audit costs at a reasonable level.
ke

ea
 It helps to avoid misunderstandings with the client.
om
 It helps to ensure that potential problems are promptly identified
.s
w
 It helps to know the scope of audit program by an Auditor.
w
OBJECTIVES OF PLANNING FOR THE AUDIT w
Planning for the audit is a vital area of the audit primarily conducted at the beginning of audit
process to ensure that the:-
 Appropriate attention is devoted to important areas

 Potential problems are promptly identified
 work in completed expeditiously
 work is properly coordinated
The plan developed needs to be revised as necessary during the course of audit

TYPES:
Overall Plan
It’s the general strategy for audit, which sets the direction for audit, describe the expected scope and
conduct of audit and provides guiding for the development of audit programme.
Audit Programme
Detailed set of instructions to implement overall plan for the nature, timing and extent of audit
procedure.
General Planning Matters
The following administrative details of an audit should be considered while developing audit plan.
1. Logistics
2. Use of IT
3. Time budgets
4. Subsidiary objectives of the assignment
5. Logistics
When planning an audit engagement partners or manager has to considers many practical areas like
m
co
a.
1. Staff
ny
2. Client management
ke
ea
3. Location of the audit
om
4. Dead lines
.s
w
w
w
Staff
For the selection of audit staff for a particular assignment following considerations should be made.
1. Appropriate level of qualification

2. Reasonable experience and expertise
3. Availability of staff
4. Relationships with client and within staff members
5. Boarding and lodging requirements
Client Management
The management of the client may have preferences regarding audit staff. Audit manager should
consider their recommendations in the light of independence rule to decide the changing of audit
team as consistency of audit staff helps audit efficiency.

Locations
Following are important issues
 Locations of different premises of client e.g. factory, admin office

 Mobility of audit staff
 Location of audit review by manager engagement partner
 Location of audit staff to each site
 Liaison with client staff to ensure each site visits in congenial.
Dead Line
It is important that the auditors know the deadlines and the key dates:
 Dates of financial statements approval

 Date of main audit visit
 Date of stock
 Date of manager review
 Date of engagement partner’s review
 Date of engagement partner’s post audit meeting with client management
m
 Date of which audit report is due to be signed
co
a.
 Date of AGM
ny
ke
ea
om
.s
w
Uses of IT
w
w
There are several factors to be considered
 Whether the client has computerized system

 If so whether the auditor will make use of CAATS
 Whether auditor will use computer for making working papers
 If so whether audit team is appropriately equipped
Time Management
Audit must be cost effective therefore, the time to be taken to conduct each part of the audit is to be
estimated and the fee set accordingly it is important that
 Audit team is aware of time budget

 Audit team record variance from time budget. The time budgets will be based on issues such
as:
a. Prior years time record
b. Risk assessment
c. Materiality consideration
Subsidiary Objectives
Along with the key purpose of audit i.e. to express an opinion on the financial statements, there may
be certain other objectives of audit assignment e.g.
 Report on weakness of internal control system

 Report to be included in prospectus.
 Other ancillary service to be mentioned (recommendation for improvement in compliance
with law and regulations.
Audit Principal
Auditor should perform the audit with an attitude of “Professional Skepticism” recognizing that
circumstances may exist, which cause the financial statements to be materially misstated, such
circumstances include.
m
ACCEPTING AUDIT ENGAGEMENTS
co
a.
ny
Preconditions for an audit
ke
ea
om
Auditors should only accept a new audit engagement, or continue an existing audit engagement if
.s
w
the 'preconditions for an audit' required by ISA 210 Agreeing the terms of audit engagements are
w
w
present.
ISA 210 requires the auditor to:
 Determine whether the financial reporting framework to be applied in the preparation of the
financial statements is appropriate; and
 Obtain the agreement of management that it acknowledges and understands its
responsibilities.
If the preconditions for an audit are not present, the auditor should discuss the matter with
management, and should not accept the engagement unless required to do so by law or regulation.
Procedures
If offered an audit role, the auditor should:
 ask the client for permission to contact the outgoing auditor (reject role if client refuses)

 contact the outgoing auditor, asking for any reasons why they should not accept appointment.
If a reply is not received, the prospective auditor should try and contact the outgoing auditor
by other means e.g. by telephone. If a reply is still not received the prospective auditor may
still choose to accept but must proceed with care.
 ensure that the legal requirements in relation to the removal of the previous auditors and the
appointment of the firm have been met
 carry out checks to ensure the firm can be independent, is competent to do this audit and has
the necessary resources
 assess whether this work is suitably low risk
 assess the integrity of the company's directors
 as a commercial organisation, the firm should also ensure that this is a desirable client (e.g.
right industry, suitable profit margin etc)
 not accept the appointment, where it is known that a limitation will be placed on the scope of
the audit.
Engagement letters
The engagement letter will be sent before the audit. It specifies the nature of the contract between
the audit firm and the client and minimises the risk of any misunderstanding of the auditor's role.
It should be reviewed every year to ensure that it is up to date but does not need to be reissued every
year unless there are changes to the terms of the engagement. The auditor must issue a new
engagement letter if the scope or context of the assignment changes after initial appointment.
m
co
a.
ny
ISA 210 requires the auditor to consider whether there is a need to remind the entity of the existing
ke
terms of the audit engagement for recurring audits and many firms choose to send a new letter every
ea
om
year, to emphasise its importance to clients.
.s
w
w
The contents of the engagement letter
w
The contents of a letter of engagement for audit services are listed in ISA 210 Agreeing the Terms
of Audit Engagements. They should include the following:
 The objective and scope of the audit;

 The responsibilities of the auditor;
 The responsibilities of management;
 The identification of an applicable financial reporting framework; and
 Reference to the expected form and content of any reports to be issued.
In addition to the above the engagement letter may also make reference to:
 The unavoidable risk that some material misstatements may go undetected due to the inherent
limitations in an audit;
 Arrangements regarding the planning and performance of the audit;
 The expectation that management will provide written representations;

 The agreement of management to make available to the auditor draft financial statements and
other information in time to complete the audit in accordance with the proposed timetable;
 The agreement of management to inform the auditor of facts that may affect the financial
statements;
 The basis on which fees are computed and billing arrangements;
 A request for management to acknowledge receipt of the engagement letter and to agree the
terms outlined;
 Agreements concerning the involvement of auditors experts and internal auditors; and
 Restrictions to the auditor's liability.
AUDIT PLAN FOR NEW CLIENTS
Before accepting any client for services, the auditor should undertake following procedures and duly
consider the factors/matters
 Client/company Reputation / Background / History

The auditor should get information about client’s reputation to ensure that the company is not
apparently high risk clients. Particularly the auditor should assess the Management Integrity.
 Client Business/Industry
The auditor should seek information about the nature of client’s business (type of industry) to
m
co
assess the relevant regulations/standards relevant to client’s industry.
a.
ny
ke
 Risk
ea
om
The auditor has to evaluate apparent with client to ensure that audit is being conducted
.s
carefully.
w
w
NB: Indicators of risky clients in exams scenario would be Weak accounting systems/poor
w
systems
– Rapid turnover of employees particularly accounts department
– Directors/Mgt casual attitude about disclosures/reporting requirements
– Frequent change of auditors in short time period (e.g. Auditors changed 3-4 times in 4-
5 years)
– Bad reputation of client mgt
– Mgt requirement to conduct audit within short time period
– Operating Losses/Lack of Finances/Lack of Funds
– Unusual Transactions/Related Party Transactions
– Negative media comments about client etc)
 Expertise/Competence/ Skills
Before accepting any client, the auditors should ensure that they have relevant
expertise/competence/skills to do the audit of the client.(TIP: Even if auditors do not have
relevant experience of doing the audit of companies from same industry, still they may accept
the audit to gain experience by learning the relevant requirements and to enter into client’s
industry.)

 Conflict of Interest
The auditors should ensure that acceptance of any client would not create problem of conflict
of interest in existing clients.
 Resources Availability
Before acceptance auditors should evaluate the availability of resources in terms of relevant
audit team members and time to conduct the audit.
 Fees/ Engagement Economies

Auditors should consider that audit fee is in accordance with ethical requirements and level of
audit work required.
 Ethical Requirements
Acceptance of any client should not create any conflicts or threats to independence, integrity
and objectivity of auditors.
 Communication with previous auditors/predecessor auditors

– Before accepting any audit, the auditor has to communicate with previous/predecessor
auditors to ensure that there no professional reasons for which audit should not be
accepted and there are no legal/ethical problems. However the new/proposed auditors
would seek permission of the client before communication with previous auditors and if
client declines the permission the auditor should withdraw from appointment. While
m
co
before replying back to new/proposed auditors, the old/previous auditors would also seek
a.
ny
permission of the client to reply back and if client does not grant permission the
ke
new/proposed auditor should decline the nomination.
ea
om
.s
– NB: Communication with previous auditors is mandatory requirement and it has to be
w
w
w
done formally in writing (letter).
– After going through all above matters auditor may decide to accept or decline the client.
If auditor decides to accept the client, following further procedure would be undertaken.
– Confirm that removal/resignation of previous/predecessor auditor has been conducted in
accordance with legal requirements.
– Ensure that appointment of new/proposed auditors is also in accordance with statutory
requirement.
– Submit “Engagement Letter”.
Sources to obtain information about client before acceptance of audit
Through following sources/channels/references information about new client’s reputation, systems

and risk may be obtained
 Media comments/remarks
 Latest Financial Statements
 Financial Analyst’s Report
 Credit Rating Report

 Audit Report of previous auditors
 Enquiries from third parties
Provisions regarding tendering/advertisement of work
While advertising services of auditors, following requirements should be ensured
 Advertisement should not bring disrepute to the profession

 Discredit or belittle the services of other auditors/assurance firms is not allowed
 Advert should not be misleading/ambiguous
 All regulatory requirements should be complied
Objectives / purpose of engagement letter
 Determines of auditor’s responsibilities

 Written confirmation of the auditor’s acceptance of appointment
Contents of engagement letter

 Objective of an audit
 Rights and duties of Auditor
 Responsibilities of Management
 Scope of Audit
 Applicable regulatory framework
m
co
 Test nature and inherent limitation of audit
a.
 Unrestricted access to information and records
ny
ke
 Description of Management Letter
ea
 Description of Management Representation Letter
om
.s
 Arrangements of involvement of “others”(including Internal auditor, Experts and predecessor
w
w
Auditors)
w
 Basis of fees
 Request for client to confirm the terms of audit
 Terms of other services, if any
 Any other matter
Circumstances in which engagement letter would be replaced/reissued
In following circumstances engagement letter would be reissued

 Client misunderstanding
 Change in terms of engagement
 Change of senior management
 Change in nature or size of client’s business / operations
 Change in legal requirement
NB: However if client demands a restriction/limitation in scope of audit, the auditors should not
accept the change in engagement letter.

AUDIT PLAN FOR AN EXISTING CLIENT
Past arguments over the scope of the audit, the type of opinion issued, fees etc may give the auditor
pause to reconsider the association with the particular client. The auditor may also decide to
discontinue the relationship if the client is deemed to lack integrity. Under the Ethical Standards the
auditor may have to discontinue association if there are ethical issues (if the client is involved in
litigation against the auditor, there are unpaid fees, independence issues etc.). The auditor may also
decide the particular engagement is too high risk. Client acceptance and continuance is an important
part of determining audit risk.
 Obtaining an understand lng with the client
A clear understanding of the terms of the engagement should exist between the client and the
auditor. ISA 210 describes the contents of an engagement letter. Although the standard does not
require use of an engagement letter, the guidance is provided in a manner that presumes use of an
engagement letter. According to ISA 210, „the auditor and the client should agree on the terms of
the engagement." ISA 210' states that the auditor should ensure that the engagement letter or other
form of suitable contract documents and confirms the auditors" acceptance of the appointment and
includes a summary of the responsibilities of those charged with governance and of the auditor. The
terms of the engagement include consideration of what is to be done (the objective, scope, and report
of the audit) by who (the staff) and for how much (the fee). The agreed terms would need to be
m
co
recorded in an audit engagement letter or other suitable form of contract. The engagement letter may
a.
ny
also include an agreement to provide other services such as tax returns. It should also state any
ke
assistance to be provided by the client personnel in obtaining books and records, and schedules to be
ea
om
prepared for the auditor. It will outline the auditor's responsibilities in relation indictable offences
.s
w
and money laundering. It also serves the purpose of informing the client that the auditor cannot
w
w
guarantee that all fraud will be detected.
 Develop overall audit strategy
ISA 300 necessitates that the overall audit strategy should be established at the beginning, and
updated and amended as required during the course of the audit. The auditor may need to revise his
Overall Audit Strategy and Overall Audit Plan (mid thereby the planned nature, extent and timing of
further audit procedures) when unexpected events, changed conditions or the audit evidence
achieved from audit procedures lead to information that is significantly different from information
available to the auditor when he first planned his audit.
The, purpose of the overall audit strategy is to develop an effective response to the risk of material
Misstatement. The auditor considers what they found in preliminary planning activities such as
client acceptance, ethical position of the audit firm and their understanding of the entity and its
environment, including its internal control, to develop an effective and efficient overall audit
strategy that will appropriately respond to assessed risks. The overall audit strategy includes
consideration of planned audit responses to specific risks through the development of the audit plan.
The overall audit strategy also helps the auditor determine the resources required for the
engagement, including engagement staffing. Therefore, at a minimum the following matters should
be included in the overall audit strategy:
- Relevant characteristics of the audit engagement, such as the reporting framework used in
order to set the scope of the engagement.
- Key dates for reporting and other communications
- Setting of materiality
- Preliminary risk assessment and whether internal controls are to be tested
- Consideration of resources available and how they are to be used
 Select staff for engagement
Appropriate staff, knowledgeable about the client's industry, must be assigned to the engagement
order that they may effectively carry out their work, the assigned engagement staff should have the;
- following capabilities and competencies:
1. An understanding of, and practical experience with, audit engagements of similar nature and
complexity through appropriate training and participation.
2. Appropriate technical knowledge, including knowledge of relevant information technology.
3. Knowledge of relevant industry in which the client operates.
4. Ability to apply professional judgment.
m
5. An understanding of the firm's quality control policies and procedures
co
6. An understanding of professional standards and regulatory and legal requirements.
a.
ny
ke
ea
om
For existing clients there may also be a need for continuity from year to year. In addition, ISA 300
.s
w
states that „The auditor should plan the nature, timing, and extent of direction and supervision of
w
w
engagement team members and review of their work". In reviewing the work of engagement team
members, it should be ensured that:
1. The work has been performed in accordance with professional standards and regulatory and
legal requirements
2. The work performed supports the conclusions reached
3. The work performed is appropriately documented.
4. The evidence obtained is sufficient and appropriate to support the auditor's report.
5. The objectives of the engagement have achieved.
6. Any need to revise the nature, timing and extent of audit work performed has been identified
7. Significant matters have been raised for further consultation
8. Appropriate consultations have taken place and the resulting conclusion have been
documented and implemented.
The engagement team will usually consist of a partner, manager, audit senior and junior.
 Evaluate need for outside experts

ISA 620 defines an expert as a person or firm possessing special skill, knowledge, and experience in
a particular field other than accounting and auditing. The auditor must have an understanding of the
client's business sufficient to identify whether an expert is needed e.g. where inventory is highly
specialised and is material to the financial statements independent valuation by an expert may be
necessary. Where an expert's work is needed as audit evidence, the auditor should evaluate the
expert's skills and competence by considering professional qualifications, experience, and
reputation. The expert's objectivity should be considered.
 Understand the client's business and industry
ISA 310 requires a reasonable understanding of the client's business and industry. The nature of the
client's business and industry affects client business risk and the risk of material misstatement in the
financial statements. Auditors use the knowledge of these risks to determine the appropriate amount
of audit evidence to gather. Auditors have been exposed to problems resulting from the auditor's
failure to understand comprehensively the nature of transactions in client's industry. The auditor
must also have an understanding of the client's external environment, including economic
conditions, impact of competition, reporting obligations, legal and regulatory requirements. The
auditor should source this information by reading industry trade publications, and regulatory
requirements. The auditor should identify factors such as major sources of income, key customers
and suppliers, sources of finance, related parties and transactions with related parties requiring
disclosure that may be high-risk areas within the client. The auditor should make inquiries of
m
co
management and others within the entity in relation to the above. Visiting the client's premises is
a.
ny
also useful in this regard because it gives an opportunity to observe operations firsthand and to meet
ke
ea
key employees. Transactions with related parties are important to auditors because the International
om
.s
Accounting Standards require that such transactions be disclosed in the financial statements if they
w
w
are material. As management are pivotal in establishing an entity's strategies and business processes
w
the auditor should consider Management's philosophy and operating style and its ability to identify
and respond to risks as this significantly affects the risk of material misstatement in the financial
statements. In this regard, the auditor should read the memorandum and articles of association, read
minutes of board of directors and shareholders, and inquire of management.
The auditor should understand the client's objectives related to reliability of financial reporting;
effectiveness and efficiency of operations; and compliance with laws and regulations. Auditors need
knowledge about operations to assess client business risk and inherent risk in the financial
statements.
The auditor should make inquiries of management; review prior year working papers; inspect legal
documents (such as share options and pension plans), minutes of meetings and significant contracts.
The auditor needs also to consider to client's performance measurement system. Inherent risk may be
increased if the client has set unreasonable objectives or if the performance measurement systems
encourage manipulation of amounts in the financial statements. The auditor should read financial

statements, perform ratio analysis, and inquire of management about key performance indicators that
management uses to measure progress toward its objectives.
 Assess client business risk
The auditor uses knowledge gained from the strategic understanding of the client-business and
industry to assess client business risk, the risk that client will fail to achieve its objectives. It is
management's responsibility to identify the business risks facing the company and respond
accordingly to those risks. The auditor's main concern is the risk of material misstatement in the
financial statements due to client business risk. It is important to note that not all business risks will
turn into risks leading to material misstatement in the financial statements. ISA 315 stresses the
importance of all members of the audit team understanding the potential risk of misstatements in
each client's financial statements. In particular, the standard introduces the concept that the auditor is
required to obtain an understanding of business risks and significant risks to the extent that they are
relevant to the financial statements. ISA 315 requires the audit team to discuss risk factors as part of
the audit planning process.
 Perform preliminary analytical procedures
Analytical procedures applied at the planning stage can assist the auditor in gaining an
understanding of the client's business and in assessing client business risk. ISA 520 states, "The
m
auditor should apply analytical procedures at the planning and overall review stages of the audit."
co
a.
ISA 520 Analytical Procedures states that analytical procedures include the consideration of
ny
ke
comparisons of the entity's financial information with, for example:
ea
om
- Comparable information for prior periods
.s
w
- Anticipated results of the entity, such as budgets or forecasts, or expectations of the auditor,
w
w
such as an estimate for depreciation
- Similar industry information, such as comparison of the entity's ratio of sales to receivables
with industry averages or with other entities of comparable size in the same industry.
Application of analytical procedures may indicate aspects of the business of which the auditor was
unaware. In order to gain a better understanding of the client's business and industry, the auditor will
calculate typical ratios and compare the company ratios to those of the industry. Analytical
procedures identify significant deviation from predicted amounts, which show the auditor where to
increase procedures to obtain corroborative evidence. ISA 315 paragraph 10 contains additional
guidance on I applying analytical procedures as risk assessment procedures.
DEVELOPING OVERALL AUDIT PLAN
Overall audit plan describes the expected scope and conduct of the audit:
 Factors Affecting The Form And Content Of Overall Audit Plan
 Size of the entity.

 Complexity of the audit
 Specific methodology and technology (e.g. computers) used by the auditor.
Matters to Be Considered when developing Overall Audit Planning
a) Knowledge Of
 Business
 General economic factors and industry conditions
 Important characteristics of the entity, its business
 Performance and reporting requirements and changes therein
 Level of competence of management
b) Understanding the Accounting and Internal Control System
 The accounting policies adopted and change therein.

 The effect of new accounting or auditing pronouncements
 The auditor’s cumulative knowledge of internal control and expected emphasis of tests of
control and substantive procedures.
c) Risk and Materiality
 The expected assessment of inherent and control risk and identification of significant audit
m
areas.
co
a.
 The setting of materiality level.
ny
ke
 The possibility of material misstatement
ea
 The identification of complex accounting areas
om
.s
w
d) Nature, Timing and Extent Of Procedure
w
w
 Possible change of emphasis of specific audit areas
 The effect of information technology on the audit
 The work of internal auditing and its effect on external auditing
e) Coordination, Direction, Supervision and Review
 The involvement of other auditors

 The involvement of experts
 The number of locations
 Staffing requirements
f) Other Matters
 Going concern assumption

 Conditions requiring special attention such as related parties
 Terms of engagement and any statutory responsibilities
 The nature and timing of reports or other communication
Audit Program
Audit program ensures that the work is carried out in accordance with audit plan
Meaning and Objective of Audit Program
These are written instruction, which lay down the procedures to be performed by the assistants in
order to implement the audit plan. It helps in controlling proper execution of the audit work. It may
also contain the following.
In Preparing the Audit Program Following Points Should Be Considered
 Audit objectives for each area; and

 An hourly time budget for various audit areas or procedures.
 Assessment of inherent and control risks
 Required level of assurance from substantive procedures
 Timing of tests of controls and substantive procedures
 Availability of assistants
 Involvement of other auditors or experts
 Assistance from client
Update the Plan
m
Plans should be revised during the course of audit. Audit planning is a continuous process because
co
a.
of changes in conditions. Circumstances ma causes us to alter the plan; therefore, it is important to
ny
ke
record the significant changes.
ea
om
Audit Planning Memorandum
.s
w
w
w
APM is documentary evidence that the adequate planning is carried out. The audit-planning
memorandum should include intended audit approach, risks evaluation, materiality levels, timetable,
staffing requirement, and consideration of going concern basis and client’s use of computer systems.
For the above it is apparent that audit plan and APM are the same things
LIMITATIONS OF AUDIT PLAN
An audit plan is necessary to ensure that the entire course of an audit process runs progressively and
systematically. It also confirms that a pre-determined audit procedure and coordination is followed
and in correct timing and direction. Although this plan is an important component of the audit, it is
not without its shortcomings.

Rigidity
 An audit plan follows a standard approach and set patterns. This may stifle flexibility and
initiative, therefore dampening professional judgment of the parties involved. Rigidity also
makes the process too mechanistic undermining the audit staffs' abilities, creativity and
talents. This will consequently leave them with less freedom in performing their task and also
technically challenged.
Overlooking Audit Staffs' Capabilities
 A plan will make the audit process automated and will loosen the sense of responsibility for
the audit staff. It can potentially decrease initiative and inventiveness, with less application of
staff talents and abilities. They therefore do not reinforce the plan with any improvements,
which will lower its future effectiveness. The automation also leaves the staff performing
their task with normality, which can cause boredom.
Incompatibility
 The strategies and procedures adopted from an audit plan may not be in accordance with a
client's standards. An auditor will likely need to prepare a new procedural plan that meets the
needs of the client; in some cases, this backtracking may cause the client to lose faith and/or
trust in the auditor. Staff may also feel manipulated since they will have to participate in the
preparation of the new plan, which can vary significantly from the standard audit.
m
co
a.
Constant Update
ny
ke
ea
 An audit plan needs to change regularly -- usually each year -- to keep it current with the
om
changing economic environment and business structures. If this change is not done, the plan
.s
w
w
may turn out to be too rigid in nature and its application in an audit process may be in-
w
effective and out-dated. This updating requires more time and resource devotion to the plan,
which would be better used in other productive activities.

TOPIC 3
INTERNAL CONTROL SYSTEM
DEFINITION OF INTERNAL CONTROL AND INTERNAL CONTROL SYSTEMS
Internal control is the process, effected by an entity's Board of Trustees, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in the
following categories:
a. Reliability of financial reporting,

b. Effectiveness and efficiency of operations, and
c. Compliance with applicable laws and regulations.
Internal Control Systems are basic management practices that usually involve two elements: a
policy establishing what should be done and procedures used to support the policy. Internal control
systems typically come from senior management's interpretation of the companes strategic
initiatives, laws and regulations, or industry standards and practices.
m
Types of Internal Controls:
co
a.
ny
1. Detective: Designed to detect errors or irregularities that may have occurred.
ke
2. Corrective: Designed to correct errors or irregularities that have been detected.
ea
om
3. Preventive: Designed to keep errors or irregularities from occurring in the first place.
.s
w
w
w
Key Internal Control Activities
Segregation of Duties
Duties are divided, or segregated, among different people to reduce the risk of error or inappropriate
actions. For example, responsibilities for receiving cash or checks, preparing the deposit to the
Cashier's Office, and reconciling the deposit to the cashier's receipt and Balances should be
separated.
Structure
Organizational structure - lines of authority and responsibility - should be clearly defined so that
employees know where to go to report performance of duties, problems and questions related to
position and the organization as a whole. An organization chart is a good means of defining this
structure as long as it is kept up to date. Part of the structure is also the rules that employees must
abide by. Written policies and procedures provide guidance to employees in carrying out their

duties, provide for clear rules on allowable and expected activity, as well as provide means for
enforcement. The department's lines of authority and policies and procedures should be reviewed
periodically to ensure they are in agreement with the organization's strategic mission.
Authorization and Approval
Transactions should be authorized and approved to help ensure the activity is consistent with
departmental or institutional goals and objectives. For example, a department may have a policy that
all purchase requisitions and invoice vouchers must be approved by the director. The important thing
is that the person who approves transactions must have the authority to do so and the necessary
knowledge to make informed decisions.
Reconciliation and Review
Performance reviews of specific functions or activities may focus on compliance, financial or

operational issues. Reconciliation involves comparing transactions or activity recorded to other
sources to help ensure that the information reported is accurate. For example, revenue and expense
activity recorded on accounting reports should be reconciled or compared to supporting documents
to ensure that the transactions are recorded timely, in the correct account, and for the right amount.
Security
Security may be physical or electronic (information system controls) or both. Equipment,
m
co
inventories, cash, checks and other assets should be secured physically, and periodically counted and
a.
compared with amounts shown on control records. For example, the periodic physical confirmation
ny
ke
of equipment by individual departments is a physical security control. Virus detection software
ea
should be current and updated regularly to help protect integrity of systems. Hardware and access
om
.s
controls (passwords) should be changed periodically and rigorously safeguarded to protect from
w
w
unauthorized access to database, computer systems, etc. Special physical and software controls (such
w
as encryption software) should be developed for systems containing sensitive and/or confidential
information.
PURPOSE OF INTERNAL CONTROL SYSTEMS
Internal Control objectives are desired goals or conditions for a specific event cycle which, if
achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur.
They are conditions which we want the system of internal control to satisfy. For a control objective
to be effective, compliance with it must be measurable and observable.
Internal Audit evaluates Mercer's system of internal control by accessing the ability of individual
process controls to achieve seven pre-defined control objectives. The control objectives include
authorization, completeness, accuracy, validity, physical safeguards and security, error handling and
segregation of duties.

 Authorization - The objective is to ensure that all transactions are approved by responsible
personnel in accordance with specific or general authority before the transaction is recorded.
 Completeness - The objective is to ensure that no valid transactions have been omitted from
the accounting records.
 Accuracy - The objective is to ensure that all valid transactions are accurate, consistent with
the originating transaction data and information is recorded in a timely manner.
 Validity - The objective is to ensure that all recorded transactions fairly represent the
economic events that actually occurred, are lawful in nature, and have been executed in
accordance with management's general authorization.
 Physical Safeguards & Security - The objective is to ensure that access to physical assets
and information systems are controlled and properly restricted to authorized personnel.
 Error handling - The objective is to ensure that errors detected at any stage of processing
receive prompt corrective action and are reported to the appropriate level of management.
 Segregation of Duties - The objective is to ensure that duties are assigned to individuals in a
manner that ensures that no one individual can control both the recording function and the
procedures relative to processing the transaction.
A well designed process with appropriate internal controls should meet most, if not all of these
control objectives.
Major Components:
1. Control environment: Factors that set the tone of the organization, influencing the control
m
co
consciousness of its people. The seven factors are (ICHAMPBO):
a.
ny
o I - Integrity and ethical values,
ke
o C - Commitment to competence,
ea
om
o H - Human resource policies and practices,
.s
o A - Assignment of authority and responsibility,
w
w
o M - Management's philosophy and operating style,
w
o B - Board of Director's or Audit Committee participation, and
o O - Organizational structure.
2. Risk Assessment: Risks that may affect an entity's ability to properly record, process,
summarize and report financial data:
o Changes in the Operating Environment (e.g. Increased Competition)
o New Personnel
o New Information Systems
o Rapid Growth
o New Technology
o New Lines, Products, or Activities
o Corporate Restructuring
o Foreign Operations
o Accounting Pronouncements
3. Control Activities: Various policies and procedures that help ensure those necessary actions
are taken to address risks affecting achievement of entity's objectives (PIPS):
o P - Performance reviews (review of actual against budgets, forecasts)
o I - Information processing (checks for accuracy, completeness, authorization)

o P - Physical controls (physical security)
o S - Segregation of duties
4. Information and communication: Methods and records established to record, process,
summarize, and report transactions and to maintain accountability of related assets and
liabilities. Must accomplish:
a. Identify and record all valid transactions.
b. Describe on a timely basis.
c. Measure the value properly.
d. Record in the proper time period.
e. Properly present and disclose.
f. Communicate responsibilities to employees.
Monitoring: Assessment of the quality of internal control performance over time.
What can happen when Internal Controls are weak or non-existent?
When we recommend improving controls within a department, we often hear three basic arguments
for not implementing our recommendations:
1. There is not enough staff to have adequate segregation of duties.

2. It is too expensive.
3. The employees are trusted and controls are not necessary.
These arguments represent pitfalls to unsuspecting management. Each argument is in itself a
m
co
problem that needs to be resolved.
a.
ny
ke
1. The problem of not having enough staff or other resources should be discussed with your
ea
supervisor. In most cases, compensating controls can be implemented in situations where one
om
.s
person has to do all of the business-related transactions for a department.
w
w
2. If implementing a recommended control seems too expensive, be sure to consider the full cost
w
of a fraud that could occur because of the missing control. In addition to any funds that may
be lost, consider the cost of time that would have been spent by the department during the
time of an investigation of the matter, and the cost of hiring a new employee. Fraud is always
expensive and the prevention of fraud is worth the cost.
3. Finally consider the issue of trust. Most employees are trustworthy and responsible, which is
an important factor in employee relations and departmental operations. However, it is also
the responsibility of administrators to remain objective. Experience shows that it is often the
most trusted employees who are involved in committing frauds.
Departments conducting research are good examples of areas where sound internal controls are
needed. Research departments that have grants and contracts with outside sponsors are at risk that
inappropriate charges will be posted to the project account, perhaps affecting current or future
funding. Each department not only has the responsibility to ensure that all of their transactions are
have been processed properly, but also to ensure that other researchers are not "hiding" improper
transactions in the department's accounts.

DESIGNING AN INTERNAL CONTROL SYSTEM
Although an adequate internal control system should prevent errors, an effective system will help
detect errors when they occur within a reasonable time period. There are several tools available to
assist in the design of an internal control system. These methods highlight strengths and weaknesses
which may exist in the internal control system.
 A checklist review process is one form of evaluating a system. Issues of separation of duties,
completeness of data, checks and balances, effect on operating efficiency, and possible
overrides should be addressed. Checklists can be directed to the general environment as well
as cycles within the operation. The checklist should state the objective to be achieved,
possible risks if it’s not achieved, and question if the controls achieve the objective. The
questions should relate to whether or not the controls are actually in use. If the questions are
answerable by "yes/no", then they need to be worded in such a way that "yes" is not
automatically the "correct" answer. An "incorrect" answer indicates a weakness and requires
additional questions or investigation.
 Flowcharting is another means of designing and evaluating an internal control system.
Flowcharts can show the flow of document processing and/or the controls of a system.
Decision trees are similarly helpful in designing proper controls, but these tools are useful
only if they are updated as changes occur.
 "Walk-throughs" and "transaction tracing" can be a useful tool. A transaction is walked
through the system to determine if the procedure on paper can be accurately translated to
actuality.
m
co
a.
ny
ke
ea
om
.s
BENEFITS AND LIMITATIONS OF INTERNAL CONTROL SYSTEMS
w
w
w
BENEFITS
Application of internal control provides the following benefits to the various parties:
1. Internal control helps to protect the assets of the business from misuse, theft, accident etc.
2. Internal control helps to implement management policies to attain corporate goals.
3. Internal control helps the auditor in his/her work detecting all the errors and frauds which are
committed in the books of accounts.
4. Internal control helps to increase the accuracy and reliability of financial statement and
books of accounts.
5. Internal control helps to regulate the work of staffs through division of work among the
staffs in a scientific manner which helps to make the daily works of staffs effective.
6. Internal control helps the management to prepare and implement effective plans by
providing correct and fact information.
7. Internal control helps to put moral pressure on staffs.

LIMITATIONS
No matter how well internal controls are designed, they can only provide reasonable assurance that
objectives have been achieved. Some limitations are inherent in all internal control systems. These
include:
1. Judgment: The effectiveness of controls will be limited by decisions made with human
judgment under pressures to conduct business based on the information at hand.
2. Breakdowns: Even well designed internal controls can break down. Employees sometimes
misunderstand instructions or simply make mistakes. Errors may also result from new
technology and the complexity of computerized information systems.
3. Management Override: High level personnel may be able to override prescribed policies
and procedures for personal gain or advantage. This should not be confused with
management intervention, which represents management actions to depart from prescribed
policies and procedures for legitimate purposes.
4. Collusion: Control systems can be circumvented by employee collusion. Individuals acting
collectively can alter financial data or other management information in a manner that cannot
be identified by control systems.
Inherent limitations of any internal control system and examples of each include:
m
1. Human judgement
co
a.
Faulty decision-making or human error may lead to breakdowns in internal control. For
ny
ke
example, in the design of computer processing controls.
ea
om
.s
2. Failure to understand or take action
w
w
w
There may be ineffective control because individuals may not understand the purpose of a
specific control. For example, the purpose of a payroll exception report.
3. Inappropriate management override of controls

Management may purposefully override existing controls, thus rendering laid down system
controls to be ineffective. For example, a sales director may choose to opt to extend credit to
a long-standing customer in order to create customer goodwill, in contravention of laid down
credit control procedures.
4. Collusion by two or more people

Leading to circumnavigation of controls. For example, between a factory employee, factory
manager and a wages data processing clerk to claim, authorise and process a fraudulent
payment for overtime wages.

5. Management judgement
With regard to the nature and extent of risk the company chooses to assume and the nature
and extent of the controls it chooses to implement. For example, management may adopt a
low risk exposure to the loss of non-current assets by implementing an ongoing system of
monitoring and inspection of non-current assets, centred around the operation of a
comprehensively detailed non-current asset register.
6. Cost benefit consideration

A pragmatic approach will often need to be adopted in this regard, especially in smaller
companies. For example, the cost of employing additional accounts staff to ensure adequate
segregation of duties in relevant areas may outweigh the maximum benefit to be derived from
improved internal control.
7. Ability to cope with non-routine transactions

The ability to predict the likelihood of non-routine transactions arising means that it is less
likely that systems will be designed to cope with such transactions. For example, the purchase
of a very expensive non-current asset with an unusual and complex specification.
m
co
GENERAL CONTROLS ON:
a.
ny
ke
ea
om
SALES
.s
w
w
The tests of controls in the sales system will be based around:
w
• Selling (authorization)
• Goods outwards (custody)
• Accounting (recording)
Assertion: Occurrence and existence
Control objectives
 One person is not responsible for taking orders, recording sales and receiving payment.
 Recorded sales transactions represent goods shipped.
 Goods and services are only supplied to customers with good credit ratings.
 Goods and services are provided at authorised prices and on authorised terms.
 Customers are encouraged to pay promptly.

Controls
 Segregation of duties
 Sales recorded only with approved sales order form and shipping documentation.
 Accounting for numerical sequences of invoices.
 Monthly customer statements sent out and customer queries and complaints handled
independently.
 Authorisation of credit terms to customers (senior staff authorisation, references/credit checks
for new customers, regular review of credit limits)
 Authorisation by senior staff required for changes in other customer data such as address etc.
 Orders not accepted unless credit limits reviewed first.
 Authorised price lists and specified terms of trade in place.
Tests of controls
- Observe and evaluate whether proper segregation of duties is operating.

- Test a sample of sales invoices for authorised sales order form and shipping documentation.
- Examine application controls for authorisation.
- Review and test entity's procedures for accounting for numerical sequences of invoices.
Review entity's procedures for sending out monthly statements and dealing with customer
queries’ and complaints.
m
co
- Review entity's procedures for granting credit to customers. ; 1
a.
ny
- Examine a sample of sales orders for evidence of proper credit approval by the appropriate
ke
senior staff member.
ea
om
- Examine application controls for credit limits.
.s
w
- Authorised price lists and specified terms of trade in place.
w
w
- Review all new customer files to ensure satisfactory credit references have been obtained.
- Compare prices and terms on a sample of sales invoices to the authorised price list and terms
of trade.
- Examine application controls for authorised prices and terms.
Assertion: Completeness
Control objectives
- All revenue relating to goods dispatched is recorded.

- All goods and services sold are correctly invoiced.
Controls
- Accounting for numerical sequences of invoices.

- Shipping documentation is matched to sales invoices.
- Sales invoices are reconciled to the daily sales report.
- An open-order file is maintained and reviewed regularly.
Tests of controls
- Review and test entity's procedures for accounting for numerical sequences of invoices.
Trace a sample of shipping documents to the sales invoices and ledger.
- Review a sample of reconciliations performed.
- inspect the open- order file for unfilled orders.
Assertion: Accuracy
Control objectives
All sales and adjustments are correctly journalised, summarised and posted to the correct accounts.
Controls
Sales invoices and matching documents required for all entries.
Tests of controls
Vouch recorded sales to supporting documents.
m
co
a.
ny
ke
Assertion: Cut-off
ea
om
Control objectives
.s
w
w
w
Transactions have been recorded in the correct period.
Controls
All shipping documentation is forwarded to the invoicing section on a daily basis. Daily invoicing of
goods shipped.
Tests of controls
- Compare dates on sales invoices with dates of corresponding shipping documentation.

- Compare dates on sales invoices with dates recorded in the sales ledger.
Assertion: Classification
Control objectives
All transactions are properly classified in accounts.

Controls
- Chart of accounts in place.

- Codes in place for different types of products or services.
Tests of controls
- Review sales ledger for proper classification.

- 'Examine a sample of sales invoices for proper classification.
- Test application controls for proper codes.
THE PURCHASES SYSTEM
The tests of controls in the purchases system will be based around:
• Buying (authorisation)
• Goods inwards (custody)
• Accounting (recording)
Purchases Control objectives, controls and tests of controls
m
co
a.
ny
ke
ea
om
Control objectives
.s
w
w
Recorded purchases represent goods and services received.
w
Controls
- Authorisation procedures and policies in place for ordering goods and services.
Segregation of duties.
- Purchase orders raised for each purchase and authorised by appropriate senior personnel.
- Approved purchase order for each receipt of goods.
- Staff receiving goods and check them against the purchase order.
- Stores clerks sign for goods received.
- Purchase orders and GRNs are matched with the supplies' invoices
Tests of controls
- Inspect policies and procedures and inquire about them.

- Observe and evaluate segregation of duties.

- Examine a sample of purchase orders to ensure they have been appropriately authorised.
- Review the delegated list of authority for purchases.
- For a sample of orders, examine the goods received note (GRN) and match it to the order.
- Observe receipt of goods by staff to confirm whether the check is done.
- Inspect a sample to confirm whether stores staff undertake this check.
- Examine supporting documentation for a sample of invoices
Control objectives
All purchase transactions that occurred have been recorded.
Controls
- Purchase orders and GRNs are matched with the suppliers' invoices
- Periodic accounting for prenumbered GRNs and purchase orders. Independent check of
amount recorded in the purchase journal.
Tests of control
m
- Examine supporting documentation for a sample of invoices.
co
a.
- Review entity's procedures for accounting for prenumbered documents.
ny
ke
- Examine application controls.
ea
om
- Examine documentation for evidence of this check.
.s
w
w
w
Assertion: Rights and obligations
Control objectives
Recorded purchases represent the liabilities of the entity.
Controls
Purchase orders and GRNs are matched with the suppliers' invoices.
Tests of control
Examine supporting documentation for a sample of invoices.
Assertion: Accuracy, classification and valuation

Control objectives
Purchase transactions are correctly recorded in the accounting system.
Controls
- Purchase orders and GRNs are matched- with the suppliers' invoices.
- 'Mathematical accuracy of the supplier's invoice is verified.
- Amount posted to general ledger is reconciled to the purchases ledger.
- Chart of accounts in place.
Tests of control
- Examine supporting documentation for documentation for a sample of invoices.

- Recalculate the mathematical accuracy of a sample of suppliers' invoices.
- Review reconciliations for evidence of this check.
- Review purchases journal and general ledger for reasonableness.
Assertion: Cut-off
Control objectives
m
co
a.
Purchase transactions are recorded in the correct accounting period.
ny
ke
ea
Controls
om
.s
- All goods received reports forwarded to accounts payable department daily.
w
w
w
- Procedures in place that require recording of purchases as soon as possible after
goods/services received.
Tests of control
- Compare dates on reports to dates on relevant vouchers.

- Compare dates on vouchers with dates they were recorded in the purchases journal
THE INVENTORY SYSTEM
Inventory controls are designed to ensure safe custody. Such controls include restriction of access,
documentation and authorisation of movements, regular Independent Inventory counting and
reviews of inventory condition.

Introduction
The inventory system can be very important in an audit because of the high value of inventory or the
complexity of its audit. It is closely connected with the sales and purchases systems covered in the
previous sections.
There are three possible approaches to the audit of inventory and the approach chosen depends on
the control in system in place over inventory.
a) If the entity has a perpetual inventory system in place where inventory is counted
continuously throughout the year, and therefore a year-end count is not undertaken, a
controls-based approach can be taken if control risk has been assessed as low.
b) If an inventory count is to be undertaken near the year-end and adjusted by perpetual
inventory records for the year-end value, this approach also requires control risk to be
assessed as low.
c) If inventory quantities will be determined by an inventory count at the year-end date, a
substantive approach is taken and no reliance is placed on controls.
Control objectives, controls and tests of controls
m
Most of the controls testing relating to inventory has been covered in the purchase and sales testing
co
a.
outlined in sections 1 and 2. Auditors will primarily be concerned at this stage with ensuring that the
ny
ke
business keeps track of inventory. To confirm this, tests must be undertaken on how inventory
ea
om
movements are recorded and how inventory is secured. Auditors will carry out extensive tests on the
.s
valuation of inventory'at the substantive testing stage
w
w
w
Control objectives
- All inventory movements are authorised and recorded.

- Inventory included on the statement of financial position physically exists.
Controls
- Pre-numbered documentation such as GDNs and GRNs in use.

- Reconciliations of inventory records with general ledger.
- Segregation of duties
- Physical safeguards in place to ensure inventory is not stolen. Separate responsibilities for
maintenance of records and custodianship.
- Inventory counted regularly.

Tests of control
- Review documentation in use.

- Review a sample of reconciliations to confirm they are performed and then reviewed by an
independent person
- Observe and evaluate proper segregation of duties.
- Review security systems in place (e.g. locked warehouses, CCTV etc).
- Review policies and procedures in place; discuss procedures with relevant staff.
- Review procedures for counting inventory.
- Attend inventory count.
Control objectives
- All purchases and sales of inventory have been recorded in the accounting system.\
Controls
- Procedures in place to include inventory held at third parties and exclude inventory held on
consignment for third parties.
- Reconciliations of accounting records with physical inventory.
m
co
Tests of control
a.
ny
ke
- Review entity's procedures relating to consignment inventory.
ea
om
- Review reconciliations performed and whether reviewed by independent person. Assertive:
.s
w
Rights and obligations
w
w
Control objectives
Inventory records only include items that belong to the entity.
Controls
Procedures in place to include inventory held at third parties and exclude inventory held on
consignment for third parties.
Tests of control
Review entity's procedures relating to consignment inventory.

Assertive: Accuracy, classification and valuation
Control objectives
- Inventory quantities have been accurately determined.

- Inventory is properly stated at the lower of cost and net realisable value.
Controls
- .Periodic or annual comparison of inventory with amounts shown in continuous (perpetual)

inventory records
- Standard costs reviewed by management.
- Review of cost accumulation and variance reports.
- Inventory managers review inventory regularly to identify slow-moving, obsolete and excess
inventory.
Tests of control
- Review and test entity's procedures for taking physical inventory

- Review and test entity's procedures for developing standard costs.
- Inspect variance reports produced.
m
co
- Discuss with inventory managers how this is done.
a.
ny
- Observe the procedure being performed.
ke
ea
om
.s
w
w
Assertive: Cut off
w
Control objectives
All purchases and sales of inventory are recorded in the correct accounting period.
Controls
- All dispatch documents processed daily to record the dispatch of finished goods.
- All goods inwards reports processed daily to record the receipt of inventory.
- Reconciliations of inventory records with general ledger. Tests of control
- Inspect documentation to confirm daily processing. Inspect documentation to confirm daily
processing.
- Review reconciliations performed.
- Assertive: Presentation and disclosure assertions Control objectives

- Inventory transactions and balances are properly identified and classified in the financial
statements.
- Disclosures relating to classification and valuation are sufficient. Controls
- Orders for materials and production data forms used to process goods through manufacturing.
Approval by Finance
- Director
Tests of control
- Review entity's procedures and documentation used to classify inventory.

- Review entity's working papers for evidence of review.
THE CASH SYSTEM
Controls over cash receipts and payments should prevent fraud or theft.
Control objectives, controls and tests of controls
The following table sets out the control objectives, controls and possible tests of controls over cash
payments.
m
co
Assertion: Occurrence
a.
ny
ke
Control Objective
ea
om
- Only valid cash payments are made.
.s
w
w
w
Controls
- Supplier statements independently reviewed and reconciled to trade payable records.
- Monthly bank reconciliations prepared and reviewed.
- Only authorised staff can make electronic cash payments and issue cheques
- Electronic cash payments and cheques prepared only after all source documents have been
independently approved.
Tests of control

- Review procedures for reconciling supplier statements.
- Review reconciliations to confirm whether undertaken and reviewed.
- Review delegated list of authority for cash payments.
- Inspect relevant documentation for evidence of approval by senior personnel.

Control objective
- All cash payments that occurred are recorded
Control
- Supplier statements
- Independently reviewed and reconciled to trade payable records.
- Monthly bank reconciliations prepared and reviewed.
- Review of cash payments by manager before release.
- Daily cash payments reconciled to posting to payable accounts.
- Use of prenumbered cheques.
Test of control

- Review procedures for reconciling supplier statements.
- Review reconciliations to confirm whether undertaken and independently reviewed.
m
co
- Inspect sample of listings for evidence of senior review.
a.
ny
- Review a sample of reconciliations for evidence that they have been done. Examine evidence
ke
ea
of use of prenumbered cheques.
om
.s
w
The following table sets out the control objectives, controls and possible tests of control over cash
w
w
Control objectives
- Cash payments recorded correctly in the ledger

- Cash payments posted to correct payable accounts and to the general ledger.
Controls
- Reconciliation of daily payments report to electronic cash payment transfers and cheques
issued.
- Supplier statements reconciled to payable accounts regularly.
- .Monthly bank reconciliations of bank statements to ledger account. ,
- Supplier statements reconciled to payable accounts regularly.
- Agreement of monthly cash payments journal to general ledger posting
- Payable accounts reconciled to general ledger control account.

Tests of control
- Review reconciliation.
- Review reconciliations for a sample of accounts.
- Review bank reconciliation for evidence it was done and independently reviewed.
- Review reconciliations for a sample of accounts.
- Review postings from journal to general ledger.
Assertion: Cut-off
Control objectives
Cash payments are recorded in the correct accounting period.
Controls
Reconciliation of electronic funds transfers and cheques issued with postings to cash payments
journal and payable accounts
Tests of control
Review reconciliation and check it is carried out regularly.
m
Assertion: Presentation and disclosure assertions
co
a.
ny
Control objectives
ke
ea
- Cash payments are charged to the correct accounts.
om
.s
w
w
Controls
w
- Chart of accounts
- Independent approval and review of general ledger account assignment.
Tests of control
- Review cash payments journal to assess reasonableness of charging of accounts.

- Review assignment of general ledger account.
The following are control objectives, controls and possible tests of controls over cash receipts.
Assertion: Occurrence
Control objectives
All valid cash receipts are received and deposited.

Controls
- Use of electronic cash receipts transfer not received or deposited
- Monthly bank reconciliations performed and independently reviewed.
- Use of cash registers or point-of-sale devices.
- Periodic inspections of cash sales procedures.
- Restrictive endorsement of cheques immediately on receipt.
- Mail opened by two staff members.
- Immediate preparation of cash book or list of mail receipts
- Independent check of agreement of cash/cheques to be deposited at bank with register totals
and receipts listing.
- Independent check of agreement of bank deposit slip with daily cash summary.
Test of control

- Examine application controls for electronic cash receipts transfer.
- Review monthly bank reconciliations to confirm performed and reviewed. Observe cash sales
m
procedures.
co
a.
- Inquire of managers about results of inspections.
ny
ke
- Observe mail opening, including endorsement of cheques.
ea
- Observe mail opening procedures.
om
.s
- Observe preparation of cash receipts' records.
w
w
- Review documentation for evidence of independent check.
w
Control objectives
All cash receipts received are recorded
Controls
- Use of electronic cash receipts transfer not received or deposited.
- Monthly bank reconciliations performed and independently reviewed.
- Daily cash receipts listing reconciled with posting to customer accounts.
- Customer statements prepared and sent out on a regular basis.

Tests of Controls

- Examine application controls for electronic cash receipts transfer.
- Review monthly bank reconciliations to confirm performed and reviewed. Review
reconciliation.
- inquire of management about handling of customer statements.
- Examine a sample of customers and note frequency of statements.
Control objectives
- Cash receipts recorded at correct amounts.
- Cash receipts posted to correct receivables accounts and to the general ledger.
Control
m
- Daily remittance report
co
a.
- Review reconciliations reconciled to control listing of remittance advices.
ny
- Monthly bank statement performed and reviewed independently
ke
ea
- Daily remittance report reconciled, daily with postings to cash, receipts journal and customer
om
.s
accounts.
w
w
- Monthly customer statements sent out.
w
- Monthly cash receipts journal agreed to general ledger posting
- Receivables ledger reconciled to control account.
Tests of controls
- Review reconciliations for evidence they were performed and independently reviewed.
- Review reconciliations.
- Review entity's procedures for sending out customer statements.
Review journal and posting to general ledger.

Assertion: Cut-off
Control objectives
Cash receipts are recorded in the correct accounting period.
Control
Bank reconciliation at period-end
Tests of control
- Review and test reconciliation

- Presentation and disclosure assertions
Control objective
- Cash receipts are charged to the correct accounts.

- Control
- Chart of accounts.
Tests of control
- Review cash receipts journal for unusual items.
m
co
- Trace cash receipts from listing to cash receipts journal for proper classification.
a.
ny
ke
ea
om
.s
w
w
w

TOPIC 4
ERRORS AND FRAUD
DEFINITION OF ERROR AND FRAUD
Misstatements in the financial statements can arise from fraud or error.
The term "error" refers to an unintentional misstatement in financial statements, including the
omission of an amount or a disclosure, such as:
a) a mistake in gathering or processing data from which financial statements are prepared;
b) an incorrect accounting estimate arising from oversight or misinterpretation of facts; and
c) a mistake in the application of accounting principles relating to measurement, recognition,
classification, presentation, or disclosure.
 The term "fraud" refers to an intentional act by one or more individuals among
management, those charged with governance, employees, or third parties, involving the use of
m
co
deception to obtain an unjust or illegal advantage. Although fraud is a broad legal concept,
a.
ny
the auditors are concerned with fraudulent acts that cause a material misstatement in the
ke
ea
financial statements. Misstatement of the financial statements may not be the objective of
om
.s
some frauds. Auditors do not . make legal determinations of whether fraud has actually
w
w
occurred. Fraud involving one or more members of management or those charged with
w
governance is referred to as "management fraud"; fraud involving only employees of the
entity is referred to as "employee fraud". In either case, there may be collusion with third
parties outside the entity.
 Two types of intentional misstatements are relevant to the auditors' consideration of fraud -
misstatements resulting from fraudulent financial reporting and misstatements resulting from
misappropriation of assets.
 Fraudulent financial reporting involves intentional misstatements or omissions of amounts or

disclosures in financial statements to deceive financial statement users. Fraudulent financial
reporting may involve:
a) deception such as manipulation, falsification, or alteration of accounting records or

supporting documents from which the finance ial statements are prepared;

b) misrepresentation in, or intentional omission from, the financial statements of events,
transactions or other significant information; and
c) intentional misapplication of accounting principles relating to measurement, recognition,
classification, presentation, or disclosure.
 Misappropriation of assets involves the theft of an entity's assets. Misappropriation of assets

can be accomplished in a variety of ways (including embezzling receipts, stealing physical or
intangible assets, or causing an entity to pay for goods and services not received); it is often
accompanied by false or misleading records or documents in order to conceal the fact that the
assets are missing.
 Fraud involves motivation to commit fraud and a perceived opportunity to do so. Individuals
might be motivated to misappropriate assets, for example, because the individuals are living
beyond their means. Fraudulent financial reporting may be committed because management
is under pressure, from sources outside or inside the entity, to achieve an expected (and
perhaps unrealistic) earnings target - particularly since the consequences to management of
failing to meet financial goals can be significant. A perceived opportunity for fraudulent
financial reporting or misappropriation of assets may exist when an individual believes
internal control could be circumvented, for example, because the individual is in a position of
trust or has knowledge of specific weaknesses in the internal control system.
m
co
a.
ny
 The distinguishing factor between fraud and error is whether the underlying action that results
ke
ea
in the misstatement in the financial statements is intentional or unintentional. Unlike error,
om
fraud is intentional and usually involves deliberate concealment of the facts. While the
.s
w
w
auditors may be able to identify potential opportunities for fraud to be perpetrated, it is
w
difficult, if not impossible, for the auditors to determine intent, particularly in matters
involving management judgement, such as accounting estimates and the appropriate
application of accounting principles.
THE DIFFERENCE BETWEEN FRAUD AND ERROR
The key distinguishing factor between fraud and error is whether the underlying action that results in
a misstatement of the financial statements is intentional or unintentional. The term ‘fraud’ is a broad
legal concept, but the auditor is concerned with fraud that causes a material misstatement in the
financial statements. ISA 240 defines fraud as: ‘An intentional act by one or more individuals
among management, those charged with governance, employees, or third parties, involving the use
of deception to obtain an unjust or illegal advantage.’ ISA 240

The two types of fraud most relevant to the auditor, according to ISA 240 are misstatements arising
from fraudulent financial reporting, and misstatements arising from the misappropriation of assets.
By way of contrast to fraud, the term ‘error’ refers to an unintentional misstatement in financial
statements, including the omission of an amount or a disclosure. ISA 240 says: ‘The distinguishing
factor between fraud and error is whether the underlying action that results in the misstatement of
the financial statements is intentional or unintentional
The similarity between fraud and errors is that of them are mistakes, causing misleading
information and reflecting incorrectly fact.
Summary of differences
Point of Fraud Errors

comparison
Form Fraud is intentional behavior Errors are non-intentional
with careful calculation to gain behavior; they are just
benefits. simple missing out
information or due to
limited competence and
m
carelessness in working...
co
a.
causing mistakes.
ny
ke
Sophistication As fraud is intentional As errors are non-intentional
ea
behavior, it is more behavior, they are as not
om
.s
sophisticated than errors. sophisticated as fraud and it is
w
w
When making fraud, people are easy to detect errors
w
often well-prepared and have
careful calculation, thus it is
difficult to detect fraud than
errors.
Essence Fraud is always considered as Depends on scale and essence
essential mistakes. of errors.

TYPES OF ERRORS AND FRAUDS
i. Errors of commission. These are errors that do not show in the trial balance because it still
balances. This is where the correct amount for a transaction is recorded but in the wrong
person’s account e.g. for debtors the correct class of accounts may be used but the wrong
personal entries entered.
ii. Errors of omissions. This is where transactions are completely omitted from books of
accounts.
iii. Errors of principle. This is where an item is entered in the wrong class of account e.g. a fixed
asset is debited to the expense account.
iv. Compensating errors. This is where errors cancel each other out. The errors occur usually on
opposite sides of the accounts i.e. on credit and debits sides with equal amounts and are
totally independent from each other.
v. Errors of original entry. These occur when the original figure is incorrect and the double entry
system is still observed.
vi. Complete reversal entries. These occurs where correct accounts are used but each items
shown on wrong side of the account e.g. crediting sales in debtors account and debiting sales
account.
m
co
a.
ny
TYPES OF FRAUD INCLUDE
ke
ea
om
• Manipulating, forgery, alteration or falsification of accounting records or supporting
.s
w
w
documents from which financial statements are prepared
w
• Misappropriation of company assets e.g. using a company vehicle for private undertakings,
stealing physical assets and embezzling receipts.
• Misapplication of accounting policies e.g. classifying a capital expenditure and revenue
expenditure.
• Inappropriate adjusting assumptions and changing judgments used to estimate account
balances. E.g. the management may insist on providing a 5% provision for bad and doubtful
debts even where past debt collection history shows that the actual default rate is about 15%.
• Suppression or omission of effects of a transaction on accounting record e.g. placing a
genuine debtor well known bad debts in the balance sheet thus misrepresenting the financial
position of the company.
Fraudulent financial reporting may be committed because management is under pressure from
outside or inside the entity to report unrealistic profit levels. A perceived opportunity for fraudulent
financial reporting or misappropriation of company assets may exist when an individual believes

that an internal control can be overridden. This could be because an individual is in a position of
trust or has knowledge of specific weaknesses in the internal control system.
The distinction between fraud and error is of little importance so far as audit procedure are
concerned. This is because the audit procedure used to detect errors is the same used to detect fraud.
The only difference may arise where the auditor may be required by law to disclose certain illegal
acts to the regulatory authority.
Responsibility for detection of fraud and error
The primary responsibility for the detection and prevention of fraud and error rests with the
management of the company. This responsibility is fulfilled through the implementation and
continuous operation of adequate system of internal controls. Such system reduces but does not
eliminate the possibility of fraud and error. The auditor on his part seeks reasonable assurance that
fraud and error which may be material to the financial statements has not occurred or if it has
occurred, the effect is properly reflected in the financial statements. At this point, the auditor should
plan his work so that he has reasonable expectation of detecting material misstatements in the
financial information resulting from fraud and error. It is important to emphasis that the auditor
cannot be held responsible for failing to detect errors and frauds. However, he is expected to carry
m
co
out his work in a manner that he is in a position to detect material errors and frauds. Failure to detect
a.
ny
such material errors implies that the financial statements are materially misstated.
ke
ea
om
Expectations gap
.s
w
w
w
This is the gap that exists between external auditor’s understanding of their role and duty and the
expectations of various users of the financial statements and the general public regarding the process
and the outcome of the external audit. I.e. the expectation by users of financial statements that
auditor should detect and prevent error and fraud as a duty, while actually it is not his duty but of the
directors.
The public may conceive the auditor’s role as including;

• Protecting the company against fraud and irregularities
• Providing early warning of future insolvency i.e. certifying the company as a going concern.
• Providing useful general assurance of the financial wellbeing of the company and its
continued profitability.
Most users of financial statements believe that the auditor has prepared the statements and should
therefore be in a position to explain the performance results of the company. Some other users of the
financial statements do not understand the audit opinion issue.

Possible means of reducing the expectations gap include:
Expanding the audit report to include more information explaining what auditors actually do. ISA
700 (Audit reports on financial statements) now requires auditors to include a paragraph explaining
the nature and scope of the audit conducted and also explaining the respective responsibility of
management and auditor in relation to preparation of the financial statements.
It has also been suggested that the role of the auditor should be broadened especially in areas of
fraud. ISA 240(fraud and error), requires that the auditor should report to the users of the financial
statements if there is material misstatements as a result of fraud and any other irregularities.
There should be attempts to improve the knowledge and understanding of auditor‟s role and
responsibility through public education.
Risk of fraud and error
In addition to weaknesses in the accounting and internal control system, events which also increase
risk of fraud and error are:
• Questions regarding the integrity and competence of management. Where management is not
m
co
honest and could misappropriate company assets, the risk of fraud and error increases.
a.
ny
• Unusual pressure within the company e.g. pressure on organization to attain a certain level or
ke
ea
profitability. This could tempt the managers to manipulate the financial statement so as to
om
achieve the set profit level.
.s
w
w
• Unusual transactions. Such could be carried out with intention of manipulating the financial
w
performance of the company e.g. a very large purchase of stock at the year end to increase
level of closing stock and subsequently increase profits.
Difficulties in obtaining sufficient, appropriate audit evidence especially where management is

reluctant to provide the necessary information to the auditor.
If circumstances indicate possible existence of fraud and error, the auditor should consider the
potential effect of financial statements. If the effect is material, the auditor should perform additional
procedures to dispel the suspicion. Where fraud or error is confirmed, the auditor should satisfy
himself that the effect of fraud or error is properly reflected in the financial statements or the error
corrected. The auditor should communicate his findings to management on timely basis if:
• He believes fraud may exist even if the potential effect would be immaterial.
• Fraud or error is actually found to exist.

Inherent limitations of an audit
An audit is subject to the avoidable risk that some material misstatements will not be detected, even
though the audit is properly planned and performed in accordance with ISAs. The risk of not
detecting misstatements resulting from fraud is higher than the risk of not detecting material
misstatements resulting from errors. This is because fraud involves acts designed to conceal it such
as forgery and deliberate failure to record transactions. When the audit reveals evidence to the
contrary, the auditor is entitled to accept representations from management as truthful and
documents as genuine. However, the auditor should plan and perform his work with professional
skepticism, recognizing that conditions or events may be found that indicate that fraud or error may
exist. Existence of a strong internal control system reduces the probability of misstatements in the
financial reporting occurring due to fraud or error but there is always a risk that the system may fail
to operate as designed.
The following procedures could be applied as general leads to where fraud or error may have
occurred.
• Comparison of the company’s current balance sheet with those of previous years.
• Calculation of profitability, leverage, activity and performance ratios for the current and
previous years.
• Using search inquiry to pose questions to management and accounting staff.
m
co
• Auditing in depth to establish the audit trail. This facilitates checking a transactions recording
a.
ny
process from initial to final stage.
ke
ea
• Using surprise checks and visits.
om
• Comparing budgeted and actual results of the company and investigating any variances noted.
.s
w
w
w
Errors and frauds in specific areas in business
This is the method by which the deficiencies of cash are concealed for sometime.
When cash is received from some debtor, it is not recorded in the cash books and is misappropriate.
Later on, when cash is received from any other debtor, his account is not credited but the account of
the first debtor is credited and cash is debited, again later on, when cash is received from their
debtor, his account is not credited but that of the second debtor in credited and cash is debited.
This process goes or the fraud is discovered. This method of fraud is known as short banking or
delayed accounting of money received or lapping. This is method by which the past defalcations are
covered up by the present receipt. If remittances are received by means of cheques, then cheques
will have to be split up. This proves is known as splitting cheques. Because by encashing the
cheques, less amount is credited to the debtor and rest amount is misappropriated.
We can detect such frauds with the help of auditors. The auditor should find out what is the internal
check system regarding cash. If there is any weak point, he must probe into the matter. The cashier

should not have access to ledger. Auditor should check the counterfoils of the receipts with the cash
book paying particular attentions to the dates.
(a) Sales & debtors Potentials errors

• Goods dispatched without being invoiced, services rendered without being invoiced, goods in
transit or a consignment not recognized in books.
• Goods being sold to bad credit risk customer.
• Overdue accounts without follow up.
• Sales invoiced but not recorded in the books.
• Cash sales not being recorded.
• Improper crediting of debtor account..
Implications
• Understated sales, wrong management accounts, loss of assets of the company and accounts
without true and fair view.
• Bad debts
• Misappropriation of cash, exposure to theft and loss of interest due to delayed banking.
• Unreliable records and disputes between the company and customers.
m
co
(b) Purchases and Creditor.
a.
ny
ke
ea
om
Potential errors
.s
w
• Liabilities being set up for goods not received or not authorized
w
w
• Liabilities being incurred but not recorded.
• Making payments without proper documents and authorization.
• Misallocation of funds to the wrong general ledger accounts
• Goods being returned without being recorded.
Implications
• Loss of company resources because of paying for goods never received
• Understanding of liabilities hence disputes with suppliers.
• Paying for services and goods not received
• Overstatement of expenses and creditors.
• Misstatement of various expense accounts hence unreliable records.
• Overstatement of purchases

(c) Wages
Potential errors
• Dummy workers in the payroll or fraudulent double payment of workers, payment for work
not done and unclaimed wages being misappropriated.
• Occurrence of payroll errors.
• Improper deductions being made or being misappropriated
• Inflation of the payroll in other ways.
Implications
• Overvaluation of stocks because using wrong labour costs.
• Overstatement of stocks
• Misstatement of various expense accounts
• Unreliable records.
How is internal control system helps prevent and detect fraud and error
• Supervision. This serves to prevent fraud or error by boosting the awareness of senior
employees who will refrain from committing fraud and error by virtue of constant review of
operations.
m
co
• Physical controls. These limit access to the assets of the company thus preventing them from
a.
ny
damage, misuse or theft.
ke
ea
• Segregation of duties. This boosts automatic checks, accountability and supervision at all
om
stages of processing transactions, minimizing chances of error and fraud.
.s
w
w
• Arithmetic and accounting controls. Proper recording of transactions according to the
w
principles of ISAs will prevent errors and frauds such an manipulation of accounts.
• Personnel. Engaging qualified, competent and efficient personnel will reduce chances of
errors. The company’s staff should be motivated and properly remunerated to prevent
temptations of fraud.
• Routine and automatic checks. These minimize fraud by boosting awareness that work will be
continuously checked, accountability will be increased and importance of being honest will
be emphasized.

TOPIC 5
AUDIT EVIDENCE
NATURE AND SOURCE OF AUDIT EVIDENCE
Audit evidence refers to the information obtained by the auditor in arriving at the conclusions on
which audit opinion on the financial statements is based. Audit evidence comprises of source
documents and accounting records underlying the financial statements. The accounting records
generally include:
 Records of initial entries and supporting records

 Records of electronic fund transfers, invoices, contracts and cheques.
 General and subsidiary ledgers, journal entries and other adjustments to the financial
statements not reflected in the journal entries
 Records such as work sheets and spread sheets supporting cost allocations, computations and
reconciliations.
m
co
Other information the auditor can use as audit evidence are:
a.
ny
ke
ea
 Minutes of meetings
om
 Confirmations form third parties
.s
w
w
 Analysis reports
w
 Comparable data about competitors.
 Control annuals.
 Information obtained by auditor from audit procedure such as observation and enquiries.
The sources and amount of evidence needed to achieve the required level of assurance is determined
by the auditor’s judgment. The auditor’s judgment will be influenced by the materiality of item
being examined, the relevance and reliability of evidence available from each source and cost
involved in obtaining it. Audit evidence is obtained through an appropriate mix of tests of controls
and substantive procedures where internal control system is considered weak; evidence may be
obtained entirely from substantive procedures.
Substantive tests are procedures carried out to test the accuracy and validity of accounting records.
They are of two types i.e. analytical review procedure and test of detail.

Characteristics of reliable evidence
The evidence must be both competent and sufficient. Competence means that the evidence must be
believeable or wothy of trust. The seven characteristics of competent evidence include:
1. Relevance--to the audit objective that the auditor is testing;

2. Independence of the provider--information received from outside the entity is presumed to
be more reliable than from inside the entity.
3. Effectiveness of the client's internal controls--evidence from a client whose internal
controls are effective is more trustworthy.
4. Auditor's direct knowledge--data or calculations prepared by someone inside the
organization will not be as reliable as data computed or discovered by the auditor directly.
5. Qualifications of the individuals providing the information--reliability of the information
is enhanced if the person providing it is qualified to do so.
6. Degree of objectivity--objective evidence is more reliable than evidence that is subjective.
7. Timeliness--data that are timely for the purpose intended are considered more reliable.
Sufficiency of evidence refers to the quantity of evidence, In part, sufficiency relates to the sample
size that the auditor selects, but the individual items selected for the sample may have a bearing as
well.
m
co
TYPES OF AUDIT EVIDENCE
a.
ny
ke
In deciding which procedures to use, the auditor may choose from seven different types of evidence:
ea
om
.s
1. Physical examination
w
w
w
This is the inspection or count by the auditor of a tangible asset.
Most often associated with inventory and cash, but it is also applicable to the verification of
securities, notes receivable and tangible fixed assets.
2. Confirmation
This is the receipt of a direct written response from a third party verifying the accuracy of
information that was requested by the auditor.
The request is made to the client, and the client asks the third party to respond directly to the
auditor.
3. Documentation
This is the auditor's inspection of the client's documents and records to substantiate the
information that is, or should be, included in the F/S.

Documents can be INTERNAL (has been prepared or used within the client's organization
and is retained without going to an outside party) or EXTERNAL (has been handled by
someone outside the client's organization who is a party to the transaction being documented,
which are either currently held by the client or readily accessible).
4. Analytical procedures
Uses comparisons and relationships to assess whether account balances or other data appear
reasonable compared to the auditor's expectations.
An auditor may compare the gross margin in the current year with the preceding years.
5. Inquiries of the Client
This is obtaining of written or oral information from the client in response to questions from
the auditor.
This type of evidence is usually not conclusive because it is not from an independent source.
Must obtain additional evidence through other procedures.
6. Recalculation
m
co
It involves rechecking a sample of calculations made by the client.
a.
ny
ke
Rechecking client calculations consists of testing the client's arithmetical accuracy and
ea
om
includes such procedures as extending sales invoices and inventory, adding journals and
.s
subsidiary records, and checking the calculation of the depreciation expense and prepaid
w
w
w
expenses.
7. Reperformance
This is the auditor's independent tests of client accounting procedures or controls that were
originally done as part of the entity's accounting and internal control system.
Recalculation is rechecking a calculation, where reperformance involves checking other

procedures.
8. Observation
Is the use of the senses to assess client activities. Observation is rarely sufficient by itself
because of the risk of an auditor changing their behavior because of the auditor's presence.

GATHERING OF AUDIT EVIDENCE
The auditor may rely on sufficient appropriate evidence obtained by substantive testing to form his
opinion. Alternatively he may be able to obtain assurance from presence of a reliable internal
contrast system and therefore reduce the extent of substantive testing the auditor obtains evidence in
performing compliance and substantive procedures using the following methods.
a) Inspection.
This consists of examining records, documents or tangible assets. The reliability of the evidence
obtained from inspection depends on nature, source and effectiveness of the internal control system.
Inspection of tangible assets provides evidence with the respect to the existence but not to their
value and ownership.
b) Observation
This involves looking at procedures being performed by others e.g. stock counting by client
personnel.
c) Inquiry and confirmation.
m
co
a.
ny
Inquiry consists of seeking information from knowledgeable persons inside and outside the
ke
ea
company. It ranges from formal written inquires addressed to the third parties to oral inquiries
om
addressed to persons within the entity. The information may be new to the auditor or may
.s
w
w
corroborate evidence from other sources. Confirmation is the response to inquiry to corroborate
w
information contained in financial statements e.g. debtors circularization.
d) Recalculation and re-performance
This involves checking the arithmetic accuracy of source documents and accounting records or
performing independent computations e.g. re-computing amount of provision for depreciation and
comparing this against that computed by client.
e) Analytical procedures.
This is the analysis of relationships such as between items of financial data to identify consistency
and predicted patterns or significant fluctuations, unexpected relationships and results of
investigations thereof.

AUDIT EVIDENCE PROCEDURES/TECHNIQUES
Analytical procedures
Nature and purpose of analytical procedures
They are mainly used at 3 stages of the audit:

 As part of the planning process
 At the final review stage
 As substantive procedures
Analytical procedures are involved in evaluation of financial statements information by a study of

relationships among financial and non financial information. A basic premise underlying the
application of analytical procedures is that logical or plausible relationship among data may be
expected to exist and continue in the absence of conditions to the contrary. Therefore the auditor can
use these relationships to obtain evidence of the financial statements amounts. A simple analytical
procedure is to compare revenue and expenses amounts for the current year to those of prior periods
noting any significant differences. Essentially, the process of performing analytical procedures
consists of four steps.
 Develop an expectation of account balance or ratio
m
co
a.
 To determine the amount of difference from expectation that can be accepted without
ny
ke
investigation
ea
 Comparison of company’s account balances or ratios with the expected.
om
.s
 Investigate and evaluate significant ratio differences from the expectation
w
w
w
1. Developing an expectation.
A variety of types of information are available to the auditor to develop an expectation for analytical
procedures including;
 Financial information for comparable priority periods.

 Anticipated results such as budgets and forecasts.
 Relationships among elements of financial information within a period e.g. level of debtors
and credit sales.
 Information derived from similar firms in the same industry e.g. industry wage average.
 Relationships between financial and non financial data e.g. wage expenses and a number of
employees. In establishing these relationships, the auditor may use shillings amount, physical
quantities ratios or percentages.

To increase the precision of the analytical procedures, separate relationships may be computed for
each department or product line. Industrial average’s provide a potentially rich source of information
in developing expectation for analytical procedures, since industry statistics may alert auditors to
classification error, improper application of accounting principles or other misstatements in specific
items in client’s financial statements. However there may be problems of lack of comparability
among companies and inability to obtain current industry data.
Methods of developing expectation on account balances and ratios
a) Trend analysis. This includes review of changes in an account balance over time e.g. review
of clients sales for the past six years may reveal a growth rate of 5%. This information could
assist auditor in developing an expectation of sales for the current year.
b) Ratio analysis. This involves comparison of relationships between two or more financial
statement account balances or comparisons of an account balance to non financial data e.g.
revenue per sale order. The typical financial ratios are liquidity, profitability, leverage and
activity ratios.
Because ratio analysis involves examination relationships between two or more variables and may
involve industrial data, it is often a richer analysis than trend analysis. There are two basic
approaches to ratio analysis;
m
co
a.
ny
 Horizontal analysis. This involves review of client’s ratios and trends over time
ke
ea
 Cross sectional analysis. This involves comparisons of ratios of similar firms at a given point
om
in time.
.s
w
w
w
2. The amount of acceptable difference.
The amount of acceptable difference between the expectation and the financial statements balance
that can be accepted without investigation is determined primarily by the amount that is considered
to be a material misstatement However; this amount must be consistent with the degree of assurance
from the procedure. When trend or ratio analysis is used, the auditor typically uses professional
judgment to specify an absolute amount of difference or percentage difference that will result into
investigation.
3. Comparison of the account balance or ratio with the expected balance or ratio.
Once the auditor has determined the expectation and amount of acceptable difference, he makes the
actual comparison to determine where significant difference lies.

4. Investigation and evaluation of significant differences.
The auditor must investigate any significant differences and his expectation and the client’s financial
statements balance or ratio to determine whether they represent misstatements. This involves
reconsidering the methods and factors used in developing the expectation. Inquiry to management
can be useful in this regard. Management explanations however must be ordinary be supported with
other audit evidence. If the explanations are not tallying with other audit evidence, the editor will
often be required to expand his tests of related financial amounts to determine whether or not they
are materially misstated.
Timing of analytical procedures
ISAs require the application of analytical procedures at the planning and overall review stages of the
audit. The auditor may also decide to use them during the audit on substantive tests to provide
evidence as to the reasonableness of specific account balances. Analytical procedures performed in
planning the audit are used to determine the nature, timing and extent of audit procedures that will
be used to obtain evidence about specific accounts. They are also used in understanding the client’s
business at the planning stage.
m
co
Analytical procedures must be used as part of the overall review stage of an audit to assist the
a.
ny
auditor in assessing the adequacy of the evidence gathered and the validity of conclusions reached.
ke
ea
At the final review stage of an audit, the analytical procedures generally include reviewing the
om
financial statements and re-computing ratios if necessary to identify any unusual or unexpected
.s
w
w
balance or that have not been previously identified and explained.
w
Where the auditors are not required to use analytical procedure as substantive tests, they are usually
most efficient tests of certain assertions .e.g. performing analytical procedures is the most efficient
way to evaluate competence of various revenue and expense accounts.
Extent of analytical procedures
Auditors must consider cost and likely effectiveness of analytical procedures in determining how
much they may be used for a particular audit A primary measure of the effectiveness of analytical
procedures is its precision. Precision depends on a number of factors including the predictability of
the relationship, the techniques used to develop the expectation and the reliability of the underlying
data used. Monthly data is more precise than yearly data.

Management representations ISA580
a) Oral representations.
Throughout an audit the auditors ask many questions to the officials and employees of Client
Company. Oral inquires are made on an endless range of topics from the location of records and
document, reasons for unusual account procedures and probability of collecting overdue accounts
receivable. In making inquires, the auditor should consider the knowledge, objectivity, experience,
responsibility and qualifications of individuals being questioned and use carefully structured
questions to address relevant issues. Client replies should be carefully evaluated as appropriate and
followed up with additional questions.
Generally, oral client representations are not sufficient themselves but they may be useful in
disclosing situations that require investigation or in corroborating other forms of evidence e.g. after
making careful analysis of all accounts receivable, the auditor normally discusses with the credit
manager, the prospects of collecting specific accounts.
b) Written representations.
The auditor must also obtain written representations from the client in accordance with provisions of
m
co
ISA 580. At conclusion of the audit, the auditor obtains from the client a written representation
a.
ny
letter. This letter summarizes the most important oral representations made by management during
ke
ea
the audit. Many specific items are included in this representation letter e.g. management represents
om
that all liabilities known to exist are reflected the financial statements. The representations generally
.s
w
w
fall into the following broad categories;
w
 All accounting records, financial data and minutes of director’s meetings have been made
available to the auditor.
 The financial statements are complete and were prepared in conformity with generally
accepted accounting principles.
 Management believes that adjusting entries brought to the attention by the auditor and not
recorded are not material individually or collectively.
 All items requiring disclosures such as contingencies, illegal acts and related parties
transactions have been properly disclosed.
ISA 580 requires the auditor to obtain representations letter on every engagement and provide
suggestions as to its form, content and guidance on how it is to be used as audit evidence and actions
to be taken if client refuses to provide representations. These letters are dated as of the date of the
auditor’s report ordinarily the last day of field work and are usually signed by both the client chief
executive officer and the chief accountant. A client representations letter should never be used as a
substitute for performing other audit procedures. The financial statements already constitute written
representations by the client hence representation letter does little more than assert that the original
representations were correct.
Purposes of representations letter
 To remind the client’s directors of their primary responsibilities for the financial statements.
 Documents in the audit working papers, client responses to the significant questions asked by
the auditor during the engagement.
 At times a representation letter may be the only evidence available in respect to management
future intentions e.g. whether a maturing debt is classified as a current or long term liability
will depend on whether management has both the ability and intent to refinance the debt.
Management may be unwilling to sign letters of representation or pass minutes required by the
auditor. If management declines, the auditor should inform the management that he will himself
prepare a statement in writing setting out his understanding of any representations that they have
been made during the course of the audit and send this statements to management with a request for
confirmation that the auditor’s understanding of the representations is correct.
If management disagrees with the auditor’s statement of representations, discussions should be held
m
co
to clarify the matters in doubt and if necessary a revised statement prepared and agreed. Should
a.
ny
management fail to reply, the auditor should follow up the matter to ensure the position as set out in
ke
ea
his statement is correct
om
.s
w
w
In rare circumstances, the auditor may be completely unable to obtain written representations which
w
he requires e.g. because of the refusal by management to cooperate or because management declines
to give proper representations required on the ground of its own uncertainty regarding that particular
issue. In such circumstances, the auditor may have to conclude that he has not received all
information and explanations required and consequently may need to consider qualification his audit
report an ground of limitation in scope of the audit.
AUDIT SAMPLING AND OTHER MEANS OF TEXTING

This International Standard on Auditing (ISA 530) applies when the auditor has decided to use audit
sampling in performing audit procedures. It deals with the auditor’s use of statistical and non-
statistical sampling when designing and selecting the audit sample, performing tests of controls and
tests of details, and evaluating the results from the sample.

Objective
The objective of the auditor, when using audit sampling, is to provide a reasonable basis for the
auditor to draw conclusions about the population from which the sample is selected.
Definitions
For purposes of the ISAs, the following terms have the meanings attributed below:
a) Audit sampling (sampling) – The application of audit procedures to less than 100% of items
within a population of audit relevance such that all sampling units have a chance of selection in
order to provide the auditor with a reasonable basis on which to draw conclusions about the
entire population.
b) Population – The entire set of data from which a sample is selected and about which the
auditor wishes to draw conclusions.
c) Sampling risk – The risk that the auditor’s conclusion based on a sample may be different
from the conclusion if the entire population were subjected to the same audit procedure.
Sampling risk can lead to two types of erroneous conclusions:
i. In the case of a test of controls, that controls are more effective than they actually are, or
m
in the case of a test of details, that a material misstatement does not exist when in fact it
co
does. The auditor is primarily concerned with this type of erroneous conclusion because
a.
ny
it affects audit effectiveness and is more likely to lead to an inappropriate audit opinion.
ke
ea
ii. In the case of a test of controls, that controls are less effective than they actually are, or in
om
the case of a test of details, that a material misstatement ISA 500, “Audit Evidence.”
.s
w
exists when in fact it does not. This type of erroneous conclusion affects audit efficiency
w
w
as it would usually lead to additional work to establish that initial conclusions were
incorrect.
d) Non-sampling risk – The risk that the auditor reaches an erroneous conclusion for any reason
not related to sampling risk.
e) Anomaly – A misstatement or deviation that is demonstrably not representative of

misstatements or deviations in a population.
f) Sampling unit – The individual items constituting a population.
g) Statistical sampling – An approach to sampling that has the following characteristics:

i. Random selection of the sample items; and
ii. The use of probability theory to evaluate sample results, including measurement of
sampling risk.
A sampling approach that does not have characteristics (i) and (ii) is considered non-statistical
sampling
h) Stratification – The process of dividing a population into sub-populations, each of which is a
group of sampling units which have similar characteristics (often monetary value).
i) Tolerable misstatement – A monetary amount set by the auditor in respect of which the
auditor seeks to obtain an appropriate level of assurance that the monetary amount set by the
auditor is not exceeded by the actual misstatement in the population.
j) Tolerable rate of deviation – A rate of deviation from prescribed internal control procedures
set by the auditor in respect of which the auditor seeks to obtain an appropriate level of
assurance that the rate of deviation set by the auditor is not exceeded by the actual rate of
deviation in the population.
Reasons for sampling
i. A complete check for all transactions and balances a business is no longer possible owing to
the numerous numbers of transactions.
ii. Time factor. Examining all the transactions will take a lot of time. The cost of doing this will
be prohibitive because audit fees are largely based on amount of time spent on assignment.
Also a complete check will take so long that the accounts will be ancient history before users
m
co
saw them.
a.
ny
iii. The objective of an audit is to express an opinion as to whether the financial statements show
ke
ea
a true and a fair view. It is possible for the auditor to obtain the assurance without examining
om
all transactions. The use of sampling with properly set out objectives and properly
.s
w
constructed tests allows more valid conclusions to be reached than when many transactions as
w
w
possible are tested. This is because detailed testing is done on a sample.
iv. A complete check would bore the audit staff so much that their work would become
ineffective and errors would remain unidentified.
Cases where sampling is inappropriate
i. When population is small, statistical sampling will create an unacceptable margin of error. If
the population is not sufficiently large, then statistical methods are invalid. Instances where
transactions or balances are small in number but material in relation to financial statements
e.g. directors fees should never be sampled and any transactions involving a large capital
expenditures.
ii. Any situation where the auditor is put on high alert a result of earlier tests or information is
received indicating material fraud in a certain accounting areas.
iii. For statutory disclosure items such as director‟s salaries, a full audit check is desirable
because materiality consideration does not apply in this case.

iv. Where population is not homogenous and requires stratification, it is not possible to select a
representative sample.
v. When the population has not been maintained in a manner suitable for audit sampling e.g. if
sales invoices are filed according to customer name as opposed to a numerical order.
Stages in audit sampling
a) Planning the sample
When planning how to carry out sampling, the auditor considers the following:
i. Objectives of tests and combinations of audit procedures which are likely to achieve the
objectives e.g. objective to verify compliance of the debtors balances.
ii. The population and sampling units should be appropriate to the objectives of sampling e.g. if
auditors objective is to test overstatement of debtors, an appropriate population would be a
list of total debtors.
iii. Definition of errors is substantive testing and deviation in compliance testing. Before
performing testing on a chosen sample, the auditor should define clearly test results and
conditions that will be considered errors or deviations by reference to audit objective. For
m
co
substantive testing, the auditor should project errors found in the sample to population and
a.
ny
consider the effect of projected errors on a particular test objective.
ke
ea
om
b) Determination of sample size.
.s
w
w
w
The auditor needs to determine the appropriate size of the sample on which audit procedures will be
applied. Sample size is determined by;
i. The tolerable error. The larger the tolerable error, the smaller the sample size required for
a given test.
ii. Auditor’s assessment of the inherent risk. The higher the assessment of inherent risk, the
larger the sample size is required. Higher inherent risk implies that there is a greater risk
of an account balance being misstated and this may be reduced by testing a larger sample.
iii. Auditor’s assessment of control risk. A higher control risk implies that little reliance can
be placed on effectiveness of operations of internal controls and the sample size needs to
be increased.
iv. Auditor’s required confidence level. The greater the degree of confidence level the auditor
requires, the larger the sample size needs to be so that the results of the sample are in fact
representative of the actual amount of error in the population.

c) Selecting items to be tested.
The sample selected should be a true representative of the population so that the auditor can draw
conclusions about the entire population. All sampling units should have an equal chance of being
selected. Common sampling methods are;
i. Random sampling. This is done by use of random number tables or use computers to select
sampling units
ii. Systematic selection. In this type of sampling, units in the population are divided by the
sample size to give sampling intervals e.g. if the population to be sample has 600 items and
sample size is 50, the sampling interval will be 12. One of the first 12 items will be selected
as the starting point and thereafter, every twelfth item will be selected i.e. if the first item
selected is third item, every 15th, 27 th, 39 th and so on items will be picked. However, the
auditor needs to determine that sampling units within the population are not structured in a
way that sampling intervals corresponds to a particular pattern in the population.
iii. Haphazard selection. The auditor selects a sample without following structured techniques.
The auditor should avoid conscious bias and predictability in selecting items in attempt to
ensure that all items in the population have a chance of being selected. This technique is not
suitable for statistical sampling.
m
co
iv. Block selection. This involves selecting a group of continuous items within the population
a.
ny
e.g. all sales transactions for August. Block sampling cannot be ordinarily used in audit
ke
ea
sampling because most populations are structured such that items in a sequence can be
om
expected to have similar characteristics therefore the sample selected may not be
.s
w
w
representative of the population.
w
d) Testing.
After selecting the sample items the auditor should carry out the predetermined test on each item.
e) Evaluating results of the test.
The following procedures should be followed.
i. The auditor should estimate the expected error or deviation rate in the whole population
by projecting the results of the sample to the population. This is then compared with the tolerable
error.
ii. The auditor should assess the risk of an incorrect conclusion. In general, expected error is
rarely a precise measure of the actual error in the population. Actual error may be greater or smaller

than projected error. The auditor most therefore consider on the basis of his sample results and
relevant evidence from other sources, the possible levels which actual error or deviation might take.
Main approaches to audit sampling
a) Judgmental sampling
This is also called non-statistical sampling. It involves using experience and knowledge of client’s
business and circumstances to select and taste a sample without using any mathematical of or
statistical tools. The auditor does not rely on probability theory and uses judgment in making
sampling decisions.
Advantages of judgmental sampling
i. It is well understood and refined by experience

ii. Opportunity to use expertise and knowledge in selecting sample units i.e. no special
knowledge and statistics is required. The auditor simply uses his judgment in making
sampling deacons
iii. No time is wasted on the mechanics of statistical tools. The time which could have been spent
m
co
on constructing sample and computing mathematical implications of results obtained is spent
a.
ny
on auditing sample units.
ke
ea
om
Disadvantages of judgmental sampling
.s
w
w
w
i. Unscientific. The approach does not form a strong basis of defense. It is difficult to justify
why the auditor selected some items and left out others.
ii. Wasteful as large simples need to be selected. This is because in effort to reduce the
sampling risk, the auditor attempts to select as many items as possible as opposed to
statistical sampling where sample size is determined using probability theory.
iii. Samples may not be representative of the population and thus results cannot be projected
to the population.
iv. There is danger of personal bias in selecting samples.
b) Statistical sampling.
This involves two steps;

i. Use of random selection to pick a sample.
ii. Use of probability theory to determine the sample size, evaluate quantitatively the sample
results and measure sampling risk. Statistical sampling differs from non statistical

sampling in that the auditor uses probability theory to measure the sampling risk and
evaluate the sample results.
Advantages of statistical sampling
i. It is scientific and defensible. The auditor can justify the items selected because these are
selected randomly.
ii. Elimination of personal bias. The sample selected is unbiased which increases reliability
of audit evidence.
iii. Small samples are selected which improve the efficiency of the exercise. This is because
probability theory helps determine a precise sample size.
Disadvantages of statistical sampling
i. It is difficult to extract samples especially if documents are not sequentially numbered.

ii. The need to follow a predetermined statistical report may reduce initiative and the need to
apply judgment by the auditor.
iii. The result may be misunderstood if audit staff are not properly trained on use of the
techniques.
iv. It may not be suitable for all applications. Probability theory works best for large
m
co
populations and therefore cannot be applied for small populations.
a.
ny
v. It is expensive because extensive staff training is required and the use of information
ke
ea
technology.
om
.s
w
w
Factors considered before adopting statistical sampling
w
i. The number of clients to whom a technique as appropriate. This is because the set up and
training costs are high.
ii. Whether large population exists. Statistics is the science of large numbers. Where
organizations are small with few transactions, a statistical approach is inappropriate.
iii. Adequate controls must exist where they are no controls it is impossible to use statistical
techniques because of increased statistical errors
iv. The population being tested must be homogenous.
v. Sampling units must be separately identifiable and therefore sequential numbering is
essential.
vi. The expectation of the error must be low i.e. the internal control system of organization
must be reliable.
vii. The risk factors. The level of risk allowable and the degree of risk attached to an item
being tested must be considered.

Qualities of a good sample
i. It should be representative of the population. The sample should be representative of the

differing items in the whole population.
ii. The size of the sample should be appropriate given the various risk considerations i.e.
where the expected error is high, a large sample is chosen.
iii. Unpredictable. The client should not be able to know in advance which items will be
examined.
Sampling methods
1. Estimation sampling for variables.

2. Estimation sampling for attributes.
3. Acceptance sampling.
4. Discovery sampling
1. Estimation sampling for variables
This method seeks the estimate the total value of some population e.g. total value of debtors, stock
or loose tools. The procedure is to extrapolate estimate or form an opinion using the facts that are
m
co
valid for one situation (sample) supposing that they will be valid in the new situation. This estimate
a.
ny
can be compared with the book value and if any difference is within the materiality limits pre-
ke
ea
established, the auditor has evidence for the book value of the item.
om
.s
w
w
2. Estimation sampling for attributes
w
This method seeks to estimate the proportion of a population having particular characteristic e.g.
overdue debts or damaged inventory.
3. Acceptance sampling
This method seeks to discover the error rate in a population to determine a maximum error rate.
Its uses include;
i. Whether a control can be relied upon. If non compliance is greater than the acceptable
rate, the control will not be relied upon and other audit tests will have to be applied.
ii. Used to test whether stock calculation can be relied upon. If the error rate is greater than
some acceptable proportion, the auditor will have to request the client to redo the
calculations.

4. Discovery sampling
This method extends acceptance sampling to an acceptance level of zero. E.g. a system with controls
exists in an investment trust company to ensure that all bonus issues are recorded. Even if one bonus
has not been recorded, the auditor will be unable to accept the controls and will have to seek other
evidence. This method requires a large sample. A form of discovery sampling is monetary unit
sampling.
Monetary unit sampling
Monetary unit sampling is appropriate for use with large variance population e.g. debtors or stock
where individual units have widely different sizes or values. This method is suited to a population
where errors are not expected and it implicitly takes into account the auditor‟s concept of
materiality.
Procedure of monetary unit sampling
i. Determine the sample size taking into account the size of the population and the minimum
acceptable error rate.
m
co
ii. List the items of population e.g. list of debtors could be as
a.
ny
ke
ea
Debtor Amount (Sh) Cumulative
om
amount
.s
w
w
w
TMK& Co. 500 500
AQ & Sons 20 520
T Ltd 1,450 1,970
W Co. 4,420 6,390
: :
240,000
Total 240,000
iii. Assume that the total numbers of debtors is 1500. If sample size chosen is 100 items, then
a random start of say Shs 1000 can be chosen and every Shs 2100th item thereafter i.e.
using systematic sampling with random start. The idea is that the population of debtors is

not 1500 but Shs 240000 with single units of Shs 1. Therefore, we chose to sample to be
picked from the cumulative shillings amount.
iv. At the end of the process, evaluate the result which might be a conclusion that the auditor
is 95% confident that the debtors are overstated by more than Shs. X where X is the
materiality factor chosen.
v. If the conclusion is that the auditor finds that the debtors are overstated by more than Shs
X, then he may take a large sample or investigate the debtors fully.
Disadvantages of monetary unit sampling
i. Does not cope easily with errors of understatement. A debtors balance which is
understated will have a smaller chance of being selected than if it was correctly valued
hence there is a reduced chance of selecting that balance and discovering the error.
ii. It can be difficult to select samples where a computer cannot be used e.g. where the
accounting system of an organization is manual. Manual selection will involve adding
items cumulatively through the entire population which is very tiring.
iii. It is not possible to extend a sample if the error rate turns out to be higher than the
expected error. In such cases an entirely new sample must be selected and evaluated.
iv. Monetary unit sampling is useful especially in testing for overstatements where significant
m
co
understatements are not expected i.e. when dealing with debtors, fixed assets and stock it
a.
ny
is clearly not suitable for testing creditors where understatement is the primary
ke
ea
characteristic to be tested.
om
.s
w
w
w
AUDIT WORKING PAPERS
ISA 230, Audit Documentation (Revised) (1) contains the set of standards that deal with working
papers. These standards (2) are as follows:
The auditor should prepare, on a timely basis, audit documentation that provides:
1. a sufficient appropriate record of the basis for the auditor’s report, and
2. evidence that the audit was performed in accordance with ISAs and applicable legal and
regulatory requirements.
The auditor should prepare the audit documentation so as to enable an experienced auditor, having
no previous connection with the audit, to understand:
1. the nature, timing, and extent of the audit procedures performed to comply with ISAs and
applicable legal and regulatory requirements
2. the results of the audit procedures and the audit evidence obtained, and
3. significant matters arising during the audit and the conclusions reached.

In documenting the nature, timing, and extent of audit procedures performed, the auditor should
record the identifying characteristics of the specific items or matters being tested.
The auditor should document discussions of significant matters with management and others on a
timely basis.
If the auditor has identified information that contradicts or is inconsistent with the auditor’s final
conclusion regarding a significant matter, the auditor should document how the auditor addressed
the contradictions or inconsistency in forming the final conclusion.
Where, in exceptional circumstances, the auditor judges it necessary to depart from a basic principle
or an essential procedure that is relevant in the circumstances of the audit, the auditor should
document how the alternative audit procedures performed achieve the objective of the audit, and,
unless otherwise clear, the reasons for the departure.
In documenting the nature, timing, and extent of audit procedures performed, the auditor should
record:
1. who performed the audit work and the date such work was completed, and
2. who reviewed the audit work and the date and extent of such review (3).
m
co
a.
ny
The auditor should complete the assembly of the final audit file on a timely basis after the date of the
ke
ea
auditor’s report.
om
.s
w
w
After the assembly of the final audit file has been completed, the auditor should not delete or discard
w
audit documentation before the end of its retention period.
When the auditor finds it necessary to modify existing audit documentation or add new audit
documentation after the assembly of the final file has been completed, the auditor should, regardless
of the nature of the modifications or additions, document:
1. when and for whom they were made, and (where applicable) reviewed
2. the specific reasons for making them, and
3. their effect, if any, on the auditor’s conclusions.
When exceptional circumstances arise after the date of the auditor’s report that require the auditor to
perform new or additional audit procedures, or that lead the auditor to reach new conclusions, the
auditor should document:
1. the circumstances encountered
2. the new or additional audit procedures performed, audit evidence obtained, and conclusions
reached, and

3. when and by whom the resulting changes to audit documentation were made, and (where
applicable) reviewed.
These standards guide the auditor to produce audit documentation that is of an acceptable standard.
Understanding and applying the standards will protect the auditor from unwelcome and unnecessary
litigation. ISA 230 (Revised) is more comprehensive than its predecessor and is likely to prove very
useful.
Importance of working papers

Working papers are important because they:
 are necessary for audit quality control purposes
 provide assurance that the work delegated by the audit partner has been properly completed
 provide evidence that an effective audit has been carried out
 increase the economy, efficiency, and effectiveness of the audit
 contain sufficiently detailed and
 up-to-date facts which justify the reasonableness of the auditor’s conclusions
 retain a record of matters of continuing significance to future audits.
Avoiding unnecessary papers

Before deciding to prepare a particular audit working paper, the auditor should be satisfied that it is:
m
co
 necessary either because it will serve an essential or useful purpose in support of the auditor’s
a.
ny
report, or because it will provide information needed for tax or other client-related
ke
ea
statutory/regulatory purposes
om
 not practicable for the client staff to prepare the working paper, or for the auditor to make
.s
w
w
copies of papers that the client staff (including internal auditors) have prepared as part of their
w
normal regular duties.
Content
Each audit working paper must be headed with the following information:
 The name of the client
 The period covered by the audit
 The subject matter
 The file reference (4)
 The initials (signature) of the member of staff who prepared the working paper, and the date
on which it was prepared
 In the case of audit papers prepared by client staff, the date the working papers were received,
and the initials of the audit team member who carried out the audit work
 The initials of the member of staff who reviewed the working papers and the date on which
the review was carried out

 Each audit paper should meet the characteristics of a good working paper, as detailed later in
this article.
Papers prepared by client

Certain working papers required by the auditor may have already been prepared by client staff. The
auditor should make arrangements, whenever possible, for copies of these to be made available to
the audit team. If client staff prepare working papers which are to be retained by the auditor, the
auditor should agree the form of the working papers with client staff at an early stage in the audit,
and include this information in the audit timetable.
When arranging for working papers to be prepared, the auditor should take care to ensure that the
working papers will give all the information required. All such working papers should normally be
clearly identified as having been prepared by the client. The member of audit staff directly
responsible for an audit area in which working papers prepared by client staff are included should
sign those papers – this will show that they have been checked and that they can be reviewed by the
manager and the partner, and by subsequent reviewers. The signature of the audit team member
indicates that the working paper (prepared by client staff) has been ‘audited’.
Some characteristics of a good working paper

On the basis of the discussion above, a good working paper should meet the requirements of ISA
m
co
230 by displaying the following characteristics:
a.
ny
 It should state a clear audit objective, usually in terms of an audit assertion (for example, ‘to
ke
ea
ensure the completeness of trade creditors’).
om
 It should fully state the year/period end (eg 31 October 2006), so that the working paper is not
.s
w
w
confused with documentation belonging to a different year/period.
w
 It should state the full extent of the test (ie how many items were tested and how this number
was determined). This will enable the preparer, and any subsequent reviewers, to determine
the sufficiency of the audit evidence provided by the working paper.
 Where there is necessary reference to another working paper, the full reference of that other
working paper must be given. A statement that details of testing can be found on ‘another
working paper’ is insufficient.
 The working paper should clearly and objectively state the results of the test, without bias,
and based on the facts documented.
 The conclusions reached should be consistent with the results of the test and should be able to
withstand independent scrutiny.
 The working paper should be clearly referenced so that it can be filed appropriately and found
easily when required at a later date.
 It should be signed by the person who prepares it so that queries can be directed to the
appropriate person.

 It should be signed and dated by any person who reviews it, in order to meet the quality
control requirements of the review.
The reviewer of audit working papers should ensure that every paper has these characteristics. If any
relevant characteristic is judged absent, then this should result in an audit review point (ie a
comment by the reviewer directing the original preparer to rectify the fault on the working paper).
AUDIT TESTS
The auditor is not entitled to place any reliance on internal controls based solely on his preliminary
evaluation. He should carry out compliance tests to obtain reasonable assurance that the controls on
which he wishes to rely were functioning both properly and throughout the period
Stages in Audit testing

1. Internal control evaluations which will be followed by.
2. Compliance testing which gives satisfaction to some extent on the reliability of the records
and the controls. This will be followed by:-
3. An overall analytical review designed to expose apparent inconsistencies and abnormalities
in the financial statements and the underlying records. These three help us determine the
m
co
extent of substantive testing. Substantive testing consists of tests that are designed to
a.
ny
substantiate the completeness, accuracy and validity of information.
ke
ea
4. Contained in the accounting records and financial statements. They consist of:
om
a. Detailed analytical review which is designed to help locate material mis-statements in
.s
w
w
the accounts by comparing transactions and balances with related items both for the
w
same period and for previous periods.
b. Tests of details which consists of transaction testing and balance testing and are
designed to substantiate individual items in the accounts and so gain assurance either
about the validity of similar transactions or about the details that underlie the various
accounts balances. Test.: of I details consist of transaction testing which is achieved by
vouching whereby vouching is defined as proving the authenticity of a recorded
transaction, the checking of casts and cross casts, checking of postings and
reconciliations. Balance testing is achieved by direct confirmation and the physical
inspection; all these give the necessary confidence for the auditor to express an
opinion on the accounts.
Types of Audit Tests

1. Compliance testing
2. Substantive Tests
3. Analytical tests

COMPLIANCE TEST
Compliance tests are most often used by tax auditors to determine if controls which ensure the
accuracy of records are in place and working correctly. These tests can be performed directly on the
control feature itself or indirectly on the outcome of the control.
An example of a direct test would be a test to determine that invoices are pre-numbered, used in
sequence and accounted for by those issuing the invoices. Such a test would be helpful in assuring
the auditor that all invoices issued in a period are used or voided.
An example of an indirect test would be a tracing of a sample of invoices to a summary journal to

determine that the controls over recording invoices in the summary journal are working. In this case,
the controls themselves are not actually tested, but the results of those controls are examined, and
the question of whether the summary record is reliable will be answered yes or no.
Note that tax auditors do not use formal compliance testing as frequently as other types of auditors.
However, tax auditors do make judgments about the level of risk of incorrect records and the risk of
misapplication of the tax law. These are the types of judgments that can be backed up by compliance
tests.
The decision to test controls or the accuracy of records is based on auditor judgement and the
m
co
circumstances of the audit. The decision should be documented. Compliance testing may help to
a.
ny
limit the scope of the audit to areas of higher risk or point out problems with records that may have
ke
ea
otherwise appeared reliable.
om
.s
w
w
The main reason for performing compliance tests is to reduce the amount of substantive tests that
w
need to be performed. Therefore, the decision of whether to perform compliance tests should weigh
the possible compliance tests against the possible substantive tests that could be performed to
determine which test will be most efficient and effective.
For instance, if an auditor decides that he can either test the taxpayer’s summary records or use them
to perform the audit, or, rely on comparing reports to bank statements, then he or she should
determine which method will be more efficient.
If a compliance test of the summary records is performed and the records prove to be unreliable,
then the auditor may still have to rely on bank statements. However, it may be that using the
summary records will be much more efficient than using bank statements. Therefore, testing those
records is worth the time needed and the risk that the test results will be negative. Before relying on
the summary records the auditor should perform a test of transactions to determine the records are
reliable.

SUBSTANTIVE TESTS
Substantive Tests are procedures designed to test for dollar misstatements that directly affect the
correctness of financial statement balances; Substantive tests of transactions are used to determine
whether all six transaction related audit objectives have been satisfied for each class of transactions
Two types of Evidence for Substantive Tests of Transactions

a. Verifying the recording and summarizing of sales and cash receipts transactions
b. Making sure recorded sales transactions exist and existing sales are recorded
Analytical Procedures
ANALYTICAL TESTS
Comparisons of recorded amounts to expectations developed by the auditor; must be done during
planning and completing the audit; two most important purposes of analytical procedures in the
audit of account balances are to indicate possible misstatements and provide substantive evidence.
Two types of Evidence for Analytical Procedures
m
co
a. Calculating the gross margin in the completing and planning phases
a.
ny
b. Predicting the ending balance and comparing the recorded balance to the prediction
ke
ea
om
.s
w
w
w

TOPIC 6
RISKBASED AUDIT
Audit risk means the risk that the auditor may give an inappropriate audit opinion i.e. the auditor
may report that the financial statements show a true and fair view while in reality they are materially
misstated.
RISK-BASED AUDIT
A risk-based audit approach is designed to be used throughout the audit to efficiently and effectively
focus the nature, timing and extent of audit procedures to those areas that have the most potential for
causing material misstatement(s) in the financial report. ASA 315 Identifying and Assessing the
Risks of Material Misstatement through Understanding the Entity and its Environment and ASA 330
The Auditor’s Responses to Assessed Risks are auditing standards that specifically set out the
riskbased audit approach, with other auditing standards containing specific risk-related principles
and procedures appropriate to their subject matter.
The risk-based approach requires the auditor to first understand the entity and its environment in
order to identify risks that may result in material misstatement of the financial report. Next, the
m
co
auditor performs an assessment of those risks at both the financial report and assertion levels. The
a.
assessment involves considering a number of factors such as the nature of the risks, relevant internal
ny
ke
controls and the required level of audit evidence.
ea
om
.s
The result of the assessment effectively categorises the audit into a) areas of significant risk of
w
w
material misstatement that require specific responses and b) areas of normal risk that can be
w
addressed by standard audit work programs. Having assessed risks, the auditor then designs
appropriate audit responses to those risks in order to obtain sufficient appropriate audit evidence on
which to conclude. Risk assessment continues throughout the audit and the audit plan and
procedures are amended where a reassessment is necessary. So let’s work through these key steps in
more detail.
Step 1: First comes understanding
In order to identify risks that are relevant to the audit of the financial report, the auditor needs to
obtain an appropriate understanding of the entity and the environment (including internal control) in
which it operates. An experienced auditor’s professional skill and judgement is exercised in focusing
on what specific information should be obtained through this process. Using that experience, the
auditor reduces the potential for unnecessary information or information overload, by obtaining only
information directly related to the financial report audit process – saving critical time and resources.
Understanding the entity includes understanding and documenting its nature, industry, ownership
structure, regulatory environment, competitors, structure, key financial reporting processes and its
internal control environment. Information is obtained through enquiry of relevant persons,
observation and inspection of processes and documentation, and performing analytical procedures
on key financial and non-financial information.
Understanding the entity’s internal control framework is often seen as problematic for auditors,
particularly in knowing what controls to focus on, and what type of information, and how much
information, to obtain on the controls. Auditors need to understand those controls (individually or in
combination) that are considered likely to be relevant to the audit (for example controls related to
financial reporting) – not all the controls the entity employs in managing its business.
The control framework assists auditors to focus on obtaining an understanding of relevant controls
by dividing the entity’s internal controls into five components:
 Control environment: the control culture of the entity and its impact
 Entity’s own risk assessment process: how the entity identifies, assesses and responds to its
own business risks
 Information systems relevant to the financial reporting: those systems related to the capture of
significant transactions, events, conditions or accounting estimates, the procedures related to
nonstandard journal entries, reconciliations of sub-ledgers to the general ledger, the data entry
of transactions, and reporting in the financial report
 Control activities relevant to audit: those policies and procedures that help ensure that
management directives are carried out (ie control activities designed to prevent/detect
misstatements). Examples of control activities include those relating to authorisation,
performance reviews, information processing, physical controls and segregation of duties
m
co
 Monitoring of control activities: those activities the entity uses to monitor control activities
a.
ny
over financial reporting, as well as how it takes action to address any identified deficiencies.
ke
ea
Understanding internal control in this way enables the auditor to identify what relevant controls (if
om
.s
any) are in place to test, whether the absence of controls creates risk, how or when to combine
w
w
controls testing with substantive testing, how to test the operating effectiveness of controls and the
w
extent of reliance that can be placed on internal controls (thereby reducing the extent of substantive
testing).
Step 2: With understanding comes identifying and assessing risk
The auditor’s understanding of the entity’s financial reporting environment enables the auditor to
identify those risks that potentially affect the overall financial report or individual transactions,
account balances and disclosures within it (at the assertion level). Considerable professional
judgement and skill are required to not only identify such risks but also to relate how they
potentially impact the recognition, measurement, presentation and disclosure in the financial report
or the valuation, allocation, occurrence, completeness, accuracy, cut-off, classification, existence, or
rights and obligations at the assertion level. The nature of the risk will also determine how the
auditor designs the audit work program (for example, through a combination of controls testing and
substantive testing or substantive testing only).
The initial risk assessment is performed at the audit planning stage, with it being reassessed and
revised if new risks are identified during the audit. The auditor exercises professional judgement in

evaluating and classifying each risk according to its potential to create a material misstatement in the
financial report as a whole or at the account and assertion levels (for example, the accuracy, cut-off
and valuation of inventory).
Risk classification is either normal or greater than normal (significant risk). Normal risk is a risk that
has a possibility of occurring, whereas significant risk is risk that is likely to occur. Where no
significant risk(s) has been identified, a normal level of risk exists. The auditor may identify
circumstances that lead the auditor to believe the risk has a probability (likelihood) of occurring.
Any such circumstances are particular to each entity and may be identified through the auditor’s
prior experience with the entity, the knowledge that inexperienced entity staff are working in a
complex area or the auditor’s knowledge of known difficulties in obtaining or verifying particular
information required for the audit. Significant risks, by their very nature, require the auditor to
design specific/tailored audit procedures to address them – those included in a standard audit work
program are usually not appropriate.
The risk assessment determines the nature, timing and extent of audit procedures to respond to
identified risk appropriately – the general rule of thumb being the greater the level of risk, the more
persuasive the audit evidence required to reduce its potential to an acceptable level. It is therefore
critical to properly assess risks so that audit time and effort is spent efficiently and effectively in
testing significant risks.
Step 3: Responding to identified risk
m
co
Responding to risk requires the auditor “to obtain sufficient appropriate audit evidence regarding the
a.
assessed risks of material misstatement, through designing and implementing appropriate responses
ny
ke
to those risks” (ASA 330, paragraph 3). The auditor needs to relate (and document) each identified
ea
risk directly to the assertion level and the overall financial report impact, with the response planned
om
.s
to gain sufficient appropriate audit evidence on which to base the auditor’s opinion.
w
w
w
The experienced auditor designs responses to assessed risks based on the following:
 The overall effect the identified risk may have on the financial report (for example,
overstatement or understatement of certain material account balances)
 The effect that the identified risk has at the assertion level for each class of transactions,
account balance or disclosure
 The expected test results in terms of whether they will meet the test objectives.
The design of the audit program to address identified risks involves:
 Setting the test objectives (what assertions are to be tested and why)
 Identifying whether the use of experts/ specialists is required
 Identifying when to address the risk (interim and/or year-end)
 Determining, where applicable, whether previous audit evidence can be used (including how
it can be updated for the current audit)
 Identifying whether there are relevant controls to test

 Specifying the type of testing for areas with normal risk and those with significant risk – i.e
whether substantive testing alone or a combination of substantive and controls testing is
required
 Determining the extent of reliance on the test results
 Specifying additional audit procedures to be followed if the testing identifies issues/problems.
In designing audit work program steps to respond to normal risk, it is important to remember that
controls testing need only be performed when the auditor’s substantive work depends on, or
assumes, the operating effectiveness of that control or the auditor believes that substantive testing
alone doesn’t provide sufficient appropriate audit evidence (for example, with transactions that are
highly automated, with little or no manual intervention). The auditor’s substantive testing involves
the test of details and/or substantive analytical procedures.
In areas of significant risks, the auditor must include substantive procedures to specifically respond
to those risks. These can include both test of details and substantive analytical procedures. Finally, a
reminder that irrespective of the risk assessment, all material classes of transactions, account
balances and disclosures require a level of substantive testing to be performed.
Step 4: Concluding on areas of risk
Once audit procedures have been performed to address assessed risks, the auditor needs to evaluate
the evidence obtained to determine whether the initial risk assessment at the assertion level remains
appropriate and whether there is reasonable assurance that a material misstatement does not exist.
m
co
Evidence must be persuasive for each material financial report assertion, otherwise further audit
a.
procedures must be performed to obtain such evidence. If such evidence is unable to be obtained, a
ny
ke
qualified or disclaimer of opinion in the auditor’s report is required. When sufficient appropriate
ea
evidence has been obtained, the auditor is able to conclude on the overall risk of material
om
.s
misstatement to the financial report as a whole.
w
w
w
Getting risk right = Efficiency and effectiveness
A properly timed and performed risk assessment and response process by the experienced auditor
provides the foundation for the entire audit – it focuses the auditor’s attention on identifying,
assessing and responding to those risks that have the potential to materially affect the financial
report. The risk-based audit approach provides the auditor with an approach to conduct the audit as
efficiently and effectively as possible, benefiting both the audit team and the entity.
TYPES OF AUDIT RISK
Audit risk is composed of:

a) Inherent risk
b) Control risk
c) Detection risk
d) Inherent risk

a) Inherent risk
This is the risk that the account balances are transactions could be materially misstated assuming
that there were no internal control system. Inherent risk could increase a result of an adverse attitude
of managers on the internal control system i.e. if they view internal control system as unimportant.
b) Control risk
This is the risk that a material misstatement could occur in an account balance or clan of transactions
which will not be prevented or detected in a timely manner by the entity’s accounting and internal
control system.
c) Detection risk
This is the risk that the auditor’s tests of balances and transactions will not detect a material
misstatement that exists in an accounts balance or class of transactions. This implies that detection
risk is the only component of audit risk under the auditor’s control.
Risk based audit
This audit uses a model called audit risk model. If inherent risk and control risk are assessed to be
m
co
high, then to remain within an overall acceptable audit risk, the level of acceptable detection risk
a.
ny
must be low meaning that the level of tests of balances and transactions must be relatively high. If
ke
ea
inherent and control risks are assessed to be low, then the level of acceptable detection risk may be
om
higher leading to relatively lower level of tests of balances and transactions. Therefore the
.s
w
w
assessment of inherent and control risk is an essential part in deciding the overall approach to an
w
audit.
For the audit model, audit risk equals inherent risk multiplied by the control risk and detection risk.
Advantages of audit risk model
 Helps eliminate over or under auditing because the nature, extent and timing of audit
 procedures performed is determined by the risk assessment carried out.
 The results appear more rational and defensible than if the model was not used. i.e. incase the
auditor is called upon to support his decisions in a court of law, he can justify the level of
reliance on the internal control system and the amount of substantive tests carried out
 Helps allow work to be delegated to junior members of audit staff who will be able to carry
on without having to rely too much on their own judgment.
 •The increased use of computer in business has made the calculations of audit risk easier
leading to more efficient and effective audit.
Disadvantages
 The model gives an impression of accuracy which is unrealistic as in practice its difficult to
put a quantitative value on inherent risk.
 For the model to be useful, the number of items being tested need to be sufficiently large to
allow for valid statistical conclusions to be made. This rule out the use of the model in many
small audits.
 The model has a danger of adapting an overly mechanistic approach and that the auditor may
lose his „feel‟ for the audit assignment.
 It requires proper knowledge of the burden to be able to assess the audit risk.
 A wrong assessment of inherent and control risk will lead to over or under auditing
m
co
a.
ny
ke
ea
om
.s
w
w
w

TOPIC 7
COMPUTERISED AUDITING
BENEFITS AND DRWABACKS OF COMPUTERIZED ACCOUNTING SYSTEMS:
BENEFITS
1. Speed — data entry onto the computer with its formatted screens and built-in databases of
customers and supplier details and stock records can be carried out far more quickly than any
manual processing.
2. Automatic document production — fast and accurate invoices, credit notes, purchase
orders, printing ,statements and payroll documents are all done automatically.
3. Accuracy — there is less room for errors as only one accounting entry is needed for each
transaction rather than two (or three) for a manual system.
4. Up-to-date information — the accounting records are automatically updated and so account
balances (e.g. customer accounts) will always be up-to-date.
5. Availability of information — the data is instantly available and can be made available to
m
different users in different locations at the same time.
co
a.
6. Management information — reports can be produced which will help management monitor
ny
ke
and control the business, for example the aged debtors analysis will show which customer
ea
om
accounts are overdue, trial balance, trading and profit and loss account and balance sheet.
.s
w
7. GSTNAT return — the automatic creation of figures for the regular GST/VAT returns.
w
w
8. Legibility — the onscreen and printed data should always be legible and so will avoid errors
caused by pOlo figures.
9. Efficiency — better use is made of resources and time; cash flow should improve through
better debt collection and inventory control.
10. Staff motivation — the system will require staff to be trained to use new skills, which can
make them feel more motivated. Further to this with many 'off-the-shelf packages like
MYOB the training can be outsourced and thus making a particular staff member less critical
of business operations.
11. Cost savings — computerized accounting programs reduce staff time doing accounts and
reduce audit expenses as records are neat, up-to-date and accurate.
12. Reduce frustration — management can be on top of their accounts and thus reduce stress
levels associated with what is not known.
13. The ability to deal in multiple currencies easily — many computerized accounting
packages now allow a business to trade in multiple currencies with ease. Problems associated
with exchange rate changes are minimized.

DRAWBACKS
1. Power failure, computer viruses and hackers are the inherent problems of using computerized
systems;
2. Once data been input into the system, automatically the output are obtained hence the data
being input needs to be validated for accuracy and completeness, we should not forget
concept of GIGO (Garbage In(Input) Garbage out ( Output) and
3. Accounting system not properly set up to meet the requirement of the business due to badly
programmed or inappropriate software or hardware or personnel problems can caused more
havoc and
4. Danger of computer fraud if proper level of control and security whether internal and external
are not properly been instituted.
A computer system requires procedures to;
 Convert data to machine readable form.
m
co
 Input data into the computer.
a.
ny
 Process data.
ke
 Store data in machine readable form.
ea
om
 Convert data into desired output form.
.s
w
w
w
For these procedures to be undertaken, a mixture of hardware and software is needed. The hardware
will consist of;
i. Input devices. These include keyboards, optical readers, and bar code scanners.
ii. Processing devices. These are the computers themselves. i.e. CPU
iii. Storages devices include hard disk, diskettes and magnetic tapes.
iv. Output devices. These include the visual display unit (VDU) and printers.
The computer software consists of programs and operating systems.
Programs are the instructions telling the computer how each type of transaction is to be processed.
These instructions include routines of checking and controlling data, matching data with master files
and performing mathematical operations on data. E.g. for sales transactions, matching routines will
enable the computer to identify the right sales price from the sales master file and the right customer
from debtors master file. Mathematical routines will include calculating the total debtor’s amount
and updating customer’s balance in the debtors‟ master file.

Operating system relates to a series of related programs to provide instructions as to what filesare
required to be on-line, what output devices are required to be ready and what additional file need to
be created for further processing. E.g. with a batch of sales transactions, the sales price file and
debtor’s file need to be on-line. The printer must be loaded with blank invoice forms and the totals
must be retained for posting to the sales and debtors control accounts in the general ledger master
file.
An operating system will provide details of further processing runs within the system. So, for
example, in sales these will include updating the general ledger, processing cash receipts and credit
notes to the debtor’s file, printing out monthly statements and printing out analysis of due accounts
for credit control purposes.
In a batch processing system, the operating system may consist of a set of instructions provided to
the operator but increasingly the operating system is part of the computer software such that with
real time system, the computer identifies source of an incoming signal and automatically processes
that transaction using the appropriate programs and the right file.
Computer files.
These are equivalent of books and records in a manual system and are described as either transaction
m
co
files or master files.
a.
ny
ke
a) Transaction files.
ea
om
These are equivalent of journal such as sales journal, the purchases journal or the cash book. They
.s
w
w
contain details of individual transactions, but unlike books, a transaction file is not a cumulative
w
record. A separate file is set up for each batch. Thus in real time systems, a transaction file is not
necessary, but good systems will always create a transaction file for control purposes to provide a
security back up, incase of errors or computer malfunctions during processing data to master file.
b) Master files.
These contain what is referred as standing data. They may be the equivalent of ledgers but may also
contain semi permanent data needed to process transactions. E.g. a debtor‟s master file the
equivalent of debtor’s ledger but will also include data that in a manual system may be kept
separately such as invoicing address, discount terms and credit limits, even non accounting data as
cumulative sales to specific customers.
When master files are updated by processing them against a transaction file, the entire contents of
the file are usually re-written in a separate location so that after processing, the two files can be
compared and the difference agreed to the total of the transaction file. Any errors in updating the
master file will thus be detected and the process repeated. In practice, the old copy of the master file

and transaction file will be retained until the master file is updated again. This is the grandfather-
father-son approach. If the current master file is corrupted or lost due to machine or operator error,
previous versions provide back up from which the master file can be re-created. Master files holding
semi permanent data would in the case of debtor‟s system include current sales price list and in the
case of personnel department, a personnel file giving details of wage rates, authorized deductions
and cumulative record of amounts paid to date for purpose of providing tax certificates.
A special class of transactions includes those of amending standing data held in master files such as
sales price or wage rate. These transactions require special consideration because an error in such
data held in a master file will cause errors in all transactions processed against the master file. E.g.
an item priced erroneously in sales price list will mean all sales will be charged to customers at the
wrong price.
Real time and on-line systems
Traditional batch processing has the advantage that the data can be subjected to checks for validity,
accuracy and completeness before it is processed. But for organizations that need information on
strict time scale, this type of processing is unacceptable. This has led to the development of on-line
and real time systems and the number is growing particularly in airline offices, banks and other
financial institutions. The auditor‟s duties do not change but his audit techniques must change.
m
The key features of these systems are that they are based on the use of a remote terminal which is
co
a.
just a VDU and a keyboard. These terminals will be scattered within the user department and have
ny
ke
access to the central computer store. The problem for the auditor arises from the fact that master files
ea
held in the central computer store may be read and updated by the remote terminals without an
om
.s
adequate audit trail. Necessary precautions have to be made therefore to ensure that these terminals
w
w
are used in a controlled way by authorized personnel only. The security techniques include;
w
• Hardware constraints e.g. necessitating the use of a key of magnetic strip badge or card to
engage a terminal or placing the terminal in allocation to which access is carefully restricted
and which is constantly monitored by closed circuit television surveillance systems.
• The allocation of identification numbers to authorized terminal operators. With or without the
use of passwords, these are checked by the main frame computer against stored records of
authorized numbers or passwords.
• Using operator characteristics such as voice, fingerprints and hand geometry (finger length
ratios) as a means of identification by the mainframe computer.
• Restricting the access to particular programs or master files in the mainframe computer to
designated terminals.
• In top security systems, the authority to allocate authorities such as determination of
passwords and nominating selected terminals should be restricted to senior personnel other
than intended users.

• A special file maybe maintained in the central processor which records every occasion on
which access is made by particular terminals and operators to the central programs and
files. This log will be printed out on regular basis or on request by personnel with appropriate
authority.
What differentiate on-line system from real time system is that the on-line system has a buffer store
where input data is held by the central processor before accessing the master files. This enables input
from the remote terminals to be checked by a special scanning program before processing
commences.
With real systems however, action at the terminal causes an immediate response in the central
processor where the terminal is on-line. Security against unauthorized access and input is even more
important in real time systems because the effect of the input is that it instantaneously updates the
file held in the central processor and any edit checks on the input are likely to be under the control of
the terminal operators themselves. In view of these control problems, most real time systems
incorporate additional controls over the scrutiny of the master file.
In planning the audit, the auditor should consider how the presence of computerized information
systems may affect client’s accounting and internal control system and the conduct of the audit.
This is because computerized information systems have unique features compared to manual
m
systems and require inbuilt adequate controls to ensure that the accounting system can be relied
co
a.
upon for complete and accurate accounting records. These features include;
ny
ke
ea
• Consistency unlike manual systems. Computerized information systems will process
om
transactions consistently. This implies that if the system is properly programmed, the all
.s
w
transactions will be processed consistently and accurately. On the other hand, if there are any
w
w
programming errors, the transactions will be consistently processed inaccurately.
• Concentration of functions and controls. In a computerized information system, few people
are involved in processing of financial information. This may compromise segregation of
duties such that persons involved in writing of programs may also be involved in processing
transactions. This increases risk of manipulation of operating programs and data. Programs ad
data are held together increasing the potential for unauthorized access and alteration.
• Computerized information systems are designed to limit paperwork.. This result in less
visible evidence to support transactions processed which ultimately leads to loss of the audit
trail.
• Ease of access of data and computer programs. Where there are no proper controls over
access to computers at remote terminals, there is increased danger of unauthorized access and
alteration of data and programs.
• Use of programmed controls. In a computerized environment, controls are programmed
together with data processing instructions e.g. protection of data against unauthorized access
may be by way of using passwords and user profiles that grant different levels of access to the

system. Use of programmed controls implies that the auditor must adopt an audit approach to
test effectiveness of those controls.
• System generated transactions. Many systems are capable of generating transactions
automatically without manual intervention e.g. calculation of interest from customer’s
accounts may be done and charged to income automatically. If the system set up is interfered
with, this could affect the accuracy and integrity of transactions generated.
• Data and programs are stored in portable magnetic disks and tapes which are
vulnerable to theft and intentional or accidental alteration.
COMPUTER AIDED AUDIT TECHNIQUES (CAATS)
Computer-aided audit techniques (CAATs) or computer-assisted audit tools and techniques

(CANITs) is a growing field within the audit profession. CAATs are the practice of using computers
to automate the audit process. CAATs normally includes using basic office productivity software
such as spreadsheet, word processors and text editing programs and more advanced software
packages involving use statistical analysis and business intelligence tools.
Applications of auditing procedures using the computer as an audit tool (also known as CAATs).
m
In the most general terms, CAATTs can refer to any computer program utilized to improve the audit
co
a.
process. Generally, however, it is used to refer to any data extraction and analysis software. This
ny
ke
would include programs such as spreadsheets (e.g. Excel), databases (e.g. Access), statistical
ea
analysis (e.g. SAS), business intelligence (e.g. Crystal Reports and Business Objects), etc.
om
.s
w
w
There are, however, companies that have developed dedicated specialized data analytic software
w
specifically for auditors.
Computer-assisted audit techniques (CAATs) are the applications of auditing procedures using the
Computer as an audit tool.
CAAT are the use of computers for audit work. The two most commonly used CAATs are audit
software and test data.
The Overall objectives and scope of an audit do not change when an audit is conducted in a
computerised environment. However, the application of auditing procedures may require auditors to
consider techniques that use the computer as an audit tool. These uses of the computer for audit
work are known as computer-assisted audit techniques (CAATs).
Circumstances when the use of CAATS when performing audit procedures would be necessary
a. When the company has recently installed a new computer system

b. when software has been changed in the past year
c. When standard software allows the company to change the programs or add procedures
d. When there is a significant loss of audit trail in the computer system
e. When the auditor has identified weaknesses in the company accounting software.
CAATs may be used in performing various auditing procedures, including the following.
- Tests of details of transactions and balances

- Analytical review procedures
- Tests of computer information system controls
The advantages of using CAATs are:
- Auditors can test programme controls as well as general internal controls associated with
computers.
- Auditors can test a greater number of items more quickly and accurately than would be the
case otherwise.
- Auditors can test transactions rather than paper records of transactions that could be incorrect.
- CAATs are cost-effective in the long-term if the client does not change its systems.
- Results from CAATs can be compared with results from traditional testing - if the results
correlate, overall confidence is increased.
m
co
The major steps to be undertaken by the auditors in the application of a CAAT are as follows.
a.
ny
ke
- Set the objective of the CAAT application
ea
om
- Determine the content and accessibility of the entity's files
.s
w
- Define the transaction types to be tested
w
w
- Define the procedures to be performed on the data
- Define the output requirements
- Identify the audit and computer personnel who may participate in the design and application
of the CAAT
- Refine the estimates of costs and benefits
- Ensure that the use of the CAAT is properly controlled and documented
- Arrange the administrative activities, including the necessary skills and computer facilities!
- Execute the CAAT application
- Evaluate the results
There are two particularly common types of CAAT, audit software and test data.
a) Auditing round the computer.

b) Auditing through the computer.

A. AUDITING ROUND THE COMPUTER.
This means examining evidence for all items in the financial statements without getting immersed in
the details of the computerized information system. The benefits of this approach are that it saves
time and its justification is that computers are 100% accurate in processing transactions and
therefore material processing errors simply do not occur.
The draw back of this approach is that once an application is programmed to process an item
incorrectly, then it processes exactly as programmed indefinitely. However, major frauds and error
or system failures should be picked up in the assets and liabilities verification e.g. if processing of
sales is incorrect, verification of debtors can uncover the error. Also an analysis of gross profit
margins will help discover any errors in sales. This approach is suitable for small businesses but
largely unsuitable for large scale entities.
When it is possible to relate on a one to one basis, the original input to the final output or to put it
another way, where the audit trail is always preserved than the presence of the computer has
minimal effect on the auditor's work, and in that case it is possible to ignore what goes on in the
computer and concentrate audit tests on the completeness, accuracy, validity on the input and the
output, without paying any due concern to how that output has been processed. Where there is super
abundance of documentation and the output is as detailed and complete as in any manual system and
where the tr41.1 from beginning to end is complete so that all documents can be identified and
m
co
vouched and totally cross referenced, then the execution of normal audit tests on records which are
a.
ny
computer produced but which are nevertheless as complete as above then this type of auditing is
ke
called auditing around the machine. In this case, the machine is viewed as simply an instrument
ea
om
through which conventional records are produced. This approach is much criticised because:
.s
w
w
i. It indicates a lack of knowledge on the part of the auditor;
w
ii. It is extremely risky to audit and give an opinion on records that have been produced
by a system that the auditor does not understand fully, and;
iii. A computer has immense advantages for the auditor and it is inefficient to carry out an
audit in this manner.
However, problems arise when it is discovered that management can use the computer more
efficiently in running the business. This is usually done by the production of exception reports rather
than the full records. For example, the management is interested in a list of delinquent debtors,
therefore producing the whole list of debtors means the list has to be analyzed again to identify
delinquent debtors and act upon them. This is inefficient and time consuming as the printer is the
slowest piece of equipment in any computerised system. From the auditor's view, exception reports
which provide him with the very material he requires for his verification work raises a serious
problem because he cannot simple assume that the programs which produce the exception reports
are:
i. Doing so accurately;
ii. Printing all the exception which exists;
iii. Are authorised programs as opposed to dummy programs specially created for a fraudulent
purpose or out of date programs accidentally taken from the library and;
iv. That they contain programs control parameters which do in fact meet the company's
genuine internal control requirements.
So although it may be reasonable for management to have faith in their systems and programs, such
faith on the part of the auditor would be completely misplaced and may reflect very adversely on his
duty of care. This is the first situation on the loss of audit trail.
The other situation where loss of audit trail is noted where the computer generates, totals, analyses
and balances without printing out details. It therefore becomes necessary for the auditor to find a
way to audit through the computer rather than around it. But before we go on to that, the loss of
audit train can be overcome as follows:
a) We can have special print outs for auditors, remember the need to be consulted at the design
stage.
b) Inclusive audit facility: This means putting in the programs special audit instructions that
enable the computer to carry out some audit tests and produce print outs specially for the
auditor.
c) Clerical recreation: Given unlimited time and man power, maintain the possibility to recreate
m
co
manually the audit trail. This would obviously be a very tedious exercise.
a.
ny
d) Total testing and comparison: It is possible to compare results with other data, budgets,
ke
previous periods and industry averages.
ea
om
e) Alternative tests: We can perform stock takes, debtors' circularisation and examination of the
.s
w
condition of fixed assets.
w
w
f) We can use test packs to verify program performance.
B. AUDITING THROUGH THE COMPUTER.
There are two basic techniques available to the auditor for auditing through the computer. These are
use of test data and use of computer audit programs which are also called CAATs (computer assisted
audit techniques).
i) Test data
These are designed to test the performance of client‟s programs. What it involves is for the auditor
either using dummy data or live data for processing to manually work out the expected result using
the logic of the program. This is then run on the computer using the program and the results are
compared. A satisfactory outcome gives the auditor a degree of assurance that if that program is

used continuously throughout the year, then it will perform as required. This technique of test data
falls under compliance testing.
a) Live data testing has the following disadvantages
i. If the data is included with normal, separate test data totals cannot be obtained. This can
sometimes be resolved by use of dummy branches or separate codes to report the programs
effects on the test data.
ii. Side effects can occur. It has been known for an auditor’s dummy product to be included in a
catalogue.
iii. Client’s files and totals are corrupted although this may be immaterial.
iv. If the auditor is testing procedures such as debt follow up, then the testing has to be over
fairly a long time. This can be difficult to organize.
b) Dead testing has the following disadvantages
i. Difficulties will be encountered in simulating the whole system or part of it.

ii. A more detailed knowledge of the system is required than with use of live files.
iii. There is often uncertainty as to whether operational programs are really being used for the
test.
m
co
iv. The time span problem is still difficult but more capable of resolution than live testing.
a.
ny
ke
Computer programs or audit software
ea
om
These consist of computer programs used by the auditor to read magnetic files and to extract
.s
w
w
specified information from the files. They are also used to carry out audit work on the contents of
w
the files. These programs are sometimes called enquiry or interrogation programs. They can be
written by an audit firm or they can be bought from software houses. They have the advantage that
they can be used to train unskilled staff.
Uses of computer audit programs
Selection of representations or randomly chosen transactions or items for audit tests, e.g. item
number 36 and every 140th item thereafter. Scrutiny of files and selection of exceptional items for
examination e.g. all wages payments over Kshs.120, or all stock lines worth more thanKshs.1,000 in
total. Comparison of two files and printing out differences e.g. payrolls at two selected dates.
Preparation of exception reports e.g. overdue debts. Stratification of data e.g. stock lines or debtors;
with a view to examination only of material items. Carrying out detail tests and calculations.
Verifying data such as stock or fixed assets at the interim stage and the comparing of the examined
file with the year-end file so that only changed items need be examined at the final audit (with a
small sample of the other unchanged items). Comparison of files at succeeding year ends e.g. to
identify changes in the composition of stock
Advantages
1. Examination of data is more rapid;

2. Examination of data is more accurate
3. The only practical method of examining large amounts of data;
4. Gives the auditor practical acquaintance with live files;
5. Provides new opportunities to the auditor;
6. Overcomes in some cases a loss of audit trail;
7. Relatively cheap to use once set up costs have been incurred
Disadvantages
1. Can be expensive to set up or acquire.

2. Some technical knowledge is required.
3. A variety of programming languages is used in business. Standard computer audit programs
may not be compatible.
4. Detailed knowledge of systems and programs is required. Some auditors would dispute the
need for this detailed knowledge to be gained.
5. Difficulty in obtaining computer time especially for testing.
m
co
There can be no doubt that standard computer audit program packages will be in general use in the
a.
ny
near future. Use of audit software raises the visibility of the auditor in the eyes of the company. It
ke
ea
makes the audit more credible. Deficiencies in the system are often discovered and can be reported
om
to Management. This also makes the audit more credible. Packages are not however usually
.s
w
available for small machines
w
Differences between Auditing around the computer and auditing through the computer w
Auditing around the Auditing through the computer

computer
How is it done? No attempts is made to Auditing the computer processing
evaluate the internal process systems or data produced by the
of the computer. systems to test the programmed
Consists of vouching or controls
tracing to and from source
documents and outputs.
Advantages  Simplicity:-does not  Sophisticated method and may be
require computer the only method if significant
proficient personel parts of the internal control are
 May be more cost embedded in the computer
effective system
What are the Requires sufficient audit trail This method must be used if any one
“ideal” of visible evidence of the following exists:
conditions for  The presence of large volumes of
each? input/out put means that direct
examination of the records is
difficult
 Lack of visible audit trail means
that significant parts of the
internal controls are embedded in
the computer system
 System is complex and includes
key parts of the accounting
systems
Approaches Bypasses the computer Two main approaches
(auditing without the 1. Test data
computer) 2. Parallel simulation
INTERNAL CONTROLS IN A COMPUTERIZED INFORMATION SYSTEM
To mitigate the risks occasioned by the features of a computerized information system, the
m
management should design internal controls over the system. These controls are mainly classified
co
into general controls and application controls.
a.
ny
ke
ea
om
.s
1. GENERAL CONTROLS.
w
w
w
These relate to the environment within which the computer based systems are developed,
maintained and operated aimed at providing reasonable assurance that the overall objectives of
internal controls are achieved e.g. completeness, accuracy and validity of financial information.
The objective of the general controls is to ensure the proper development and implementation of
applications and the integrity of program files and information. These controls could either be
manual or programmed and are classified into;
• System development controls

• Access controls.
• Computer operations and other controls.
A) System development controls.
These relate to controls that must be exercised by the client when developing new systems or
modifying existing systems. The controls that can be exercised during systems development can be
discussed in the following groupings.
Appropriate review testing and approval of new systems.
Development of computer applications
- standards over systems design, programming and documentation

- WI testing procedures using test data
- Approval by computer users and management
- Segregation of duties so that those responsible for design are not responsible for testing
Installation procedures so that data is not corrupted in transition
- Training of staff in new procedures and availability of adequate documentation
The organization should set up a steering committee composed of senior management and high level
representatives of system users who should the development and implementation of the new system.
Management should approve specifications of the new system after the steering committee has
assessed the user needs. Before the new system is commissioned for use, appropriate testing should
be carried out to ensure that both the hardware and the application programs are operating
effectively. The testing will provide assurance that the new system is reliable.
The information technology manager, user department and the appropriate management level should
give appropriate approval of new system before being placed under operation and after reviewing
completeness of system documentation and results of its testing.
m
co
a.
ny
ke
ea
Controls over program changes
om
.s
w
Testing and documentation of program changes
w
w
- Complete testing procedures
- Documentation standards
- Approval of changes by computer users and management
- Training of staff using programs
Program changes refer to modifications made to existing programs. Changes in the computer system
should be subject to strict controls e.g. a written request for an application program changes should
be met by user department and authorized by designated manager or committee. Once changes have
been made, appropriate testing should be carried out to ensure that the modified system is reliable.
The system documentation should then be amended to reflect the changes and appropriate approval
obtained for the modified system to start running.
User training should also be carried out as appropriate.

Prevention or detection of un-authorized changes to programs
- Full records of program changes
- Password protection of programs so that access is limited to computer operations staff.
Restricted access to central computer by locked doors, keypads
- Maintenance of programs logs
- Virus checks on software: use of anti-virus software and policy prohibiting use of non-
authorised programs or files
- Back-up copies of programs being taken and stored in other locations
- Control copies of programs being preserved and regularly compared with actual programs
- Stricter controls over certain programs (utility programs) by use of read-only memory
System documentation
This involves putting together information that supports and explains computer applications. The
documentation provides details of capability of the system and how it is operated.
System documentation is important in conducting user training and also enables the management to
effectively review the system by considering whether appropriate controls have been put in place
during system development.
m
co
a.
ny
ke
Parallel running
ea
om
Before switching to the new system, the whole system should be tested by running it alongside the
.s
w
w
old system for a specified period. This is important because it provides user with the opportunity to
w
familiarize themselves with the new system before it is fully implemented and ensures that the new
system is reliable and data is correctly carried forward from the old to the new system.
B. Access controls
The success of computerized information systems is largely dependent on the accuracy, validity and
credibility of the data processed by the system. Access controls to computer hardware, software and
data files is therefore vital.
Access controls provide assurance that only authorized individuals use the system and that the usage
is for authorized purposes only.
Access may be restricted to specified persons, files, functions or computer devices. This can be
achieved using both physical and programmed controls. Examples of access controls include;

 Physical restriction of access to computer facilities to specified persons only e.g. file servers
should be maintained in a secure location where access is granted to only specified persons.
 Controls over computers stored in the user department could be improved by making sure that
vital data on programs are not left running when the computer is left unattended.
 Passwords should be used by all staff when accessing computer facilities.
 Passwords should be changed regularly and access to password data held in a
computer system should be subject to stringent controls. This will ensure that some users do
not gain access to other people‟s passwords.
 In granting user rights within the system, there should be appropriate segregation of duties to
ensure that rights granted are not excessive. E.g. a user should not have right to post data and
also make amendments on the same data.
 When designing the user rights, sensitive data and programs should only be accessible to few
individuals. In other cases, some files should be designed as „read only‟ to avoid
unauthorized amendments.
 Programs and data that do not need to be online should be stored in secure locations.
 A system’s access log to record all attempts to log in the system should be maintained
This would record name of user, data accessed or entered, time of log in and mode of access.
 When transmitting data over communication lines, it should be encrypted to make it difficult
m
for persons with access to communication lines from being able to modify the contents.
co
a.
ny
 There should be automatic log off i.e. the disconnection of active data terminal to prevent
ke
viewing of sensitive data on unattended terminals.
ea
om
.s
Controls to ensure continuity of operation
w
w
w
- Storing extra copies of programs and data files off-site
- Protection of equipment against fire and other hazards
- Back-up power sources
- Disaster recovery procedures e.g. availability of back-up computer facilities.
- maintenance agreements and insurance
- The auditors will wish to test some or all of the above general IT controls, having considered
how they affect the computer applications significant to the audit.
C. Computer operations and other controls
The organization should have a reconstruction or disaster recovery plan that will allow it to
regenerate impor6ant programs and data files incase of disasters or accidental destructions.
The recovery plan should create back up or duplicate copies of important data files and programs
which should be stored off site.

The recovery plan should also be tested on regular basis to ensure that it indeed works. Other issues
that should be addressed include:
 Undertaking protection measures against natural disasters such as setting up computer rooms
in areas protected from floods and fitted with smoke or fire detectors.
 There should be standby equipment to revert to incase of computer breakdown.
 There should be adequate virus detection. Procedures for dealing with virus infection are.
- Establishing a formal security policy which requires only clean and certified copies of
software are installed and checking data introduced from external sources for viruses.
- The company can also install antivirus software.
- Clean back up should be maintained and there should be adequate segregation of duties
such that people with powers and knowledge in making amendments to the application
programs should not have the responsibility for initiation and processing transactions and
even making amendments to existing data.
Controls to prevent wrong programs or files being used
- Operation controls over programs

- Libraries of programs
- Proper job scheduling
m
co
a.
ny
2. APPLICATION CONTROLS
ke
ea
om
The objective of application controls which may be manual or programmed is to ensure
.s
w
completeness and accuracy of accounting records and the validity of transactions processed.
w
w
Application controls are therefore important in providing assurance that all transaction are recorded
on timely basis and that only valid transactions are captured by the system. Application controls are
divided into;
1. Input controls.
2. Processing controls.
3. Output controls
4. Controls over master files and standby data
However, some of the controls management implement would cut across the four categories
mentioned above. E.g. some edit checks could provide comfort over the completeness and accuracy
of the input data by the way the data is processed and output information obtained and also provide
protection over standby data.

Input controls
Most errors in data processed by computerized information systems can be traced to errors made
when the data was being input into the system. Controls over input fulfill the following objectives.
- Completeness of input. This ensures that all transactions that took place have been
processed.
- Accuracy. This ensures that the recorded transactions have been captured accurately.
- Validity. This ensures that only valid or genuine transactions appropriately authorized have
been recorded. It also ensures credibility and reliability of recorded transactions.
To achieve the above objectives the most common types of input controls that management can
implement are called edit controls and examples include:
- Field checks. These controls check that all data fields required to process the transactions
have been filled with correct information. The controls also ensure accuracy of processed data
and its completeness because transactions cannot be properly processed if necessary data is
missing.
- Valid character checks. These check that data fields are filled with data of the correct type.
E.g. that amounts column is filled with numerical variables. This also ensures correctness of
input data.
m
- Reasonableness or limit checks. These verify that data falls within predetermined
co
a.
reasonable limits. E.g. if the authorized discount is 10%, the system would seek to verify that
ny
ke
no customer is awarded discounts beyond this limit without approved authorization. These
ea
controls ensure accuracy and validity of the input data.
om
.s
- Master file checks. These verify that the codes used in processing transactions match with
w
w
those from master files. E.g. that customer identification code keyed in matches with what is
w
on sales master file. These controls ensure that data is processed against correct master file.
- Document count. This agrees number of input records if what is expected as per batch
control. This control ensures that all transactions are processed.
- Sign checks. These ensure that data has been keyed in with correct arithmetic sign. E.g. a
positive sign for debit entry and a negative sign for credit entry. The objective is to check
validity and accuracy of the processed data.
- Zero balance checks. These verify that for every transaction process, debit entries equal
credit entries and any mismatches found are reported through an exception report. This
control ensures accuracy of input data.
OTHER INPUT CONTROLS INCLUDE;
Generation of exception reports to capture transactions that have been rejected for failing various
control checks.

Measures to ensure that the reasons behind rejected transactions are investigated and corrective
action taken
There may be need for manual controls to for instance, a check to reveal that all purchase orders
have been appropriately authorized before a transaction is submitted for processing.
Processing controls
These controls seek to ensure that transactions are processed by the right programs and against the
correct master files. They also seek to ensure that data is not lost, duplicated or altered during
processing and that errors are identified ad corrected.
Some of the controls in input could help in meeting the above objectives of processing controls. In
addition to those, processing controls include;
Physical file identification procedures. This is in form of labels which are physically attached to files
or diskettes to ensure right files are used during processing of transactions.
Sequence tests over pre-numbered documents. This ensures that all transactions are being processed.
Comparing the contents in files before and after processing a transaction to ensure that the expected
m
processing results have been achieved.
co
a.
ny
Zero balance checks that add up debits and credits of the transactions posted to ensure that the result
ke
ea
is zero as an indication that double entry has been completed.
om
.s
w
An audit trail should be created through use of input and output control logs and maintenance of
w
w
transaction listing. This trail will facilitate an attempt to trace a transaction as a way of verifying that
it has been correctly processed.
Output controls.
These are necessary to ensure that:
 Expected reports are received from input data processed.

 Results of processing are accurate.
 Output is distributed to appropriate users promptly.
Controls over output include;
 Matching and agreeing output information to the input data e.g. for input data related to
journal processed to create an additional provision for bad and doubtful debts, one may want
to compare or match the balance appearing in the ledger after the transaction is processed as a
way of verifying that output matches the input.

 Noting distribution of all output information to verify that this information is accessible to
and is distributed to the list of authorized users only.
 Error listing or exception reports should be generated on a daily basis and reviewed by an
independent person to ensure that the transactions summarized in these reports are
investigated and where appropriate resubmitted for processing.
Controls over master files and standby data
Standing data refers to the data that is required during processing of the transactions but which does
not vary or change with every transaction. E.g. customer details such as name and address do not
change with every transaction although they are required in processing every transaction with the
customer.
Controls over master files and standing data are aimed at ensuring completeness, accuracy and
credibility of the information maintained. These controls include;
 Restrictive access to standing data and ensuring that only few individuals have the user rights
within the system to make adjustments to the standing data.
 Before any changes are made to the standing data, appropriate authorization should be
obtained. E.g. before any changes are made on selling prices in the master file, appropriate
authorization should be obtained from the responsible officials.
m
 Once amendments have been made on standing data, a print out should be obtained from the
co
a.
system such that an independent person can verify that the correct amendments have been
ny
ke
made.
ea
om
 Where necessary, the organization should print out all the standing data and an independent
.s
w
check be carried out to verify that this data is accurate and complete.
w
w
 An exception report should be generated on a regular basis providing details of any
unauthorized amendments made on standing data.
Testing the internal controls in a computerized environment
The auditor tests the internal controls when he wishes to place reliance on the controls to determine
whether the accounting records are reliable.
A computerized information system may differ from a manual system by having both manual and
programmed controls. The manual controls are tested in exactly the same way as in a manual
system. The programmed controlled in the following ways:
 By examination of exception reports and rejection reports. But there is no assurance that the
items on the exception reports were the only exceptions or that they actually met the

parameters set by the management. The auditor must seek for ways to test the performance of
the programs by auditing.
 Use of CAATs (computer assisted audit techniques). Test data is mainly applied in testing
computerized information systems.
Substantive tests in computerized environment
Substantive testing of computer records is possible and necessary. The extent depends on the degree
of reliance the auditor has placed on the internal controls. Substantive testing includes two basic
approaches both of which would be used.
Manual testing techniques
 Review of exception reports. The auditor attempts to confirm these with other data. e.g.
comparison of an outstanding dispatch note listing with the actual dispatch notes.
 Totaling. Relevant totals for example for debtors and creditors can be manually verified.
 Re-performance. The auditor may re-perform a sample of computer generated calculations.
E.g. for depreciation and interest expense.
 Reconciliations. These will include reconciliations for computer listings with creditor’s
statements, bank statements, actual stock and personnel records.
 Comparison with other evidence such as results of debtor’s circularization, attendance at
m
stock take and physical inspection of fixed asset.
co
a.
ny
Computer audit programs sometimes generalized audit software. These programs are also called
ke
ea
inquiry or interrogation programs. Computer audit programs are computer programs used by the
om
.s
auditor to;
w
w
w
 Read magnetic files and to extract specified information from the files.
 To carry out audit work on the contents of the files.
Uses of computer audit programs.
 In the selection of representative or randomly chosen transactions or items for audit tests.
 The scrutiny of files and selection of exceptional items for testing. E.g. On wages payments
over Shs.1000 or all stock items worth more than Shs.100,000 in total.
 Comparison of two files and printing out the difference. E.g. payrolls at two selected dates.
 Preparing exception reports. E.g. overdue debts.
 Stratification of data such as stock items or debtors with a view to examine only the material
items.
 Carrying out detailed tests and calculations.
 Verifying data such as stock or fixed assets at the interim stage and then comparing the
examined file with the end file so that only changed items need to be examined at the final
audit.
The Control file
When auditing computerized information systems, it will be found that much reliance is placed
within the system upon standard forms and documentation in general, as well as upon strict
adherence to procedures laid down. This is no surprise, of course, since the ultimate constraining
factor in the system is the computers own capability and all users are competitors for its time. It is
therefore important that an audit control file be built as part of working papers and the auditor must
that he is on the distribution list for notifications of all new procedures, documents and system
changes in general.
The following should be included in the control file;
 Copies of all the forms which source documents might take and details of the checks that
have been carried out to ensure their accuracy.
 Details of physical controls over source documents as well as of the nature of any control
totals of numbers, quantities or values including the names of persons keeping these controls.
 Full description of how the source documents are to be converted into input media and the
checking of control procedures.
 A detailed account of the clerical, procedural and systems development controls contained in
the system. E.g. separation of programs from operators and separation of controls over assets
from records relating to the assets.
m
co
 The arrangements for retaining source documents and input media for suitable periods.
a.
ny
ke
ea
om
.s
This is of great importance as they may be required for reconstructing stored files in event of error or
w
w
mishap.
w
 A detailed flow diagram of what takes place during each routine processing run.
 Details of all tapes and discs in use including their layout, labeling, storage and retention
arrangements.
 Copies of all the forms which output documents might take and details of their sorting and
checking.
 The auditor’s comments on the effectiveness of the controls.
AUDIT SOFTWARE
Audit software consists of computer programs used by the auditors, as part of their auditing
procedures, to process data of audit significance from the entity's accounting system. It may consist
of generalised audit software or custom audit software, Audit software is used for substantive
procedures.

Generalised audit software allows auditors to perform tests on computer files and databases, such as
reading and extracting data from a client's systems for further testing; selecting data that meets
certain criteria, performing arithmetic calculations on data, facilitating audit sampling and producing
documents and reports.
Custom Audit software is written by auditors for specific tasks when generalised audit software
cannot be used
The following provides some examples of the use of audit software in the course of an audit.
Audit software: example of use
- Perform calculations and comparisons in analytical procedures

- Sampling programs to extract data for audit testing, e.g. select a sample of receivables for
confirmation
- scan a file to ensure that all documents in a series have been accounted for or to search for
large and unusual items
- Compare data elements in different files for agreement (e.g. prices on sales invoices to
authorized prices in master file)
- Reperform calculations e,g, totaling sales ledger
- Prepare documents and reports e.g. produce receivables' confirmation letters and monthly
m
statements
co
a.
ny
ke
ea
om
TEST DATA
.s
w
w
Test data techniques are used in conducting audit procedures by entering data (eg a sample of
w
transactions) into an entity's computer system, and comparing the results obtained with pre-
determined results. Test data is used for tests of controls.
Examples include:
a) Test data used to test specific controls in computer programs such as on-line password and
data access controls.
b) Test transactions selected from previously processed transactions or created by the auditors to
test specific processing characteristics of an entity's computer system. Such transactions are
generally processed separately from the entity's normal processing, Test data can for example
be Used to check the controls that prevent the processing of invalid data by entering data with
say a ;non-existent customer code or worth an unreasonable amount, or a transaction which
may if processed break customer credit limits.
c) Test transactions used in an integrated test facility. This is where a 'dummy' unit (e.g. a
department or employee) is established, and to which test transactions are posted during the
normal processing cycle.
A significant problem with test data is that any resulting corruption of data files has to be corrected.
This is difficult with modern real-time systems, which often have built-in (and highly desirable)
controls to ensure that data entered cannot be easily removed without leaving a mark.
Other problems with test data are that it only tests the operation of the system at a single point of
time, and auditors are only testing controls in the programs being run and controls which they know
about. The problems involved mean that test data is being used less as a CAAT.
m
co
a.
ny
ke
ea
om
.s
w
w
w

TOPIC 8
AUDIT REPORT
INTRODUCTION
An audit report is a written opinion of an auditor regarding an entity's financial statements. The
report is written in a standard format, as mandated by international standard reporting
An audit report may also be described as an an appraisal of A business’s complete financial status.
Completed by an independent accounting professional, this document covers a company’s assets and
liabilities, and presents the auditor’s educated assessment of the firm’s financial position and future.
Audit reports are required by law if a company is publicly traded or in an industry regulated by the
Securities and Exchange Commission. Companies seeking funding, as well as those looking to
improve internal controls, also find this information valuable. There are four types of audit report
Companies Act stipulates the statements that should be expressly stated in the auditor’s report.
These are;
1. Whether they have obtained all the information and explanations which to the best of their
m
co
knowledge and belief were necessary for the purposes of their audit.
a.
ny
2. Whether in their opinion, proper books of account have been kept by the company, so far as
ke
ea
appears from their examination of those books, and proper returns adequate for the purposes
om
.s
of their audit have been received from branches not visited by them.
w
w
3.
w
- Whether the company's balance sheet and (unless it is framed as a consolidated profit and
loss account) profit and loss account dealt with by the report are in agreement with the
books of account and returns.
- Whether, in their opinion and to the best of their information and according to the
explanations given to them, the said accounts give the information required by this Act in
the manner so required and give a true and fair view—
(a) in the case of the balance sheet, of the state of the company's affairs as at the end of
its financial year; and
(b) in the case of the profit and loss account, of the profit or loss for its financial year;
or, as the case may be, give a true and fair view thereof subject to the non-disclosure
of any matters (to be indicated in the report) which by virtue of Part III of the Sixth
Schedule are not required to be disclosed.
4. In the case of a company which is a holding company and which submits group accounts
whether, in their opinion, the group accounts have been properly prepared in accordance with
the provisions of this Act so as to give a true and fair view of the state of affairs and profit or

loss of the company and its subsidiaries dealt with thereby, so far as concerns members of the
company, or, as the case may be, so as to give a true and fair view thereof subject to the non-
disclosure of any matters (to be indicated in the report) which by virtue of Part III of the Sixth
Schedule are not required to be disclosed.
When financial statements are finalised, they usually must contain an evaluation – an auditor's report
- from a licensed accountant or auditor. This report provides an overview of the evaluation of the
validity and reliability of a company or organization’s financial statements.
PURPOSE OF THE AUDITORS REPORT
The main purpose of an auditor's report is to document reasonable assurance that a company’s
financial statements are free from error.
An audit of a company’s financial statements should result in a report wherein the accountant or
auditor is free to share their opinion about the validity and reliability of a company’s financial
statements.
In this report, the auditor should provide an accurate picture of the company and their financial
statements. The auditor should also state whether they are externally or internally connected to the
m
company.
co
a.
ny
Within the report, the auditor can share any reservations about the condition of the company’s
ke
ea
finances or relevant additional information. Reservations could arise if the auditor disagrees with
om
something found in the financial statements, e.g. if the auditor disagrees with management about the
.s
w
valuation of an asset because they believe that this has a more significant impact on the financial
w
w
statements.
In the report there are rules concerning what an auditor's report should include and the order in
which various items should be reported.
Auditor's reports must adhere to accepted standards established by governing bodies. The governing
bodies help to assure external users that the auditor's opinion on the fairness of financial statements
is based on a commonly accepted framework.
ELEMENTS OF THE AUDITORS REPORT
Basic elements of auditor's report

The Companies Act does not stipulate the form the auditor's report should take. The auditing
standards seek to ensure that the auditor's report is clear and unambiguous. To this end, it seeks to
standardize the form of the auditor's report.

It does this by giving the basic elements of the auditor's report.
i) Appropriate report title

Auditing standards require that the report be titled and that the title includes the word `independent'
e.g. independent auditors report'. The requirement that the title includes the word independent is
intended to convey to users that the audit was unbiased in all aspects. The title should indicate that
the report is by an independent auditor to confirm all the relevant ethical
Standards have been met
ii) Address
The auditor's report shall be addressed as required by the circumstances of the engagement. The
report is usually addressed to the company, its stockholders or the board of directors. For practical
reasons, it limits the users of auditor's report.
iii) Introductory paragraph

The first paragraph has three purposes, fist, it makes a statement that the practice did an audit.
Secondly, it lists all the financial statements that were audited including the balance sheet dates and
accounting periods for the income statement and cash flow statement. The wording of the financial
statements in the report should be identical to those used by management on the financial
statements. -
m
co
a.
ny
Thirdly, the introductory paragraph states that the statements are the responsibility of management
ke
ea
and that the auditor's responsibility is to express an opinion on the statements based on the audit.
om
.s
w
w
The introductory paragraph in the auditor's report shall:
w
- Identify the entity whose financial statements have been audited;
- State that the financial statements have been audited;
- Identify the title of each statement that comprises the financial statements;
- Refer to the summary of significant accounting policies and other explanatory information;
and
- Specify the date or period covered by each financial statement comprising the financial
statements.
iv) Scope paragraph
This paragraph is a factual statement about what the auditor did in the audit. This paragraph states
how the audit was planned and performed in accordance with 1SAs and states that the audit is
designed to obtain reasonable assurance whether the financial statements are free of material
misstatements.

v) Opinion paragraph
This final paragraph states the auditors conclusions based on the results of the audit. This part of the
report is so important that often the audit report is simply called the auditor's opinion.
The opinion paragraph is stated as an opinion rather than a statement of absolute fact or a guarantee.
vi) Audit report date

The appropriate date for the report is the one on which the auditor has completed the most important
audit procedures in the field. This date is important to users of financial statements as it indicates the
last day of auditor's responsibility for review of significant events that have occurred after date of
financial statements.
vii) Name of audit firm

The firm's name is used because the entire firm has the legal responsibility to ensure that the quality
of audit meets professional standards.
viii) Management's Responsibility for the Financial Statements

- This section of the auditor's report describes the responsibilities of those in the organization
that are responsible for the preparation of the financial statements.
- The auditor's report need not refer specifically to "management," but shall use the term that
appropriate in the context of the legal framework in the particular jurisdiction. In some
m
co
jurisdictions, the appropriate reference may be to those charged with governance.
a.
ny
- The auditor's report shall include a section with the heading "Management's [or other
ke
ea
appropriate term] Responsibility for the Financial Statements."
om
- The auditor's report shall describe management's responsibility for the preparation of the
.s
w
w
financial statements. The description shall include an explanation that management is
w
responsible for the preparation of the financial statements in accordance with the applicable
financial reporting framework, and for such internal control as it determines is necessary to
enable the preparation of financial statements that are free from material misstatement,
whether due to fraud or error.
- Where the financial statements are prepared in accordance with a fair presentation
framework, the explanation of management's responsibility for the financial statements in the
auditor's report shall refer to "the preparation and fair presentation of these financial
statements" or "the preparation of financial statements that give a true and fair view," as
appropriate in the circumstances.
ix) Auditor's Responsibility

- The auditor's report shall include a section with the heading "Auditor's Responsibility."
- The auditor's report shall state that the responsibility of the auditor is to express an opinion on
the financial statements based on the audit.

- The auditor's report shall state that the audit was conducted in accordance with International
Standards on Auditing. The auditor's report shall also explain that those standards require that
the auditor comply with ethical requirements and that the auditor plan and perform the audit
to obtain reasonable assurance about whether the financial statements are free from material
misstatement.
- The auditor's report shall describe an audit by stating that:
a) An audit involves performing procedures to obtain audit evidence about the amounts and
disclosures in the financial statements;
b) The procedures selected depend on the auditor's judgment, including the assessment of
the risks of material misstatement of the financial statements, whether due to fraud or
error. In making those risk assessments, the auditor considers internal control relevant to
the entity's preparation of the financial statements in order to design audit procedures that
are appropriate in the circumstances, but not for the purpose of expressing an opinion on
the effectiveness of the entity's internal control.
- In circumstances when the auditor also has a responsibility to express an opinion on the
effectiveness of internal control in conjunction with the audit of the financial statements, the
auditor shall omit the phrase that the auditor's consideration of internal control is not for the,
purpose of expressing an opinion on the effectiveness of internal control; and
- An audit also includes evaluating the appropriateness of the accounting policies used and the
reasonableness of accounting estimates made by management, as well as the overall
m
co
presentation of the financial statements.
a.
ny
- Where the financial statements are prepared in accordance with a fair presentation
ke
ea
framework, the description of the audit in the auditor's report shall refer to "the entity's
om
preparation and fair presentation of the financial statements" or "the entity's preparation of
.s
w
w
financial statements that give a true and fair view," as appropriate in the circumstances.
w
- The auditor's report shall state whether the auditor believes that the audit evidence the auditor
has obtained is sufficient and appropriate to provide a basis for the auditor's opinion.
x) Auditor's Opinion
Wording of the auditor's opinion prescribed by law or regulation
ISA 210 explains that, in some cases, law or regulation of the relevant jurisdiction prescribes the
wording of the auditor's report (which in particular includes the auditor's opinion) in terms that are
significantly different from the requirements of ISAs. In these circumstances, ISA 210 requires the
auditor to evaluate:
(a) Whether users might misunderstand the assurance obtained from the audit of the financial
statements and, if so,
(b) Whether additional explanation in the auditor's report can mitigate possible
misunderstanding.
If the auditor concludes that additional explanation in the auditor's report cannot mitigate possible
misunderstanding, ISA 210 requires the auditor not to accept the audit engagement, unless required

by law regulation to do so. In accordance with ISA 210, an audit conducted in accordance with such
law or regulation does not comply with ISAs. Accordingly, the auditor does not include any
reference in the auditor's report to the audit having been conducted in accordance with International
Standards on Auditing.
"Present fairly, in all material respects" or "give a true and fair view"
- Whether the phrase "present fairly, in all material respects," or the phrase "give a true and fair
view" is used in any particular jurisdiction is determined by the law or regulation governing
the audit of financial statements in that jurisdiction, or by generally accepted practice in that
jurisdiction. Where law or regulation requires the use of different wording, this does not
affect the requirement for the auditor to evaluate the fair presentation of financial statements
prepared in accordance with a fair presentation framework.
Description of information that the financial statements present

In the case of financial statements prepared in accordance with a fair presentation framework, the
auditors opinion states that the financial statements present fairly, in all material respects, or give a
true and fair view of the information that the financial statements are designed to present, for
example, in the end of the period and the entity's financial performance and cash flows for the period
then ended.
m
co
Description of the applicable financial reporting framework and how it may affect the
a.
ny
auditor's opinion
ke
ea
- The identification of the applicable financial reporting framework in the auditor's opinion is
om
intended to advise users of the auditor's report, of the context in which the auditor's opinion is
.s
w
w
expressed. The applicable financial reporting framework is identified in such terms as: "... in
w
accordance with International Financial Reporting Standards" or "... in accordance with
accounting principles generally accepted in Jurisdiction X ...
- When the applicable financial reporting framework encompasses financial reporting
standards and legal or regulatory requirements, the framework is identified in such terms as
"... in accordance with International Financial Reporting Standards and the requirements of
Jurisdiction X Corporations Act." ISA 210 deals with circumstances where there are conflicts
between the financial reporting standards and the legislative or regulatory requirements.
- The financial statements may be prepared in accordance with two financial reporting
frameworks, which are therefore both applicable financial reporting frameworks.
Accordingly, each framework is considered separately when forming the auditor's opinion on
the financial statements, and the auditor's opinion refers to both frameworks as follows:
a) If the financial statements comply with each of the frameworks individually, two
opinions ate expressed: that is, that the financial statements are prepared in accordance
with one of the applicable financial reporting frameworks (for example, the national
framewOrk) and an opinion that the financial statements are prepared in accordance

with the other applicable financial reporting framework (for example, International
Financial Reporting Standards). These opinions may be expressed separately or in a
single sentence (for example, the financial statements are presented fairly, in all material
respects, in accordance with accounting principles generally accepted in Jurisdiction X
and with International Financial Reporting Standards).
b) If the financial statements comply with one of the frameworks but fail to comply with
the other framework, an unmodified opinion can be given that the financial statements
are prepared in accordance with the one framework (for example, the national
framework) but a modified opinion given with regard to the other framework (for
example; International Financial Reporting Standards) in accordance with ISA 705.
- The financial statements may represent compliance with the applicable financial reporting
framework and, in addition, disclose the extent of compliance with another financial reporting
framework.
- Such supplementary information is covered by the auditor's opinion as it cannot be clearly.
differentiated from the financial statements.
a) If the disclosure as to the compliance with the other framework is misleading, a
modified opinion is expressed in accordance with ISA 705.
b) If the disclosure is not misleading, but the auditor judges it to be of such importance that
it is fundamental to the users' understanding of the financial statements, an Emphasis of
Matter paragraph is added in accordance with ISA 706, drawing attention to the
m
co
disclosure.
a.
ny
ke
ea
Other Reporting Responsibilities
om
- In some jurisdictions, the auditor may have additional responsibilities to report on other
.s
w
w
matters that are supplementary to the auditor's responsibility under the ISAs to report on the
w
financial statements. For example, the auditor may be asked to report certain matters if they
come to the auditor's attention during the course of the audit of the financial statements.
Alternatively, the auditor may be asked to perform and report on additional specified
procedures, or to express an opinion on specific matters, such as the adequacy of accounting
books and records. Auditing standards in the specific jurisdiction often provide guidance on
the auditor's responsibilities with respect to specific additional reporting responsibilities in
that jurisdiction.
- In some cases, the relevant law or regulation may require or permit the auditor to report on
these other responsibilities within the auditor's report on the financial statements. In other
cases, the auditor may be required or permitted to report on them in a separate report.
- These other reporting responsibilities are addressed in a separate section of the auditor's
report in order to clearly distinguish them from the auditor's responsibility under the ISAs to
report on the financial statements.

Auditor's Report Prescribed by Law or Regulation
- If the auditor is required by law or regulation of a specific jurisdiction to use a specific layout
or wording of the auditor's report, the auditor's report shall refer to International Standards on
Auditing only if the auditor's report includes, at a minimum, each of the following elements
a) A title;
b) An addressee, as required by the circumstances of the engagement;
c) An introductory paragraph that identifies the financial statements audited;
d) A description of the responsibility of management (or other appropriate term, ) for the
preparation of the financial statements;
e) A description of the auditor's responsibility to express an opinion on the financial
statements and the scope of the audit, that includes:
• A reference to International Standards on Auditing and the law or regulation; and
• A description of an audit in accordance with those standards;
f) An opinion paragraph containing an expression of opinion on the financial statements and
a reference to the applicable financial reporting framework used to prepare the financial
statements (including identifying the jurisdiction of origin of the financial reporting
framework that is not International Financial Reporting Standards or International Public
Sector Accounting Standards
g) The auditor's signature;
h) The date of the auditor's report; and
m
co
i) The auditor's address.
a.
ny
ke
ea
Auditor's Report for Audits Conducted in Accordance with Both Auditing Standards of a
om
Specific Jurisdiction and International Standards on Auditing
.s
w
w
- An auditor may be required to conduct an audit in accordance with the auditing standards of a
w
specific jurisdiction (the "national auditing standards"), but may additionally have complied
with the ISAs in the conduct of the audit. If this is the case, the auditor's report may refer to
International Standards on Auditing in addition to the national auditing standards, but the
auditor shall do so only if:.
a) There is no conflict between the requirements in the national auditing standards and those
in ISAs that would lead the auditor (i) to form a different opinion, or (ii) not to include an
Emphasis of Matter paragraph that, in the particular circumstances, is required by ISAs;
and
b) The auditor's report includes, at a minimum, each of the elements set out in above when
the auditor uses the layout or wording specified by the national auditing standards.
Reference to law or regulation shall be read as reference to the national auditing
standards. The auditor's report shall thereby identify such national auditing standards.

- When the auditor's report refers to both the national auditing standards and International
Standards on Auditing, the auditor's report shall identify the jurisdiction of origin of the
national auditing standards.
TYPES OF REPORTS
The auditor's opinion is normally based on whether the financial statements give a true and fair view
(or are presented fairly, in all material respects) in accordance with the applicable financial reporting
framework and comply with statutory requirements.
The financial reporting framework is determined by IFRS's, with due regard to local legislation. To
advise the reader of the context in which the auditor's opinion is expressed, the auditor's opinion
indicates the framework upon which the financial statements are based. This designation helps the
user to better understand which financial reporting framework was used in preparing the financial
statements.
The following are the various types of audit opinions that the auditor can issue:
a) Unqualified opinion.
b) Disclaimer opinion
m
co
c) Qualified opinion
a.
d) Adverse opinion
ny
ke
ea
om
.s
Unqualified opinion
w
w
w
This is issued when the auditor is satisfied in all material aspects that enable him express the
required opinion on financial statements without any reservation. This is sometimes called a clean
opinion. It is expressed when the auditor concludes that the financial statements give a true and fair
view in accordance with the relevant financial reporting standards.
Emphasis on matter report
There are occasions when the auditor has no reservation as to the financial statements but where they
exists unusual events, conditions or accounting policies and he feels that unless the reader may not
reach a proper understanding of the financial position and results. In such circumstances, the auditor
should express an unqualified opinion including an extra paragraph called „emphasis of the matter
paragraph‟ to draw attention of the reader to the unusual matter.
The addition of such an emphasis of matter paragraph does not lead to a qualification of the audit
opinion but is intended to enable the reader obtain a better understanding. To avoid this being

understood as a qualification, the emphasis of the matter paragraph should contain the phrase
“without qualifying our opinion‟.
Practical circumstances requiring emphasis of matter paragraph are:
i. Unusual condition would include destruction of assets after balance sheet date but the
company remains a going concern.
ii. The company being insolvent on the face of its own balance sheet but the auditor has letters
of support which he is satisfied can be fulfilled by the other party thus he will accept
appropriateness of the going concern assumption. Unusual events could also include changes
in the legislation that could have a material impact on the entity’s business operations
subsequent to the balance sheet date. Unusual accounting policies that may lead to emphasis
of matter paragraph would involve those matters not covered by any accounting standard.
iii. Inherent uncertainties that may call for emphasis of matter paragraph would include
contingencies at the balance sheet date which have not been resolved at the date of signing
the auditor’s report.
iv. Negotiations for financing which have not been financed by date of signing of the auditor’s
report.
The format of the unqualified audit report
m
co
a.
ny
Here is the illustrative unqualified report from ISA 700
ke
ea
om
.s
Auditor’s Report
w
w
w
(APPROPRIATE ADDRESSEE)

Qualifications of audit reports
When the auditor has reservation on any matter that is considered material to the financial
statements, he may introduce qualifying remarks in the audit report. The auditor’s reservation could
arise out of the following;
 Limitation on the scope of his work.
 Disagreement with management.
 Significant uncertainty affecting financial statements, the resolution of which is dependent
upon future events.
We have audited the accompanying balance sheet of the ABC Company as of December 31,
20x1, and the related statements of income, and cash flows for the year then ended. These
financial statements are the responsibility of the Company’s management. Our responsibility is to
express an opinion on these financial statements based on our audit.
We conducted our audit in accordance with International Standards on Auditing (or refer to
relevant national standards or practices). Those standards require that we plan and perform the
audit to obtain reasonable assurance about whether the financial statements are free of material
misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. An audit also includes assessing the account principles
used in significant estimates made by the management, as well as evaluating the overall financial
m
statement presentation. We believe that our audit provides a reasonable basis for our opinion.
co
a.
ny
ke
In our opinion, the financial statements give a true and view of (or „present fairly, in all material
ea
respects,‟) the financial position of the Company as of December 31, 20x1 and of results of its
om
.s
operations and its cash flows for the year then ended in accordance with … (and comply with
w
w
….)
w
AUDITOR
Date
Address‟
Footnotes:
1. Reference may be by page numbers
2. Indicate IASs or relevant national standards
3. Refer to relevant statues or law

b) Qualified audit opinion or except for opinion.
This is expressed when auditor concludes that unqualified opinion cannot be expressed but that the
effect of any disagreement with management or limitation in scope is not so material and pervasive
as to require an adverse opinion or disclaimed opinion. A qualified opinion implies that all aspects
of the financial statements are okay expect for the effects of the matters which the qualifications
relate.
c) Disclaimer of opinion.
This is issued when the possible effect of a limitation in scope or uncertainty is so material or
pervasive that the auditor has not been able to obtain sufficient appropriate audit evidence, as a
result he is unable to express an opinion on financial statements. A disclaimer of opinion implies
that the auditor is unable to form an opinion because sufficient audit evidence could not be obtained.
d) Adverse opinion.
This is expressed when the effects of a disagreement is so material and pervasive to the financial
statements that the auditor concludes that a qualification of the report is not adequate to disclose the
misleading and incomplete nature of the financial statements. The auditor states that due to the
m
co
nature of the disagreement in his opinion, the financial statements do not show true and fair view.
a.
ny
ke
ea
om
Limitation of scope
.s
w
w
w
If for any reason the auditor is unable to receive all the information and explanations he deems
necessary for the purposes of his audit, then there is a limitation in scope of his work. It means that
the auditor to conclude his work objectively. This could arise due to the following reasons;
 Refusals by management to allow the auditor examine certain documents or records.

 If the auditor is denied the opportunity to carry out an auditing procedure he considers
important and he cannot conclude through alternative procedures, then there is limitation of
scope in auditor’s work.
 Destruction of accounting records or documents through fire of other disaster meaning that
such documents or records are not available for examination by the auditor.
 Being appointed auditor after the year end with the result that certain evidence will not be
collected.

Effects of limitation in scope on the auditor’s opinion
If the possible effect of limitation in scope of an audit is material but not fundamental to the
financial statements, the auditor issues a qualified opinion. (Except for opinion.)
If the possible effect of limitation in scope of an audit is of fundamental importance that the auditor
is unable to express an opinion on the financial statements, the auditor issues a disclaimer of opinion
as mentioned above.
When there is a limitation in scope of auditor’s work that requires the expression of a qualified
opinion or a disclaimer of opinion, the auditor should describe the nature of the limitation in his
report and indicate the possible adjustments to the financial statements that might have been
determined to be necessary, had the limitation not existed.
Examples of modified reports
(a) Limitation on scope
(i) Limitation on scope – qualified person
m
co
„We have audited … (remaining words are the same as illustrated in the introductory
a.
ny
paragraph of the unqualified above).
ke
ea
om
Except as discussed in the following paragraph, we conducted our audit in accordance
.s
w
w
with….(remaining words are the same as illustrated in the scope paragraph of the
w
unqualified report above).
We did not observe the counting of the physical inventories as of December 31, 20x1,
since that date was prior to the time we were initially engaged as auditors’ fir the
company. Owing to the nature of the company’s records, we were unable to satisfy
ourselves as to inventory quantities by other audit procedures.
In our opinion, except for the effects of such adjustments, if any, as might have been
determined to be necessary had we been able to satisfy ourselves as to physical
inventory quantities, the financial statements give a true and (remaining words are the
same as illustrated in the opinion paragraph of the unqualified report above).‟

(ii) Limitation on scope – disclaimer of opinion
„We are engaged to audit the accompanying balance sheet of the ABC Company as of
December 31 20x1 and the related statements of income, and cash flows for the year then
ended. These financial statements are the responsibility of the Company’s management.
(Omit the sentence stating the responsibility of the auditor).
(The paragraph discussing the scope of the audit would either be omitted or amended
according to the circumstances.)
(Add a paragraph discussing the scope limitations as follows:)
We were not able to observe all physical inventories and confirm accounts receivable due
to limitations placed on the scope of our work by the company.
Because of the significance of the matters discussed in the preceding paragraph we do not
express an opinion on the financial statements.
m
co
a.
ny
Inherent uncertainties
ke
ea
om
Inherent uncertainties result from circumstances in which it is impossible for the auditor to reach any
.s
w
w
objective conclusion as to the outcome of a situation due to the circumstances themselves rather than
w
a limitation of scope of the audit. Such uncertainties are only resolved through the passage of time
e.g. to wait for the outcome of a litigation. However, time is a great constraint and financial
statements must be prepared within the required time. The auditor should form an opinion on the
adequacy of the accounting treatment of such uncertainties. This will involve consideration of:
 The appropriateness of any accounting policies adopted by the management in treating the
effect of such uncertainties.
 The reasonableness of the estimates included in the financial statements.
 The adequacy of disclosure of the uncertainties.
Some inherent uncertainties are fundamental. These are uncertainties where the degree of
uncertainty and its potential impact on the view given by the financial statements may very great.
In determining whether an uncertainty is fundamental, the auditor considers the following:
 The risk of the estimate included in the balance sheet being subject to change.
 The range of possible outcomes.

 The consequences of those outcomes on the view given by the financial statements. Inherent
uncertainties are considered fundamental when they involve a significant level of concern
about the validity of the going concern assumption or other matters whose potential effect on
the financial statements is usually great.
Disagreement
Under disagreement, the auditor is able to conclude objectively that he has received all the
information and explanations he considers necessary for the purpose of the audit. But his conclusion
is at variance with the position adopted by the management or the view given by the financial
statements. Circumstances giving rise to disagreements include;
 Application of inappropriate records by the management.

 Some facts or amounts included in the financial statements e.g. the auditor may feel that the
amount provided for as a contingent loss arising from a lawsuit against the company is too
low.
 Interpretation of accounting policies or legislation.
 Manner, mode or extent of disclosure of facts or amounts in the financial statements.
m
Whether the auditor agrees with the accounting treatment or disclosure of a matter in the financial
co
a.
statements and in the auditor’s opinion, the effect of that disagreement is material to the financial
ny
ke
statements, the auditor should;
ea
 Include in his report a description of all the factors giving rise to the disagreement.
om
.s
 The implications of such factors on the financial statements.
w
w
w
 A quantification of the effect on the financial statements.

Examples
(i) Disagreement on Accounting Policies- Inappropriate Accounting method – Qualified

Opinion
„We have audited ….(remaining words are the same as illustrated in the introductory
paragraph of the unqualified report above.)
We conducted our audit in accordance with … (remaining words are the same as
illustrated in the scope paragraph of the unqualified report above).
As discussed in Note X to the financial statements, no depreciation has been provided in

the financial statements which practice, in our opinion, isn’t in accordance with
International
Accounting Standards. The provision for the year ended December 31, 20x1 should be
based on the straight line method of depreciation using annual rates of 5% for the
building and 20% for the equipment. Accordingly the non current assets should be
reduced by the accumulated depreciation of xxx and the loss for the year and
accumulated deficit should be increased by xxx and xxx respectively.
m
co
a.
ny
In our opinion, except for the effect on the financial statements of the matter referred to
ke
ea
in the preceding paragraph, the financial statements give a true and …. (Remaining
om
words are the same as illustrated in the opinion paragraph of the unqualified report
.s
w
w
above).
(ii) Disagreement on Accounting Policies – inadequate disclosure – qualified opinion w

„We have audited … (remaining words are the same as illustrated in the introductory
paragraph of the unqualified report above).
We conducted our audit in accordance with…. (Remaining words are the same as
illustrated in the scope paragraph of the unqualified report above.

On January 15, 2OO7, the company issued debentures in the amount of xx for the
purpose of financing plant expansion. The debenture agreement restricts the payment
of future cash dividends to earnings after December 31, 20x1. In our opinion,
disclosure of this information is required by …. (Insert reference to statutory or
regulatory requirement).
In our opinion, except for the omission of the information included in the preceding
paragraph, the financial statements give a true and … (remaining words are the same as
illustrated in the opinion paragraph of the unqualified report above).
(iii) Disagreement on Accounting Policies – inadequate disclosure – adverse opinion
We have audited … (remaining words are the same as illustrated in the introductory
paragraph of the unqualified report above).
We conducted our audit in accordance with.. (Remaining words are the same as illustrated
in the scope paragraph of the unqualified report above.
m
co
In our opinion, because of the effects of the matters discussed in the preceding
a.
ny
paragraph(s), the financial statements do not give a true and fair of (or do not „present
ke
ea
fairly‟) the financial position of the company as at December 31, 20x1, and of result of its
om
operations and its cash flows for the year then ended in accordance with (insert relevant
.s
w
w
IASs or national standards) ..
w
And do not comply with …… (Insert relevant statutes or law).
Effects of disagreements on auditor’s opinion
When the auditor concludes that the effect of the matter giving rise to disagreement is so
fundamental that the financial statements are misleading, the auditor should issue an adverse
opinion.
If the nature of the disagreement is material but not fundamental, the auditor should issue a qualified
opinion indicating that all other aspects of the financial statements are okay except for the matter
giving rise to the disagreement.

Material but not pervasive
The auditor may not include qualifying remarks in his audit report unless the matter is material.
Material but not pervasive means that the reservation the auditor has is material in the context of a
segment of the financial statements but not to the financial statements taken as a whole.
Material and pervasive
A matter becomes material and pervasive when it is material in the context of the financial
statements taken as a whole. A limitation of scope becomes pervasive when it makes the financial
statements misleading for decision making purposes or of little value for decision making purposes.
A disagreement becomes pervasive when it makes the financial statements taken as a whole to be
totally misleading.
Qualification matrix
Nature of circumstance Material but not significant Fundamental
Limitation of scope or Qualified opinion (except Disclaimer of opinion

uncertainty for opinion)
m
Disagreement Qualified opinion (except Adverse opinion
co
a.
for opinion)
ny
ke
ea
om
.s
Going Concern (ISA 570)
w
w
w
The going concern concept is a fundamental concept of IAS 1 (disclosure of accounting policies)
which governs the preparation and presentation of financial statements. This concept states that the
transactions and the financial statements have to be recognized and prepared in such a way that the
entity shall continue with operations for the foreseeable future period and shall not cease to be in
existence, stop or curtail is present production either currently or in the near future.
The auditor when reporting on the financial statements is categorically concerned of the going
concern concept because;
 It affects true and fair view of the financial statements
 It facilitates qualification of audit reports.
 It confirms compliance of financial statements with the generally accepted accounting
principles and policies.
 The auditor’s main interest will be that all material matters affecting the financial statements
have been disclosed.

If fundamental accounting principles governing the financial statements have been properly
observed in all material aspects, the financial statements presented show a true and fair view.
Appropriateness of going concern assumption
The auditor should consider the risk that the going concern assumption may no longer be
appropriate. Indications of the risk that the continuance as a going concern may be questionable
could come from the financial statements or from other sources. Examples of such indications are as
follows:
a. Financial indicators.
 Changes of the financial position of the company drastically within a short period of time
especially from bad to worse.
 Financial difficulties affecting the company’s production process and sales.
 Changes of credit policies especially from credit to cash on delivery.
 Difficulties in paying salaries and wages of employees.
 Increased financial borrowing.
m
co
a.
b. Non financial indicators.
ny
ke
 High staff turnover in key accounting and managerial officials and finance personnel
ea
especially without replacement.
om
.s
 Unfriendly environment between management and management and employees
w
w
w
 Unusual pressure within the entity for no apparent reason.
 Circumstances of labour disputes e.g. strikes by employees leading to demonstrations ad
protests.
 Where the entity relies heavily on a customer for sale of its products or for marketing its
output.
 Pending legal proceedings against the entity that may, if successful, result in judgements that
could not be met.
 Non compliance with capital and other statutory requirements.
The significance of such indications can often be mitigated by other factors. For example, the effect
of an entity being unable to make its normal debt repayments may be counterbalanced y
management’s plans to maintain adequate cash flows by alternative means, such as by disposal of
assets, rescheduling of loan repayments, or obtaining additional capital. Similarly, the loss of a
principal supplier may be mitigated by the availability of a suitable alternative source of supply.

TOPIC 9
PROFESSIONAL ETHICS
Professional ethics are professionally accepted standards of personal and business behaviour, values
and guiding principles. Codes of professional ethics are often established by professional
organizations to help guide members in performing their job functions according to sound and
consistent ethical principles.
IMPORTANCE OF PROFESSIONAL ETHICS
The purpose of assurance engagements is to increase the confidence of end users of information by
reducing their level of risk. It therefore follows that the user needs to trust the professional who is
providing the assurance. In order to be trusted the auditor needs to be independent of their clients
and be sufficiently competent and diligent to complete their assignments satisfactorily.
The last thirty years has witnessed a number of high profile corporate scandals that have had far
reaching implications for companies, economies and accountancy firms.
m
co
To improve the image of the profession and to restore trust between users of accountancy services
a.
ny
and the practitioners, it is vital that accountants operate (and are perceived to operate) according to
ke
an accepted code of ethics.
ea
om
.s
Whilst it is expected that practitioners apply the spirit of the code to every day practice the
w
w
framework and principles would be of little use if they could not be enforced.
w
Business organizations often develop several different policies, rules and guidelines for governing
their operations. While home-based or sole proprietorship businesses usually require fewer policies,
larger organizations use these guidelines to manage employee behavior. A code of ethics is a
common organizational policy used in business organizations. The code of ethics policy usually sets
the minimum standards for business owners, managers and employees to follow when completing
various business functions.
 Facts
In a small business, a code of ethics is usually based on the business owner’s personal morals
or values. As the business grows and expands, the ethical values can be implemented into the
business' organizational mission or values statement. This statement helps provide companies
with a compass to guide the organization through the business environment. Companies often
refer to the mission or values statement when guidance is needed regarding questionable
situations.

 Improve Business Relationships
A code of ethics can help companies improve business relationships. Ethical values are often
designed to provide guidance when working with other companies and the general public.
These values dictate how businesses handle contract negotiations, customer questions and
feedback or negative business situations.
 Prohibit Inappropriate Behavior
Many companies use a code of ethics to prohibit inappropriate employee behavior.

Inappropriate behavior can include lying to managers or clients, engaging in fraud or
embezzlement, failing to meet specific operational standards or other similar conduct. A code
of ethics can help employees understand why these actions are inappropriate and the reasons
companies expect better behavioral performance. Companies may also limit their legal liability
from poor employee performance by using a code of ethics.
 Hold Management Accountable
Owner, director or upper-level management accountability is an important function of a

company’s code of conduct. These individuals are usually required to exhibit honesty,
transparency and integrity in their daily roles. Not only do these actions set the company’s
ethical tone, it also keeps individual owners and managers accountable for their actions.
m
Allowing an unethical manager free rein in a business capacity can create difficult business
co
situations that overextend the company’s resources.
a.
ny
ke
 Considerations
ea
om
.s
w
Companies often use refresher seminars to continually educate and inform employees about the
w
w
importance of ethical behavior. The seminars may also provide information regarding new
business policies or past violations of the company’s code of ethics. This information ensures
that employees have a clear understanding about the importance of ethics and why they should
adhere to the company’s policy. Companies can use an employee or third-party agency to
conduct these refresher seminars or meetings.

FUNDAMENTAL ETHICAL PRINCIPLES
The Code of Ethics is a statement of principles and expectations governing behaviour of individuals
and organisations in the conduct of internal auditing.
Summary
Rule Principle
Integrity The integrity of internal auditors establishes trust and thus
provides the basis for reliance on their judgement.
Objectivity Internal auditors exhibit the highest level of professional
objectivity in gathering, evaluating, and communicating
information about the activity or process being examined. Internal
auditors make a balanced assessment of all the relevant
circumstances and are not unduly influenced by their own interests
or by others in forming judgements.
Confidentiality Internal auditors respect the value and ownership of information
they receive and do not disclose information without appropriate
authority unless there is a legal or professional obligation to do so.
Competency Internal auditors apply the knowledge, skills and experience
needed in the performance of internal auditing services
m
co
a.
ny
ke
The Code of Ethics
ea
om
This is the full text of the Institute's Code of Ethics.
.s
w
w
w
The purpose of the Code is to promote an ethical culture in the profession of internal auditing.
A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is
on the trust placed in its objective assurance about risk management, control, and governance.
The Institute's Code of Ethics provides principles and rules of conduct under four headings:
 Integrity
 Objectivity
 Confidentiality
 Competency
The Rules of Conduct describe behaviour norms expected of internal auditors. These rules are an
aid to interpreting the Principles into practical applications and are intended to guide the ethical
conduct of internal auditors. Below they are set out together with the principle they interpret.

The Code of Ethics provides guidance to internal auditors serving others. 'Internal auditors' refers to
Institute members and those who provide internal auditing services within the definition of internal
auditing.
Applicability and enforcement
This Code of Ethics applies to both individuals and entities that provide internal auditing services.
For Institute members, breaches of the Code of Ethics will be evaluated and administered according
to The Institute's Disciplinary Procedures. The fact that a particular conduct is not mentioned in the
Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the
member liable to disciplinary action.
The Code of Ethics
1. Integrity Principle
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their
judgement.
m
co
a.
Rules of Conduct
ny
ke
ea
Internal auditors:
om
.s
 Shall perform their work with honesty, diligence and responsibility.
w
w
w
 Shall observe the law and make disclosures expected by the law and the profession.
 Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable
to the profession of internal auditing or to the organisation.
 Shall respect and contribute to the legitimate and ethical objectives of the organisation.
2. Objectivity Principle
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and
communicating information about the activity or process being examined. Internal auditors make a
balanced assessment of all the relevant circumstances and are not unduly influenced by their own
interests or by others in forming judgements.

Rules of Conduct
Internal auditors:
 Shall not participate in any activity or relationship that may impair or be presumed to impair
their unbiased assessment. This participation includes those activities or relationships that
may be in conflict with the interests of the organisation.
 Shall not accept anything that may impair or be presumed to impair their professional
judgement.
 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting
of activities under review.
3. Confidentiality Principle
Principle Internal auditors respect the value and ownership of information they receive and do not
disclose information without appropriate authority unless there is a legal or professional obligation
to do so.
Rules of Conduct
Internal auditors:
m
co
a.
 Shall be prudent in the use and protection of information acquired in the course of their
ny
ke
duties.
ea
om
 Shall not use information for any personal gain or in any manner that would be contrary to
.s
w
the law or detrimental to the legitimate and ethical objectives of the organisation.
w
w
4. Competency Principle
Internal auditors apply the knowledge, skills and experience needed in the performance of internal
auditing services.
Rules of Conduct
Internal auditors:
 Shall engage only in those services for which they have the necessary knowledge, skills and
experience.
 Shall perform internal auditing services in accordance with the International Standards for the
Professional Practice of Internal Auditing.
 Shall continually improve their proficiency and the effectiveness and quality of their services.

TYPES OF THREATS TO COMPLIANCE WITH THE FUNDAMENTAL PRINCIPLES
Threats to objectivity/independence
The following are all examples of behaviour that could threaten the practitioner's objectivity or
independence from their clients:
Self interest threat
This occurs when an auditor has a beneficial interest in a client's performance. Examples include:
 When the auditor or a member of their family owns shares in a client. They would directly
benefit from increases in client profits and would be reluctant to raise any concerns that could
adversely affect the performance of the client.
 When a firm is dependent upon one client for a significant proportion of their total fee
income. The firm may not raise issues with the client for fear of losing them.
 The acceptance of gifts and hospitality. This could be perceived as bribery to keep quiet about
issues in the financial statements
Self review threat
This occurs when an auditor has to review work that they previously performed. For example: if the
external auditor prepared the financial statements and then audited them.
m
co
a.
There is a risk that the auditor would not identify any shortcomings in their own work for fear of
ny
ke
penalty (either financial or reputational).
ea
om
.s
Advocacy threat
w
w
w
This can occur when the auditor is asked to promote or represent their client in some way. In this
situation the auditor would have to be biased in favour of the client and therefore cannot be
objective. This could happen if the client asked the auditor to promote their shares for a stock
exchange listing or if the client asked the auditor to represent them in court.
Familiarity threat
This occurs when the auditor is too sympathetic or trusting of the client because of a close
relationship with them. This may be because a close friend or relative of the auditor works in a key
role for the client. The auditor may trust their friend or relative to not make mistakes and therefore
not review their work as thoroughly as they should and as a result allow material errors to go
undetected in the financial statements. This can also arise after a long association with a client.
Intimidation threat
Clients may try to harass or bully auditors into giving preferential audit reports. They may use the
fee as leverage. The auditor should not give in to such pressure and, in the circumstances, may
choose to resign from such a client.
Confidentiality
External auditors are in a unique position of having a legal right of access to all information about
their clients. The client must be able to trust the auditor not to disclose anything about their business
to anyone as it could be detrimental to their operations.
As a basic rule, members of an audit team should not disclose any information to those outside of
the audit team, whether or not they work for the same firm. There is little point using different teams
for different work assignments if staff from different teams are disclosing information to each other!
Information should only be disclosed under certain circumstances. In some circumstances the
auditor must disclose the information and in others the auditor may chose to disclose the
information, as follows:
m
co
a.
ny
ke
ea
om
.s
Public interest
w
w
w
 Whether or not it is in the public interest is difficult to prove and the auditor must proceed
with caution if thinking of disclosing information for this reason. Such examples could
include fraud, environmental pollution, or simply companies acting against the public good.
Legal advice should be sought beforehand to avoid the risk of being sued. Matters to consider before
disclosing information in the public interest are whether that matter is likely to be repeated and how
serious the effects of the client's actions are.
Conflicts of interest
Any advice given should be in the best interests of the client. However, where clients' interests
conflict (for example, clients in the same line of business), the firm's work should be arranged to
avoid the interests of one being adversely affected by those of another.

The steps to be taken by the auditor are:
 once a conflict is noted, you should advise both clients of the situation
 reassure the client that adequate safeguards will be implemented, e.g. separate engagement
leaders for each, separate teams, to prevent the transfer of client information between teams
and a second partner review
 suggest they seek additional independent advice
 if adequate safeguards can't be implemented, the auditor should resign.
m
co
a.
ny
ke
ea
om
.s
w
w
w

?NOTES Auditing-W

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

?NOTES Auditing-W

Uploaded by

Copyright:

Available Formats

AUDITING

www.someakenya.com Contact: 0707 737 890 Page 1

1. Nature, purpose and scope of auditing

- Definition of auditing, auditor and an audit

2. Planning for the audit

- Objectives of planning for the audit work

3. Internal control system

4. Errors and fraud

- Definition of error and fraud

- Nature and source of audit evidence

6. Risk based audit

- Definition of audit risks

- Benefits and drawbacks of computerised accounting systems

- Purpose of the auditor's report

www.someakenya.com Contact: 0707 737 890 Page 3

Topic 1: Nature, purpose and scope of auditing……………………………………………….…5

Topic 2: Planning for the audit………………………………………………………………...…63

Topic 3: Internal control system ……………………………………………………………..…...78

Topic 4: Errors and fraud………………………………………………………………...……….99

Topic 5: Audit evidence…………………………………………………………………………108

Topic 6: Risk based audit………………………………………………………………………..132

Topic 7: Computerised auditing…………………………………………………………………138

Topic 8: Auditor's report……………………………………………………………..….……….161

Topic 9: Professional ethics………………………………………………………….…………..180

www.someakenya.com Contact: 0707 737 890 Page 4

NATURE, PURPOSE AND SCOPE OF AUDITING

DEFINITION OF AUDITING, AUDITOR AND AN AUDIT

www.someakenya.com Contact: 0707 737 890 Page 5

www.someakenya.com Contact: 0707 737 890 Page 6

An Audit of Financial Statements

www.someakenya.com Contact: 0707 737 890 Page 7

Preparation of the Financial Statements

www.someakenya.com Contact: 0707 737 890 Page 8

 The applicable financial reporting framework often encompasses financial reporting

www.someakenya.com Contact: 0707 737 890 Page 9

i) Statement of changes in owners' equity.

www.someakenya.com Contact: 0707 737 890 Page 10

Considerations Specific to Audits in the Public Sector

Form of the Auditor's Opinion

Overall Objectives of the Auditor

www.someakenya.com Contact: 0707 737 890 Page 11

a) Applicable financial reporting framework — The financial reporting framework adopted

www.someakenya.com Contact: 0707 737 890 Page 13

k) Professional judgment — The application of relevant training, knowledge and experience,

Ethical Requirements Relating to an Audit of Financial Statements

www.someakenya.com Contact: 0707 737 890 Page 14

www.someakenya.com Contact: 0707 737 890 Page 15

Professional skepticism includes being alert to, for example:

• Audit evidence that contradicts other audit evidence obtained.

• Overlooking unusual circumstances.

www.someakenya.com Contact: 0707 737 890 Page 16

• Materiality and audit risk.

www.someakenya.com Contact: 0707 737 890 Page 17

www.someakenya.com Contact: 0707 737 890 Page 18

Risks of Material Misstatement

The risks of material misstatement may exist at two levels:

• The overall financial statement level; and

www.someakenya.com Contact: 0707 737 890 Page 19

Inherent Limitations of an Audit

www.someakenya.com Contact: 0707 737 890 Page 20

• The nature of financial reporting;

The Nature of Financial Reporting

The preparation of financial statements involves judgment by management in applying the