ACCOUNTING TECHNICIAN DIPLOMA
ATD LEVEL III
STUDY TEXT
- Definition of internal controls and internal control systems
- Purpose of internal control system
- Designing an internal control system
- Benefits and limitations of internal control system
- General controls on:
• Sales
• Purchases
• Cash and bank
• Inventory
5. Audit evidence
7. Computerised auditing
8. Auditor's report
9. Professional ethics
- Importance of professional ethics
- Fundamental ethical principles
10. Emerging issues and trends
Revised on: June 2016
Auditing
The Institute of Certified Public Accountants of Kenya (ICPAK) defines auditing as the independent
examination of and expression of opinion on, the financial statements of an enterprise by an
appointed auditor in pursuance of that appointment and in compliance with any relevant statutory
obligation.
Auditing — the independent examination of and expression of opinion on, the financial statements of
an enterprise by an appointed auditor in pursuance of that appointment and in compliance with any
relevant statutory obligation.
Auditor — "Auditor" is used to refer to the person or persons conducting the audit, usually the
engagement partner or other members of the engagement team, or, as applicable, the firm. Where an
ISA expressly intends that a requirement or responsibility be fulfilled by the engagement partner, the
term "engagement partner" rather than "auditor" is used. "Engagement partner" and "firm" are to be
read as referring to their public sector equivalents where relevant.
An official whose job it is to carefully check the accuracy of business records. An auditor can be
either an independent auditor unaffiliated with the company being audited or a captive auditor, and
some are elected public officials. The term is sometimes synonymous with "comptroller." Auditors
are used to ensure that organizations are maintaining accurate and honest financial records and
statements.
Audit — This is the independent investigation into the quality of published accounting information.
An audit is the independent examination of and expression of an opinion on the financial statements
of an economic entity by an appointed auditor in pursuance of that appointment and in compliance with
any relevant statutory obligation.
The objective of an audit is to enable the auditor to express an opinion whether financial statements
show a true and fair view of the company's state of affairs in accordance with an identified financial
reporting framework.
CONDUCT OF AN AUDIT
Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance
with International Standards on Auditing (ISA 200)
The objective of an audit of financial statements is to enable the auditor to express an opinion on
whether the financial statements are prepared, in all material respects, in accordance with an
applicable financial reporting framework.
This International Standard on Auditing (ISA 200) deals with the independent auditor's overall
responsibilities when conducting an audit of financial statements in accordance with ISAs.
Specifically, it sets out the overall objectives of the independent auditor, and explains the
nature and scope of an audit designed to enable the independent auditor to meet those
objectives. It also explains the scope, authority and structure of the ISAs, and includes
requirements establishing the general responsibilities of the independent auditor applicable in
all audits, including the obligation to comply with the ISAs. The independent auditor is
referred to as "the auditor" hereafter.
ISAs are written in the context of an audit of financial statements by an auditor. They are to
be adapted as necessary in the circumstances when applied to audits of other historical
financial information. ISAs do not address the responsibilities of the auditor that may exist in
legislation, regulation or otherwise in connection with, for example, the offering of securities
to the public. Such responsibilities may differ from those established in the ISAs.
Accordingly, while the auditor may find aspects of the ISAs helpful in such circumstances, it
is the responsibility of the auditor to ensure compliance with all relevant legal, regulatory or
professional obligations.
The auditor's opinion on the financial statements deals with whether the financial statements are
prepared, in all material respects, in accordance with the applicable financial reporting framework.
Such an opinion is common to all audits of financial statements.
The auditor's opinion therefore does not assure, for example, the future viability of the entity
nor the efficiency or effectiveness with which management has conducted the affairs of the
entity. In some jurisdictions, however, applicable law or regulation may require auditors to
provide opinions on other specific matters, such as the effectiveness of internal control, or the
consistency of a separate management report with the financial statements.
While the ISAs include requirements and guidance in relation to such matters to the extent
that they are relevant to forming an opinion on the financial statements, the auditor would be
required to undertake further work if the auditor had additional responsibilities to provide
such opinions.
The purpose of an audit is to enhance the degree of confidence of intended users in the financial
statements. This is achieved by the expression of an opinion by the auditor on whether the financial
statements are prepared, in all material respects, in accordance with an applicable financial reporting
framework. In the case of most general purpose frameworks, that opinion is on whether the financial
statements are presented fairly, in all material respects, or give a true and fair view in accordance
with the framework. An audit conducted in accordance with ISAs and relevant ethical requirements
enables the auditor to form that opinion.
The financial statements subject to audit are those of the entity, prepared by management of the
entity with oversight from those charged with governance. ISAs do not impose responsibilities on
management or those charged with governance and do not override laws and regulations that govern
their responsibilities. However, an audit in accordance with ISAs is conducted on the premise that
management and, where appropriate, those charged with governance have acknowledged certain
responsibilities that are fundamental to the conduct of the audit. The audit of the financial statements
does not relieve management or those charged with governance of their responsibilities.
As the basis for the auditor's opinion, ISAs require the auditor to obtain reasonable assurance about
whether the financial statements as a whole are free from material misstatement, whether due to
fraud or error. Reasonable assurance is a high level of assurance. It is obtained when the auditor has
obtained sufficient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor
expresses an inappropriate opinion when the financial statements are materially misstated) to an
acceptably low level. However, reasonable assurance is not an absolute level of assurance, because
there are inherent limitations of an audit which result in most of the audit evidence on which the
auditor draws conclusions and bases the auditor's opinion being persuasive rather than conclusive.
The ISAs contain objectives, requirements and application and other explanatory material that are
designed to support the auditor in obtaining reasonable assurance. The ISAs require that the auditor
exercise professional judgment and maintain professional skepticism throughout the planning and
performance of the audit and, among other things:
• Identify and assess risks of material misstatement, whether due to fraud or error, based on an
understanding of the entity and its environment, including the entity's internal control.
• Obtain sufficient appropriate audit evidence about whether material misstatements exist,
through designing and implementing appropriate responses to the assessed risks.
• Form an opinion on the financial statements based on conclusions drawn from the audit
evidence obtained.
The form of opinion expressed by the auditor will depend upon the applicable financial reporting
framework and any applicable law or regulation.
The auditor may also have certain other communication and reporting responsibilities to users,
management, those charged with governance, or parties outside the entity, in relation to matters
arising from the audit. These may be established by the ISAs or by applicable law or regulation.
Law or regulation may establish the responsibilities of management and, where appropriate,
those charged with governance in relation to financial reporting.
However, the extent of these responsibilities, or the way in which they are described, may
differ across jurisdictions. Despite these differences, an audit in accordance with ISAs is
conducted on the premise that management and, where appropriate, those charged with
governance have acknowledged and understand that they have responsibility:
a) For the preparation of the financial statements in accordance with the applicable financial
reporting framework, including, where relevant, their fair presentation;
The preparation of the financial statements by management and, where appropriate, those charged
with governance requires:
• The identification of the applicable financial reporting framework, in the context of any
relevant laws or regulations.
• The preparation of the financial statements in accordance with that framework.
• The inclusion of an adequate description of that framework in the financial statements.
The preparation of the financial statements requires management to exercise judgment in making
accounting estimates that are reasonable in the circumstances, as well as to select and apply
appropriate accounting policies. These judgments are made in the context of the applicable financial
reporting framework.
The financial statements may be prepared in accordance with a financial reporting framework
designed to meet:
• The common financial information needs of a wide range of users (that is, "general purpose
financial statements"); or
• The financial information needs of specific users (that is, "special purpose financial
statements").
statements are intended to provide information about the financial position, financial
performance and cash flows of an entity.
For such frameworks, a complete set of financial statements would include a balance sheet;
an income statement; a statement of changes in equity; a cash flow statement; and related
notes. For some other financial reporting frameworks, a single financial statement and the
related notes might constitute a complete set of financial statements:
• For example, the International Public Sector Accounting Standard (IPSAS), Financial
Reporting under the Cash Basis of Accounting, issued by the International Public Sector
Accounting Standards Board states that the primary financial statement is a statement of
cash receipts and payments when a public sector entity prepares its financial statements in
accordance with that IPSAS.
• Other examples of a single financial statement, each of which would include related notes,
are:
i. Balance sheet.
ii. Statement of income or statement of operations.
iii. Statement of retained earnings.
iv. Statement of cash flows.
v. Statement of assets and liabilities that does not include owner's equity.
The mandates for audits of the financial statements of public sector entities may be broader than
those of other entities. As a result, the premise, relating to management's responsibilities, on which
an audit of the financial statements of a public sector entity is conducted may include additional
responsibilities, such as the responsibility for the execution of transactions and events in accordance
with law, regulation or other authority.
The opinion expressed by the auditor is on whether the financial statements are prepared, in all
material respects, in accordance with the applicable financial reporting framework. The form of the
auditor's opinion, however, will depend upon the applicable financial reporting framework and any
applicable law or regulation. Most financial reporting frameworks include requirements relating to
the presentation of the financial statements; for such frameworks, preparation of the financial
statements in accordance with the applicable financial reporting framework includes presentation.
Where the financial reporting framework is a fair presentation framework, as is generally the case
for general purpose financial statements, the opinion required by the ISAs is on whether the
financial statements are presented fairly, in all material respects, or give a true and fair view. Where
the financial reporting framework is a compliance framework, the opinion required is on whether the
financial statements are prepared, in all material respects, in accordance with the framework. Unless
specifically stated otherwise, references in the ISAs to the auditor's opinion cover both forms of
opinion.
In conducting an audit of financial statements, the overall objectives of the auditor are:
a) To obtain reasonable assurance about whether the financial statements as a whole are free
from material misstatement, whether due to fraud or error, thereby enabling the auditor to
express an opinion on whether the financial statements are prepared, in all material respects,
in accordance with an applicable financial reporting framework; and
b) To report on the financial statements, and communicate as required by the ISAs, in
accordance with the auditor's findings.
For purposes of the ISAs, the following terms have the meanings attributed below:
requires compliance with the requirements of the framework, but does not contain the
acknowledgements in (i) or (ii) above.
b) Audit evidence — Information used by the auditor in arriving at the conclusions on which
the auditor's opinion is based. Audit evidence includes both information contained in the
accounting records underlying the financial statements and other information.
For purposes of the ISAs:
(i) Sufficiency of audit evidence is the measure of the quantity of audit evidence. The
quantity of the audit evidence needed is affected by the auditor's assessment of the
risks of material misstatement and also by the quality of such audit evidence.
(ii) Appropriateness of audit evidence is the measure of the quality of audit evidence;
that is, its relevance and its reliability in providing support for the conclusions on
which the auditor's opinion is based.
c) Audit risk — The risk that the auditor expresses an inappropriate audit opinion when the
financial statements are materially misstated. Audit risk is a function of the risks of material
misstatement and detection risk.
d) Auditor — The person or persons conducting the audit, usually the engagement partner or
other members of the engagement team, or, as applicable, the firm. Where an ISA expressly
intends that a requirement or responsibility be fulfilled by the engagement partner, the term
"engagement partner" rather than "auditor" is used. "Engagement partner" and "firm" are to
be read as referring to their public sector equivalents where relevant.
e) Detection risk — The risk that the procedures performed by the auditor to reduce audit risk
to an acceptably low level will not detect a misstatement that exists and that could be
material, either individually or when aggregated with other misstatements.
f) Financial statements — A structured representation of historical financial information,
including related notes, intended to communicate an entity's economic resources or
obligations at a point in time or the changes therein for a period of time in accordance with a
financial reporting framework. The related notes ordinarily comprise a summary of
significant accounting policies and other explanatory information. The term "financial
statements" ordinarily refers to a complete set of financial statements as determined by the
requirements of the applicable financial reporting framework, but can also refer to a single
financial statement.
g) Historical financial information — Information expressed in financial terms in relation to
a particular entity, derived primarily from that entity's accounting system, about economic
events occurring in past time periods or about economic conditions or circumstances at
points in time in the past.
h) Management — The person(s) with executive responsibility for the conduct of the entity's
operations. For some entities in some jurisdictions, management includes some or all of
those charged with governance, for example, executive members of a governance board, or
an owner-manager.
i) Misstatement — A difference between the amount, classification, presentation, or disclosure of
a reported financial statement item and the amount, classification, presentation, or disclosure
that is required for the item to be in accordance with the applicable financial reporting
framework. Misstatements can arise from error or fraud.
Where the auditor expresses an opinion on whether the financial statements are presented
fairly, in all material respects, or give a true and fair view, misstatements also include those
adjustments of amounts, classifications, presentation, or disclosures that, in the auditor's
judgment, are necessary for the financial statements to be presented fairly, in all material
respects, or to give a true and fair view.
j) Premise, relating to the responsibilities of management and, where appropriate, those
charged with governance, on which an audit is conducted — That management and,
where appropriate, those charged with governance have acknowledged and understand that
they have the following responsibilities that are fundamental to the conduct of an audit in
accordance with ISAs. That is, responsibility:
i. For the preparation of the financial statements in accordance with the applicable financial
reporting framework, including, where relevant, their fair presentation;
ii. For such internal control as management and, where appropriate, those charged with
governance determine is necessary to enable the preparation of financial statements that
are free from material misstatement, whether due to fraud or error; and
iii. To provide the auditor with:
a) Access to all information of which management and, where appropriate, those charged
with governance are aware that is relevant to the preparation of the financial statements
such as records, documentation and other matters;
b) Additional information that the auditor may request from management and, where
appropriate, those charged with governance for the purpose of the audit; and
c) Unrestricted access to persons within the entity from whom the auditor determines it
necessary to obtain audit evidence.
The "premise, relating to the responsibilities of management and, where appropriate, those
charged with governance, on which an audit is conducted" may also be referred to as the
"premise."
account balance or disclosure to a misstatement that could be material, either
individually or when aggregated with other misstatements, before consideration of
any related controls.
ii) Control risk — The risk that a misstatement that could occur in an assertion about a
class of transaction, account balance or disclosure and that could be material, either
individually or when aggregated with other misstatements, will not be prevented,
or detected and corrected, on a timely basis by the entity's internal control.
o) Those charged with governance — The person(s) or organization(s) (for example, a
corporate trustee) with responsibility for overseeing the strategic direction of the entity and
obligations related to the accountability of the entity. This includes overseeing the financial
reporting process. For some entities in some jurisdictions, those charged with governance may
include management personnel, for example, executive members of a governance board of a
private or public sector entity, or an owner-manager.
Requirements
The auditor shall comply with relevant ethical requirements, including those pertaining to
independence, relating to financial statement audit engagements.
In the case of an audit engagement it is in the public interest and, therefore, required by the
IESBA Code, that the auditor be independent of the entity subject to the audit. The IESBA
Code describes independence as comprising both independence of mind and independence in
appearance. The auditor's independence from the entity safeguards the auditor's ability to
form an audit opinion without being affected by influences that might compromise that
opinion. Independence enhances the auditor's ability to act with integrity, to be objective and
to maintain an attitude of professional skepticism.
International Standard on Quality Control (ISQC), or national requirements that are at least as
demanding, deal with the firm's responsibilities to establish and maintain its system of quality
control for audit engagements. ISQC 1 sets out the responsibilities of the firm for establishing
policies and procedures designed to provide it with reasonable assurance that the firm and its
personnel comply with relevant ethical requirements, including those pertaining to
independence.
ISA 220 sets out the engagement partner's responsibilities with respect to relevant ethical
requirements. These include remaining alert, through observation and making inquiries as
necessary, for evidence of non-compliance with relevant ethical requirements by members of
the engagement team, determining the appropriate action if matters come to the engagement
partner's attention that indicate that members of the engagement team have not complied with
relevant ethical requirements, and forming a conclusion on compliance with independence
requirements that apply to the audit engagement. ISA 220 recognizes that the engagement
team is entitled to rely on a firm's system of quality control in meeting its responsibilities
with respect to quality control procedures applicable to the individual audit engagement,
unless information provided by the firm or other parties suggests otherwise.
The auditor shall plan and perform an audit with professional skepticism recognizing that
circumstances may exist that cause the financial statements to be materially misstated.
Maintaining professional skepticism throughout the audit is necessary if the auditor is, for example,
to reduce the risks of:
Professional skepticism is necessary to the critical assessment of audit evidence. This includes
questioning contradictory audit evidence and the reliability of documents and responses to
inquiries and other information obtained from management and those charged with governance.
It also includes consideration of the sufficiency and appropriateness of audit evidence obtained in
the light of the circumstances, for example, in the case where fraud risk factors exist and a single
document, of a nature that is susceptible to fraud, is the sole supporting evidence for a material
financial statement amount.
The auditor may accept records and documents as genuine unless the auditor has reason to
believe the contrary. Nevertheless, the auditor is required to consider the reliability of
information to be used as audit evidence. In cases of doubt about the reliability of information or
indications of possible fraud (for example, if conditions identified during the audit cause the
auditor to believe that a document may not be authentic or that terms in a document may have
been falsified), the ISAs require that the auditor investigate further and determine what
modifications or additions to audit procedures are necessary to resolve the matter.
The auditor cannot be expected to disregard past experience of the honesty and integrity of the
entity's management and those charged with governance. Nevertheless, a belief that management
and those charged with governance are honest and have integrity does not relieve the auditor of
the need to maintain professional skepticism or allow the auditor to be satisfied with less than
persuasive audit evidence when obtaining reasonable assurance.
The auditor shall exercise professional judgment in planning and performing an audit of financial
statements.
Professional judgment is essential to the proper conduct of an audit. This is because interpretation of
relevant ethical requirements and the ISAs and the informed decisions required throughout the audit
cannot be made without the application of relevant knowledge and experience to the facts and
circumstances. Professional judgment is necessary in particular regarding decisions about:
The drawing of conclusions based on the audit evidence obtained, for example, assessing the
reasonableness of the estimates made by management in preparing the financial statements.
The distinguishing feature of the professional judgment expected of an auditor is that it is
exercised by an auditor whose training, knowledge and experience have assisted in
developing the necessary competencies to achieve reasonable judgments.
The exercise of professional judgment in any particular case is based on the facts and
circumstances that are known by the auditor. Consultation on difficult or contentious matters
during the course of the audit, both within the engagement team and between the engagement
team and others at the appropriate level within or outside the firm, such as that required by
ISA 220, assist the auditor in making informed and reasonable judgments.
Professional judgment can be evaluated based on whether the judgment reached reflects a
competent application of auditing and accounting principles and is appropriate in the light of
and consistent with, the facts and circumstances that were known to the auditor up to the date
of the auditor's report.
Professional judgment needs to be exercised throughout the audit. It also needs to be
appropriately documented. In this regard, the auditor is required to prepare audit
documentation sufficient to enable an experienced auditor, having no previous connection
with the audit, to understand the significant professional judgments made in reaching
conclusions on significant matters arising during the audit. Professional judgment is not to be
used as the justification for decisions that are not otherwise supported by the facts and
circumstances of the engagement or sufficient appropriate audit evidence.
- To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to
reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable
conclusions on which to base the auditor's opinion.
- Audit evidence is necessary to support the auditor's opinion and report. It is cumulative in
nature and is primarily obtained from audit procedures performed during the course of the
audit. It may, however, also include information obtained from other sources such as previous
audits (provided the auditor has determined whether changes have occurred since the previous
audit that may affect its relevance to the current audit) or a firm's quality control procedures for
client acceptance and continuance. In addition to other sources inside and outside the entity, the
entity's accounting records are an important source of audit evidence.
- Also, information that may be used as audit evidence may have been prepared by an expert
employed or engaged by the entity. Audit evidence comprises both information that supports
and corroborates management's assertions, and any information that contradicts such assertions.
In addition, in some cases, the absence of information (for example, management's refusal to
provide a requested representation) is used by the auditor, and therefore, also constitutes audit
evidence. Most of the auditor's work in forming the auditor's opinion consists of obtaining and
evaluating audit evidence.
- The sufficiency and appropriateness of audit evidence are interrelated. Sufficiency is the
measure of the quantity of audit evidence. The quantity of audit evidence needed is affected by
the auditor's assessment of the risks of misstatement (the higher the assessed risks, the more
audit evidence is likely to be required) and also by the quality of such audit evidence (the
higher the quality, the less may be required). Obtaining more audit evidence, however, may not
compensate for its poor quality.
- Appropriateness is the measure of the quality of audit evidence; that is, its relevance and its
reliability in providing support for the conclusions on which the auditor's opinion is based. The
reliability of evidence is influenced by its source and by its nature, and is dependent on the
individual circumstances under which it is obtained.
- Whether sufficient appropriate audit evidence has been obtained to reduce audit risk to an
acceptably low level, and thereby enable the auditor to draw reasonable conclusions on which
to base the auditor's opinion, is a matter of professional judgment. ISA 500 and other relevant
ISAs establish additional requirements and provide further guidance applicable throughout
the audit regarding the auditor's considerations in obtaining sufficient appropriate audit
evidence.
Audit Risk
- Audit risk is a function of the risks of material misstatement and detection risk. The
assessment of risks is based on audit procedures to obtain information necessary for that
purpose and evidence obtained throughout the audit. The assessment of risks is a matter of
professional judgment, rather than a matter capable of precise measurement.
- For purposes of the ISAs, audit risk does not include the risk that the auditor might express an
opinion that the financial statements are materially misstated when they are not. This risk is
ordinarily insignificant. Further, audit risk is a technical term related to the process of
inherent risk and control risk. Inherent risk and control risk are the entity's risks; they exist
independently of the audit of the financial statements.
- Inherent risk is higher for some assertions and related classes of transactions, account
balances, and disclosures than for others. For example, it may be higher for complex
calculations or for accounts consisting of amounts derived from accounting estimates that
are subject to significant estimation uncertainty. External circumstances giving rise to
business risks may also influence inherent risk. For example, technological developments
might make a particular product obsolete, thereby causing inventory to be more
susceptible to overstatement.
- Factors in the entity and its environment that relate to several or all of the classes of
transactions, account balances, or disclosures may also influence the inherent risk related
to a specific assertion. Such factors may include, for example, a lack of sufficient working
capital to continue operations or a declining industry characterized by a large number of
business failures.
- Control risk is a function of the effectiveness of the design, implementation and
maintenance of internal control by management to address identified risks that threaten
the achievement of the entity's objectives relevant to preparation of the entity's financial
statements. However, internal control, no matter how well designed and operated, can
only reduce, but not eliminate, risks of material misstatement in the financial statements,
because of the inherent limitations of internal control. These include, for example, the
possibility of human errors or mistakes, or of controls being circumvented by collusion or
inappropriate management override. Accordingly, some control risk will always exist. The
ISAs provide the conditions under which the auditor is required to, or may choose to, test
Detection Risk
For a given level of audit risk, the acceptable level of detection risk bears an inverse relationship to
the assessed risks of material misstatement at the assertion level. For example, the greater the risks
of material misstatement the auditor believes exist, the less the detection risk that can be accepted
and, accordingly, the more persuasive the audit evidence required by the auditor.
Detection risk relates to the nature, timing and extent of the auditor's procedures that are determined
by the auditor to reduce audit risk to an acceptably low level. It is therefore a function of the
effectiveness of an audit procedure and of its application by the auditor. Matters such as:
• adequate planning;
• proper assignment of personnel to the engagement team;
• the application of professional skepticism; and
• supervision and review of the audit work performed,
assist to enhance the effectiveness of an audit procedure and of its application and reduce the
possibility that an auditor might select an inappropriate audit procedure, misapply an appropriate
audit procedure, or misinterpret the audit results.
ISA 300 and ISA 330 establish requirements and provide guidance on planning an audit of financial
statements and the auditor's responses to assessed risks. Detection risk, however, can only be
reduced, not eliminated, because of the inherent limitations of an audit. Accordingly, some detection
risk will always exist.
The auditor is not expected to, and cannot, reduce audit risk to zero and cannot therefore obtain
absolute assurance that the financial statements are free from material misstatement due to fraud or
error. This is because there are inherent limitations of an audit, which result in most of the audit
management's judgments.
The Nature of Audit Procedures
There are practical and legal limitations on the auditor's ability to obtain audit evidence. For
example:
• There is the possibility that management or others may not provide, intentionally or
unintentionally, the complete information that is relevant to the preparation of the financial
statements or that has been requested by the auditor. Accordingly, the auditor cannot be
certain of the completeness of information, even though the auditor has performed audit
procedures to obtain assurance that all relevant information has been obtained.
• Fraud may involve sophisticated and carefully organized schemes designed to conceal it.
Therefore, audit procedures used to gather audit evidence may be ineffective for detecting an
intentional misstatement that involves, for example, collusion to falsify documentation which
may cause the auditor to believe that audit evidence is valid when it is not.
• An audit is not an official investigation into alleged wrongdoing. Accordingly, the auditor is
not given specific legal powers, such as the power of search, which may be necessary for such
an investigation.
Timeliness of Financial Reporting and the Balance between Benefit and Cost
The ISAs contain requirements for the planning and performance of the audit and require the
auditor, among other things, to:
• Have a basis for the identification and assessment of risks of material misstatement at the
financial statement and assertion levels by performing risk assessment procedures and related
activities; and
• Use testing and other means of examining populations in a manner that provides a reasonable
basis for the auditor to draw conclusions about the population.
In the case of certain assertions or subject matters, the potential effects of the inherent limitations on
the auditor's ability to detect material misstatements are particularly significant. Such assertions or
subject matters include:
Relevant ISAs identify specific audit procedures to assist in mitigating the effect of the inherent
limitations.
Because of the inherent limitations of an audit, there is an unavoidable risk that some material
misstatements of the financial statements may not be detected, even though the audit is properly
planned and performed in accordance with ISAs. Accordingly, the subsequent discovery of a
material misstatement of the financial statements resulting from fraud or error does not by itself
indicate a failure to conduct an audit in accordance with ISAs.
However, the inherent limitations of an audit are not a justification for the auditor to be satisfied
with less than persuasive audit evidence. Whether the auditor has performed an audit in accordance
with ISAs is determined by the audit procedures performed in the circumstances, the sufficiency and
appropriateness of the audit evidence obtained as a result thereof and the suitability of the auditor's
report based on an evaluation of that evidence in light of the overall objectives of the auditor.
- The auditor shall comply with all ISAs relevant to the audit. An ISA is relevant to the audit
when the ISA is in effect and the circumstances addressed by the ISA exist.
- The auditor shall have an understanding of the entire text of an ISA, including its application
and other explanatory material, to understand its objectives and to apply its requirements
properly.
- The auditor shall not represent compliance with ISAs in the auditor's report unless the auditor
has complied with the requirements of this ISA and all other ISAs relevant to the audit.
Objectives Stated in Individual ISAs
To achieve the overall objectives of the auditor, the auditor shall use the objectives stated in relevant
ISAs in planning and performing the audit, having regard to the interrelationships among the ISAs,
to:
a) Determine whether any audit procedures in addition to those required by the ISAs are
necessary in pursuance of the objectives stated in the ISAs; and
b) Evaluate whether sufficient appropriate audit evidence has been obtained.
The auditor shall comply with each requirement of an ISA unless, in the circumstances of the audit:
The need for the auditor to depart from a relevant requirement is expected to arise only where the
requirement is for a specific procedure to be performed and, in the specific circumstances of the
audit, that procedure would be ineffective in achieving the aim of the requirement.
If an objective in a relevant ISA cannot be achieved, the auditor shall evaluate whether this prevents
the auditor from achieving the overall objectives of the auditor and thereby requires the auditor, in
accordance with the ISAs, to modify the auditor's opinion or withdraw from the engagement (where
withdrawal is possible under applicable law or regulation). Failure to achieve an objective represents
a significant matter requiring documentation in accordance with ISA 230.
The ISAs, taken together, provide the standards for the auditor's work in fulfilling the overall
objectives of the auditor. The ISAs deal with the general responsibilities of the auditor, as well as the
auditor's further considerations relevant to the application of those responsibilities to specific topics.
- The scope, effective date and any specific limitation of the applicability of a specific ISA is
made clear in the ISA. Unless otherwise stated in the ISA, the auditor is permitted to apply an
ISA before the effective date specified therein.
- In performing an audit, the auditor may be required to comply with legal or
regulatory requirements in addition to the ISAs. The ISAs do not override law or regulation
that governs an audit of financial statements. In the event that such law or regulation differs
from the ISAs, an audit conducted only in accordance with law or regulation will not
automatically comply with ISAs.
- The auditor may also conduct the audit in accordance with both ISAs and auditing standards
of a specific jurisdiction or country. In such cases, in addition to complying with each of the
ISAs relevant to the audit, it may be necessary for the auditor to perform additional audit
procedures in order to comply with the relevant standards of that jurisdiction or country.
The ISAs are relevant to engagements in the public sector. The public sector auditor's
responsibilities, however, may be affected by the audit mandate, or by obligations on public sector
In addition to objectives and requirements (requirements are expressed in the ISAs using "shall"), an
ISA contains related guidance in the form of application and other explanatory material. It may
also contain introductory material that provides context relevant to a proper understanding of the
ISA, and definitions. The entire text of an ISA, therefore, is relevant to an understanding of the
objectives stated in an ISA and the proper application of the requirements of an ISA.
Where necessary, the application and other explanatory material provides further explanation of the
requirements of an ISA and guidance for carrying them out. In particular, it may:
• Include examples of procedures that may be appropriate in the circumstances.
While such guidance does not in itself impose a requirement, it is relevant to the proper application
of the requirements of an ISA. The application and other explanatory material may also provide
background information on matters addressed in an ISA.
- Appendices form part of the application and other explanatory material. The purpose and
intended use of an appendix are explained in the body of the related ISA or within the title
and introduction of the appendix itself.
- Introductory material may include, as needed, such matters as explanation of:
• The purpose and scope of the ISA, including how the ISA relates to other ISAs.
• The subject matter of the ISA.
• The respective responsibilities of the auditor and others in relation to the subject matter
of the ISA.
• The context in which the ISA is set.
An ISA may include, in a separate section under the heading "Definitions," a description of the
meanings attributed to certain terms for purposes of the ISAs.
These are provided to assist in the consistent application and interpretation of the
When appropriate, additional considerations specific to audits of smaller entities and public sector
entities are included within the application and other explanatory material of an ISA. These
additional considerations assist in the application of the requirements of the ISA in the audit of such
entities. They do not, however, limit or reduce the responsibility of the auditor to apply and comply
with the requirements of the ISAs.
For purposes of specifying additional considerations to audits of smaller entities, a "smaller entity"
refers to an entity which typically possesses qualitative characteristics such as:
ii) Simple record-keeping;
iii) Few lines of business and few products within business lines;
iv) Few internal controls;
v) Few levels of management with responsibility for a broad range of controls; or
vi) Few personnel, many having a wide range of duties.
These qualitative characteristics are not exhaustive, they are not exclusive to smaller entities, and
smaller entities do not necessarily display all of these characteristics.
- The considerations specific to smaller entities included in the ISAs have been developed
primarily with unlisted entities in mind. Some of the considerations, however, may be helpful
in audits of smaller listed entities.
- The ISAs refer to the proprietor of a smaller entity who is involved in running the entity on a
day-to-day basis as the "owner-manager."
Each ISA contains one or more objectives which provide a link between the requirements and the
overall objectives of the auditor. The objectives in individual ISAs serve to focus the auditor on the
desired outcome of the ISA, while being specific enough to assist the auditor in:
• Understanding what needs to be accomplished and, where necessary, the appropriate means
of doing so; and
In using the objectives, the auditor is required to have regard to the interrelationships among the
ISAs. This is because the ISAs deal in some cases with general responsibilities and in others with
the application of those responsibilities to specific topics. For example, this ISA requires the auditor
to adopt an attitude of professional skepticism; this is necessary in all aspects of planning and
performing an audit but is not repeated as a requirement of each ISA. At a more detailed level, ISA
315 and ISA 330 contain, among other things, objectives and requirements that deal with the
auditor's responsibilities to identify and assess the risks of material misstatement and to design and
perform further audit procedures to respond to those assessed risks, respectively; these objectives
and requirements apply throughout the audit. An ISA dealing with specific aspects of the audit (for
example, ISA 540) may expand on how the objectives and requirements of such ISAs as ISA 315
and ISA 330 are to be applied in relation to the subject of the ISA but does not repeat them. Thus, in
achieving the objective stated in ISA 540, the auditor has regard to the objectives and requirements
of other relevant ISAs.
Use of Objectives to Determine Need for Additional Audit Procedures
The requirements of the ISAs are designed to enable the auditor to achieve the objectives specified
in the ISAs, and thereby the overall objectives of the auditor. The proper application of the
requirements of the ISAs by the auditor is therefore expected to provide a sufficient basis for the
auditor's achievement of the objectives.
However, because the circumstances of audit engagements vary widely and all such circumstances
cannot be anticipated in the ISAs, the auditor is responsible for determining the audit procedures
necessary to fulfill the requirements of the ISAs and to achieve the objectives. In the circumstances
of an engagement, there may be particular matters that require the auditor to perform audit
procedures in addition to those required by the
Use of Objectives to Evaluate Whether Sufficient Appropriate Audit Evidence Has Been Obtained
The auditor is required to use the objectives to evaluate whether sufficient appropriate audit
evidence has been obtained in the context of the overall objectives of the auditor. If as a result the
auditor concludes that the audit evidence is not sufficient and appropriate, then the auditor may
follow one or more of the following approaches:
Relevant Requirements
- In some cases, an ISA (and therefore all of its requirements) may not be relevant in the
circumstances. For example, if an entity does not have an internal audit function, nothing in
ISA 610 is relevant.
- Within a relevant ISA, there may be conditional requirements. Such a requirement is relevant
when the circumstances envisioned in the requirement apply and the condition exists. In
general, the conditionality of a requirement will either be explicit or implicit, for example:
• The requirement to modify the auditor's opinion if there is a limitation of scope
represents an explicit conditional requirement.
• The requirement to communicate significant deficiencies in internal control identified
during the audit to those charged with governance, which depends on the existence of
such identified significant deficiencies; and the requirement to obtain sufficient
appropriate audit evidence regarding the presentation and disclosure of segment
information in accordance with the applicable financial reporting framework, which
depends on that framework requiring or permitting such disclosure, represent implicit
conditional requirements.
- In some cases, a requirement may be expressed as being conditional on applicable law or
regulation. For example, the auditor may be required to withdraw from the audit engagement,
where withdrawal is possible under applicable law or regulation, or the auditor may be
required to do something, unless prohibited by law or regulation. Depending on the
jurisdiction, the legal or regulatory permission or prohibition may be explicit or implicit.
Departure from a Requirement
- ISA 230 establishes documentation requirements in those exceptional circumstances where
the auditor departs from a relevant requirement. The ISAs do not call for compliance with a
requirement that is not relevant in the circumstances of the audit.
Whether an objective has been achieved is a matter for the auditor's professional judgment. That
judgment takes account of the results of audit procedures performed in complying with the
requirements of the ISAs, and the auditor's evaluation of whether sufficient appropriate audit
evidence has been obtained and whether more needs to be done in the particular circumstances of the
Prevent the auditor from complying with the relevant requirements of an ISA.
• Result in its not being practicable or possible for the auditor to carry out the additional audit
procedures or obtain further audit evidence as determined necessary from the use of the
objectives, for example, due to a limitation in the available audit evidence.
- Audit documentation that meets the requirements of ISA 230 and the specific documentation
requirements of other relevant ISAs provides evidence of the auditor's basis for a conclusion
about the achievement of the overall objectives of the auditor.
- While it is unnecessary for the auditor to document separately (as in a checklist, for example)
that individual objectives have been achieved, the documentation of a failure to achieve an
objective assists the auditor's evaluation of whether such a failure has prevented the auditor
from achieving the overall objectives of the auditor.
In carrying out an audit, the firm and each member of the engagement team is required to:
- Comply with the ethical guidelines relating to audit engagements which comprise the
COE as promulgated by ICPAK, which are more restrictive in certain areas. In general, each
member of the engagement team is required to behave with integrity in all professional
relationships which implies honesty, fair dealing, sincerity and professional independence.
An auditor should be objective in all judgements and not allow prejudice, bias or any other
interest to influence the auditor's objectivity. Auditors are required to respect the
confidentiality of information obtained in the course of an audit and not disclose any
information to a third party unless it is legally or professionally required of us. Moreover, the
firm should only undertake work which it is competent and experienced to perform and all
professional work must be conducted with due care, skill and diligence.
- Comply with the quality control requirements as stipulated in ISA 220 which requires the
engagement partner to take responsibility for the overall quality on each audit engagement,
but recognises that the engagement team is entitled to rely on the firm's systems in meeting its
responsibilities with respect to quality control procedures applicable to the individual audit
engagement.
- Conduct the audit in accordance with ISAs which provide the basic principles and
essential procedures which have to be applied in the context of explanatory notes and
appendices. In addition to this, we should consider the IAPSs applicable to the audit
engagement. In determining the scope of an audit, the engagement team should comply with
each ISA relevant to the audit and should not represent compliance with ISAs unless we have
complied with all of the ISAs relevant to the audit.
- Plan and perform an audit with an attitude of professional scepticism recognizing that
circumstances may exist that cause the financial statements to be materially misstated. The
engagement team is required to make a critical assessment of the validity of the audit
evidence obtained and should be alert to evidence that contradicts or brings into question the
reliability of documents and responses to inquiries and other information obtained from the
management and those charged with governance. The attitude of professional scepticism is
necessary throughout the audit to reduce the risk of overlooking unusual circumstances, of
overgeneralising conclusions drawn from audit observation, and of using incorrect
assumptions in determining the nature, timing and extent of the audit procedures and
evaluating the results. The engagement team should obtain persuasive audit evidence that
those charged with governance are honest and have integrity.
- Obtain reasonable assurance that the financial statements taken as a whole are free
from material misstatement, whether due to fraud or error. This is applicable to the
whole audit process and requires the accumulation of audit evidence necessary for the
engagement team to conclude that there are no material misstatements in the financial
statements taken as a whole. Material misstatements are considered at both the overall
financial statement level and in relation to classes of transactions, account balances, and
disclosures and related assertions. Due to the inherent limitations in the use of testing and the
operations of internal controls, most audit evidence is persuasive and not conclusive. As
absolute assurance is unattainable, an audit is therefore not a guarantee that the financial
statements are free from material misstatement. Moreover, an audit opinion does not assure
the future viability of an entity nor the efficiency or effectiveness with which the
management conducts the affairs of the entity. Management representations are not a
substitute for obtaining sufficient appropriate audit evidence on which to base an audit
opinion.
- Plan and perform the audit to reduce the audit risk to an acceptably low level that is
consistent with the objectives of an audit. The audit risk is the risk that the auditor
expresses an inappropriate opinion when the financial statements are materially misstated.
The engagement team reduces this risk by designing and performing audit procedures to
obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on
which to base the audit opinion. Reasonable assurance is obtained when the audit risk has
been reduced to an acceptably low level.
- Determine whether the financial reporting framework adopted by the management in
preparing the financial statements is acceptable in view of the nature of the entity and the
objective of the financial statements. In Kenya, the reporting framework promulgated by
ICPAK is IFRS. However, in exceptional circumstances where the firm is required to report
on special purpose financial statements prepared for reporting to donor agencies or to comply
with the reporting framework of the parent company, the engagement team should compare
the accounting conventions adapted to the requirements of an existing acceptable framework.
Where the engagement team concludes that the framework adopted by the management is not
acceptable, the engagement partner should consider the implication in relation to engagement
acceptance (ISA 210) and the auditor's report (ISA 700).
Fundamental principles are those according to which the books of business accounts are audited.
These principles can be changed according to the desire of the auditor.
1. Planning:-
It is the basic principle of auditing. The auditor should plan before starting the work. In
planning, the auditor decides about the accounting system and internal control procedure.
2. Honesty:-
Honesty and sincerity is the second important principle of auditing. The loyalty of the auditor to
work and profession must be beyond doubt.
3. Impartiality:-
In case of audit the attitude of the auditor must be impartial. Keeping in view this principle, his
personal views may not be included in the audit report.
4. Secrecy:-
Secrecy must be maintained by the auditor during the process of audit. He cannot disclose any
information to a third party.
5. Evidence:-
During the audit the auditor can collect the evidence through the working papers. He can
frame his opinion on the audit evidence. The nature and source of evidence must be kept in
view by the auditor.
6. Consistency:-
It is an important principle of auditing. In case of selecting the rates of depreciation and
valuation of stock the accountant must follow the rates of the coming years. In this regard
there should be consistency and changes are not acceptable.
7. Legal Framework:-
The business activities may run within the rules and legal formalities. To protect the rights of
the interested parties, rules must be applied.
8. Working Paper Preparation:-
The auditors collect documents providing evidence that the audit was carried out according to the
principles.
The auditor prepares the working papers and keeps them in his custody as proof.
9. Internal Control:-
The auditor will examine the accounting system and internal control. To frame his opinion, he
keeps in view the evidence obtained from the books.
10. Report:-
According to the principle of auditing, a report will be prepared by the auditor at the end. It may
be conditional or unconditional. The auditor can draw conclusions and disclose the facts and
figures about the business for general information.
Techniques of auditing mean the procedure and method which is adopted by the auditor in checking
the accounts.
1. Examination of Record:-
This technique is commonly used by auditors; the inspection of books and documents is
made to verify the validity of data.
2. Inquiry:-
The auditor can also use the technique of inquiry. He can get the information from resource
persons inside or outside the enterprise.
3. Sampling:-
The auditor can select a few items from the whole accounting information. This technique enables the
auditor to obtain and evaluate the evidence of some characteristics of the whole class. It is
helpful in forming the conclusion.
4. Confirmation:-
To ensure the accuracy of the data the auditor can collect the information from the debtor.
Confirmation is a response to an inquiry to prove certain data recorded in the books.
5. Compliance:-
To check the arithmetical accuracy of the accounting record, the balancing accounts can be
compared with the vouchers to test the reliability of data.
6. Compliance Test:-
These tests are designed to check the effectiveness and compliance of internal control. In
obtaining the audit evidence, the auditor is concerned with the existence of effective internal
control.
7. Use of Computer Techniques:-
There is a large number of audit techniques like audit software, test packs and mapping which
can be used by the auditor to test the accuracy of the data.
8. Substantive Test:-
These are designed to obtain evidence on whether data produced by the accounting system is accurate or
not. It has two kinds:
i. Test of detail transaction.
ii. Test of significant ratios and trends.
9. Dependence on Experts and Auditors:-
The auditor has to rely on the internal and other auditors to complete his work. He has also to
rely on other experts like lawyers, engineers and doctors for their expert opinion about the
business.
10. Analytical Review:-
It consists of studying significant ratios, trends and investigating different changes. This
review procedure is based on the expectations of relationship among the past and present data.
The suggested audit approach is designed to gather sufficient and reliable evidence to support the
audit opinion in the most efficient and effective way and to enable the engagement team to fully
understand the client's business. There is no difference between an audit of a large and a small entity
except that the procedures adopted may differ depending on the particular circumstances of each
audit.
- The client acceptance and continuation procedures have been carried out;
- The terms of engagement have been agreed in writing;
- The quality control aspects for the assignment have been reviewed including review of the
competency of the team to carry out the assignment, review of compliance with the ethical
requirements, including review of the independence requirements.
ii) Planning
Planning is an essential component in focusing the audit efforts. The key components of planning
are:
- Identifying the scope of the assignment.
- Developing an audit strategy taking into consideration the scope of the engagement; the
business and the regulatory environment in which the entity operates; entity specific issues
including reliance on the work of internal audit; reporting objectives, timing of the audit and
the nature of communication required; matters affecting the direction of the audit including
preliminary setting of materiality levels, preliminary review of risk including fraud risk,
preliminary review of internal control including the control environment, the process adopted
by the entity to identify, measure, monitor and control risks.
- Developing, based on the above, the overall audit plan detailing the nature, timing and extent
of the audit procedures to be performed in order to reduce the audit risk to an acceptably low
level; the nature of tests to be adopted; procedures to be adopted at the assertion level; and
tailoring the audit programmes.
- Ascertaining the nature and the extent of the resources required to perform the audit.
- Carrying out the test of controls and substantive tests on transactions and balances including
substantive analytical procedures to obtain sufficient and appropriate audit evidence to enable
the engagement team to draw reasonable conclusions on which to base the audit opinion.
- Evaluating significant assumptions used in fair value measurement to determine the
reasonableness of the basis used and the disclosures.
- Identification of related parties and obtaining sufficient and appropriate audit evidence in
respect of measurement and disclosure of related party transactions.
- Documenting the nature, timing and extent of the audit procedures performed and the results
and conclusions drawn from the audit evidence obtained.
While pre-printed forms and programmes are available in the Manual, the extent and the timing of
the tests should be tailored to the specific assignment. Different tests and different levels will be
appropriate for each assignment. The control of the audit at this stage must be maintained by a
senior team member with the appropriate experience and expertise.
The review and completion procedures focus on ensuring that sufficient and appropriate evidence
has been obtained to support the audit opinion. This involves ensuring that:
- All outstanding matters have been cleared.
- Consultations on difficult or contentious matters have been documented and adequately
resolved and conclusions therefrom implemented.
- Analytical procedures have been performed to form a conclusion on whether the financial
statements taken as a whole are consistent with the firm's knowledge of the business.
- Where other appropriate audit evidence cannot be reasonably obtained, written management
representations have been obtained on areas material to the financial statements.
- Review has been carried out of any material uncertainty relating to events or conditions that
may exist which alone or in aggregate cast a significant doubt on the entity's ability to
continue as a going concern.
- There is evidence that the engagement team has considered and confirmed that the financial
reporting framework adopted by the entity is suitable, and that the financial statements
comply with the framework as to both recognition and measurement and presentation and
disclosure. In the context of Kenya, this in most cases will be the IFRSs.
- The engagement partner has reviewed the audit file and is satisfied that sufficient and
appropriate evidence has been obtained to support the conclusions derived and the audit
opinion to be issued. As much of the audit evidence obtained is persuasive rather than
conclusive, absolute certainty is rarely obtainable and therefore the engagement partner
should ensure that the audit risk is reduced to the lowest level possible.
Though not covered by the terms of audit engagement, the engagement team may, as part of the
audit process, carry out a business review of the key issues facing the entity and take a strategic look
at the business and at areas where the firm can add value to the entity. In providing other value
added services, the firm and in particular the engagement partner should be conscious of the
independence requirements of the code of ethics.
Financial accounting entails provision of information about a business or company in form of
financial statements which are then made public. These statements are generally prepared on an
annual basis and used by management and other interested parties to make decisions. The
information contained in these financial statements must give a true and fair view of the state of
affairs in the organization.
Auditing is a check carried out by an independent auditor to make sure that what a company is
saying about its financial statement is true. Auditing therefore adds credibility to the financial
statements by ensuring the availability of accurate and reliable financial information.
Auditing
a) Involves examination of financial statements to prove the true and fair view of company's
affairs.
b) It is done mainly at year-end after the directors have prepared the financial statements,
although planning work could be carried out earlier.
c) An audit is mainly governed by the international standards on auditing (ISA).
d) The auditor must be independent of all the stakeholders such as management.
e) It is a statutory requirement that financial statements are audited.
'An auditor is the guy who asks everyone questions and an accountant is the guy who gives the
auditor elusive answers'. While this is a humorous way of putting it, it depicts quite accurately what
happens in most organisations — the accountant produces the accounts and the auditor audits and
qualifies them.
Accounting and auditing are related professions; indeed accountants and auditors usually hold the
same qualifications. An accountant is a practitioner of accountancy. Accounting involves
maintaining and recording the financial transactions of a company. Accountants ensure that there
is proper record keeping within the organisation. The main goal of accounting is to provide the
company with clear, comprehensive and reliable information on the operations of the company for
decision making. This information is presented in the form of an income statement, balance sheet,
statement of changes in equity and cash flow statement.
Essentially, auditing starts where accounting ends. Auditors use the financial reports in the
evaluation, verification and review of the account books of the company. Auditors do an
independent appraisal of the strength of the internal control system and compliance of the books of
accounts to Generally Accepted Accounting Principles and international accounting standards. They
also check on non-financial issues like risk analysis.
An audit can be internal or external. External audits are done by independent bodies, such as the
audit firms KPMG and Ernst and Young. Internal audits are carried out by the company's own internal
audit department. Other types of audits are forensic and security.
i) Accountants are usually employees of the company whereas external auditors are employees
of the audit firm who perform an independent appraisal of the books of accounts. An internal
auditor is an employee of the company but is not part of the accounts department. They do
not report to anyone in the finance department to avoid a conflict of interest.
ii) Accounting is governed by Generally Accepted Accounting Principles and international
accounting standards. In contrast, auditors check for material misstatements and their
auditing processes are governed by auditing standards.
Accounting and auditing are related and complementary, though the work is done by different sets
of accountants with separate skills within the financial field.
Advantages of auditing
- Dispute resolution. A partnership business with a complex profit sharing agreement may
require an independent examination of those accounts to ensure accurate assessment and
division of those profits.
- Significant changes in ownership and structure can be easily effected if past accounts contain
unqualified audit reports, e.g. in mergers.
- Auditors have access to the corporate strategy of the company thus are able to give advice on
gaining competitive advantage and on improvement of business efficiency.
- Borrowing of finances from third parties is enhanced with availability of unqualified audit
report on the company's financial statements.
- Auditing protects the interests of the shareholders who are separated from the management of
their savings invested in the company.
- Auditing assists in prevention and detection of fraud and error in financial statements
although this is not the primary objective of an audit.
Disadvantages of auditing
- Audit fees are normally high since auditors are highly qualified professionals, hence small
firms such as sole proprietorships may not be able to afford to have their financial statements audited.
- The audit exercise interrupts the client's operations because client staff have to spend time
availing the required information to the auditors.
Both auditing and accounting are statutory requirements, i.e. companies must maintain proper
books of accounts and their financial statements must be audited.
After examining the end year financial statements the auditor then forms his opinion as to whether
the financial statements show a true and fair view and reports this to the shareholders.
Whereas the split between the systems and balance sheet audits is concerned with the type of work
covered, that between the interim and final audits is concerned with timing. The interim audit will
normally take place approximately three-quarters of the way through the financial year.
There is an element of similarity between systems/balance sheet work and interim/final audits in as
much as the majority of the systems work will be carried out during the interim audit and the
majority of the balance sheet work during the final audit. However, it will be necessary to complete
some systems work during the final audit so that transactions between the time of the interim and
final audits do not escape the auditor's attention. Similarly, some substantive testing is very likely to
be carried out during the interim (e.g. verifying fixed assets additions to date).
With very small audits, it is sometimes considered unnecessary to carry out an interim audit. This
means that, as a matter of convenience, all the audit work will be carried out in a single phase
commencing typically, a short time before the year-end and continuing into the post balance sheet
period.
At the other extreme, with large companies it is sometimes necessary to carry out more than one
interim audit or, alternatively adopt a continuous auditing approach. In the case of a continuous audit
the auditor's staff will either make several visits to the client spread throughout the year or, as in the
case of very large companies, some of the audit staff will be present at the client's premises virtually
all the time.
Interim audits
This is an audit that is usually carried out midway through the accounting period. An interim audit
usually precedes a final audit and is ideal for large to medium size companies.
Works carried out during an interim audit usually include;
Note that
An interim audit is usually carried out in preparation for the final audit at which the financial statements
will be reviewed.
Final audits
Final audits are usually done at the end of the year on the financial statements, i.e. the balance sheet
and the profit and loss account. A final audit can be conducted in two ways:
1. As a continuation of the interim audit for large to medium size organisations;
2. For small organisations the audit could be carried out in one single session after the end of the
financial period.
PRIVATE AND STATUTORY AUDITS
Statutory audits
These are carried out as per the requirements of the various statutes e.g. the Companies Act cap 486
requires that all public limited companies must have their financial statements subjected to an
independent audit. The objectives of the audit are to express an opinion as to whether the balance
sheet and the profit and loss account show a true and fair view. The rights and duties of the auditor
are laid out in the Companies Act or the relevant statute. The powers of appointment of the auditor
are vested in the shareholders.
Private audits
These are audits that are not governed by the Act. These are performed by an independent auditor
because the owners, members or other interested parties require them and not because the law
requires them to be carried out. Private audits are carried out for organisations such as NGOs,
partnerships, clubs and charities among others. The appointment of the auditor is usually carried out
as a private contract between the auditor and the relevant stakeholder. The scope and objective of the
work is determined by the agreed terms between the auditor and the client. The auditors' rights and
duties are also laid out in the contract.
Similarities
Differences
Statutory Audits
i. It is a requirement of an Act of parliament e.g. the Companies Act.
ii. The scope and objective of work is defined in the Act.
iii. The report is addressed to the shareholders.
iv. Appointment of the auditor is stipulated in the Act (Sec.159). It can either be by shareholders,
directors or registrar of companies.
v. The auditor is liable to third parties.
vi. The auditor has full independence.
Private Audits
This is an approach whereby the audit is carried out throughout the financial period. The audit work
is carried out at predetermined intervals usually around three audit visits. This approach is ideal for
large organisations with tight reporting deadlines e.g. multinational banks.
Assuming that the work is carried out in three audit visits spread over a duration of four months, the
first audit visit will mainly entail carrying out detailed planning of the audit. Work carried out will
include;
The second audit visit will usually be carried out halfway through the financial period. Work carried
out will include;
a) Ascertaining, recording and testing the client's internal control systems.
b) Concluding on the level of reliance to be placed on the internal control system.
c) Carrying out limited analytical review on the interim financial performance of the company.
This will include carrying out ratio analysis.
d) Deciding on the level of substantive testing and the nature of substantive procedures to be
carried out.
The final audit visit will mainly entail review of the financial statements at the end of the financial
year. Work carried out will include;
a) Carrying out substantive procedures on the various account balances
b) Concluding whether there are any significant misstatements in the financial statements.
c) Final analytical review to verify whether the information obtained is consistent and whether
the view presented by the financial statements is consistent with the auditor's understanding of
the business.
d) Forming an opinion as to whether the financial statements show a true and fair view.
Advantages
Procedural audits
Requires an examination of procedures or records for reliability and accuracy. At the end the auditor
can add new ones, modify existing ones or scrap old ones. Attention is paid mainly to:
Advantages
2. Identifies strengths and weaknesses in the internal control system.
3. Creates harmony and co-ordination of company decision making process.
4. Identifies any bureaucracies.
Disadvantages
1. It is expensive.
2. Management can frustrate the whole process if they do not want to reveal inefficiencies.
3. It could lead to duplication of effort.
4. It is tedious especially when many procedures are involved.
5. Sometimes the auditor may not understand technical procedures.
6. Procedures change to respond to changes in the economy or the social setting.
7. Where the internal control system is weak, it is of limited applicability.
Management audits
This involves investigation of the company's entire management to ascertain whether the
management is running the organisation in the best interest of the stakeholders. It investigates
company's managerial aspects of the business from high to low management. It assesses the
efficiency of management to run the organisation in the most viable way.
This audit tests the strength of the internal control system by working backwards to get the initial
transactions. It is based on verification of assets by checking;
Introduction
Internal audit is a function established by management to assist in corporate governance by
assessing internal controls and helping in risk management. It can be a department of employees or
can be outsourced to expert service providers.
Internal auditing is different from external auditing, although the techniques used by both are very
similar. While the techniques used may be similar, the focus and reasons behind the audit are
different.
• Both auditors are concerned about the strength and proper functioning of the internal control
system. The internal auditor is concerned because it is his or her responsibility, while the external
auditor is concerned as he or she relies on the strength of the internal control system to carry out
systems based audits.
• Both auditors have as part of their duties to ensure that the company adheres to all relevant
laws and regulations.
• Both auditors are interested in ensuring that the company keeps proper books of records. The
internal auditor uses the company accounts to appraise the functioning of the internal control
system while the external auditor uses them to collect audit evidence to corroborate his audit
opinion.
Although many of the techniques internal and external auditors use may be similar, the basis and
reasoning of their work is different.
The external audit is focused on the financial statements, whereas the internal audit is focused on the
operations of the entire business.
The following table highlights the differences between internal and external audit.
The table demonstrates that the whole basis and reasoning of internal audit work is fundamentally
different to that of external audit work.
| | Internal audit | External audit |
|---|---|---|
| Objective | Designed to add value and improve an organization's operations. | An exercise to enable auditors to express an opinion on the financial statements. |
| Reporting | Reports to the board of directors, or other people charged with governance, such as the audit committee. Reports are private and for the directors and management of the company. | Reports to the shareholders or members of a company on the truth and fairness of the accounts. Audit report is publicly available to the shareholders and other interested parties. |
| Scope | Work relates to the operations of the organisation. | Work relates to the financial statements. |
| Relationship | Often employees of the organisation, although sometimes the function is outsourced. | Independent of the company management. Usually appointed by the shareholders. |
Internal auditing is not regulated in the same way as statutory external auditing.
There are no legal requirements associated with becoming an internal auditor. The scope and nature
of internal audit's work is more likely to be set by company policy than by any external guidelines.
In contrast to external auditors, internal auditors are not required to be members of a professional
body such as the ICPAK. However, this does not mean they cannot be, and many are.
It is the responsibility of management and those charged with governance to prevent and detect
fraud; in this respect, internal auditors may have a role to play.
Internal audit has two key roles to play in relation to organisational risk management:
The internal audit department has a two-fold role in relation to risk management.
• It monitors the company's overall risk management policy to ensure it operates effectively.
• It monitors the strategies implemented to ensure that they continue to operate effectively.
As a significant risk management policy in companies is to implement internal controls, internal
audit has a key role in assessing systems and testing controls.
Internal audit may assist in the development of systems. However, its key role will be in monitoring
the overall process and in providing assurance that the systems which the departments have designed
meet objectives and operate effectively.
It is important that the internal audit department retains its objectivity towards these aspects of its
role, which is another reason why internal audit would generally not be involved in the assessment
of risks and the design of the system.
It is the responsibility of management and those charged with governance to prevent and detect
fraud, and in this respect, internal auditors may have a role to play.
Although the presence of an internal audit department within an organisation is indicative of good
internal control, by its very nature, there are some limitations of the internal audit function.
Internal auditors are employed by the organisation and this can impair their independence and
objectivity and ability to report fraud/error to senior management because of perceived threats to
their continued employment within the company.
To ensure transparency, best practice indicates that the internal audit function should have a dual
reporting relationship, i.e. report both to management and those charged with governance (the audit
committee). If this reporting structure is not in place, management may be able to unduly influence
the internal audit plan, scope, and whether issues are reported appropriately.
This results in a serious conflict, limits the scope and compromises the effectiveness of the internal
audit function.
Internal auditors are not required to be professionally qualified (as accountants are) and so there may
be limitations in their knowledge and technical expertise.
1. Increase in size of business
As businesses grow in size and increase the level of operations it becomes necessary to have a
function that oversees all the internal controls that have been put in place.
2. Dynamic business
Due to changes in technology a number of companies have become so dynamic that their
controls are updated on a continuous basis and this calls for constant feedback on those
controls that necessitate updating. This meant that, to cope with these demands, companies
had to improvise and use expert advice, which was available from the Internal Auditor.
4. Competition
Under perfect competition companies can only survive if they are operationally efficient and
this calls for stronger controls and cost effectiveness.
International Standard on Auditing (ISA) 610 (Revised), Using the Work of Internal Auditors
This International Standard on Auditing (ISA) deals with the external auditor's responsibilities if
using the work of the internal audit function in obtaining audit evidence.
Relationship between the Internal Audit Function and the External Auditor
The objectives of the internal audit function are determined by management and, where applicable,
those charged with governance. While the objectives of the internal audit function and the external
auditor are different, some of the ways in which the internal audit function and the external auditor
achieve their respective objectives may be similar.
Irrespective of the degree of autonomy and objectivity of the internal audit function, such function is
not independent of the entity as is required of the external auditor when expressing an opinion on
financial statements. The external auditor has sole responsibility for the audit opinion expressed, and
that responsibility is not reduced by the external auditor's use of the work of the internal auditors.
Objectives of the external auditor
The objectives of the external auditor, where the entity has an internal audit function that the
external auditor has determined is likely to be relevant to the audit, are:
a) To determine whether, and to what extent, to use specific work of the internal auditors; and
b) If using the specific work of the internal auditors, to determine whether that work is adequate
for the purposes of the audit.
- In order for the external auditor to use specific work of the internal auditors, the external
auditor shall evaluate and perform audit procedures on that work to determine its adequacy
for the external auditor's purposes.
- To determine the adequacy of specific work performed by the internal auditors for the
external auditor's purposes, the external auditor shall evaluate whether:
a) The work was performed by internal auditors having adequate technical training and
proficiency;
b) The work was properly supervised, reviewed and documented;
Documentation
If the external auditor uses specific work of the internal auditors, the external auditor shall include in
the audit documentation the conclusions reached regarding the evaluation of the adequacy of the
work of the internal auditors, and the audit procedures performed by the external auditor on that
work.
Scope of this ISA (International Standard on Auditing (ISA) 610 (Revised), Using the Work of
Internal Auditors)
- The entity's internal audit function is likely to be relevant to the audit if the nature of the
internal audit function's responsibilities and activities are related to the entity's financial
reporting, and the auditor expects to use the work of the internal auditors to modify the nature
or timing, or reduce the extent, of audit procedures to be performed.
- Carrying out procedures in accordance with this ISA may cause the external auditor to
re-evaluate the external auditor's assessment of the risks of material misstatement.
Consequently, this may affect the external auditor's determination of the relevance of the
internal audit function to the audit.
- Similarly, the external auditor may decide not to otherwise use the work of the internal
auditors to affect the nature, timing or extent of the external auditor's procedures. In such
circumstances, the external auditor's further application of this ISA may not be necessary.
• Monitoring of internal control. The internal audit function may be assigned specific
responsibility for reviewing controls, monitoring their operation and recommending
improvements thereto.
• Examination of financial and operating information. The internal audit function may be
assigned to review the means used to identify, measure, classify and report financial and
operating information, and to make specific inquiry into individual items, including detailed
testing of transactions, balances and procedures.
Determining Whether and to What Extent to Use the Work of the Internal Auditors
Whether the Work of the Internal Auditors is Likely to be Adequate for Purposes of the Audit
Factors that may affect the external auditor's determination of whether the work of the internal
auditors is likely to be adequate for the purposes of the audit include:
Objectivity
• The status of the internal audit function within the entity and the effect such status has on the
ability of the internal auditors to be objective.
• Whether the internal audit function reports to those charged with governance or an officer
with appropriate authority, and whether the internal auditors have direct access to those
charged with governance.
• Whether the internal auditors are free of any conflicting responsibilities.
• Whether those charged with governance oversee employment decisions related to the internal
audit function.
• Whether there are any constraints or restrictions placed on the internal audit function by
management or those charged with governance.
• Whether, and to what extent, management acts on the recommendations of the internal audit
function, and how such action is evidenced.
Technical competence
• Whether activities of the internal audit function are properly planned, supervised, reviewed
and documented.
• The existence and adequacy of audit manuals or other similar documents, work programs and
internal audit documentation.
Communication between the external auditor and the internal auditors may be most effective when
the internal auditors are free to communicate openly with the external auditors, and:
Planned Effect of the Work of the Internal Auditors on the Nature, Timing or Extent of the
External Auditor's Procedures
Where the work of the internal auditors is to be a factor in determining the nature, timing or extent
of the external auditor's procedures, it may be useful to agree in advance the following matters with
the internal auditors:
levels for particular classes of transactions, account balances or disclosures), and performance
materiality;
• Proposed methods of item selection;
• Documentation of the work performed; and
• Review and reporting procedures.
The nature, timing and extent of the audit procedures performed on specific work of the internal
auditors will depend on the external auditor's assessment of the risk of material misstatement, the
evaluation of the internal audit function, and the evaluation of the specific work of the internal
auditors. Such audit procedures may include:
The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is
not reduced by the external auditor's use of the work of the internal audit function on the
engagement. Although the function may perform audit procedures similar to those performed by the
external auditor, neither the internal audit function nor the internal auditors are independent of the
This ISA, therefore, defines the conditions that are necessary for the external auditor to be able to
use the work of internal auditors. It also defines the necessary work effort to obtain sufficient
appropriate evidence that the work of the internal audit function is adequate for the purposes of the
audit. The requirements are designed to provide a framework for the external auditor's judgments
regarding the use of the work of the internal audit function to prevent over or undue use of such
work.
Objectives
The objectives of the external auditor, where the entity has an internal audit function and the
external auditor expects to use the work of the function to modify the nature or timing, or reduce the
extent, of audit procedures to be performed directly by the external auditor are:
a) To determine whether the work of the internal audit function can be used, and if so, in which
areas and to what extent; and having made that determination:
b) If using the work of the internal audit function, to determine whether that work is adequate
for purposes of the audit.
Determining Whether, in Which Areas, and to What Extent the Work of the Internal Audit
Function Can Be Used
Evaluating the Internal Audit Function
The external auditor shall determine whether the work of the internal audit function can be used for
purposes of the audit by evaluating the following:
a) The extent to which the internal audit function's organizational status and relevant policies and
procedures support the objectivity of the internal auditors;
b) The level of competence of the internal audit function; and
c) Whether the internal audit function applies a systematic and disciplined approach, including
quality control.
The external auditor shall not use the work of the internal audit function if the external auditor
determines that:
a) The function's organizational status and relevant policies and procedures do not adequately
support the objectivity of internal auditors;
b) The function lacks sufficient competence; or
c) The function does not apply a systematic and disciplined approach, including quality control.
The external auditor shall make all significant judgments in the audit engagement and, to prevent
undue use of the work of the internal audit function, shall plan to use less of the work of the function
and perform more of the work directly:
- The external auditor shall also evaluate whether, in aggregate, using the work of the internal
audit function to the extent planned would still result in the external auditor being sufficiently
involved in the audit, given the external auditor's sole responsibility for the audit opinion
expressed.
- The external auditor shall, in communicating with those charged with governance an overview
of the planned scope and timing of the audit, communicate how the external auditor has planned
to use the work of the internal audit function.
- If the external auditor plans to use the work of the internal audit function, the external auditor
shall discuss the planned use of its work with the function as a basis for coordinating their
respective activities.
- The external auditor shall read the reports of the internal audit function relating to the work of
the function that the external auditor plans to use to obtain an understanding of the nature and
extent of audit procedures it performed and the related findings.
- The external auditor shall perform sufficient audit procedures on the body of work of the
internal audit function as a whole that the external auditor plans to use to determine its adequacy
for purposes of the audit, including evaluating whether:
a) The work of the function had been properly planned, performed, supervised, reviewed and
documented;
b) Sufficient appropriate evidence had been obtained to enable the function to draw reasonable
conclusions; and
c) Conclusions reached are appropriate in the circumstances and the reports prepared by the
function are consistent with the results of the work performed.
- The nature and extent of the external auditor's audit procedures shall be responsive to the
external auditor's evaluation of:
a) The amount of judgment involved;
b) The assessed risk of material misstatement;
Documentation
If the external auditor uses the work of the internal audit function, the external auditor shall include
in the audit documentation:
i. Whether the function's organizational status and relevant policies and procedures
adequately support the objectivity of the internal auditors;
ii. The level of competence of the function; and
iii. Whether the function applies a systematic and disciplined approach, including quality
control;
(b) The nature and extent of the work used and the basis for that decision; and
(c) The audit procedures performed by the external auditor to evaluate the adequacy of the work
used.
The objectives and scope of internal audit functions typically include assurance and consulting
activities designed to evaluate and improve the effectiveness of the entity's governance processes,
risk management and internal control such as the following:
Activities Relating to Governance
The internal audit function may assess the governance process in its accomplishment of objectives
on ethics and values, performance management and accountability, communicating risk and control
information to appropriate areas of the organization and effectiveness of communication among
those charged with governance, external and internal auditors, and management.
• The internal audit function may assist the entity by identifying and evaluating significant
exposures to risk and contributing to the improvement of risk management and internal
control (including effectiveness of the financial reporting process).
• The internal audit function may perform procedures to assist the entity in the detection of
fraud.
www.someakenya.com Contact: 0707 737 890 Page 53
Activities Relating to Internal Control
• Evaluation of internal control. The internal audit function may be assigned specific
responsibility for reviewing controls, evaluating their operation and recommending
improvements thereto. In doing so, the internal audit function provides assurance on the
control. For example, the internal audit function might plan and perform tests or other
procedures to provide assurance to management and those charged with governance
regarding the design, implementation and operating effectiveness of internal control,
including those controls that are relevant to the audit.
• Examination of financial and operating information. The internal audit function may be
assigned to review the means used to identify, recognize, measure, classify and report
financial and operating information, and to make specific inquiry into individual items,
including detailed testing of transactions, balances and procedures.
• Review of operating activities. The internal audit function may be assigned to review the
economy, efficiency and effectiveness of operating activities, including non-financial
activities of an entity.
• Review of compliance with laws and regulations. The internal audit function may be assigned
to review compliance with laws, regulations and other external requirements, and with
management policies and directives and other internal requirements.
• Activities similar to those performed by an internal audit function may be conducted by
functions with other titles within an entity. Some or all of the activities of an internal audit
function may also be outsourced to a third-party service provider. Neither the title of the
function, nor whether it is performed by the entity or a third-party service provider, are sole
determinants of whether or not the external auditor can use the work of the function. Rather,
it is the nature of the activities; the extent to which the internal audit function's organizational
status and relevant policies and procedures support the objectivity of the internal auditors;
competence; and systematic and disciplined approach of the function that are relevant.
• References in this ISA to the work of the internal audit function include relevant activities of
other functions or third-party providers that have these characteristics.
• In addition, those in the entity with operational and managerial duties and responsibilities
outside of the internal audit function would ordinarily face threats to their objectivity that
would preclude them from being treated as part of an internal audit function for the purpose
of this ISA, although they may perform control activities that can be tested in accordance
with ISA 330. For this reason, monitoring controls performed by an owner-manager would
not be considered equivalent to an internal audit function.
While the objectives of an entity's internal audit function and the external auditor differ, the function
may perform audit procedures similar to those performed by the external auditor in an audit of
financial statements. If so, the external auditor may make use of the function for purposes of the
audit in one or more of the following ways:
• To obtain information that is relevant to the external auditor's assessments of the risks of
material misstatement due to error or fraud. In this regard, ISA 315 (Revised) requires the
external auditor to obtain an understanding of the nature of the internal audit function's
responsibilities, its status within the organization, and the activities performed, or to be
1. The external auditor exercises professional judgment in determining whether the work of the
internal audit function can be used for purposes of the audit, and the nature and extent to
which the work of the internal audit function can be used in the circumstances.
2. The extent to which the internal audit function's organizational status and relevant policies
and procedures support the objectivity of the internal auditors and the level of competence of
the function are particularly important in determining whether to use and, if so, the nature and
extent of the use of the work of the function that is appropriate in the circumstances.
3. Objectivity refers to the ability to perform those tasks without allowing bias, conflict of
interest or undue influence of others to override professional judgments. Factors that may
affect the external auditor's evaluation include the following:
• Whether the organizational status of the internal audit function, including the function's
authority and accountability, supports the ability of the function to be free from bias,
conflict of interest or undue influence of others to override professional judgments. For
example, whether the internal audit function reports to those charged with governance or
an officer with appropriate authority, or if the function reports to management, whether it
has direct access to those charged with governance.
• Whether the internal audit function is free of any conflicting responsibilities, for example,
having managerial or operational duties or responsibilities that are outside of the internal
audit function.
• Whether those charged with governance oversee employment decisions related to the internal
audit function, for example, determining the appropriate remuneration policy.
• Whether there are any constraints or restrictions placed on the internal audit function by
management or those charged with governance, for example, in communicating the internal
audit function's findings to the external auditor.
• Whether the internal auditors are members of relevant professional bodies and their
memberships obligate their compliance with relevant professional standards relating to
objectivity, or whether their internal policies achieve the same objectives.
• Competence of the internal audit function refers to the attainment and maintenance of
knowledge and skills of the function as a whole at the level required to enable assigned tasks
to be performed diligently and in accordance with applicable professional standards. Factors
that may affect the external auditor's determination include the following:
• Whether the internal audit function is adequately and appropriately resourced relative to the
size of the entity and the nature of its operations.
• Whether there are established policies for hiring, training and assigning internal auditors to
internal audit engagements.
• Whether the internal auditors have adequate technical training and proficiency in auditing.
Relevant criteria that may be considered by the external auditor in making the assessment
may include, for example, the internal auditors' possession of a relevant professional
designation and experience.
• Whether the internal auditors possess the required knowledge relating to the entity's financial
reporting and the applicable financial reporting framework and whether the internal audit
function possesses the necessary skills (for example, industry-specific knowledge) to perform
work related to the entity's financial statements.
• Whether the internal auditors are members of relevant professional bodies that oblige them to
comply with the relevant professional standards including continuing professional
development requirements.
4. Objectivity and competence may be viewed as a continuum. The more the internal audit function's
organizational status and relevant policies and procedures adequately support the objectivity of
the internal auditors and the higher the level of competence of the function, the more likely the
external auditor may make use of the work of the function and in more areas.
5. However, an organizational status and relevant policies and procedures that provide strong
support for the objectivity of the internal auditors cannot compensate for the lack of sufficient
competence of the internal audit function. Equally, a high level of competence of the internal
audit function cannot compensate for an organizational status and policies and procedures that do
not adequately support the objectivity of the internal auditors.
- The application of a systematic and disciplined approach to planning, performing,
supervising, reviewing and documenting its activities distinguishes the activities of the
internal audit function from other monitoring control activities that may be performed within
the entity.
- Factors that may affect the external auditor's determination of whether the internal audit
function applies a systematic and disciplined approach include the following:
• The existence, adequacy and use of documented internal audit procedures or guidance
covering such areas as risk assessments, work programs, documentation and reporting,
the nature and extent of which is commensurate with the size and circumstances of an
entity.
• Whether the internal audit function has appropriate quality control policies and
procedures, for example, such as those policies and procedures that would be applicable
to an internal audit function (such as those relating to leadership, human resources and
engagement performance) or quality control requirements in standards set by the
relevant professional bodies for internal auditors.
• Such bodies may also establish other appropriate requirements such as conducting
periodic external quality assessments.
- The external auditor's evaluation of whether the internal audit function's organizational status
and relevant policies and procedures adequately support the objectivity of the internal
auditors, the level of competence of the internal audit function, and whether it applies a
systematic and disciplined approach may indicate that the risks to the quality of the work of
the function are too significant and therefore it is not appropriate to use any of the work of the
function as audit evidence.
- Consideration of the factors in paragraphs 3 and 4 of Evaluating the Internal Audit Function
above individually and in aggregate is important because an individual factor is often not
sufficient to conclude that the work of the internal audit function cannot be used for purposes
of the audit. For example, the internal audit function's organizational status is particularly
important in evaluating threats to the objectivity of the internal auditors.
- If the internal audit function reports to management, this would be considered a significant
threat to the function's objectivity unless other factors such as those described in paragraph 3
of Evaluating the Internal Audit Function above collectively provide sufficient safeguards to
reduce the threat to an acceptable level.
- In addition, self-review threat is created when the external auditor accepts an engagement to
provide internal audit services to an audit client, and the results of those services will be used
in conducting the audit. This is because of the possibility that the engagement team will use
the results of the internal audit service without properly evaluating those results or without
exercising the same level of professional skepticism as would be exercised when the internal
audit work is performed by individuals who are not members of the firm.
Factors Affecting the Determination of the Nature and Extent of the Work of the Internal
Audit Function that Can Be Used
- Once the external auditor has determined that the work of the internal audit function can be
used for purposes of the audit, a first consideration is whether the planned nature and scope of
the work of the internal audit function that has been performed, or is planned to be performed,
is relevant to the overall audit strategy and audit plan that the external auditor has established.
- Examples of work of the internal audit function that can be used by the external auditor
include the following:
- Testing of the operating effectiveness of controls.
- Substantive procedures involving limited judgment.
- Observations of inventory counts.
- Tracing transactions through the information system relevant to financial reporting.
- Testing of compliance with regulatory requirements.
- In some circumstances, audits or reviews of the financial information of subsidiaries that are
not significant components to the group.
- The external auditor's determination of the planned nature and extent of use of the work of
the internal audit function will be influenced by the external auditor's evaluation of the extent
to which the internal audit function's organizational status and relevant policies and
procedures adequately support the objectivity of the internal auditors and the level of
competence of the internal audit function. In addition, the amount of judgment needed in
planning, performing and evaluating such work and the assessed risk of material
misstatement at the assertion level are inputs to the external auditor's determination.
- The greater the judgment needed to be exercised in planning and performing the audit
procedures and evaluating the audit evidence, the external auditor will need to perform more
procedures directly, because using the work of the internal audit function alone will not
provide the external auditor with sufficient appropriate audit evidence.
- Since the external auditor has sole responsibility for the audit opinion expressed, the external
auditor needs to make the significant judgments in the audit engagement.
Assessed risk of material misstatement
- For a particular account balance, class of transaction or disclosure, the higher an assessed risk
of material misstatement at the assertion level, the more judgment is often involved in
planning and performing the audit procedures and evaluating the results thereof. In such
circumstances, the external auditor will need to perform more procedures directly, and
accordingly, make less use of the work of the internal audit function in obtaining sufficient
appropriate audit evidence.
- Furthermore, the higher the assessed risks of material misstatement, the more persuasive the
audit evidence required by the external auditor will need to be, and, therefore, the external
auditor will need to perform more of the work directly.
- Significant risks require special audit consideration and therefore the external auditor's ability
to use the work of the internal audit function in relation to significant risks will be restricted
to procedures that involve limited judgment. In addition, where the risk of material
misstatement is other than low, the use of the work of the internal audit function alone is
unlikely to reduce audit risk to an acceptably low level and eliminate the need for the external
auditor to perform some tests directly.
- Carrying out procedures in accordance with this ISA may cause the external auditor to
reevaluate the external auditor's assessment of the risks of material misstatement.
Consequently, this may affect the external auditor's determination of whether to use the work
of the internal audit function and whether further application of this ISA is necessary.
- The external auditor is required to communicate with those charged with governance an
overview of the planned scope and timing of the audit.
- The planned use of the work of the internal audit function is an integral part of the external
auditor's overall audit strategy and is therefore relevant to those charged with governance for
their understanding of the proposed audit approach.
- In discussing the planned use of their work with the internal audit function as a basis for
coordinating the respective activities, it may be useful to address the following:
• The timing of such work.
• The nature of the work performed.
• The extent of audit coverage.
• Materiality for the financial statements as a whole (and, if applicable, materiality level
or levels for particular classes of transactions, account balances or disclosures), and
performance materiality.
• Proposed methods of item selection and sample sizes.
• Documentation of the work performed.
• Review and reporting procedures.
- Coordination between the external auditor and the internal audit function is effective when,
for example:
• Discussions take place at appropriate intervals throughout the period.
• The external auditor informs the internal audit function of significant matters that may affect
the function.
• The external auditor has access to relevant reports of the internal audit function and is informed of
any significant matters that come to the attention of the function when such matters may affect the
work of the external auditor so that the external auditor is able to consider the implications of such
matters for the audit engagement.
- ISA 200 discusses the importance of the auditor planning and performing the audit with
professional skepticism, including being alert to information that brings into question the
reliability of documents and responses to inquiries to be used as audit evidence. Accordingly,
communication with the internal audit function throughout the engagement may provide
opportunities for internal auditors to bring matters that may affect the work of the external
auditor to the external auditor's attention.
- The external auditor is then able to take such information into account in the external
auditor's identification and assessment of risks of material misstatement. In addition, if such
information may be indicative of a heightened risk of a material misstatement of the financial
statements or may be regarding any actual, suspected or alleged fraud, the external auditor
can take this into account in the external auditor's identification of risk of material
misstatement due to fraud.
- The external auditor's audit procedures on the body of work of the internal audit function as a
whole that the external auditor plans to use provide a basis for evaluating the overall quality
of the function's work and the objectivity with which it has been performed.
- The procedures the external auditor may perform to evaluate the quality of the work
performed and the conclusions reached by the internal audit function, in addition to
reperformance, include the following:
• Making inquiries of appropriate individuals within the internal audit function.
• Observing procedures performed by the internal audit function.
• Reviewing the internal audit function's work program and working papers.
The more judgment involved, the higher the assessed risk of material misstatement, the less the
internal audit function's organizational status and relevant policies and procedures adequately
support the objectivity of the internal auditors, or the lower the level of competence of the internal
audit function, the more audit procedures are needed to be performed by the external auditor on the
overall body of work of the function to support the decision to use the work of the function in
obtaining sufficient appropriate audit evidence on which to base the audit opinion.
Reperformance
- For purposes of this ISA, reperformance involves the external auditor's independent
execution of procedures to validate the conclusions reached by the internal audit function.
This objective may be accomplished by examining items already examined by the internal
audit function, or where it is not possible to do so, the same objective may also be
accomplished by examining sufficient other similar items not actually examined by the
internal audit function.
- Reperformance provides more persuasive evidence regarding the adequacy of the work of the
internal audit function compared to other procedures.
- While it is not necessary for the external auditor to do reperformance in each area of work of
the internal audit function that is being used, some reperformance is required on the body of
work of the internal audit function as a whole that the external auditor plans to use.
- The external auditor is more likely to focus reperformance in those areas where more
judgment was exercised by the internal audit function in planning, performing and evaluating
the results of the audit procedures and in areas of higher risk of material misstatement.
The annual accounts and report are primarily prepared by the directors for the shareholders. However,
the following parties need financial statements:
- Employees.
- Creditors or suppliers
- Lenders and debenture holders
- The management
- The shareholders to whom the financial statements are addressed.
- Credit rating agencies.
- Potential shareholders
- Trustees
- Suppliers
- Customers
3. Those with representative interests
- Lawyers
- The government
- The general public.
4. Others
- Competitors
- Stock brokers
- Statisticians
- Financial journalists
- Trade unions.
• Present and potential investors. These risk capital providers and their advisors are concerned
with the risk that is inherent in their investment. They need information to help them determine
whether they should buy more shares, hold on to the shares they have or sell the shares they
have.
• Employees. These and their representative groups such as trade unions are interested in
information about the stability and profitability of their employers. They are also interested in
information which enables them to assess the ability of the company to provide adequate
remuneration, retirement benefits and employment opportunities.
INTRODUCTION
An audit plan is the specific guideline to be followed when conducting an audit. It helps the auditor
obtain sufficient appropriate evidence for the circumstances, helps keep audit costs at a reasonable
level, and helps avoid misunderstandings with the client.
- It helps the auditor obtain sufficient appropriate evidence for the circumstances.
- It helps to keep audit costs at a reasonable level.
- It helps to avoid misunderstandings with the client.
- It helps to ensure that potential problems are promptly identified.
- It helps the auditor to know the scope of the audit program.
OBJECTIVES OF PLANNING FOR THE AUDIT
Planning for the audit is a vital area of the audit primarily conducted at the beginning of audit
process to ensure that the:-
The plan developed needs to be revised as necessary during the course of audit
Overall Plan
It is the general strategy for the audit, which sets the direction for the audit, describes the expected scope and
conduct of the audit and provides guidance for the development of the audit programme.
Audit Programme
A detailed set of instructions to implement the overall plan for the nature, timing and extent of audit
procedures.
The following administrative details of an audit should be considered while developing the audit plan:
1. Logistics
2. Use of IT
3. Time budgets
4. Subsidiary objectives of the assignment
5. Logistics
When planning an audit, the engagement partner or manager has to consider many practical areas like:
1. Staff
2. Client management
3. Location of the audit
4. Deadlines
Staff
For the selection of audit staff for a particular assignment, the following considerations should be made.
Client Management
The management of the client may have preferences regarding audit staff. The audit manager should
consider their recommendations in the light of independence rules when deciding whether to change the audit
team, as consistency of audit staff helps audit efficiency.
Deadline
It is important that the auditors know the deadlines and the key dates:
- Date on which the audit report is due to be signed
- Date of AGM
Uses of IT
There are several factors to be considered
Time Management
The audit must be cost effective; therefore, the time to be taken to conduct each part of the audit is to be
estimated and the fee set accordingly. It is important that
Subsidiary Objectives
Along with the key purpose of the audit, i.e. to express an opinion on the financial statements, there may
be certain other objectives of the audit assignment, e.g.
Audit Principle
The auditor should perform the audit with an attitude of “Professional Skepticism”, recognizing that
circumstances may exist which cause the financial statements to be materially misstated. Such
circumstances include:
ACCEPTING AUDIT ENGAGEMENTS
Preconditions for an audit
Auditors should only accept a new audit engagement, or continue an existing audit engagement if
the 'preconditions for an audit' required by ISA 210 Agreeing the terms of audit engagements are
present.
Determine whether the financial reporting framework to be applied in the preparation of the
financial statements is appropriate; and
Obtain the agreement of management that it acknowledges and understands its
responsibilities.
If the preconditions for an audit are not present, the auditor should discuss the matter with
management, and should not accept the engagement unless required to do so by law or regulation.
Procedures
Ask the client for permission to contact the outgoing auditor (reject role if client refuses)
Engagement letters
The engagement letter will be sent before the audit. It specifies the nature of the contract between
the audit firm and the client and minimises the risk of any misunderstanding of the auditor's role.
It should be reviewed every year to ensure that it is up to date but does not need to be reissued every
year unless there are changes to the terms of the engagement. The auditor must issue a new
engagement letter if the scope or context of the assignment changes after initial appointment.
ISA 210 requires the auditor to consider whether there is a need to remind the entity of the existing
terms of the audit engagement for recurring audits and many firms choose to send a new letter every
year, to emphasise its importance to clients.
The contents of the engagement letter
The contents of a letter of engagement for audit services are listed in ISA 210 Agreeing the Terms
of Audit Engagements. They should include the following:
In addition to the above the engagement letter may also make reference to:
The unavoidable risk that some material misstatements may go undetected due to the inherent
limitations in an audit;
Arrangements regarding the planning and performance of the audit;
The expectation that management will provide written representations;
Before accepting any client for services, the auditor should undertake the following procedures and duly
consider the following factors/matters:
Client Business/Industry
The auditor should seek information about the nature of the client’s business (type of industry) to
assess the regulations/standards relevant to the client’s industry.
Risk
The auditor has to evaluate the apparent risk with the client to ensure that the audit is being conducted
carefully.
NB: Indicators of risky clients in exam scenarios would be:
– Weak accounting systems/poor systems
– Rapid turnover of employees particularly accounts department
– Directors/Mgt casual attitude about disclosures/reporting requirements
– Frequent change of auditors in short time period (e.g. Auditors changed 3-4 times in 4-5 years)
– Bad reputation of client mgt
– Mgt requirement to conduct audit within short time period
– Operating Losses/Lack of Finances/Lack of Funds
– Unusual Transactions/Related Party Transactions
– Negative media comments about client etc.
Expertise/Competence/ Skills
Before accepting any client, the auditors should ensure that they have relevant
expertise/competence/skills to do the audit of the client. (TIP: Even if auditors do not have
relevant experience of doing the audit of companies from same industry, still they may accept
the audit to gain experience by learning the relevant requirements and to enter into client’s
industry.)
Resources Availability
Before acceptance auditors should evaluate the availability of resources in terms of relevant
audit team members and time to conduct the audit.
Ethical Requirements
Acceptance of any client should not create any conflicts or threats to independence, integrity
and objectivity of auditors.
Before replying back to new/proposed auditors, the old/previous auditors would also seek
permission of the client to reply back and if client does not grant permission the
new/proposed auditor should decline the nomination.
– NB: Communication with previous auditors is a mandatory requirement and it has to be
done formally in writing (letter).
– After going through all above matters auditor may decide to accept or decline the client.
If the auditor decides to accept the client, the following further procedures would be undertaken.
– Confirm that removal/resignation of previous/predecessor auditor has been conducted in
accordance with legal requirements.
– Ensure that appointment of new/proposed auditors is also in accordance with statutory
requirement.
– Submit “Engagement Letter”.
Media comments/remarks
Latest Financial Statements
Financial Analyst’s Report
Credit Rating Report
Test nature and inherent limitation of audit
Unrestricted access to information and records
Description of Management Letter
Description of Management Representation Letter
Arrangements of involvement of “others” (including Internal auditor, Experts and predecessor
Auditors)
Basis of fees
Request for client to confirm the terms of audit
Terms of other services, if any
Any other matter
NB: However if client demands a restriction/limitation in scope of audit, the auditors should not
accept the change in engagement letter.
Past arguments over the scope of the audit, the type of opinion issued, fees etc may give the auditor
pause to reconsider the association with the particular client. The auditor may also decide to
discontinue the relationship if the client is deemed to lack integrity. Under the Ethical Standards the
auditor may have to discontinue association if there are ethical issues (if the client is involved in
litigation against the auditor, there are unpaid fees, independence issues etc.). The auditor may also
decide the particular engagement is too high risk. Client acceptance and continuance is an important
part of determining audit risk.
A clear understanding of the terms of the engagement should exist between the client and the
auditor. ISA 210 describes the contents of an engagement letter. Although the standard does not
require use of an engagement letter, the guidance is provided in a manner that presumes use of an
engagement letter. According to ISA 210, "the auditor and the client should agree on the terms of
the engagement." ISA 210 states that the auditor should ensure that the engagement letter or other
form of suitable contract documents and confirms the auditor's acceptance of the appointment and
includes a summary of the responsibilities of those charged with governance and of the auditor. The
terms of the engagement include consideration of what is to be done (the objective, scope, and report
of the audit), by whom (the staff) and for how much (the fee). The agreed terms would need to be
recorded in an audit engagement letter or other suitable form of contract. The engagement letter may
also include an agreement to provide other services such as tax returns. It should also state any
assistance to be provided by the client personnel in obtaining books and records, and schedules to be
prepared for the auditor. It will outline the auditor's responsibilities in relation to indictable offences
and money laundering. It also serves the purpose of informing the client that the auditor cannot
guarantee that all fraud will be detected.
ISA 300 necessitates that the overall audit strategy should be established at the beginning, and
updated and amended as required during the course of the audit. The auditor may need to revise his
Overall Audit Strategy and Overall Audit Plan (and thereby the planned nature, extent and timing of
further audit procedures) when unexpected events, changed conditions or the audit evidence
achieved from audit procedures lead to information that is significantly different from information
available to the auditor when he first planned his audit.
The purpose of the overall audit strategy is to develop an effective response to the risk of material
misstatement. The auditor considers what they found in preliminary planning activities such as
client acceptance, ethical position of the audit firm and their understanding of the entity and its
environment, including its internal control, to develop an effective and efficient overall audit
strategy that will appropriately respond to assessed risks. The overall audit strategy includes
consideration of planned audit responses to specific risks through the development of the audit plan.
The overall audit strategy also helps the auditor determine the resources required for the
engagement, including engagement staffing. Therefore, at a minimum the following matters should
be included in the overall audit strategy:
- Relevant characteristics of the audit engagement, such as the reporting framework used in
order to set the scope of the engagement.
- Key dates for reporting and other communications
- Setting of materiality
- Preliminary risk assessment and whether internal controls are to be tested
- Consideration of resources available and how they are to be used
Appropriate staff, knowledgeable about the client's industry, must be assigned to the engagement.
In order that they may effectively carry out their work, the assigned engagement staff should have the
following capabilities and competencies:
1. An understanding of, and practical experience with, audit engagements of similar nature and
complexity through appropriate training and participation.
2. Appropriate technical knowledge, including knowledge of relevant information technology.
3. Knowledge of relevant industry in which the client operates.
4. Ability to apply professional judgment.
5. An understanding of the firm's quality control policies and procedures.
6. An understanding of professional standards and regulatory and legal requirements.
For existing clients there may also be a need for continuity from year to year. In addition, ISA 300
states that "The auditor should plan the nature, timing, and extent of direction and supervision of
engagement team members and review of their work". In reviewing the work of engagement team
members, it should be ensured that:
1. The work has been performed in accordance with professional standards and regulatory and
legal requirements
2. The work performed supports the conclusions reached
3. The work performed is appropriately documented.
4. The evidence obtained is sufficient and appropriate to support the auditor's report.
5. The objectives of the engagement have been achieved.
6. Any need to revise the nature, timing and extent of audit work performed has been identified
7. Significant matters have been raised for further consultation
8. Appropriate consultations have taken place and the resulting conclusions have been
documented and implemented.
The engagement team will usually consist of a partner, manager, audit senior and junior.
ISA 310 requires a reasonable understanding of the client's business and industry. The nature of the
client's business and industry affects client business risk and the risk of material misstatement in the
financial statements. Auditors use the knowledge of these risks to determine the appropriate amount
of audit evidence to gather. Auditors have been exposed to problems resulting from the auditor's
failure to understand comprehensively the nature of transactions in client's industry. The auditor
must also have an understanding of the client's external environment, including economic
conditions, impact of competition, reporting obligations, legal and regulatory requirements. The
auditor should source this information by reading industry trade publications, and regulatory
requirements. The auditor should identify factors such as major sources of income, key customers
and suppliers, sources of finance, related parties and transactions with related parties requiring
disclosure that may be high-risk areas within the client. The auditor should make inquiries of
management and others within the entity in relation to the above. Visiting the client's premises is
also useful in this regard because it gives an opportunity to observe operations firsthand and to meet
key employees. Transactions with related parties are important to auditors because the International
Accounting Standards require that such transactions be disclosed in the financial statements if they
are material. As management are pivotal in establishing an entity's strategies and business processes,
the auditor should consider management's philosophy and operating style and its ability to identify
and respond to risks as this significantly affects the risk of material misstatement in the financial
statements. In this regard, the auditor should read the memorandum and articles of association, read
minutes of board of directors and shareholders, and inquire of management.
The auditor should understand the client's objectives related to reliability of financial reporting;
effectiveness and efficiency of operations; and compliance with laws and regulations. Auditors need
knowledge about operations to assess client business risk and inherent risk in the financial
statements.
The auditor should make inquiries of management; review prior year working papers; inspect legal
documents (such as share options and pension plans), minutes of meetings and significant contracts.
The auditor also needs to consider the client's performance measurement system. Inherent risk may be
increased if the client has set unreasonable objectives or if the performance measurement systems
encourage manipulation of amounts in the financial statements. The auditor should read financial
The auditor uses knowledge gained from the strategic understanding of the client's business and
industry to assess client business risk, the risk that the client will fail to achieve its objectives. It is
management's responsibility to identify the business risks facing the company and respond
accordingly to those risks. The auditor's main concern is the risk of material misstatement in the
financial statements due to client business risk. It is important to note that not all business risks will
turn into risks leading to material misstatement in the financial statements. ISA 315 stresses the
importance of all members of the audit team understanding the potential risk of misstatements in
each client's financial statements. In particular, the standard introduces the concept that the auditor is
required to obtain an understanding of business risks and significant risks to the extent that they are
relevant to the financial statements. ISA 315 requires the audit team to discuss risk factors as part of
the audit planning process.
Analytical procedures applied at the planning stage can assist the auditor in gaining an
understanding of the client's business and in assessing client business risk. ISA 520 states, "The
auditor should apply analytical procedures at the planning and overall review stages of the audit."
ISA 520 Analytical Procedures states that analytical procedures include the consideration of
comparisons of the entity's financial information with, for example:
- Comparable information for prior periods
- Anticipated results of the entity, such as budgets or forecasts, or expectations of the auditor,
such as an estimate for depreciation
- Similar industry information, such as comparison of the entity's ratio of sales to receivables
with industry averages or with other entities of comparable size in the same industry.
Application of analytical procedures may indicate aspects of the business of which the auditor was
unaware. In order to gain a better understanding of the client's business and industry, the auditor will
calculate typical ratios and compare the company ratios to those of the industry. Analytical
procedures identify significant deviation from predicted amounts, which show the auditor where to
increase procedures to obtain corroborative evidence. ISA 315 paragraph 10 contains additional
guidance on applying analytical procedures as risk assessment procedures.
Overall audit plan describes the expected scope and conduct of the audit:
Factors Affecting The Form And Content Of Overall Audit Plan
Size of the entity.
a) Knowledge Of Business
General economic factors and industry conditions
Important characteristics of the entity, its business
Performance and reporting requirements and changes therein
Level of competence of management
The expected assessment of inherent and control risk and identification of significant audit
areas.
The setting of materiality level.
The possibility of material misstatement
The identification of complex accounting areas
d) Nature, Timing and Extent Of Procedure
Possible change of emphasis of specific audit areas
The effect of information technology on the audit
The work of internal auditing and its effect on external auditing
f) Other Matters
Audit program ensures that the work is carried out in accordance with audit plan
These are written instructions, which lay down the procedures to be performed by the assistants in
order to implement the audit plan. It helps in controlling proper execution of the audit work. It may
also contain the following.
Plans should be revised during the course of audit. Audit planning is a continuous process because
of changes in conditions. Circumstances may cause us to alter the plan; therefore, it is important to
record the significant changes.
Audit Planning Memorandum
APM is documentary evidence that adequate planning is carried out. The audit-planning
memorandum should include intended audit approach, risks evaluation, materiality levels, timetable,
staffing requirement, and consideration of going concern basis and client’s use of computer systems.
From the above it is apparent that the audit plan and APM are the same thing.
An audit plan is necessary to ensure that the entire course of an audit process runs progressively and
systematically. It also confirms that a pre-determined audit procedure and coordination is followed
and in correct timing and direction. Although this plan is an important component of the audit, it is
not without its shortcomings.
An audit plan follows a standard approach and set patterns. This may stifle flexibility and
initiative, therefore dampening professional judgment of the parties involved. Rigidity also
makes the process too mechanistic undermining the audit staffs' abilities, creativity and
talents. This will consequently leave them with less freedom in performing their task and also
technically challenged.
A plan will make the audit process automated and will loosen the sense of responsibility for
the audit staff. It can potentially decrease initiative and inventiveness, with less application of
staff talents and abilities. They therefore do not reinforce the plan with any improvements,
which will lower its future effectiveness. The automation also leaves the staff performing
their task with normality, which can cause boredom.
Incompatibility
The strategies and procedures adopted from an audit plan may not be in accordance with a
client's standards. An auditor will likely need to prepare a new procedural plan that meets the
needs of the client; in some cases, this backtracking may cause the client to lose faith and/or
trust in the auditor. Staff may also feel manipulated since they will have to participate in the
preparation of the new plan, which can vary significantly from the standard audit.
Constant Update
An audit plan needs to change regularly -- usually each year -- to keep it current with the
changing economic environment and business structures. If this change is not done, the plan
may turn out to be too rigid in nature and its application in an audit process may be
ineffective and out-dated. This updating requires more time and resource devotion to the plan,
which would be better used in other productive activities.
Internal control is the process, effected by an entity's Board of Trustees, management, and other
personnel, designed to provide reasonable assurance regarding the achievement of objectives in the
following categories:
Internal Control Systems are basic management practices that usually involve two elements: a
policy establishing what should be done and procedures used to support the policy. Internal control
systems typically come from senior management's interpretation of the company's strategic
initiatives, laws and regulations, or industry standards and practices.
Types of Internal Controls:
1. Detective: Designed to detect errors or irregularities that may have occurred.
2. Corrective: Designed to correct errors or irregularities that have been detected.
3. Preventive: Designed to keep errors or irregularities from occurring in the first place.
Key Internal Control Activities
Segregation of Duties
Duties are divided, or segregated, among different people to reduce the risk of error or inappropriate
actions. For example, responsibilities for receiving cash or checks, preparing the deposit to the
Cashier's Office, and reconciling the deposit to the cashier's receipt and Balances should be
separated.
Structure
Organizational structure - lines of authority and responsibility - should be clearly defined so that
employees know where to go to report performance of duties, problems and questions related to
position and the organization as a whole. An organization chart is a good means of defining this
structure as long as it is kept up to date. Part of the structure is also the rules that employees must
abide by. Written policies and procedures provide guidance to employees in carrying out their
Transactions should be authorized and approved to help ensure the activity is consistent with
departmental or institutional goals and objectives. For example, a department may have a policy that
all purchase requisitions and invoice vouchers must be approved by the director. The important thing
is that the person who approves transactions must have the authority to do so and the necessary
knowledge to make informed decisions.
Security
inventories, cash, checks and other assets should be secured physically, and periodically counted and
compared with amounts shown on control records. For example, the periodic physical confirmation
of equipment by individual departments is a physical security control. Virus detection software
should be current and updated regularly to help protect integrity of systems. Hardware and access
controls (passwords) should be changed periodically and rigorously safeguarded to protect from
unauthorized access to database, computer systems, etc. Special physical and software controls (such
as encryption software) should be developed for systems containing sensitive and/or confidential
information.
Internal Control objectives are desired goals or conditions for a specific event cycle which, if
achieved, minimize the potential that waste, loss, unauthorized use or misappropriation will occur.
They are conditions which we want the system of internal control to satisfy. For a control objective
to be effective, compliance with it must be measurable and observable.
Internal Audit evaluates Mercer's system of internal control by assessing the ability of individual
process controls to achieve seven pre-defined control objectives. The control objectives include
authorization, completeness, accuracy, validity, physical safeguards and security, error handling and
segregation of duties.
A well designed process with appropriate internal controls should meet most, if not all of these
control objectives.
Major Components:
1. Control environment: Factors that set the tone of the organization, influencing the control
consciousness of its people. The seven factors are (ICHAMPBO):
o I - Integrity and ethical values,
o C - Commitment to competence,
o H - Human resource policies and practices,
o A - Assignment of authority and responsibility,
o M - Management's philosophy and operating style,
o B - Board of Directors' or Audit Committee participation, and
o O - Organizational structure.
2. Risk Assessment: Risks that may affect an entity's ability to properly record, process,
summarize and report financial data:
o Changes in the Operating Environment (e.g. Increased Competition)
o New Personnel
o New Information Systems
o Rapid Growth
o New Technology
o New Lines, Products, or Activities
o Corporate Restructuring
o Foreign Operations
o Accounting Pronouncements
3. Control Activities: Various policies and procedures that help ensure those necessary actions
are taken to address risks affecting achievement of entity's objectives (PIPS):
o P - Performance reviews (review of actual against budgets, forecasts)
o I - Information processing (checks for accuracy, completeness, authorization)
When we recommend improving controls within a department, we often hear three basic arguments
for not implementing our recommendations:
problem that needs to be resolved.
1. The problem of not having enough staff or other resources should be discussed with your
supervisor. In most cases, compensating controls can be implemented in situations where one
person has to do all of the business-related transactions for a department.
2. If implementing a recommended control seems too expensive, be sure to consider the full cost
of a fraud that could occur because of the missing control. In addition to any funds that may
be lost, consider the cost of time that would have been spent by the department during the
time of an investigation of the matter, and the cost of hiring a new employee. Fraud is always
expensive and the prevention of fraud is worth the cost.
3. Finally consider the issue of trust. Most employees are trustworthy and responsible, which is
an important factor in employee relations and departmental operations. However, it is also
the responsibility of administrators to remain objective. Experience shows that it is often the
most trusted employees who are involved in committing frauds.
Departments conducting research are good examples of areas where sound internal controls are
needed. Research departments that have grants and contracts with outside sponsors are at risk that
inappropriate charges will be posted to the project account, perhaps affecting current or future
funding. Each department not only has the responsibility to ensure that all of their transactions
have been processed properly, but also to ensure that other researchers are not "hiding" improper
transactions in the department's accounts.
Although an adequate internal control system should prevent errors, an effective system will help
detect errors when they occur within a reasonable time period. There are several tools available to
assist in the design of an internal control system. These methods highlight strengths and weaknesses
which may exist in the internal control system.
A checklist review process is one form of evaluating a system. Issues of separation of duties,
completeness of data, checks and balances, effect on operating efficiency, and possible
overrides should be addressed. Checklists can be directed to the general environment as well
as cycles within the operation. The checklist should state the objective to be achieved,
possible risks if it’s not achieved, and question if the controls achieve the objective. The
questions should relate to whether or not the controls are actually in use. If the questions are
answerable by "yes/no", then they need to be worded in such a way that "yes" is not
automatically the "correct" answer. An "incorrect" answer indicates a weakness and requires
additional questions or investigation.
Flowcharting is another means of designing and evaluating an internal control system.
Flowcharts can show the flow of document processing and/or the controls of a system.
Decision trees are similarly helpful in designing proper controls, but these tools are useful
only if they are updated as changes occur.
"Walk-throughs" and "transaction tracing" can be useful tools. A transaction is walked
through the system to determine if the procedure on paper can be accurately translated to
actuality.
BENEFITS AND LIMITATIONS OF INTERNAL CONTROL SYSTEMS
BENEFITS
Application of internal control provides the following benefits to the various parties:
1. Internal control helps to protect the assets of the business from misuse, theft, accident etc.
2. Internal control helps to implement management policies to attain corporate goals.
3. Internal control helps the auditor in his/her work detecting all the errors and frauds which are
committed in the books of accounts.
4. Internal control helps to increase the accuracy and reliability of financial statements and
books of accounts.
5. Internal control helps to regulate the work of staff through division of work among the
staff in a scientific manner which helps to make the daily work of staff effective.
6. Internal control helps the management to prepare and implement effective plans by
providing correct and factual information.
7. Internal control helps to put moral pressure on staff.
No matter how well internal controls are designed, they can only provide reasonable assurance that
objectives have been achieved. Some limitations are inherent in all internal control systems. These
include:
1. Judgment: The effectiveness of controls will be limited by decisions made with human
judgment under pressures to conduct business based on the information at hand.
2. Breakdowns: Even well designed internal controls can break down. Employees sometimes
misunderstand instructions or simply make mistakes. Errors may also result from new
technology and the complexity of computerized information systems.
3. Management Override: High level personnel may be able to override prescribed policies
and procedures for personal gain or advantage. This should not be confused with
management intervention, which represents management actions to depart from prescribed
policies and procedures for legitimate purposes.
4. Collusion: Control systems can be circumvented by employee collusion. Individuals acting
collectively can alter financial data or other management information in a manner that cannot
be identified by control systems.
Inherent limitations of any internal control system and examples of each include:
1. Human judgement
Faulty decision-making or human error may lead to breakdowns in internal control. For
example, in the design of computer processing controls.
2. Failure to understand or take action
There may be ineffective control because individuals may not understand the purpose of a
specific control. For example, the purpose of a payroll exception report.
GENERAL CONTROLS ON:
SALES
The tests of controls in the sales system will be based around:
• Selling (authorization)
• Goods outwards (custody)
• Accounting (recording)
Control objectives
One person is not responsible for taking orders, recording sales and receiving payment.
Recorded sales transactions represent goods shipped.
Goods and services are only supplied to customers with good credit ratings.
Goods and services are provided at authorised prices and on authorised terms.
Customers are encouraged to pay promptly.
Segregation of duties
Sales recorded only with approved sales order form and shipping documentation.
Accounting for numerical sequences of invoices.
Monthly customer statements sent out and customer queries and complaints handled
independently.
Authorisation of credit terms to customers (senior staff authorisation, references/credit checks
for new customers, regular review of credit limits)
Authorisation by senior staff required for changes in other customer data such as address etc.
Orders not accepted unless credit limits reviewed first.
Authorised price lists and specified terms of trade in place.
Tests of controls
- Review entity's procedures for granting credit to customers.
- Examine a sample of sales orders for evidence of proper credit approval by the appropriate
senior staff member.
- Examine application controls for credit limits.
- Authorised price lists and specified terms of trade in place.
- Review all new customer files to ensure satisfactory credit references have been obtained.
- Compare prices and terms on a sample of sales invoices to the authorised price list and terms
of trade.
- Examine application controls for authorised prices and terms.
Assertion: Completeness
Control objectives
Controls
Tests of controls
- Review and test entity's procedures for accounting for numerical sequences of invoices.
- Trace a sample of shipping documents to the sales invoices and ledger.
- Review a sample of reconciliations performed.
- Inspect the open-order file for unfilled orders.
Assertion: Accuracy
Control objectives
All sales and adjustments are correctly journalised, summarised and posted to the correct accounts.
Controls
Tests of controls
Assertion: Cut-off
Control objectives
Transactions have been recorded in the correct period.
Controls
All shipping documentation is forwarded to the invoicing section on a daily basis. Daily invoicing of
goods shipped.
Tests of controls
Assertion: Classification
Control objectives
Tests of controls
• Buying (authorisation)
• Goods inwards (custody)
• Accounting (recording)
Assertion: Occurrence and existence
Control objectives
Recorded purchases represent goods and services received.
Controls
- Authorisation procedures and policies in place for ordering goods and services.
- Segregation of duties.
- Purchase orders raised for each purchase and authorised by appropriate senior personnel.
- Approved purchase order for each receipt of goods.
- Staff receiving goods check them against the purchase order.
- Stores clerks sign for goods received.
- Purchase orders and GRNs are matched with the suppliers' invoices
Tests of controls
Assertion: Completeness
Control objectives
Controls
- Purchase orders and GRNs are matched with the suppliers' invoices
- Periodic accounting for prenumbered GRNs and purchase orders.
- Independent check of amount recorded in the purchase journal.
Tests of control
- Examine supporting documentation for a sample of invoices.
- Review entity's procedures for accounting for prenumbered documents.
- Examine application controls.
- Examine documentation for evidence of this check.
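The purchases completeness tests above (accounting for prenumbered documents, and matching purchase orders and GRNs with the suppliers' invoices) can be run over exported records. The sketch below is an added example, not part of the study text; the record layout, field names and sample documents are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    number: int
    quantity: int
    unit_price_cents: int  # integer cents avoid float rounding in comparisons


@dataclass(frozen=True)
class GoodsReceivedNote:
    number: int            # prenumbered GRN
    po_number: int
    quantity: int


@dataclass(frozen=True)
class SupplierInvoice:
    reference: str
    po_number: int
    grn_number: int
    quantity: int
    amount_cents: int


def sequence_gaps(numbers):
    """Account for a prenumbered series: return (missing, duplicated) numbers."""
    ordered = sorted(numbers)
    if not ordered:
        return [], []
    present = set(ordered)
    missing = [n for n in range(ordered[0], ordered[-1] + 1) if n not in present]
    duplicated = sorted({n for n in ordered if ordered.count(n) > 1})
    return missing, duplicated


def three_way_match(orders, grns, invoices):
    """Match each invoice to its purchase order and GRN; return exceptions by invoice."""
    po_by_number = {po.number: po for po in orders}
    grn_by_number = {grn.number: grn for grn in grns}
    exceptions = {}
    for inv in invoices:
        problems = []
        po = po_by_number.get(inv.po_number)
        grn = grn_by_number.get(inv.grn_number)
        if po is None:
            problems.append("no purchase order")
        if grn is None:
            problems.append("no goods received note")
        if po is not None and grn is not None:
            if grn.po_number != po.number:
                problems.append("GRN raised against a different order")
            if inv.quantity != grn.quantity:
                problems.append("invoiced quantity differs from quantity received")
            if inv.amount_cents != inv.quantity * po.unit_price_cents:
                problems.append("invoiced amount differs from ordered price")
        if problems:
            exceptions[inv.reference] = problems
    return exceptions


def unbilled_receipts(grns, invoices):
    """GRNs with no invoice: goods received whose liability may be unrecorded."""
    invoiced = {inv.grn_number for inv in invoices}
    return sorted(grn.number for grn in grns if grn.number not in invoiced)


# Constructed sample documents (not real data).
ORDERS = [
    PurchaseOrder(101, quantity=10, unit_price_cents=500),
    PurchaseOrder(102, quantity=5, unit_price_cents=1200),
    PurchaseOrder(103, quantity=20, unit_price_cents=250),
]
GRNS = [
    GoodsReceivedNote(5001, po_number=101, quantity=10),
    GoodsReceivedNote(5002, po_number=102, quantity=4),   # short delivery
    GoodsReceivedNote(5004, po_number=103, quantity=20),  # 5003 unaccounted for
]
INVOICES = [
    SupplierInvoice("INV-A1", 101, 5001, quantity=10, amount_cents=5000),
    SupplierInvoice("INV-B7", 102, 5002, quantity=5, amount_cents=6000),
    SupplierInvoice("INV-X9", 999, 5009, quantity=1, amount_cents=100),
]

if __name__ == "__main__":
    print("GRN sequence (missing, duplicated):",
          sequence_gaps([grn.number for grn in GRNS]))
    print("Three-way match exceptions:", three_way_match(ORDERS, GRNS, INVOICES))
    print("GRNs not yet invoiced:", unbilled_receipts(GRNS, INVOICES))
```

Each exception is a prompt for follow-up with supporting documentation, not a conclusion in itself: a missing GRN number may be a voided form, and an unbilled receipt may simply be awaiting the supplier's invoice.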
Assertion: Rights and obligations
Control objectives
Controls
Purchase orders and GRNs are matched with the suppliers' invoices.
Tests of control
Controls
- Purchase orders and GRNs are matched with the suppliers' invoices.
- Mathematical accuracy of the supplier's invoice is verified.
- Amount posted to general ledger is reconciled to the purchases ledger.
- Chart of accounts in place.
Tests of control
Assertion: Cut-off
Control objectives
Purchase transactions are recorded in the correct accounting period.
Controls
- All goods received reports forwarded to accounts payable department daily.
- Procedures in place that require recording of purchases as soon as possible after
goods/services received.
Tests of control
Inventory controls are designed to ensure safe custody. Such controls include restriction of access,
documentation and authorisation of movements, regular independent inventory counting and
reviews of inventory condition.
The inventory system can be very important in an audit because of the high value of inventory or the
complexity of its audit. It is closely connected with the sales and purchases systems covered in the
previous sections.
There are three possible approaches to the audit of inventory and the approach chosen depends on
the control system in place over inventory.
a) If the entity has a perpetual inventory system in place where inventory is counted
continuously throughout the year, and therefore a year-end count is not undertaken, a
controls-based approach can be taken if control risk has been assessed as low.
b) If an inventory count is to be undertaken near the year-end and adjusted by perpetual
inventory records for the year-end value, this approach also requires control risk to be
assessed as low.
c) If inventory quantities will be determined by an inventory count at the year-end date, a
substantive approach is taken and no reliance is placed on controls.
Most of the controls testing relating to inventory has been covered in the purchase and sales testing
outlined in sections 1 and 2. Auditors will primarily be concerned at this stage with ensuring that the
business keeps track of inventory. To confirm this, tests must be undertaken on how inventory
movements are recorded and how inventory is secured. Auditors will carry out extensive tests on the
valuation of inventory at the substantive testing stage.
Assertion: Occurrence and existence
Control objectives
Controls
Assertion: Completeness
Control objectives
- All purchases and sales of inventory have been recorded in the accounting system.
Controls
- Procedures in place to include inventory held at third parties and exclude inventory held on
consignment for third parties.
- Reconciliations of accounting records with physical inventory.
Tests of control
- Review entity's procedures relating to consignment inventory.
- Review reconciliations performed and whether reviewed by independent person.
Assertion: Rights and obligations
Control objectives
Controls
Procedures in place to include inventory held at third parties and exclude inventory held on
consignment for third parties.
Tests of control
Control objectives
Controls
Tests of control
- Discuss with inventory managers how this is done.
- Observe the procedure being performed.
Assertion: Cut-off
Control objectives
All purchases and sales of inventory are recorded in the correct accounting period.
Controls
- All dispatch documents processed daily to record the dispatch of finished goods.
- All goods inwards reports processed daily to record the receipt of inventory.
- Reconciliations of inventory records with general ledger.
Tests of control
- Inspect documentation to confirm daily processing.
- Review reconciliations performed.
Assertion: Presentation and disclosure assertions
Control objectives
Tests of control
Controls over cash receipts and payments should prevent fraud or theft.
The following table sets out the control objectives, controls and possible tests of controls over cash
payments.
Assertion: Occurrence
Control Objective
- Only valid cash payments are made.
Controls
- Segregation of duties
- Supplier statements independently reviewed and reconciled to trade payable records.
- Monthly bank reconciliations prepared and reviewed.
- Only authorised staff can make electronic cash payments and issue cheques
- Electronic cash payments and cheques prepared only after all source documents have been
independently approved.
Tests of control
Control objective
Control
- Segregation of duties
- Supplier statements independently reviewed and reconciled to trade payable records.
- Monthly bank reconciliations prepared and reviewed.
- Review of cash payments by manager before release.
- Daily cash payments reconciled to posting to payable accounts.
- Use of prenumbered cheques.
Test of control
- Inspect sample of listings for evidence of senior review.
- Review a sample of reconciliations for evidence that they have been done.
- Examine evidence of use of prenumbered cheques.
The following table sets out the control objectives, controls and possible tests of control over cash
Assertion: Accuracy, classification and valuation
Control objectives
Controls
- Reconciliation of daily payments report to electronic cash payment transfers and cheques
issued.
- Supplier statements reconciled to payable accounts regularly.
- Monthly bank reconciliations of bank statements to ledger account.
- Supplier statements reconciled to payable accounts regularly.
- Agreement of monthly cash payments journal to general ledger posting
- Payable accounts reconciled to general ledger control account.
- Review reconciliation.
- Review reconciliations for a sample of accounts.
- Review bank reconciliation for evidence it was done and independently reviewed.
- Review reconciliations for a sample of accounts.
- Review postings from journal to general ledger.
Assertion: Cut-off
Control objectives
Controls
Reconciliation of electronic funds transfers and cheques issued with postings to cash payments
journal and payable accounts
Tests of control
Assertion: Presentation and disclosure assertions
Control objectives
- Cash payments are charged to the correct accounts.
Controls
- Chart of accounts
- Independent approval and review of general ledger account assignment.
Tests of control
The following are control objectives, controls and possible tests of controls over cash receipts.
Assertion: Occurrence
Control objectives
- Segregation of duties
- Use of electronic cash receipts transfer not received or deposited
- Monthly bank reconciliations performed and independently reviewed.
- Use of cash registers or point-of-sale devices.
- Periodic inspections of cash sales procedures.
- Restrictive endorsement of cheques immediately on receipt.
- Mail opened by two staff members.
- Immediate preparation of cash book or list of mail receipts
- Independent check of agreement of cash/cheques to be deposited at bank with register totals
and receipts listing.
- Independent check of agreement of bank deposit slip with daily cash summary.
Test of control
procedures.
- Inquire of managers about results of inspections.
- Observe mail opening, including endorsement of cheques.
- Observe mail opening procedures.
- Observe preparation of cash receipts records.
- Review documentation for evidence of independent check.
Assertion: Completeness
Control objectives
Controls
- Segregation of duties
- Use of electronic cash receipts transfer not received or deposited.
- Monthly bank reconciliations performed and independently reviewed.
- Daily cash receipts listing reconciled with posting to customer accounts.
- Customer statements prepared and sent out on a regular basis.
Control objectives
- Cash receipts posted to correct receivables accounts and to the general ledger.
Control
- Daily remittance report
- Review reconciliations reconciled to control listing of remittance advices.
- Monthly bank statement performed and reviewed independently
- Daily remittance report reconciled daily with postings to cash receipts journal and customer
accounts.
- Monthly customer statements sent out.
- Monthly cash receipts journal agreed to general ledger posting
- Receivables ledger reconciled to control account.
Tests of controls
- Review reconciliations for evidence they were performed and independently reviewed.
- Review reconciliations.
Control objectives
Control
Tests of control
Control objective
Tests of control
- Trace cash receipts from listing to cash receipts journal for proper classification.
The term "error" refers to an unintentional misstatement in financial statements, including the
omission of an amount or a disclosure, such as:
a) a mistake in gathering or processing data from which financial statements are prepared;
b) an incorrect accounting estimate arising from oversight or misinterpretation of facts; and
c) a mistake in the application of accounting principles relating to measurement, recognition,
classification, presentation, or disclosure.
The term "fraud" refers to an intentional act by one or more individuals among
management, those charged with governance, employees, or third parties, involving the use of
deception to obtain an unjust or illegal advantage. Although fraud is a broad legal concept,
the auditors are concerned with fraudulent acts that cause a material misstatement in the
financial statements. Misstatement of the financial statements may not be the objective of
some frauds. Auditors do not make legal determinations of whether fraud has actually
occurred. Fraud involving one or more members of management or those charged with
governance is referred to as "management fraud"; fraud involving only employees of the
entity is referred to as "employee fraud". In either case, there may be collusion with third
parties outside the entity.
Two types of intentional misstatements are relevant to the auditors' consideration of fraud -
misstatements resulting from fraudulent financial reporting and misstatements resulting from
misappropriation of assets.
Fraud involves motivation to commit fraud and a perceived opportunity to do so. Individuals
might be motivated to misappropriate assets, for example, because the individuals are living
beyond their means. Fraudulent financial reporting may be committed because management
is under pressure, from sources outside or inside the entity, to achieve an expected (and
perhaps unrealistic) earnings target - particularly since the consequences to management of
failing to meet financial goals can be significant. A perceived opportunity for fraudulent
financial reporting or misappropriation of assets may exist when an individual believes
internal control could be circumvented, for example, because the individual is in a position of
trust or has knowledge of specific weaknesses in the internal control system.
The distinguishing factor between fraud and error is whether the underlying action that results
in the misstatement in the financial statements is intentional or unintentional. Unlike error,
fraud is intentional and usually involves deliberate concealment of the facts. While the
auditors may be able to identify potential opportunities for fraud to be perpetrated, it is
difficult, if not impossible, for the auditors to determine intent, particularly in matters
involving management judgement, such as accounting estimates and the appropriate
application of accounting principles.
The key distinguishing factor between fraud and error is whether the underlying action that results in
a misstatement of the financial statements is intentional or unintentional. The term ‘fraud’ is a broad
legal concept, but the auditor is concerned with fraud that causes a material misstatement in the
financial statements. ISA 240 defines fraud as: ‘An intentional act by one or more individuals
among management, those charged with governance, employees, or third parties, involving the use
of deception to obtain an unjust or illegal advantage.’ ISA 240
The similarity between fraud and errors is that both of them are mistakes, causing misleading
information and reflecting facts incorrectly.
Summary of differences
carelessness in working... causing mistakes.
Sophistication
Fraud: As fraud is intentional behavior, it is more sophisticated than errors. When making fraud,
people are often well-prepared and have careful calculation, thus it is more difficult to detect
fraud than errors.
Errors: As errors are non-intentional behavior, they are not as sophisticated as fraud and it is
easy to detect errors.
Essence
Fraud: Fraud is always considered as essential mistakes.
Errors: Depends on scale and essence of errors.
i. Errors of commission. These are errors that do not show in the trial balance because it still
balances. This is where the correct amount for a transaction is recorded but in the wrong
person’s account e.g. for debtors the correct class of accounts may be used but the wrong
personal entries entered.
ii. Errors of omissions. This is where transactions are completely omitted from books of
accounts.
iii. Errors of principle. This is where an item is entered in the wrong class of account e.g. a fixed
asset is debited to the expense account.
iv. Compensating errors. This is where errors cancel each other out. The errors occur usually on
opposite sides of the accounts i.e. on credit and debits sides with equal amounts and are
totally independent from each other.
v. Errors of original entry. These occur when the original figure is incorrect and the double entry
system is still observed.
vi. Complete reversal entries. These occur where the correct accounts are used but each item is
shown on the wrong side of the account e.g. crediting sales in debtors account and debiting sales
account.
TYPES OF FRAUD INCLUDE
• Manipulation, forgery, alteration or falsification of accounting records or supporting
documents from which financial statements are prepared
• Misappropriation of company assets e.g. using a company vehicle for private undertakings,
stealing physical assets and embezzling receipts.
• Misapplication of accounting policies e.g. classifying a capital expenditure as revenue
expenditure.
• Inappropriate adjusting of assumptions and changing of judgments used to estimate account
balances, e.g. the management may insist on providing a 5% provision for bad and doubtful
debts even where past debt collection history shows that the actual default rate is about 15%.
• Suppression or omission of effects of a transaction on accounting records e.g. placing
well-known bad debts as genuine debtors in the balance sheet thus misrepresenting the financial
position of the company.
Fraudulent financial reporting may be committed because management is under pressure from
outside or inside the entity to report unrealistic profit levels. A perceived opportunity for fraudulent
financial reporting or misappropriation of company assets may exist when an individual believes
The distinction between fraud and error is of little importance so far as audit procedures are
concerned. This is because the audit procedures used to detect errors are the same as those used to
detect fraud. The only difference may arise where the auditor may be required by law to disclose
certain illegal acts to the regulatory authority.
The primary responsibility for the detection and prevention of fraud and error rests with the
management of the company. This responsibility is fulfilled through the implementation and
continuous operation of an adequate system of internal controls. Such a system reduces but does not
eliminate the possibility of fraud and error. The auditor on his part seeks reasonable assurance that
fraud and error which may be material to the financial statements has not occurred or if it has
occurred, the effect is properly reflected in the financial statements. At this point, the auditor should
plan his work so that he has reasonable expectation of detecting material misstatements in the
financial information resulting from fraud and error. It is important to emphasise that the auditor
cannot be held responsible for failing to detect errors and frauds. However, he is expected to carry
out his work in a manner that he is in a position to detect material errors and frauds. Failure to detect
such material errors implies that the financial statements are materially misstated.
Expectations gap
This is the gap that exists between external auditors' understanding of their role and duty and the
expectations of various users of the financial statements and the general public regarding the process
and the outcome of the external audit, i.e. the expectation by users of financial statements that the
auditor should detect and prevent error and fraud as a duty, while actually it is not his duty but that
of the directors.
Most users of financial statements believe that the auditor has prepared the statements and should
therefore be in a position to explain the performance results of the company. Some other users of the
financial statements do not understand the audit opinion issue.
It has also been suggested that the role of the auditor should be broadened especially in areas of
fraud. ISA 240 (fraud and error) requires that the auditor should report to the users of the financial
statements if there are material misstatements as a result of fraud and any other irregularities.
There should be attempts to improve the knowledge and understanding of the auditor's role and
responsibility through public education.
In addition to weaknesses in the accounting and internal control system, events which also increase
risk of fraud and error are:
• Questions regarding the integrity and competence of management. Where management is not
honest and could misappropriate company assets, the risk of fraud and error increases.
• Unusual pressure within the company e.g. pressure on the organization to attain a certain level of
profitability. This could tempt the managers to manipulate the financial statements so as to
achieve the set profit level.
• Unusual transactions. Such could be carried out with the intention of manipulating the financial
performance of the company e.g. a very large purchase of stock at the year end to increase the
level of closing stock and subsequently increase profits.
If circumstances indicate possible existence of fraud and error, the auditor should consider the
potential effect on the financial statements. If the effect is material, the auditor should perform
additional procedures to dispel the suspicion. Where fraud or error is confirmed, the auditor should
satisfy himself that the effect of fraud or error is properly reflected in the financial statements or the
error corrected. The auditor should communicate his findings to management on a timely basis if:
• He believes fraud may exist even if the potential effect would be immaterial.
• Fraud or error is actually found to exist.
An audit is subject to the unavoidable risk that some material misstatements will not be detected,
even though the audit is properly planned and performed in accordance with ISAs. The risk of not
detecting misstatements resulting from fraud is higher than the risk of not detecting material
misstatements resulting from errors. This is because fraud involves acts designed to conceal it such
as forgery and deliberate failure to record transactions. Unless the audit reveals evidence to the
contrary, the auditor is entitled to accept representations from management as truthful and
documents as genuine. However, the auditor should plan and perform his work with professional
skepticism, recognizing that conditions or events may be found that indicate that fraud or error may
exist. Existence of a strong internal control system reduces the probability of misstatements in the
financial reporting occurring due to fraud or error but there is always a risk that the system may fail
to operate as designed.
The following procedures could be applied as general leads to where fraud or error may have
occurred.
• Comparison of the company’s current balance sheet with those of previous years.
• Calculation of profitability, leverage, activity and performance ratios for the current and
previous years.
• Using search inquiry to pose questions to management and accounting staff.
• Auditing in depth to establish the audit trail. This facilitates checking a transaction's recording
process from initial to final stage.
• Using surprise checks and visits.
• Comparing budgeted and actual results of the company and investigating any variances noted.
Errors and frauds in specific areas in business
This is the method by which the deficiencies of cash are concealed for some time.
When cash is received from some debtor, it is not recorded in the cash books and is misappropriated.
Later on, when cash is received from any other debtor, his account is not credited but the account of
the first debtor is credited and cash is debited. Again later on, when cash is received from a third
debtor, his account is not credited but that of the second debtor is credited and cash is debited.
This process goes on until the fraud is discovered. This method of fraud is known as short banking,
delayed accounting of money received, or lapping. This is the method by which past defalcations are
covered up by present receipts. If remittances are received by means of cheques, then the cheques
will have to be split up. This process is known as splitting cheques, because on encashing the
cheque a lesser amount is credited to the debtor and the rest is misappropriated.
We can detect such frauds with the help of auditors. The auditor should find out what is the internal
check system regarding cash. If there is any weak point, he must probe into the matter. The cashier
Implications
• Understated sales, wrong management accounts, loss of assets of the company and accounts
without true and fair view.
• Bad debts
• Misappropriation of cash, exposure to theft and loss of interest due to delayed banking.
• Unreliable records and disputes between the company and customers.
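The lapping and cheque-splitting scheme described above leaves daily banking totals in agreement with the ledger, so a detection test has to compare names, not totals. The following is an added example, not part of the study text: the data, names and function names are constructed, and it assumes the auditor has deposit-slip detail from the bank and payment dates confirmed directly by customers.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the study text). Amounts in whole shillings.
# Deposit-slip detail obtained from the bank: (banking date, payer on cheque, amount)
DEPOSITS = [
    (date(2016, 3, 8), "Debtor B", 1000),
    (date(2016, 3, 15), "Debtor C", 1000),
    (date(2016, 3, 15), "Debtor D", 1500),
]
# Receivables ledger credits as posted by the cashier: (posting date, account, amount)
POSTINGS = [
    (date(2016, 3, 8), "Debtor A", 1000),   # B's money covers A's unrecorded receipt
    (date(2016, 3, 15), "Debtor B", 1000),  # C's money covers B
    (date(2016, 3, 15), "Debtor D", 1200),  # D's cheque is split:
    (date(2016, 3, 15), "Debtor C", 300),   #   part of it is credited to C
]
# Payment dates confirmed directly by customers (debtors' circularisation)
CONFIRMED = [
    (date(2016, 3, 1), "Debtor A", 1000),
    (date(2016, 3, 8), "Debtor B", 1000),
    (date(2016, 3, 15), "Debtor C", 1000),
    (date(2016, 3, 15), "Debtor D", 1500),
]


def daily_totals_agree(deposits, postings):
    """The usual control total: amount banked per day equals amount posted per day."""
    totals = defaultdict(int)
    for day, _, amount in deposits:
        totals[day] += amount
    for day, _, amount in postings:
        totals[day] -= amount
    return all(v == 0 for v in totals.values())


def misapplied_receipts(deposits, postings):
    """Per day and per customer, compare what that customer banked with what was
    credited to that customer's account. Any difference is a lapping indicator."""
    banked, credited = defaultdict(int), defaultdict(int)
    for day, payer, amount in deposits:
        banked[(day, payer)] += amount
    for day, account, amount in postings:
        credited[(day, account)] += amount
    findings = []
    for key in sorted(set(banked) | set(credited)):
        if banked[key] != credited[key]:
            findings.append((key[0], key[1], banked[key], credited[key]))
    return findings


def credit_lags(confirmed, postings):
    """Days between a customer's confirmed payment and the ledger credit that
    clears it in full; None when the payment is still not fully credited."""
    credits = defaultdict(list)
    for day, account, amount in sorted(postings):
        credits[account].append([day, amount])
    lags = {}
    for paid_on, customer, amount in sorted(confirmed):
        remaining, last_day = amount, None
        queue = credits[customer]
        while remaining > 0 and queue:
            used = min(queue[0][1], remaining)
            remaining -= used
            queue[0][1] -= used
            last_day = queue[0][0]
            if queue[0][1] == 0:
                queue.pop(0)
        lags[(customer, paid_on)] = (last_day - paid_on).days if remaining == 0 else None
    return lags


if __name__ == "__main__":
    print("daily totals agree:", daily_totals_agree(DEPOSITS, POSTINGS))
    for row in misapplied_receipts(DEPOSITS, POSTINGS):
        print("banked vs credited differs:", row)
    for key, lag in credit_lags(CONFIRMED, POSTINGS).items():
        print(key, "lag in days:", lag)
```

Recurring lags of the same length across different customers, together with name mismatches on days where totals agree, are the pattern to follow up with the internal check system over cash.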
(b) Purchases and Creditor.
Potential errors
• Liabilities being set up for goods not received or not authorized
• Liabilities being incurred but not recorded.
• Making payments without proper documents and authorization.
• Misallocation of funds to the wrong general ledger accounts
• Goods being returned without being recorded.
Implications
• Loss of company resources because of paying for goods never received
• Understatement of liabilities hence disputes with suppliers.
• Paying for services and goods not received
• Overstatement of expenses and creditors.
• Misstatement of various expense accounts hence unreliable records.
• Overstatement of purchases
Potential errors
• Dummy workers in the payroll or fraudulent double payment of workers, payment for work
not done and unclaimed wages being misappropriated.
• Occurrence of payroll errors.
• Improper deductions being made or being misappropriated
• Inflation of the payroll in other ways.
Implications
• Overvaluation of stocks because using wrong labour costs.
• Overstatement of stocks
• Misstatement of various expense accounts
• Unreliable records.
How an internal control system helps prevent and detect fraud and error
• Supervision. This serves to prevent fraud or error by boosting the awareness of senior
employees who will refrain from committing fraud and error by virtue of constant review of
operations.
• Physical controls. These limit access to the assets of the company thus preventing them from
damage, misuse or theft.
• Segregation of duties. This boosts automatic checks, accountability and supervision at all
stages of processing transactions, minimizing chances of error and fraud.
• Arithmetic and accounting controls. Proper recording of transactions according to the
principles of ISAs will prevent errors and frauds such as manipulation of accounts.
• Personnel. Engaging qualified, competent and efficient personnel will reduce chances of
errors. The company’s staff should be motivated and properly remunerated to prevent
temptations of fraud.
• Routine and automatic checks. These minimize fraud by boosting awareness that work will be
continuously checked, accountability will be increased and importance of being honest will
be emphasized.
AUDIT EVIDENCE
Audit evidence refers to the information obtained by the auditor in arriving at the conclusions on
which audit opinion on the financial statements is based. Audit evidence comprises of source
documents and accounting records underlying the financial statements. The accounting records
generally include:
Other information the auditor can use as audit evidence are:
Minutes of meetings
Confirmations from third parties
Analysis reports
Comparable data about competitors.
Control manuals.
Information obtained by auditor from audit procedures such as observation and enquiries.
The sources and amount of evidence needed to achieve the required level of assurance are determined
by the auditor’s judgment. The auditor’s judgment will be influenced by the materiality of the item
being examined, the relevance and reliability of evidence available from each source and the cost
involved in obtaining it. Audit evidence is obtained through an appropriate mix of tests of controls
and substantive procedures. Where the internal control system is considered weak, evidence may be
obtained entirely from substantive procedures.
Substantive tests are procedures carried out to test the accuracy and validity of accounting records.
They are of two types i.e. analytical review procedure and test of detail.
The evidence must be both competent and sufficient. Competence means that the evidence must be
believable or worthy of trust. The seven characteristics of competent evidence include:
Sufficiency of evidence refers to the quantity of evidence. In part, sufficiency relates to the sample
size that the auditor selects, but the individual items selected for the sample may have a bearing as
well.
TYPES OF AUDIT EVIDENCE
In deciding which procedures to use, the auditor may choose from seven different types of evidence:
1. Physical examination
This is the inspection or count by the auditor of a tangible asset.
Most often associated with inventory and cash, but it is also applicable to the verification of
securities, notes receivable and tangible fixed assets.
2. Confirmation
This is the receipt of a direct written response from a third party verifying the accuracy of
information that was requested by the auditor.
The request is made to the client, and the client asks the third party to respond directly to the
auditor.
3. Documentation
This is the auditor's inspection of the client's documents and records to substantiate the
information that is, or should be, included in the F/S.
4. Analytical procedures
Uses comparisons and relationships to assess whether account balances or other data appear
reasonable compared to the auditor's expectations.
An auditor may compare the gross margin in the current year with the preceding years.
This is the obtaining of written or oral information from the client in response to questions from
the auditor.
This type of evidence is usually not conclusive because it is not from an independent source.
The auditor must obtain additional evidence through other procedures.
6. Recalculation
It involves rechecking a sample of calculations made by the client.
Rechecking client calculations consists of testing the client's arithmetical accuracy and
includes such procedures as extending sales invoices and inventory, adding journals and
subsidiary records, and checking the calculation of the depreciation expense and prepaid
expenses.
7. Reperformance
This is the auditor's independent tests of client accounting procedures or controls that were
originally done as part of the entity's accounting and internal control system.
8. Observation
Is the use of the senses to assess client activities. Observation is rarely sufficient by itself
because of the risk of client personnel changing their behavior because of the auditor's presence.
The auditor may rely on sufficient appropriate evidence obtained by substantive testing to form his
opinion. Alternatively he may be able to obtain assurance from the presence of a reliable internal
control system and therefore reduce the extent of substantive testing. The auditor obtains evidence in
performing compliance and substantive procedures using the following methods.
a) Inspection.
This consists of examining records, documents or tangible assets. The reliability of the evidence
obtained from inspection depends on nature, source and effectiveness of the internal control system.
Inspection of tangible assets provides evidence with the respect to the existence but not to their
value and ownership.
b) Observation
This involves looking at procedures being performed by others e.g. stock counting by client
personnel.
Inquiry consists of seeking information from knowledgeable persons inside and outside the
company. It ranges from formal written inquiries addressed to third parties to oral inquiries
addressed to persons within the entity. The information may be new to the auditor or may
corroborate evidence from other sources. Confirmation is the response to an inquiry to corroborate
information contained in financial statements e.g. debtors circularization.
This involves checking the arithmetic accuracy of source documents and accounting records or
performing independent computations e.g. re-computing amount of provision for depreciation and
comparing this against that computed by client.
e) Analytical procedures.
This is the analysis of relationships such as between items of financial data to identify consistency
and predicted patterns or significant fluctuations, unexpected relationships and results of
investigations thereof.
Analytical procedures
To determine the amount of difference from expectation that can be accepted without
investigation
Comparison of company’s account balances or ratios with the expected.
Investigate and evaluate significant ratio differences from the expectation
1. Developing an expectation.
A variety of types of information are available to the auditor to develop an expectation for analytical
procedures including;
a) Trend analysis. This includes review of changes in an account balance over time e.g. review
of the client's sales for the past six years may reveal a growth rate of 5%. This information could
assist the auditor in developing an expectation of sales for the current year.
b) Ratio analysis. This involves comparison of relationships between two or more financial
statement account balances or comparisons of an account balance to non financial data e.g.
revenue per sale order. The typical financial ratios are liquidity, profitability, leverage and
activity ratios.
Because ratio analysis involves examination of relationships between two or more variables and may
involve industrial data, it is often a richer analysis than trend analysis. There are two basic
approaches to ratio analysis;
Horizontal analysis. This involves review of client’s ratios and trends over time
Cross sectional analysis. This involves comparisons of ratios of similar firms at a given point
in time.
2. The amount of acceptable difference.
The amount of difference between the expectation and the financial statements balance
that can be accepted without investigation is determined primarily by the amount that is considered
to be a material misstatement. However, this amount must be consistent with the degree of assurance
from the procedure. When trend or ratio analysis is used, the auditor typically uses professional
judgment to specify an absolute amount of difference or percentage difference that will result in
investigation.
3. Comparison of the account balance or ratio with the expected balance or ratio.
Once the auditor has determined the expectation and amount of acceptable difference, he makes the
actual comparison to determine where significant difference lies.
The auditor must investigate any significant differences between his expectation and the client’s
financial statements balance or ratio to determine whether they represent misstatements. This involves
reconsidering the methods and factors used in developing the expectation. Inquiry to management
can be useful in this regard. Management explanations however must ordinarily be supported with
other audit evidence. If the explanations do not tally with other audit evidence, the auditor will
often be required to expand his tests of related financial amounts to determine whether or not they
are materially misstated.
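The procedure above (develop an expectation, set the acceptable difference, compare, then investigate) can be carried through on figures as follows. This is an added worked example, not part of the study text: the balances, limits and function names are constructed, the trend expectation uses average year-on-year growth, and the ratio check is a horizontal analysis of gross margin.

```python
from statistics import mean


def trend_expectation(history):
    """Step 1 (trend analysis): expected current-year balance, obtained by applying
    the average year-on-year growth of the prior years to the latest prior year."""
    if len(history) < 2 or any(v <= 0 for v in history[:-1]):
        raise ValueError("need at least two prior years with positive balances")
    growth = [later / earlier - 1 for earlier, later in zip(history, history[1:])]
    return history[-1] * (1 + mean(growth))


def needs_investigation(expected, recorded, abs_limit=None, pct_limit=None):
    """Steps 2 and 3: the difference is significant when it exceeds the absolute
    amount or the percentage the auditor has set by professional judgment."""
    diff = abs(recorded - expected)
    over_abs = abs_limit is not None and diff > abs_limit
    over_pct = pct_limit is not None and expected != 0 and diff / abs(expected) > pct_limit
    return over_abs or over_pct


def review_balances(accounts, abs_limit, pct_limit):
    """Run steps 1 to 3 over every account and list what goes forward to step 4."""
    findings = []
    for name, (history, recorded) in accounts.items():
        expected = trend_expectation(history)
        findings.append({
            "account": name,
            "expected": round(expected, 2),
            "recorded": recorded,
            "difference": round(recorded - expected, 2),
            "investigate": needs_investigation(expected, recorded, abs_limit, pct_limit),
        })
    return findings


def review_gross_margin(prior_margins, sales, cost_of_sales, points_limit):
    """Ratio analysis (horizontal): compare this year's gross margin with the
    average of the client's own prior-year margins."""
    expected = mean(prior_margins)
    actual = (sales - cost_of_sales) / sales
    flagged = needs_investigation(expected, actual, abs_limit=points_limit)
    return round(expected, 4), round(actual, 4), flagged


# Constructed figures: prior-year balances (oldest first) and the recorded
# current-year balance. Both accounts grew 5% a year in the prior years.
ACCOUNTS = {
    "Sales": ([800_000, 840_000, 882_000], 1_050_000),
    "Wages": ([200_000, 210_000, 220_500], 232_000),
}

if __name__ == "__main__":
    # Limits are judgment calls; 50,000 and 5% are assumed here for illustration.
    for row in review_balances(ACCOUNTS, abs_limit=50_000, pct_limit=0.05):
        print(row)
    print(review_gross_margin([0.30, 0.31, 0.29], 1_050_000, 630_000, points_limit=0.02))
```

A flagged item is only a lead: step 4 still requires management's explanation to be supported by other audit evidence before the difference is accepted.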
ISAs require the application of analytical procedures at the planning and overall review stages of the
audit. The auditor may also decide to use them during the audit on substantive tests to provide
evidence as to the reasonableness of specific account balances. Analytical procedures performed in
planning the audit are used to determine the nature, timing and extent of audit procedures that will
be used to obtain evidence about specific accounts. They are also used in understanding the client’s
business at the planning stage.
Analytical procedures must be used as part of the overall review stage of an audit to assist the
auditor in assessing the adequacy of the evidence gathered and the validity of conclusions reached.
At the final review stage of an audit, the analytical procedures generally include reviewing the
financial statements and re-computing ratios if necessary to identify any unusual or unexpected
balances that have not been previously identified and explained.
While the auditors are not required to use analytical procedures as substantive tests, they are usually
the most efficient tests of certain assertions, e.g. performing analytical procedures is the most
efficient way to evaluate competence of various revenue and expense accounts.
Auditors must consider the cost and likely effectiveness of analytical procedures in determining how
much they may be used for a particular audit. A primary measure of the effectiveness of analytical
procedures is their precision. Precision depends on a number of factors including the predictability of
the relationship, the techniques used to develop the expectation and the reliability of the underlying
data used. Monthly data is more precise than yearly data.
a) Oral representations.
Throughout an audit the auditors ask many questions of the officials and employees of the client
company. Oral inquiries are made on an endless range of topics from the location of records and
documents, reasons for unusual account procedures and probability of collecting overdue accounts
receivable. In making inquiries, the auditor should consider the knowledge, objectivity, experience,
responsibility and qualifications of individuals being questioned and use carefully structured
questions to address relevant issues. Client replies should be carefully evaluated as appropriate and
followed up with additional questions.
Generally, oral client representations are not sufficient themselves but they may be useful in
disclosing situations that require investigation or in corroborating other forms of evidence e.g. after
making careful analysis of all accounts receivable, the auditor normally discusses with the credit
manager, the prospects of collecting specific accounts.
b) Written representations.
The auditor must also obtain written representations from the client in accordance with the provisions
of ISA 580. At the conclusion of the audit, the auditor obtains from the client a written representation
letter. This letter summarizes the most important oral representations made by management during
the audit. Many specific items are included in this representation letter, e.g. management represents
that all liabilities known to exist are reflected in the financial statements. The representations
generally fall into the following broad categories:
• All accounting records, financial data and minutes of directors’ meetings have been made
available to the auditor.
• The financial statements are complete and were prepared in conformity with generally
accepted accounting principles.
• Management believes that adjusting entries brought to its attention by the auditor and not
recorded are not material individually or collectively.
• All items requiring disclosure, such as contingencies, illegal acts and related party
transactions, have been properly disclosed.
ISA 580 requires the auditor to obtain a representation letter on every engagement and provides
suggestions as to its form and content, and guidance on how it is to be used as audit evidence and on
the actions to be taken if the client refuses to provide representations. These letters are dated as of
the date of the auditor’s report, ordinarily the last day of field work, and are usually signed by both
the client’s chief executive officer and the chief accountant. A client representation letter should
never be used as a substitute for performing other audit procedures. The financial statements already
constitute written representations by the client, hence the representation letter does little more than
assert that the original representations were correct.
• To remind the client’s directors of their primary responsibilities for the financial statements.
• Documents in the audit working papers, client responses to the significant questions asked by
the auditor during the engagement.
• At times a representation letter may be the only evidence available in respect to management
future intentions e.g. whether a maturing debt is classified as a current or long term liability
will depend on whether management has both the ability and intent to refinance the debt.
Management may be unwilling to sign letters of representation or pass minutes required by the
auditor. If management declines, the auditor should inform management that he will himself
prepare a statement in writing setting out his understanding of any representations that have
been made during the course of the audit and send this statement to management with a request for
confirmation that the auditor’s understanding of the representations is correct.
If management disagrees with the auditor’s statement of representations, discussions should be held
to clarify the matters in doubt and if necessary a revised statement prepared and agreed. Should
management fail to reply, the auditor should follow up the matter to ensure the position as set out in
his statement is correct.
In rare circumstances, the auditor may be completely unable to obtain the written representations which
he requires, e.g. because of the refusal by management to cooperate or because management declines
to give proper representations required on the ground of its own uncertainty regarding that particular
issue. In such circumstances, the auditor may have to conclude that he has not received all the
information and explanations required and consequently may need to consider qualifying his audit
report on the ground of a limitation in the scope of the audit.
The objective of the auditor, when using audit sampling, is to provide a reasonable basis for the
auditor to draw conclusions about the population from which the sample is selected.
Definitions
For purposes of the ISAs, the following terms have the meanings attributed below:
a) Audit sampling (sampling) – The application of audit procedures to less than 100% of items
within a population of audit relevance such that all sampling units have a chance of selection in
order to provide the auditor with a reasonable basis on which to draw conclusions about the
entire population.
b) Population – The entire set of data from which a sample is selected and about which the
auditor wishes to draw conclusions.
c) Sampling risk – The risk that the auditor’s conclusion based on a sample may be different
from the conclusion if the entire population were subjected to the same audit procedure.
Sampling risk can lead to two types of erroneous conclusions:
i. In the case of a test of controls, that controls are more effective than they actually are, or
in the case of a test of details, that a material misstatement does not exist when in fact it
does. The auditor is primarily concerned with this type of erroneous conclusion because
it affects audit effectiveness and is more likely to lead to an inappropriate audit opinion.
ii. In the case of a test of controls, that controls are less effective than they actually are, or in
the case of a test of details, that a material misstatement exists when in fact it does not.
This type of erroneous conclusion affects audit efficiency as it would usually lead to
additional work to establish that initial conclusions were incorrect.
d) Non-sampling risk – The risk that the auditor reaches an erroneous conclusion for any reason
not related to sampling risk.
A sampling approach that does not have characteristics (i) and (ii) is considered non-statistical
sampling
h) Stratification – The process of dividing a population into sub-populations, each of which is a
group of sampling units which have similar characteristics (often monetary value).
i) Tolerable misstatement – A monetary amount set by the auditor in respect of which the
auditor seeks to obtain an appropriate level of assurance that the monetary amount set by the
auditor is not exceeded by the actual misstatement in the population.
j) Tolerable rate of deviation – A rate of deviation from prescribed internal control procedures
set by the auditor in respect of which the auditor seeks to obtain an appropriate level of
assurance that the rate of deviation set by the auditor is not exceeded by the actual rate of
deviation in the population.
i. A complete check of all transactions and balances of a business is no longer possible owing to
the large number of transactions.
ii. Time factor. Examining all the transactions will take a lot of time. The cost of doing this will
be prohibitive because audit fees are largely based on the amount of time spent on the assignment.
Also a complete check will take so long that the accounts will be ancient history before users
see them.
iii. The objective of an audit is to express an opinion as to whether the financial statements show
a true and fair view. It is possible for the auditor to obtain the assurance without examining
all transactions. The use of sampling with properly set out objectives and properly
constructed tests allows more valid conclusions to be reached than when as many transactions as
possible are tested. This is because detailed testing is done on a sample.
iv. A complete check would bore the audit staff so much that their work would become
ineffective and errors would remain unidentified.
i. When the population is small, statistical sampling will create an unacceptable margin of error. If
the population is not sufficiently large, then statistical methods are invalid. Transactions or
balances that are small in number but material in relation to the financial statements, e.g.
directors’ fees and any transactions involving large capital expenditure, should never be
sampled.
ii. Any situation where the auditor is put on high alert as a result of earlier tests, or where
information is received indicating material fraud in certain accounting areas.
iii. For statutory disclosure items such as directors’ salaries, a full audit check is desirable
because materiality considerations do not apply in this case.
When planning how to carry out sampling, the auditor considers the following:
i. Objectives of tests and combinations of audit procedures which are likely to achieve the
objectives e.g. objective to verify compliance of the debtors balances.
ii. The population and sampling units should be appropriate to the objectives of sampling, e.g. if
the auditor’s objective is to test overstatement of debtors, an appropriate population would be a
list of total debtors.
iii. Definition of errors in substantive testing and deviations in compliance testing. Before
performing testing on a chosen sample, the auditor should define clearly the test results and
conditions that will be considered errors or deviations by reference to the audit objective. For
substantive testing, the auditor should project errors found in the sample to the population and
consider the effect of projected errors on a particular test objective.
b) Determination of sample size.
The auditor needs to determine the appropriate size of the sample on which audit procedures will be
applied. Sample size is determined by;
i. The tolerable error. The larger the tolerable error, the smaller the sample size required for
a given test.
ii. Auditor’s assessment of the inherent risk. The higher the assessment of inherent risk, the
larger the sample size required. Higher inherent risk implies that there is a greater risk
of an account balance being misstated and this may be reduced by testing a larger sample.
iii. Auditor’s assessment of control risk. A higher control risk implies that little reliance can
be placed on effectiveness of operations of internal controls and the sample size needs to
be increased.
iv. Auditor’s required confidence level. The greater the degree of confidence level the auditor
requires, the larger the sample size needs to be so that the results of the sample are in fact
representative of the actual amount of error in the population.
The sample selected should be truly representative of the population so that the auditor can draw
conclusions about the entire population. All sampling units should have an equal chance of being
selected. Common sampling methods are:
i. Random sampling. This is done by use of random number tables or use of computers to select
sampling units.
ii. Systematic selection. In this type of sampling, the number of units in the population is divided
by the sample size to give the sampling interval, e.g. if the population to be sampled has 600
items and the sample size is 50, the sampling interval will be 12. One of the first 12 items will
be selected as the starting point and thereafter every twelfth item will be selected, i.e. if the
first item selected is the third item, then the 15th, 27th, 39th items and so on will be picked.
However, the auditor needs to determine that sampling units within the population are not
structured in such a way that the sampling interval corresponds to a particular pattern in the
population.
iii. Haphazard selection. The auditor selects a sample without following structured techniques.
The auditor should avoid conscious bias and predictability in selecting items in an attempt to
ensure that all items in the population have a chance of being selected. This technique is not
suitable for statistical sampling.
iv. Block selection. This involves selecting a group of contiguous items within the population,
e.g. all sales transactions for August. Block sampling cannot ordinarily be used in audit
sampling because most populations are structured such that items in a sequence can be
expected to have similar characteristics, therefore the sample selected may not be
representative of the population.
d) Testing.
After selecting the sample items the auditor should carry out the predetermined test on each item.
i. The auditor should estimate the expected error or deviation rate in the whole population
by projecting the results of the sample to the population. This is then compared with the tolerable
error.
ii. The auditor should assess the risk of an incorrect conclusion. In general, expected error is
rarely a precise measure of the actual error in the population. Actual error may be greater or smaller
a) Judgmental sampling
This is also called non-statistical sampling. It involves using experience and knowledge of the client’s
business and circumstances to select and test a sample without using any mathematical or
statistical tools. The auditor does not rely on probability theory and uses judgment in making
sampling decisions.
on constructing sample and computing mathematical implications of results obtained is spent
on auditing sample units.
Disadvantages of judgmental sampling
i. Unscientific. The approach does not form a strong basis of defense. It is difficult to justify
why the auditor selected some items and left out others.
ii. Wasteful as large samples need to be selected. This is because in an effort to reduce the
sampling risk, the auditor attempts to select as many items as possible as opposed to
statistical sampling where sample size is determined using probability theory.
iii. Samples may not be representative of the population and thus results cannot be projected
to the population.
iv. There is danger of personal bias in selecting samples.
b) Statistical sampling.
i. It is scientific and defensible. The auditor can justify the items selected because these are
selected randomly.
ii. Elimination of personal bias. The sample selected is unbiased which increases reliability
of audit evidence.
iii. Small samples are selected which improve the efficiency of the exercise. This is because
probability theory helps determine a precise sample size.
populations and therefore cannot be applied for small populations.
v. It is expensive because extensive staff training is required and the use of information
technology.
Factors considered before adopting statistical sampling
i. The number of clients to whom the technique is appropriate. This is because the set up and
training costs are high.
ii. Whether a large population exists. Statistics is the science of large numbers. Where
organizations are small with few transactions, a statistical approach is inappropriate.
iii. Adequate controls must exist. Where there are no controls it is impossible to use statistical
techniques because of increased statistical errors.
iv. The population being tested must be homogenous.
v. Sampling units must be separately identifiable and therefore sequential numbering is
essential.
vi. The expectation of the error must be low i.e. the internal control system of organization
must be reliable.
vii. The risk factors. The level of risk allowable and the degree of risk attached to an item
being tested must be considered.
Sampling methods
This method seeks to estimate the total value of some population e.g. total value of debtors, stock
or loose tools. The procedure is to extrapolate, i.e. to estimate or form an opinion using the facts
that are valid for one situation (the sample), supposing that they will be valid in the new situation.
This estimate can be compared with the book value and if any difference is within the
pre-established materiality limits, the auditor has evidence for the book value of the item.
2. Estimation sampling for attributes
This method seeks to estimate the proportion of a population having a particular characteristic e.g.
overdue debts or damaged inventory.
3. Acceptance sampling
This method seeks to discover the error rate in a population to determine a maximum error rate.
Its uses include;
i. Whether a control can be relied upon. If non compliance is greater than the acceptable
rate, the control will not be relied upon and other audit tests will have to be applied.
ii. Used to test whether stock calculation can be relied upon. If the error rate is greater than
some acceptable proportion, the auditor will have to request the client to redo the
calculations.
This method extends acceptance sampling to an acceptance level of zero. E.g. a system with controls
exists in an investment trust company to ensure that all bonus issues are recorded. Even if one bonus
has not been recorded, the auditor will be unable to accept the controls and will have to seek other
evidence. This method requires a large sample. A form of discovery sampling is monetary unit
sampling.
Monetary unit sampling is appropriate for use with large variance populations e.g. debtors or stock
where individual units have widely different sizes or values. This method is suited to a population
where errors are not expected and it implicitly takes into account the auditor’s concept of
materiality.
i. Determine the sample size taking into account the size of the population and the minimum
acceptable error rate.
ii. List the items of the population, e.g. a list of debtors could be as follows:
Debtor       Amount (Sh)   Cumulative amount
TMK & Co.    500           500
:            :
                           240,000
Total        240,000
iii. Assume that the total number of debtors is 1500. If the sample size chosen is 100 items, then
a random start of say Shs 1000 can be chosen and every Shs 2100th item thereafter, i.e.
using systematic sampling with a random start. The idea is that the population of debtors is
i. Does not cope easily with errors of understatement. A debtor’s balance which is
understated will have a smaller chance of being selected than if it was correctly valued,
hence there is a reduced chance of selecting that balance and discovering the error.
ii. It can be difficult to select samples where a computer cannot be used, e.g. where the
accounting system of an organization is manual. Manual selection will involve adding
items cumulatively through the entire population, which is very tiring.
iii. It is not possible to extend a sample if the error rate turns out to be higher than the
expected error. In such cases an entirely new sample must be selected and evaluated.
iv. Monetary unit sampling is useful especially in testing for overstatements where significant
understatements are not expected, i.e. when dealing with debtors, fixed assets and stock. It
is clearly not suitable for testing creditors, where understatement is the primary
characteristic to be tested.
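The systematic selection and monetary unit sampling procedures described above, worked through as an added example that is not part of the original study text. The function names are hypothetical, the balances other than the first are constructed, and the sampling interval is assumed to be the population total divided by the sample size, rounded down.

```python
"""Systematic selection and monetary unit sampling (MUS) on a constructed debtors ledger."""
import random
from bisect import bisect_left
from itertools import accumulate

# Constructed sample data (Sh). Only the first balance echoes the table in the text.
LEDGER = [
    ("TMK & Co.", 500),
    ("Debtor B", 12_000),
    ("Debtor C", 300),
    ("Debtor D", 4_200),
    ("Debtor E", 7_000),
]


def systematic_selection(population_size, sample_size, start=None, rng=random):
    """Return the 1-based positions picked: a start in the first interval, then every interval-th unit."""
    if sample_size < 1 or sample_size > population_size:
        raise ValueError("sample size must be between 1 and the population size")
    interval = population_size // sample_size
    if start is None:
        start = rng.randint(1, interval)  # random start inside the first interval
    if not 1 <= start <= interval:
        raise ValueError("start must fall within the first sampling interval")
    return [start + k * interval for k in range(sample_size)]


def monetary_unit_sample(ledger, sample_size, start=None, rng=random):
    """Select balances by picking every interval-th shilling of the cumulative total.

    Returns (interval, names). A balance at least as large as the interval is
    always hit; a balance hit more than once is listed once.
    """
    values = [value for _, value in ledger]
    if any(not isinstance(v, int) or v <= 0 for v in values):
        raise ValueError("MUS needs positive whole-shilling book values")
    cumulative = list(accumulate(values))
    total = cumulative[-1]
    # The sampling units are individual shillings, so this is systematic
    # selection applied to the monetary total rather than to the item count.
    units = systematic_selection(total, sample_size, start, rng)
    names = []
    for unit in units:
        # First balance whose cumulative amount reaches the selected shilling.
        name = ledger[bisect_left(cumulative, unit)][0]
        if name not in names:
            names.append(name)
    return total // sample_size, names


def selection_chance(ledger, name, sample_size):
    """Exact chance that `name` is selected, found by trying every possible random start."""
    interval = sum(value for _, value in ledger) // sample_size
    hits = sum(
        name in monetary_unit_sample(ledger, sample_size, start)[1]
        for start in range(1, interval + 1)
    )
    return hits / interval


def restate(ledger, name, value):
    """Copy of the ledger with one balance recorded at a different book value."""
    return [(n, value if n == name else v) for n, v in ledger]


if __name__ == "__main__":
    # Item-based systematic selection: 600 items, sample of 50, start at item 3.
    print(systematic_selection(600, 50, start=3)[:4])

    # MUS over the constructed ledger: total Sh 24,000, sample of 4 shillings.
    print(monetary_unit_sample(LEDGER, 4, start=1000))

    # Understatement weakness: the same debtor recorded at Sh 300 and at Sh 3,300.
    print(selection_chance(LEDGER, "Debtor C", 4))
    print(selection_chance(restate(LEDGER, "Debtor C", 3_300), "Debtor C", 4))
```

Debtor C recorded at Sh 300 has a 5% chance of selection, against about 49% if the same balance were recorded at Sh 3,300, which is why the method copes poorly with understatement.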
AUDIT WORKING PAPERS
ISA 230, Audit Documentation (Revised) (1) contains the set of standards that deal with working
papers. These standards (2) are as follows:
The auditor should prepare, on a timely basis, audit documentation that provides:
1. a sufficient appropriate record of the basis for the auditor’s report, and
2. evidence that the audit was performed in accordance with ISAs and applicable legal and
regulatory requirements.
The auditor should prepare the audit documentation so as to enable an experienced auditor, having
no previous connection with the audit, to understand:
1. the nature, timing, and extent of the audit procedures performed to comply with ISAs and
applicable legal and regulatory requirements
2. the results of the audit procedures and the audit evidence obtained, and
3. significant matters arising during the audit and the conclusions reached.
The auditor should document discussions of significant matters with management and others on a
timely basis.
If the auditor has identified information that contradicts or is inconsistent with the auditor’s final
conclusion regarding a significant matter, the auditor should document how the auditor addressed
the contradictions or inconsistency in forming the final conclusion.
Where, in exceptional circumstances, the auditor judges it necessary to depart from a basic principle
or an essential procedure that is relevant in the circumstances of the audit, the auditor should
document how the alternative audit procedures performed achieve the objective of the audit, and,
unless otherwise clear, the reasons for the departure.
In documenting the nature, timing, and extent of audit procedures performed, the auditor should
record:
1. who performed the audit work and the date such work was completed, and
2. who reviewed the audit work and the date and extent of such review (3).
The auditor should complete the assembly of the final audit file on a timely basis after the date of the
auditor’s report.
After the assembly of the final audit file has been completed, the auditor should not delete or discard
audit documentation before the end of its retention period.
When the auditor finds it necessary to modify existing audit documentation or add new audit
documentation after the assembly of the final file has been completed, the auditor should, regardless
of the nature of the modifications or additions, document:
1. when and for whom they were made, and (where applicable) reviewed
2. the specific reasons for making them, and
3. their effect, if any, on the auditor’s conclusions.
When exceptional circumstances arise after the date of the auditor’s report that require the auditor to
perform new or additional audit procedures, or that lead the auditor to reach new conclusions, the
auditor should document:
1. the circumstances encountered
2. the new or additional audit procedures performed, audit evidence obtained, and conclusions
reached, and
These standards guide the auditor to produce audit documentation that is of an acceptable standard.
Understanding and applying the standards will protect the auditor from unwelcome and unnecessary
litigation. ISA 230 (Revised) is more comprehensive than its predecessor and is likely to prove very
useful.
• necessary either because it will serve an essential or useful purpose in support of the auditor’s
report, or because it will provide information needed for tax or other client-related
statutory/regulatory purposes
• not practicable for the client staff to prepare the working paper, or for the auditor to make
copies of papers that the client staff (including internal auditors) have prepared as part of their
normal regular duties.
Content
Each audit working paper must be headed with the following information:
• The name of the client
• The period covered by the audit
• The subject matter
• The file reference (4)
• The initials (signature) of the member of staff who prepared the working paper, and the date
on which it was prepared
• In the case of audit papers prepared by client staff, the date the working papers were received,
and the initials of the audit team member who carried out the audit work
• The initials of the member of staff who reviewed the working papers and the date on which
the review was carried out
When arranging for working papers to be prepared, the auditor should take care to ensure that the
working papers will give all the information required. All such working papers should normally be
clearly identified as having been prepared by the client. The member of audit staff directly
responsible for an audit area in which working papers prepared by client staff are included should
sign those papers – this will show that they have been checked and that they can be reviewed by the
manager and the partner, and by subsequent reviewers. The signature of the audit team member
indicates that the working paper (prepared by client staff) has been ‘audited’.
230 by displaying the following characteristics:
• It should state a clear audit objective, usually in terms of an audit assertion (for example, ‘to
ensure the completeness of trade creditors’).
• It should fully state the year/period end (eg 31 October 2006), so that the working paper is not
confused with documentation belonging to a different year/period.
• It should state the full extent of the test (ie how many items were tested and how this number
was determined). This will enable the preparer, and any subsequent reviewers, to determine
the sufficiency of the audit evidence provided by the working paper.
• Where there is necessary reference to another working paper, the full reference of that other
working paper must be given. A statement that details of testing can be found on ‘another
working paper’ is insufficient.
• The working paper should clearly and objectively state the results of the test, without bias,
and based on the facts documented.
• The conclusions reached should be consistent with the results of the test and should be able to
withstand independent scrutiny.
• The working paper should be clearly referenced so that it can be filed appropriately and found
easily when required at a later date.
• It should be signed by the person who prepares it so that queries can be directed to the
appropriate person.
The reviewer of audit working papers should ensure that every paper has these characteristics. If any
relevant characteristic is judged absent, then this should result in an audit review point (ie a
comment by the reviewer directing the original preparer to rectify the fault on the working paper).
AUDIT TESTS
The auditor is not entitled to place any reliance on internal controls based solely on his preliminary
evaluation. He should carry out compliance tests to obtain reasonable assurance that the controls on
which he wishes to rely were functioning both properly and throughout the period
extent of substantive testing. Substantive testing consists of tests that are designed to
substantiate the completeness, accuracy and validity of information contained in the accounting
records and financial statements. They consist of:
a. Detailed analytical review, which is designed to help locate material misstatements in
the accounts by comparing transactions and balances with related items both for the
same period and for previous periods.
b. Tests of details, which consist of transaction testing and balance testing and are
designed to substantiate individual items in the accounts and so gain assurance either
about the validity of similar transactions or about the details that underlie the various
account balances. Tests of details consist of transaction testing, which is achieved by
vouching (vouching is defined as proving the authenticity of a recorded transaction),
the checking of casts and cross casts, and the checking of postings and
reconciliations. Balance testing is achieved by direct confirmation and physical
inspection; all these give the necessary confidence for the auditor to express an
opinion on the accounts.
Compliance tests are most often used by tax auditors to determine if controls which ensure the
accuracy of records are in place and working correctly. These tests can be performed directly on the
control feature itself or indirectly on the outcome of the control.
An example of a direct test would be a test to determine that invoices are pre-numbered, used in
sequence and accounted for by those issuing the invoices. Such a test would be helpful in assuring
the auditor that all invoices issued in a period are used or voided.
However, tax auditors do make judgments about the level of risk of incorrect records and the risk of
misapplication of the tax law. These are the types of judgments that can be backed up by compliance
tests.
The decision to test controls or the accuracy of records is based on auditor judgement and the
circumstances of the audit. The decision should be documented. Compliance testing may help to
limit the scope of the audit to areas of higher risk or point out problems with records that may have
otherwise appeared reliable.
The main reason for performing compliance tests is to reduce the amount of substantive tests that
need to be performed. Therefore, the decision of whether to perform compliance tests should weigh
the possible compliance tests against the possible substantive tests that could be performed to
determine which test will be most efficient and effective.
For instance, if an auditor decides that he can either test the taxpayer’s summary records or use them
to perform the audit, or, rely on comparing reports to bank statements, then he or she should
determine which method will be more efficient.
If a compliance test of the summary records is performed and the records prove to be unreliable,
then the auditor may still have to rely on bank statements. However, it may be that using the
summary records will be much more efficient than using bank statements. Therefore, testing those
records is worth the time needed and the risk that the test results will be negative. Before relying on
the summary records the auditor should perform a test of transactions to determine the records are
reliable.
Substantive tests are procedures designed to test for dollar misstatements that directly affect the
correctness of financial statement balances. Substantive tests of transactions are used to determine
whether all six transaction-related audit objectives have been satisfied for each class of transactions.
ANALYTICAL TESTS
Comparisons of recorded amounts to expectations developed by the auditor; must be done during
planning and completing the audit; two most important purposes of analytical procedures in the
audit of account balances are to indicate possible misstatements and provide substantive evidence.
a. Calculating the gross margin in the completing and planning phases
b. Predicting the ending balance and comparing the recorded balance to the prediction
RISK-BASED AUDIT
Audit risk means the risk that the auditor may give an inappropriate audit opinion i.e. the auditor
may report that the financial statements show a true and fair view while in reality they are materially
misstated.
RISK-BASED AUDIT
A risk-based audit approach is designed to be used throughout the audit to efficiently and effectively
focus the nature, timing and extent of audit procedures on those areas that have the most potential for
causing material misstatement(s) in the financial report. ASA 315 Identifying and Assessing the
Risks of Material Misstatement through Understanding the Entity and its Environment and ASA 330
The Auditor’s Responses to Assessed Risks are auditing standards that specifically set out the
risk-based audit approach, with other auditing standards containing specific risk-related principles
and procedures appropriate to their subject matter.
The risk-based approach requires the auditor to first understand the entity and its environment in
order to identify risks that may result in material misstatement of the financial report. Next, the
auditor performs an assessment of those risks at both the financial report and assertion levels. The
assessment involves considering a number of factors such as the nature of the risks, relevant internal
controls and the required level of audit evidence.
The result of the assessment effectively categorises the audit into a) areas of significant risk of
material misstatement that require specific responses and b) areas of normal risk that can be
addressed by standard audit work programs. Having assessed risks, the auditor then designs
appropriate audit responses to those risks in order to obtain sufficient appropriate audit evidence on
which to conclude. Risk assessment continues throughout the audit and the audit plan and
procedures are amended where a reassessment is necessary. So let’s work through these key steps in
more detail.
In order to identify risks that are relevant to the audit of the financial report, the auditor needs to
obtain an appropriate understanding of the entity and the environment (including internal control) in
which it operates. An experienced auditor’s professional skill and judgement is exercised in focusing
on what specific information should be obtained through this process. Using that experience, the
auditor reduces the potential for unnecessary information or information overload, by obtaining only
information directly related to the financial report audit process – saving critical time and resources.
Understanding the entity includes understanding and documenting its nature, industry, ownership
structure, regulatory environment, competitors, structure, key financial reporting processes and its
internal control environment. Information is obtained through enquiry of relevant persons,
observation and inspection of processes and documentation, and performing analytical procedures
on key financial and non-financial information.
Understanding the entity’s internal control framework is often seen as problematic for auditors,
particularly in knowing what controls to focus on, and what type of information, and how much
information, to obtain on the controls. Auditors need to understand those controls (individually or in
combination) that are considered likely to be relevant to the audit (for example controls related to
financial reporting) – not all the controls the entity employs in managing its business.
The control framework assists auditors to focus on obtaining an understanding of relevant controls
by dividing the entity’s internal controls into five components:
• Control environment: the control culture of the entity and its impact
• Entity’s own risk assessment process: how the entity identifies, assesses and responds to its
own business risks
• Information systems relevant to the financial reporting: those systems related to the capture of
significant transactions, events, conditions or accounting estimates, the procedures related to
nonstandard journal entries, reconciliations of sub-ledgers to the general ledger, the data entry
of transactions, and reporting in the financial report
• Control activities relevant to audit: those policies and procedures that help ensure that
management directives are carried out (ie control activities designed to prevent/detect
misstatements). Examples of control activities include those relating to authorisation,
performance reviews, information processing, physical controls and segregation of duties
• Monitoring of control activities: those activities the entity uses to monitor control activities
over financial reporting, as well as how it takes action to address any identified deficiencies.
Understanding internal control in this way enables the auditor to identify what relevant controls (if
any) are in place to test, whether the absence of controls creates risk, how or when to combine
controls testing with substantive testing, how to test the operating effectiveness of controls and the
extent of reliance that can be placed on internal controls (thereby reducing the extent of substantive
testing).
The auditor’s understanding of the entity’s financial reporting environment enables the auditor to
identify those risks that potentially affect the overall financial report or individual transactions,
account balances and disclosures within it (at the assertion level). Considerable professional
judgement and skill are required to not only identify such risks but also to relate how they
potentially impact the recognition, measurement, presentation and disclosure in the financial report
or the valuation, allocation, occurrence, completeness, accuracy, cut-off, classification, existence, or
rights and obligations at the assertion level. The nature of the risk will also determine how the
auditor designs the audit work program (for example, through a combination of controls testing and
substantive testing or substantive testing only).
The initial risk assessment is performed at the audit planning stage, with it being reassessed and
revised if new risks are identified during the audit. The auditor exercises professional judgement in
Risk classification is either normal or greater than normal (significant risk). Normal risk is a risk that
has a possibility of occurring, whereas significant risk is risk that is likely to occur. Where no
significant risk(s) has been identified, a normal level of risk exists. The auditor may identify
circumstances that lead the auditor to believe the risk has a probability (likelihood) of occurring.
Any such circumstances are particular to each entity and may be identified through the auditor’s
prior experience with the entity, the knowledge that inexperienced entity staff are working in a
complex area or the auditor’s knowledge of known difficulties in obtaining or verifying particular
information required for the audit. Significant risks, by their very nature, require the auditor to
design specific/tailored audit procedures to address them – those included in a standard audit work
program are usually not appropriate.
The risk assessment determines the nature, timing and extent of audit procedures to respond to
identified risk appropriately – the general rule of thumb being the greater the level of risk, the more
persuasive the audit evidence required to reduce its potential to an acceptable level. It is therefore
critical to properly assess risks so that audit time and effort is spent efficiently and effectively in
testing significant risks.
Responding to risk requires the auditor “to obtain sufficient appropriate audit evidence regarding the
assessed risks of material misstatement, through designing and implementing appropriate responses
to those risks” (ASA 330, paragraph 3). The auditor needs to relate (and document) each identified
risk directly to the assertion level and the overall financial report impact, with the response planned
to gain sufficient appropriate audit evidence on which to base the auditor’s opinion.
The experienced auditor designs responses to assessed risks based on the following:
• The overall effect the identified risk may have on the financial report (for example,
overstatement or understatement of certain material account balances)
• The effect that the identified risk has at the assertion level for each class of transactions,
account balance or disclosure
• The expected test results in terms of whether they will meet the test objectives.
• Setting the test objectives (what assertions are to be tested and why)
• Identifying whether the use of experts/ specialists is required
• Identifying when to address the risk (interim and/or year-end)
• Determining, where applicable, whether previous audit evidence can be used (including how
it can be updated for the current audit)
• Identifying whether there are relevant controls to test
In designing audit work program steps to respond to normal risk, it is important to remember that
controls testing need only be performed when the auditor’s substantive work depends on, or
assumes, the operating effectiveness of that control or the auditor believes that substantive testing
alone doesn’t provide sufficient appropriate audit evidence (for example, with transactions that are
highly automated, with little or no manual intervention). The auditor’s substantive testing involves
the test of details and/or substantive analytical procedures.
In areas of significant risks, the auditor must include substantive procedures to specifically respond
to those risks. These can include both test of details and substantive analytical procedures. Finally, a
reminder that irrespective of the risk assessment, all material classes of transactions, account
balances and disclosures require a level of substantive testing to be performed.
Once audit procedures have been performed to address assessed risks, the auditor needs to evaluate
the evidence obtained to determine whether the initial risk assessment at the assertion level remains
appropriate and whether there is reasonable assurance that a material misstatement does not exist.
Evidence must be persuasive for each material financial report assertion, otherwise further audit
procedures must be performed to obtain such evidence. If such evidence is unable to be obtained, a
qualified or disclaimer of opinion in the auditor’s report is required. When sufficient appropriate
evidence has been obtained, the auditor is able to conclude on the overall risk of material
misstatement to the financial report as a whole.
Getting risk right = Efficiency and effectiveness
A properly timed and performed risk assessment and response process by the experienced auditor
provides the foundation for the entire audit – it focuses the auditor’s attention on identifying,
assessing and responding to those risks that have the potential to materially affect the financial
report. The risk-based audit approach provides the auditor with an approach to conduct the audit as
efficiently and effectively as possible, benefiting both the audit team and the entity.
b) Control risk
This is the risk that a material misstatement could occur in an account balance or class of transactions
which will not be prevented or detected in a timely manner by the entity’s accounting and internal
control system.
c) Detection risk
This is the risk that the auditor’s tests of balances and transactions will not detect a material
misstatement that exists in an account balance or class of transactions. This implies that detection
risk is the only component of audit risk under the auditor’s control.
This approach uses a model called the audit risk model. If inherent risk and control risk are assessed
to be high, then to remain within an overall acceptable audit risk, the level of acceptable detection
risk must be low, meaning that the level of tests of balances and transactions must be relatively high.
If inherent and control risks are assessed to be low, then the level of acceptable detection risk may be
higher, leading to a relatively lower level of tests of balances and transactions. Therefore the
assessment of inherent and control risk is an essential part in deciding the overall approach to an
audit.
For the audit model, audit risk equals inherent risk multiplied by the control risk and detection risk.
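The same relationship written as a formula, as an added illustration that is not part of the original
text. The symbols AR (audit risk), IR (inherent risk), CR (control risk) and DR (detection risk) and
the percentages used are assumptions chosen for the example.

\[ AR = IR \times CR \times DR \qquad\Longrightarrow\qquad DR = \frac{AR}{IR \times CR} \]

With an acceptable audit risk of 5%, high assessed risks (IR = 80%, CR = 50%) give

\[ DR = \frac{0.05}{0.80 \times 0.50} = 0.125 \]

so only 12.5% detection risk can be accepted and the tests of balances and transactions must be
extensive. With low assessed risks (IR = 40%, CR = 25%) the same 5% audit risk gives

\[ DR = \frac{0.05}{0.40 \times 0.25} = 0.50 \]

so a detection risk of 50% is acceptable and less testing is needed.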
• Helps eliminate over or under auditing because the nature, extent and timing of audit
procedures performed is determined by the risk assessment carried out.
• The results appear more rational and defensible than if the model was not used, i.e. in case the
auditor is called upon to support his decisions in a court of law, he can justify the level of
reliance on the internal control system and the amount of substantive tests carried out.
• Helps allow work to be delegated to junior members of audit staff who will be able to carry
on without having to rely too much on their own judgment.
• The increased use of computers in business has made the calculations of audit risk easier,
leading to more efficient and effective audit.
Disadvantages
• The model gives an impression of accuracy which is unrealistic, as in practice it is difficult to
put a quantitative value on inherent risk.
• For the model to be useful, the number of items being tested needs to be sufficiently large to
allow for valid statistical conclusions to be made. This rules out the use of the model in many
small audits.
• The model carries a danger of adopting an overly mechanistic approach, so that the auditor may
lose his 'feel' for the audit assignment.
• It requires proper knowledge of the burden to be able to assess the audit risk.
• A wrong assessment of inherent and control risk will lead to over or under auditing.
COMPUTERISED AUDITING
BENEFITS
1. Speed — data entry onto the computer with its formatted screens and built-in databases of
customers and supplier details and stock records can be carried out far more quickly than any
manual processing.
2. Automatic document production — fast and accurate invoices, credit notes, purchase
orders, printing, statements and payroll documents are all done automatically.
3. Accuracy — there is less room for errors as only one accounting entry is needed for each
transaction rather than two (or three) for a manual system.
4. Up-to-date information — the accounting records are automatically updated and so account
balances (e.g. customer accounts) will always be up-to-date.
5. Availability of information — the data is instantly available and can be made available to
different users in different locations at the same time.
6. Management information — reports can be produced which will help management monitor
and control the business, for example the aged debtors analysis will show which customer
accounts are overdue, trial balance, trading and profit and loss account and balance sheet.
7. GST/VAT return — the automatic creation of figures for the regular GST/VAT returns.
8. Legibility — the onscreen and printed data should always be legible and so will avoid errors
caused by poor figures.
9. Efficiency — better use is made of resources and time; cash flow should improve through
better debt collection and inventory control.
10. Staff motivation — the system will require staff to be trained to use new skills, which can
make them feel more motivated. Further to this, with many 'off-the-shelf' packages like
MYOB the training can be outsourced, thus making a particular staff member less critical
to business operations.
11. Cost savings — computerized accounting programs reduce staff time doing accounts and
reduce audit expenses as records are neat, up-to-date and accurate.
12. Reduce frustration — management can be on top of their accounts and thus reduce stress
levels associated with what is not known.
13. The ability to deal in multiple currencies easily — many computerized accounting
packages now allow a business to trade in multiple currencies with ease. Problems associated
with exchange rate changes are minimized.
1. Power failure, computer viruses and hackers are the inherent problems of using computerized
systems.
2. Once data has been input into the system, the output is obtained automatically; hence the data
being input needs to be validated for accuracy and completeness. We should not forget the
concept of GIGO (Garbage In, Garbage Out).
3. An accounting system that is not properly set up to meet the requirements of the business, due
to badly programmed or inappropriate software, hardware or personnel problems, can cause more
havoc.
4. There is a danger of computer fraud if proper levels of control and security, whether internal
or external, have not been properly instituted.
• Input data into the computer.
• Process data.
• Store data in machine readable form.
• Convert data into desired output form.
For these procedures to be undertaken, a mixture of hardware and software is needed. The hardware
will consist of;
i. Input devices. These include keyboards, optical readers, and bar code scanners.
ii. Processing devices. These are the computers themselves, i.e. the CPU.
iii. Storage devices. These include hard disks, diskettes and magnetic tapes.
iv. Output devices. These include the visual display unit (VDU) and printers.
Programs are the instructions telling the computer how each type of transaction is to be processed.
These instructions include routines of checking and controlling data, matching data with master files
and performing mathematical operations on data. E.g. for sales transactions, matching routines will
enable the computer to identify the right sales price from the sales master file and the right customer
from debtors master file. Mathematical routines will include calculating the total debtor’s amount
and updating the customer's balance in the debtors' master file.
An operating system will provide details of further processing runs within the system. So, for
example, in sales these will include updating the general ledger, processing cash receipts and credit
notes to the debtor’s file, printing out monthly statements and printing out analysis of due accounts
for credit control purposes.
In a batch processing system, the operating system may consist of a set of instructions provided to
the operator, but increasingly the operating system is part of the computer software, such that with
a real time system the computer identifies the source of an incoming signal and automatically
processes that transaction using the appropriate programs and the right file.
Computer files.
These are the equivalent of books and records in a manual system and are described as either
transaction files or master files.
a) Transaction files.
These are the equivalent of journals such as the sales journal, the purchases journal or the cash book.
They contain details of individual transactions, but unlike books, a transaction file is not a cumulative
record. A separate file is set up for each batch. Thus in real time systems, a transaction file is not
necessary, but good systems will always create a transaction file for control purposes to provide a
security back up, in case of errors or computer malfunctions during processing of data to the master file.
b) Master files.
These contain what is referred to as standing data. They may be the equivalent of ledgers but may also
contain semi-permanent data needed to process transactions. E.g. a debtors' master file is the
equivalent of the debtors' ledger but will also include data that in a manual system may be kept
separately, such as invoicing address, discount terms and credit limits, and even non-accounting data
such as cumulative sales to specific customers.
When master files are updated by processing them against a transaction file, the entire contents of
the file are usually re-written in a separate location so that after processing, the two files can be
compared and the difference agreed to the total of the transaction file. Any errors in updating the
master file will thus be detected and the process repeated. In practice, the old copy of the master file
A special class of transactions includes those of amending standing data held in master files such as
sales price or wage rate. These transactions require special consideration because an error in such
data held in a master file will cause errors in all transactions processed against the master file. E.g.
an item priced erroneously in the sales price list will mean all sales will be charged to customers at the
wrong price.
Traditional batch processing has the advantage that the data can be subjected to checks for validity,
accuracy and completeness before it is processed. But for organizations that need information on a
strict time scale, this type of processing is unacceptable. This has led to the development of on-line
and real time systems, and the number is growing, particularly in airline offices, banks and other
financial institutions. The auditor's duties do not change but his audit techniques must change.
The key features of these systems are that they are based on the use of a remote terminal, which is
just a VDU and a keyboard. These terminals will be scattered within the user department and have
access to the central computer store. The problem for the auditor arises from the fact that master files
held in the central computer store may be read and updated by the remote terminals without an
adequate audit trail. Necessary precautions therefore have to be taken to ensure that these terminals
are used in a controlled way by authorized personnel only. The security techniques include:
• Hardware constraints, e.g. necessitating the use of a key or magnetic strip badge or card to
engage a terminal, or placing the terminal in a location to which access is carefully restricted
and which is constantly monitored by closed circuit television surveillance systems.
• The allocation of identification numbers to authorized terminal operators. With or without the
use of passwords, these are checked by the mainframe computer against stored records of
authorized numbers or passwords.
• Using operator characteristics such as voice, fingerprints and hand geometry (finger length
ratios) as a means of identification by the mainframe computer.
• Restricting the access to particular programs or master files in the mainframe computer to
designated terminals.
• In top security systems, the authority to allocate authorities such as determination of
passwords and nominating selected terminals should be restricted to senior personnel other
than intended users.
What differentiates an on-line system from a real time system is that the on-line system has a buffer store
where input data is held by the central processor before accessing the master files. This enables input
from the remote terminals to be checked by a special scanning program before processing
commences.
With real time systems, however, action at the terminal causes an immediate response in the central
processor where the terminal is on-line. Security against unauthorized access and input is even more
important in real time systems because the effect of the input is that it instantaneously updates the
file held in the central processor and any edit checks on the input are likely to be under the control of
the terminal operators themselves. In view of these control problems, most real time systems
incorporate additional controls over the scrutiny of the master file.
In planning the audit, the auditor should consider how the presence of computerized information
systems may affect client’s accounting and internal control system and the conduct of the audit.
This is because computerized information systems have unique features compared to manual
systems and require adequate inbuilt controls to ensure that the accounting system can be relied
upon for complete and accurate accounting records. These features include:
• Consistency. Unlike manual systems, computerized information systems will process
transactions consistently. This implies that if the system is properly programmed, then all
transactions will be processed consistently and accurately. On the other hand, if there are any
programming errors, the transactions will be consistently processed inaccurately.
• Concentration of functions and controls. In a computerized information system, few people
are involved in processing of financial information. This may compromise segregation of
duties such that persons involved in writing of programs may also be involved in processing
transactions. This increases the risk of manipulation of operating programs and data. Programs and
data are held together increasing the potential for unauthorized access and alteration.
• Computerized information systems are designed to limit paperwork. This results in less
visible evidence to support transactions processed which ultimately leads to loss of the audit
trail.
• Ease of access of data and computer programs. Where there are no proper controls over
access to computers at remote terminals, there is increased danger of unauthorized access and
alteration of data and programs.
• Use of programmed controls. In a computerized environment, controls are programmed
together with data processing instructions e.g. protection of data against unauthorized access
may be by way of using passwords and user profiles that grant different levels of access to the
Applications of auditing procedures using the computer as an audit tool (also known as CAATs).
In the most general terms, CAATTs can refer to any computer program utilized to improve the audit
process. Generally, however, it is used to refer to any data extraction and analysis software. This
would include programs such as spreadsheets (e.g. Excel), databases (e.g. Access), statistical
analysis (e.g. SAS), business intelligence (e.g. Crystal Reports and Business Objects), etc.
There are, however, companies that have developed dedicated specialized data analytic software
specifically for auditors.
Computer-assisted audit techniques (CAATs) are the applications of auditing procedures using the
computer as an audit tool.
CAATs are the use of computers for audit work. The two most commonly used CAATs are audit
software and test data.
The overall objectives and scope of an audit do not change when an audit is conducted in a
computerised environment. However, the application of auditing procedures may require auditors to
consider techniques that use the computer as an audit tool. These uses of the computer for audit
work are known as computer-assisted audit techniques (CAATs).
Circumstances when the use of CAATs in performing audit procedures would be necessary
CAATs may be used in performing various auditing procedures, including the following.
- Auditors can test programme controls as well as general internal controls associated with
computers.
- Auditors can test a greater number of items more quickly and accurately than would be the
case otherwise.
- Auditors can test transactions rather than paper records of transactions that could be incorrect.
- CAATs are cost-effective in the long-term if the client does not change its systems.
- Results from CAATs can be compared with results from traditional testing - if the results
correlate, overall confidence is increased.
The major steps to be undertaken by the auditors in the application of a CAAT are as follows.
- Set the objective of the CAAT application
- Determine the content and accessibility of the entity's files
- Define the transaction types to be tested
- Define the procedures to be performed on the data
- Define the output requirements
- Identify the audit and computer personnel who may participate in the design and application
of the CAAT
- Refine the estimates of costs and benefits
- Ensure that the use of the CAAT is properly controlled and documented
- Arrange the administrative activities, including the necessary skills and computer facilities
- Execute the CAAT application
- Evaluate the results
There are two particularly common types of CAAT, audit software and test data.
This means examining evidence for all items in the financial statements without getting immersed in
the details of the computerized information system. The benefits of this approach are that it saves
time and its justification is that computers are 100% accurate in processing transactions and
therefore material processing errors simply do not occur.
The drawback of this approach is that once an application is programmed to process an item
incorrectly, then it processes exactly as programmed indefinitely. However, major frauds and error
or system failures should be picked up in the assets and liabilities verification e.g. if processing of
sales is incorrect, verification of debtors can uncover the error. Also an analysis of gross profit
margins will help discover any errors in sales. This approach is suitable for small businesses but
largely unsuitable for large scale entities.
When it is possible to relate, on a one to one basis, the original input to the final output or, to put it
another way, where the audit trail is always preserved, then the presence of the computer has
minimal effect on the auditor's work. In that case it is possible to ignore what goes on in the
computer and concentrate audit tests on the completeness, accuracy and validity of the input and the
output, without paying any due concern to how that output has been processed. Where there is a
superabundance of documentation, the output is as detailed and complete as in any manual system,
and the trail from beginning to end is complete so that all documents can be identified, vouched and
totally cross referenced, the execution of normal audit tests on records which are computer produced
but which are nevertheless as complete as above is called auditing around the machine. In this case,
the machine is viewed as simply an instrument through which conventional records are produced.
This approach is much criticised because:
i. It indicates a lack of knowledge on the part of the auditor;
ii. It is extremely risky to audit and give an opinion on records that have been produced
by a system that the auditor does not understand fully, and;
iii. A computer has immense advantages for the auditor and it is inefficient to carry out an
audit in this manner.
However, problems arise when it is discovered that management can use the computer more
efficiently in running the business. This is usually done by the production of exception reports rather
than the full records. For example, the management is interested in a list of delinquent debtors,
therefore producing the whole list of debtors means the list has to be analyzed again to identify
delinquent debtors and act upon them. This is inefficient and time consuming as the printer is the
slowest piece of equipment in any computerised system. From the auditor's view, exception reports
which provide him with the very material he requires for his verification work raise a serious
problem because he cannot simply assume that the programs which produce the exception reports
are:
i. Doing so accurately;
ii. Printing all the exceptions which exist;
iii. Are authorised programs as opposed to dummy programs specially created for a fraudulent
purpose or out of date programs accidentally taken from the library and;
iv. That they contain program control parameters which do in fact meet the company's
genuine internal control requirements.
So although it may be reasonable for management to have faith in their systems and programs, such
faith on the part of the auditor would be completely misplaced and may reflect very adversely on his
duty of care. This is the first situation on the loss of audit trail.
The other situation where loss of audit trail is noted is where the computer generates, totals, analyses
and balances without printing out details. It therefore becomes necessary for the auditor to find a
way to audit through the computer rather than around it. But before we go on to that, the loss of
audit trail can be overcome as follows:
a) We can have special print outs for auditors, remember the need to be consulted at the design
stage.
b) Inclusive audit facility: This means putting in the programs special audit instructions that
enable the computer to carry out some audit tests and produce print outs specially for the
auditor.
c) Clerical recreation: Given unlimited time and man power, maintain the possibility to recreate
manually the audit trail. This would obviously be a very tedious exercise.
d) Total testing and comparison: It is possible to compare results with other data, budgets,
previous periods and industry averages.
e) Alternative tests: We can perform stock takes, debtors' circularisation and examination of the
condition of fixed assets.
f) We can use test packs to verify program performance.
There are two basic techniques available to the auditor for auditing through the computer. These are
use of test data and use of computer audit programs which are also called CAATs (computer assisted
audit techniques).
i) Test data
These are designed to test the performance of the client's programs. The auditor takes either dummy
data or live data and manually works out the expected result using the logic of the program. The
data is then run on the computer using the program and the results are compared. A satisfactory
outcome gives the auditor a degree of assurance that if that program is
i. If the data is included with normal, separate test data totals cannot be obtained. This can
sometimes be resolved by use of dummy branches or separate codes to report the program's
effects on the test data.
ii. Side effects can occur. It has been known for an auditor’s dummy product to be included in a
catalogue.
iii. Client’s files and totals are corrupted although this may be immaterial.
iv. If the auditor is testing procedures such as debt follow up, then the testing has to be over
fairly a long time. This can be difficult to organize.
m
co
iv. The time span problem is still difficult but more capable of resolution than live testing.
a.
ny
ke
Computer programs or audit software
These consist of computer programs used by the auditor to read magnetic files and to extract specified information from the files. They are also used to carry out audit work on the contents of the files. These programs are sometimes called enquiry or interrogation programs. They can be written by an audit firm or they can be bought from software houses. They have the advantage that they can be used to train unskilled staff.
- Selection of representative or randomly chosen transactions or items for audit tests, e.g. item number 36 and every 140th item thereafter.
- Scrutiny of files and selection of exceptional items for examination, e.g. all wages payments over Kshs.120, or all stock lines worth more than Kshs.1,000 in total.
- Comparison of two files and printing out differences, e.g. payrolls at two selected dates.
- Preparation of exception reports, e.g. overdue debts.
- Stratification of data, e.g. stock lines or debtors, with a view to examination only of material items.
- Carrying out detail tests and calculations.
- Verifying data such as stock or fixed assets at the interim stage and then comparing the examined file with the year-end file so that only changed items need be examined at the final audit (with a small sample of the other unchanged items).
- Comparison of files at succeeding year ends, e.g. to identify changes in the composition of stock.
www.someakenya.com Contact: 0707 737 890 Page 147
Advantages
Disadvantages
There can be no doubt that standard computer audit program packages will be in general use in the near future. Use of audit software raises the visibility of the auditor in the eyes of the company. It makes the audit more credible. Deficiencies in the system are often discovered and can be reported to Management. This also makes the audit more credible. Packages are not however usually available for small machines.
Differences between Auditing around the computer and auditing through the computer
To mitigate the risks occasioned by the features of a computerized information system, the management should design internal controls over the system. These controls are mainly classified into general controls and application controls.
1. GENERAL CONTROLS.
General controls relate to the environment within which computer-based systems are developed,
maintained and operated, and are aimed at providing reasonable assurance that the overall objectives of
internal controls are achieved, e.g. completeness, accuracy and validity of financial information.
The objective of the general controls is to ensure the proper development and implementation of
applications and the integrity of program files and information. These controls could either be
manual or programmed and are classified into;
These relate to controls that must be exercised by the client when developing new systems or
modifying existing systems. The controls that can be exercised during systems development can be
discussed in the following groupings.
Appropriate review, testing and approval of new systems.
The organization should set up a steering committee composed of senior management and high level
representatives of system users who should oversee the development and implementation of the new system.
Management should approve specifications of the new system after the steering committee has
assessed the user needs. Before the new system is commissioned for use, appropriate testing should
be carried out to ensure that both the hardware and the application programs are operating
effectively. The testing will provide assurance that the new system is reliable.
The information technology manager, the user department and the appropriate management level should
approve the new system before it is placed in operation, after reviewing the
completeness of the system documentation and the results of its testing.
Controls over program changes
Testing and documentation of program changes
- Complete testing procedures
- Documentation standards
- Approval of changes by computer users and management
- Training of staff using programs
Program changes refer to modifications made to existing programs. Changes in the computer system
should be subject to strict controls, e.g. a written request for an application program change should
be made by the user department and authorized by a designated manager or committee. Once changes have
been made, appropriate testing should be carried out to ensure that the modified system is reliable.
The system documentation should then be amended to reflect the changes and appropriate approval
obtained for the modified system to start running.
- Segregation of duties
- Full records of program changes
- Password protection of programs so that access is limited to computer operations staff.
- Restricted access to central computer by locked doors, keypads
- Maintenance of programs logs
- Virus checks on software: use of anti-virus software and policy prohibiting use of non-
authorised programs or files
- Back-up copies of programs being taken and stored in other locations
- Control copies of programs being preserved and regularly compared with actual programs
- Stricter controls over certain programs (utility programs) by use of read-only memory
System documentation
This involves putting together information that supports and explains computer applications. The
documentation provides details of capability of the system and how it is operated.
System documentation is important in conducting user training and also enables the management to
effectively review the system by considering whether appropriate controls have been put in place
during system development.
Parallel running
Before switching to the new system, the whole system should be tested by running it alongside the old system for a specified period. This is important because it provides users with the opportunity to familiarize themselves with the new system before it is fully implemented, and ensures that the new system is reliable and that data is correctly carried forward from the old to the new system.
B. Access controls
The success of computerized information systems is largely dependent on the accuracy, validity and
credibility of the data processed by the system. Controls over access to computer hardware, software and
data files are therefore vital.
Access controls provide assurance that only authorized individuals use the system and that the usage
is for authorized purposes only.
Access may be restricted to specified persons, files, functions or computer devices. This can be
achieved using both physical and programmed controls. Examples of access controls include;
This would record name of user, data accessed or entered, time of log in and mode of access.
When transmitting data over communication lines, it should be encrypted to make it difficult for persons with access to the communication lines to modify the contents.
There should be automatic log off, i.e. the disconnection of an active data terminal, to prevent viewing of sensitive data on unattended terminals.
Controls to ensure continuity of operation
- Storing extra copies of programs and data files off-site
- Protection of equipment against fire and other hazards
- Back-up power sources
- Disaster recovery procedures e.g. availability of back-up computer facilities.
- Maintenance agreements and insurance
The auditors will wish to test some or all of the above general IT controls, having considered how they affect the computer applications significant to the audit.
The organization should have a reconstruction or disaster recovery plan that will allow it to regenerate important programs and data files in case of disasters or accidental destruction.
The recovery plan should create back-up or duplicate copies of important data files and programs, which should be stored off site.
Protection measures should be undertaken against natural disasters, such as setting up computer rooms in areas protected from floods and fitted with smoke or fire detectors.
There should be standby equipment to revert to in case of computer breakdown.
There should be adequate virus detection. Procedures for dealing with virus infection include:
- Establishing a formal security policy which requires that only clean and certified copies of software are installed, and checking data introduced from external sources for viruses.
- Installing antivirus software.
- Maintaining clean back-ups. There should also be adequate segregation of duties, such that people with the powers and knowledge to amend the application programs do not have responsibility for initiating and processing transactions or for amending existing data.
2. APPLICATION CONTROLS
The objective of application controls, which may be manual or programmed, is to ensure completeness and accuracy of accounting records and the validity of transactions processed.
Application controls are therefore important in providing assurance that all transactions are recorded on a timely basis and that only valid transactions are captured by the system. Application controls are divided into;
1. Input controls.
2. Processing controls.
3. Output controls
4. Controls over master files and standing data
However, some of the controls management implements cut across the four categories mentioned above. E.g. some edit checks could provide comfort over the completeness and accuracy of the input data, the way the data is processed and the output information obtained, and also provide protection over standing data.
Most errors in data processed by computerized information systems can be traced to errors made when the data was being input into the system. Controls over input fulfil the following objectives.
- Completeness of input. This ensures that all transactions that took place have been
processed.
- Accuracy. This ensures that the recorded transactions have been captured accurately.
- Validity. This ensures that only valid or genuine transactions appropriately authorized have
been recorded. It also ensures credibility and reliability of recorded transactions.
To achieve the above objectives the most common types of input controls that management can
implement are called edit controls and examples include:
- Field checks. These controls check that all data fields required to process the transactions have been filled with correct information. The controls also ensure accuracy of processed data and its completeness because transactions cannot be properly processed if necessary data is missing.
- Valid character checks. These check that data fields are filled with data of the correct type, e.g. that the amounts column is filled with numerical values. This also ensures correctness of input data.
- Reasonableness or limit checks. These verify that data falls within predetermined reasonable limits. E.g. if the authorized discount is 10%, the system would seek to verify that no customer is awarded discounts beyond this limit without approved authorization. These controls ensure accuracy and validity of the input data.
- Master file checks. These verify that the codes used in processing transactions match with those from master files, e.g. that the customer identification code keyed in matches with what is on the sales master file. These controls ensure that data is processed against the correct master file.
- Document count. This agrees the number of input records with what is expected as per batch control. This control ensures that all transactions are processed.
- Sign checks. These ensure that data has been keyed in with the correct arithmetic sign, e.g. a positive sign for a debit entry and a negative sign for a credit entry. The objective is to check validity and accuracy of the processed data.
- Zero balance checks. These verify that for every transaction processed, debit entries equal credit entries, and any mismatches found are reported through an exception report. This control ensures accuracy of input data.
Exception reports are generated to capture transactions that have been rejected for failing various control checks.
There may also be a need for manual controls, for instance a check that all purchase orders have been appropriately authorized before a transaction is submitted for processing.
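The edit controls listed above can be seen working together in the following added example, which is not part of the study text. It applies them to one keyed batch and produces the exception report; the record layout, customer codes, batch header and sample transactions are constructed assumptions, and the 10% discount limit is the figure used in the text.

```python
from decimal import Decimal, InvalidOperation

MAX_DISCOUNT_PCT = Decimal("10")  # authorised discount limit from the text's example
REQUIRED_FIELDS = ("doc_no", "customer_code", "discount_pct", "entries")

# Constructed sample data: customer master file, batch control header, keyed batch.
CUSTOMER_MASTER = {"C001", "C002", "C003"}
BATCH_HEADER = {"batch_no": "B-0001", "document_count": 9}


def txn(doc_no, customer, discount, approved_by, debit, credit):
    """Build one keyed transaction with a debit and a credit entry (fields as typed)."""
    return {"doc_no": doc_no, "customer_code": customer, "discount_pct": discount,
            "approved_by": approved_by, "entries": [("DR", debit), ("CR", credit)]}


BATCH = [
    txn("INV-101", "C001", "5", "", "1000.00", "-1000.00"),      # clean
    txn("INV-102", "C002", "15", "", "500.00", "-500.00"),       # discount over limit
    txn("INV-103", "C002", "15", "FM-01", "500.00", "-500.00"),  # over limit, approved
    txn("INV-104", "C999", "0", "", "80.00", "-80.00"),          # code not on master file
    txn("INV-105", "C003", "0", "", "12O.00", "-120.00"),        # letter O keyed in amount
    txn("INV-106", "", "0", "", "60.00", "-60.00"),              # customer code left blank
    txn("INV-107", "C001", "0", "", "-250.00", "-250.00"),       # debit keyed as negative
    txn("INV-108", "C003", "0", "", "300.00", "-200.00"),        # debits do not equal credits
]


def to_number(text):
    """Valid character check: return a finite Decimal, or None if the field is not numeric."""
    try:
        value = Decimal(str(text).strip())
    except InvalidOperation:
        return None
    return value if value.is_finite() else None  # rejects "NaN" and "Infinity"


def edit_transaction(t, master):
    """Apply the edit checks to one keyed transaction; return the failed checks."""
    failed = []
    missing = [f for f in REQUIRED_FIELDS if not t.get(f) or not str(t[f]).strip()]
    if missing:
        failed.append("field check: missing " + ", ".join(missing))
    if "customer_code" not in missing and t["customer_code"] not in master:
        failed.append("master file check: unknown code " + t["customer_code"])
    if "discount_pct" not in missing:
        discount = to_number(t["discount_pct"])
        if discount is None:
            failed.append("valid character check: discount is not numeric")
        elif discount > MAX_DISCOUNT_PCT and not t.get("approved_by"):
            failed.append("limit check: discount %s%% not approved" % discount)
    entries = t.get("entries") or []
    amounts = []
    for entry_type, keyed in entries:
        amount = to_number(keyed)
        if amount is None:
            failed.append("valid character check: amount %r is not numeric" % keyed)
            continue
        amounts.append(amount)
        wrong_sign = (entry_type == "DR" and amount <= 0) or (entry_type == "CR" and amount >= 0)
        if wrong_sign or entry_type not in ("DR", "CR"):
            failed.append("sign check: %s entry keyed as %s" % (entry_type, amount))
    # The zero balance check is only meaningful when every amount could be read.
    if entries and len(amounts) == len(entries) and sum(amounts) != 0:
        failed.append("zero balance check: entries differ by %s" % sum(amounts))
    return failed


def edit_batch(header, batch, master):
    """Return (accepted document numbers, exception report) for one batch."""
    accepted, exceptions = [], []
    for t in batch:
        failed = edit_transaction(t, master)
        if failed:
            exceptions.extend((t.get("doc_no") or "?", reason) for reason in failed)
        else:
            accepted.append(t["doc_no"])
    if len(batch) != header["document_count"]:  # document count against batch control
        exceptions.append((header["batch_no"], "document count: %d keyed, %d expected"
                           % (len(batch), header["document_count"])))
    return accepted, exceptions


if __name__ == "__main__":
    ok, report = edit_batch(BATCH_HEADER, BATCH, CUSTOMER_MASTER)
    print("accepted:", ok)
    for doc, reason in report:
        print("rejected", doc, "-", reason)
```

Rejected documents are held back from processing and listed with the control each one failed, which is the exception report the auditor later reviews.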
Processing controls
These controls seek to ensure that transactions are processed by the right programs and against the correct master files. They also seek to ensure that data is not lost, duplicated or altered during processing and that errors are identified and corrected.
Some of the controls in input could help in meeting the above objectives of processing controls. In addition to those, processing controls include;
- Physical file identification procedures. This is in the form of labels which are physically attached to files or diskettes to ensure the right files are used during processing of transactions.
- Sequence tests over pre-numbered documents. This ensures that all transactions are being processed.
- Comparing the contents of files before and after processing a transaction to ensure that the expected processing results have been achieved.
- Zero balance checks that add up debits and credits of the transactions posted to ensure that the result is zero, as an indication that double entry has been completed.
An audit trail should be created through use of input and output control logs and maintenance of a transaction listing. This trail will facilitate an attempt to trace a transaction as a way of verifying that it has been correctly processed.
Output controls.
Matching and agreeing output information to the input data, e.g. where a journal is processed to create an additional provision for bad and doubtful debts, one may want to compare the balance appearing in the ledger after the transaction is processed as a way of verifying that output matches the input.
Standing data refers to the data that is required during processing of the transactions but which does
not vary or change with every transaction. E.g. customer details such as name and address do not
change with every transaction although they are required in processing every transaction with the
customer.
Controls over master files and standing data are aimed at ensuring completeness, accuracy and
credibility of the information maintained. These controls include;
- Restrictive access to standing data and ensuring that only a few individuals have the user rights within the system to make adjustments to the standing data.
- Before any changes are made to the standing data, appropriate authorization should be obtained. E.g. before any changes are made on selling prices in the master file, appropriate authorization should be obtained from the responsible officials.
- Once amendments have been made on standing data, a print out should be obtained from the system such that an independent person can verify that the correct amendments have been made.
- Where necessary, the organization should print out all the standing data and an independent check be carried out to verify that this data is accurate and complete.
- An exception report should be generated on a regular basis providing details of any unauthorized amendments made on standing data.
The auditor tests the internal controls when he wishes to place reliance on the controls to determine
whether the accounting records are reliable.
A computerized information system may differ from a manual system by having both manual and
programmed controls. The manual controls are tested in exactly the same way as in a manual
system. The programmed controls are tested in the following ways:
By examination of exception reports and rejection reports. But there is no assurance that the
items on the exception reports were the only exceptions or that they actually met the
Substantive testing of computer records is possible and necessary. The extent depends on the degree
of reliance the auditor has placed on the internal controls. Substantive testing includes two basic
approaches both of which would be used.
- Review of exception reports. The auditor attempts to confirm these with other data, e.g. comparison of an outstanding dispatch note listing with the actual dispatch notes.
- Totalling. Relevant totals, for example for debtors and creditors, can be manually verified.
- Re-performance. The auditor may re-perform a sample of computer generated calculations, e.g. for depreciation and interest expense.
- Reconciliations. These will include reconciliations of computer listings with creditors' statements, bank statements, actual stock and personnel records.
- Comparison with other evidence such as results of debtors' circularization, attendance at stock take and physical inspection of fixed assets.
Computer audit programs are sometimes called generalized audit software. These programs are also called inquiry or interrogation programs. Computer audit programs are computer programs used by the auditor to;
- Read magnetic files and extract specified information from the files.
- Carry out audit work on the contents of the files.
- Select representative or randomly chosen transactions or items for audit tests.
- Scrutinise files and select exceptional items for testing, e.g. wages payments over Shs.1000 or all stock items worth more than Shs.100,000 in total.
- Compare two files and print out the difference, e.g. payrolls at two selected dates.
- Prepare exception reports, e.g. overdue debts.
- Stratify data such as stock items or debtors with a view to examining only the material items.
- Carry out detailed tests and calculations.
- Verify data such as stock or fixed assets at the interim stage and then compare the examined file with the end file so that only changed items need to be examined at the final audit.
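The interrogation functions listed above, and in the earlier list under "Computer programs or audit software", can be sketched as follows. This is an added Python example, not part of the study text or of any audit package; the file layouts, field names and sample figures are constructed for illustration.

```python
from bisect import bisect_left


def systematic_sample(items, start, interval):
    """Select item number `start` (1-based) and every `interval`-th item thereafter."""
    if start < 1 or interval < 1:
        raise ValueError("start and interval must be positive")
    return items[start - 1::interval]


def select_exceptions(records, field, limit):
    """Scrutiny of a file: return every record whose `field` exceeds `limit`."""
    return [r for r in records if r[field] > limit]


def compare_files(earlier, later, key):
    """Compare two versions of a file and report added, removed and changed records."""
    old = {r[key]: r for r in earlier}
    new = {r[key]: r for r in later}
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def stratify(records, field, boundaries):
    """Band records by value; a value equal to a boundary falls in the lower band."""
    bands = [{"upper": b, "count": 0, "total": 0} for b in boundaries]
    bands.append({"upper": None, "count": 0, "total": 0})  # open-ended top band
    for r in records:
        band = bands[bisect_left(boundaries, r[field])]
        band["count"] += 1
        band["total"] += r[field]
    return bands


def final_audit_worklist(interim, year_end, key, start, interval):
    """Items to examine at the final audit: everything new or changed since the
    interim file, plus a systematic sample of the unchanged items."""
    diff = compare_files(interim, year_end, key)
    must_examine = set(diff["added"]) | set(diff["changed"])
    unchanged = [r[key] for r in year_end if r[key] not in must_examine]
    return sorted(must_examine), systematic_sample(unchanged, start, interval)


# Constructed sample files (amounts in shillings).
PAYROLL_JAN = [
    {"emp_no": "E01", "gross": 95}, {"emp_no": "E02", "gross": 120},
    {"emp_no": "E03", "gross": 140}, {"emp_no": "E04", "gross": 300},
]
PAYROLL_JUN = [
    {"emp_no": "E01", "gross": 95}, {"emp_no": "E02", "gross": 125},
    {"emp_no": "E04", "gross": 300}, {"emp_no": "E05", "gross": 110},
]
STOCK_INTERIM = [
    {"line": "S1", "value": 250}, {"line": "S2", "value": 1000},
    {"line": "S3", "value": 1800}, {"line": "S4", "value": 12000},
    {"line": "S5", "value": 40}, {"line": "S6", "value": 9500},
]
STOCK_YEAR_END = [
    {"line": "S1", "value": 250}, {"line": "S2", "value": 1000},
    {"line": "S3", "value": 2100}, {"line": "S4", "value": 12000},
    {"line": "S5", "value": 40}, {"line": "S6", "value": 9500},
    {"line": "S7", "value": 600},
]

if __name__ == "__main__":
    print("sample:", systematic_sample(list(range(1, 401)), 36, 140))
    print("wages over 120:", select_exceptions(PAYROLL_JAN, "gross", 120))
    print("payroll changes:", compare_files(PAYROLL_JAN, PAYROLL_JUN, "emp_no"))
    print("stock bands:", stratify(STOCK_INTERIM, "value", [1000, 10000]))
    print("final audit:", final_audit_worklist(STOCK_INTERIM, STOCK_YEAR_END, "line", 2, 3))
```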
The Control file
When auditing computerized information systems, it will be found that much reliance is placed
within the system upon standard forms and documentation in general, as well as upon strict
adherence to procedures laid down. This is no surprise, of course, since the ultimate constraining
factor in the system is the computer's own capability and all users are competitors for its time. It is
therefore important that an audit control file be built as part of working papers and the auditor must
ensure that he is on the distribution list for notifications of all new procedures, documents and system
changes in general.
- Copies of all the forms which source documents might take and details of the checks that have been carried out to ensure their accuracy.
- Details of physical controls over source documents as well as of the nature of any control totals of numbers, quantities or values including the names of persons keeping these controls.
- Full description of how the source documents are to be converted into input media and the checking of control procedures.
- A detailed account of the clerical, procedural and systems development controls contained in the system. E.g. separation of programs from operators and separation of controls over assets from records relating to the assets.
- The arrangements for retaining source documents and input media for suitable periods. This is of great importance as they may be required for reconstructing stored files in event of error or mishap.
- A detailed flow diagram of what takes place during each routine processing run.
- Details of all tapes and discs in use including their layout, labeling, storage and retention arrangements.
- Copies of all the forms which output documents might take and details of their sorting and checking.
- The auditor's comments on the effectiveness of the controls.
AUDIT SOFTWARE
Audit software consists of computer programs used by the auditors, as part of their auditing
procedures, to process data of audit significance from the entity's accounting system. It may consist
of generalised audit software or custom audit software. Audit software is used for substantive
procedures.
Custom audit software is written by auditors for specific tasks when generalised audit software
cannot be used.
The following provides some examples of the use of audit software in the course of an audit.
statements
TEST DATA
Test data techniques are used in conducting audit procedures by entering data (e.g. a sample of transactions) into an entity's computer system, and comparing the results obtained with predetermined results. Test data is used for tests of controls.
Examples include:
a) Test data used to test specific controls in computer programs such as on-line password and
data access controls.
b) Test transactions selected from previously processed transactions or created by the auditors to
test specific processing characteristics of an entity's computer system. Such transactions are
generally processed separately from the entity's normal processing. Test data can, for example,
be used to check the controls that prevent the processing of invalid data by entering data with,
say, a non-existent customer code or an unreasonable amount, or a transaction which
may, if processed, break customer credit limits.
c) Test transactions used in an integrated test facility. This is where a 'dummy' unit (e.g. a
department or employee) is established, and to which test transactions are posted during the
normal processing cycle.
A significant problem with test data is that any resulting corruption of data files has to be corrected.
This is difficult with modern real-time systems, which often have built-in (and highly desirable)
controls to ensure that data entered cannot be easily removed without leaving a mark.
Other problems with test data are that it only tests the operation of the system at a single point of
time, and auditors are only testing controls in the programs being run and controls which they know
about. The problems involved mean that test data is being used less as a CAAT.
AUDIT REPORT
INTRODUCTION
An audit report is a written opinion of an auditor regarding an entity's financial statements. The
report is written in a standard format, as mandated by international standard reporting
An audit report may also be described as an appraisal of a business's complete financial status.
Completed by an independent accounting professional, this document covers a company’s assets and
liabilities, and presents the auditor’s educated assessment of the firm’s financial position and future.
Audit reports are required by law if a company is publicly traded or in an industry regulated by the
Securities and Exchange Commission. Companies seeking funding, as well as those looking to
improve internal controls, also find this information valuable. There are four types of audit report
Companies Act stipulates the statements that should be expressly stated in the auditor’s report.
These are;
1. Whether they have obtained all the information and explanations which to the best of their knowledge and belief were necessary for the purposes of their audit.
2. Whether in their opinion, proper books of account have been kept by the company, so far as appears from their examination of those books, and proper returns adequate for the purposes of their audit have been received from branches not visited by them.
3.
- Whether the company's balance sheet and (unless it is framed as a consolidated profit and
loss account) profit and loss account dealt with by the report are in agreement with the
books of account and returns.
- Whether, in their opinion and to the best of their information and according to the
explanations given to them, the said accounts give the information required by this Act in
the manner so required and give a true and fair view—
(a) in the case of the balance sheet, of the state of the company's affairs as at the end of
its financial year; and
(b) in the case of the profit and loss account, of the profit or loss for its financial year;
or, as the case may be, give a true and fair view thereof subject to the non-disclosure
of any matters (to be indicated in the report) which by virtue of Part III of the Sixth
Schedule are not required to be disclosed.
4. In the case of a company which is a holding company and which submits group accounts
whether, in their opinion, the group accounts have been properly prepared in accordance with
the provisions of this Act so as to give a true and fair view of the state of affairs and profit or
When financial statements are finalised, they usually must contain an evaluation – an auditor's report
- from a licensed accountant or auditor. This report provides an overview of the evaluation of the
validity and reliability of a company or organization’s financial statements.
The main purpose of an auditor's report is to document reasonable assurance that a company’s
financial statements are free from error.
An audit of a company’s financial statements should result in a report wherein the accountant or
auditor is free to share their opinion about the validity and reliability of a company’s financial
statements.
In this report, the auditor should provide an accurate picture of the company and their financial statements. The auditor should also state whether they are externally or internally connected to the company.
Within the report, the auditor can share any reservations about the condition of the company's finances or relevant additional information. Reservations could arise if the auditor disagrees with something found in the financial statements, e.g. if the auditor disagrees with management about the valuation of an asset because they believe that this has a more significant impact on the financial statements.
In the report there are rules concerning what an auditor's report should include and the order in
which various items should be reported.
Auditor's reports must adhere to accepted standards established by governing bodies. The governing
bodies help to assure external users that the auditor's opinion on the fairness of financial statements
is based on a commonly accepted framework.
ii) Address
The auditor's report shall be addressed as required by the circumstances of the engagement. The
report is usually addressed to the company, its stockholders or the board of directors. For practical
reasons, it limits the users of auditor's report.
Thirdly, the introductory paragraph states that the statements are the responsibility of management and that the auditor's responsibility is to express an opinion on the statements based on the audit.
The introductory paragraph in the auditor's report shall:
- Identify the entity whose financial statements have been audited;
- State that the financial statements have been audited;
- Identify the title of each statement that comprises the financial statements;
- Refer to the summary of significant accounting policies and other explanatory information;
and
- Specify the date or period covered by each financial statement comprising the financial
statements.
iv) Scope paragraph
This paragraph is a factual statement about what the auditor did in the audit. This paragraph states
how the audit was planned and performed in accordance with ISAs and states that the audit is
designed to obtain reasonable assurance whether the financial statements are free of material
misstatements.
jurisdictions, the appropriate reference may be to those charged with governance.
- The auditor's report shall include a section with the heading "Management's [or other appropriate term] Responsibility for the Financial Statements."
- The auditor's report shall describe management's responsibility for the preparation of the financial statements. The description shall include an explanation that management is responsible for the preparation of the financial statements in accordance with the applicable financial reporting framework, and for such internal control as it determines is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error.
- Where the financial statements are prepared in accordance with a fair presentation
framework, the explanation of management's responsibility for the financial statements in the
auditor's report shall refer to "the preparation and fair presentation of these financial
statements" or "the preparation of financial statements that give a true and fair view," as
appropriate in the circumstances.
presentation of the financial statements.
- Where the financial statements are prepared in accordance with a fair presentation framework, the description of the audit in the auditor's report shall refer to "the entity's preparation and fair presentation of the financial statements" or "the entity's preparation of financial statements that give a true and fair view," as appropriate in the circumstances.
- The auditor's report shall state whether the auditor believes that the audit evidence the auditor
has obtained is sufficient and appropriate to provide a basis for the auditor's opinion.
x) Auditor's Opinion
Wording of the auditor's opinion prescribed by law or regulation
ISA 210 explains that, in some cases, law or regulation of the relevant jurisdiction prescribes the
wording of the auditor's report (which in particular includes the auditor's opinion) in terms that are
significantly different from the requirements of ISAs. In these circumstances, ISA 210 requires the
auditor to evaluate:
(a) Whether users might misunderstand the assurance obtained from the audit of the financial
statements and, if so,
(b) Whether additional explanation in the auditor's report can mitigate possible
misunderstanding.
If the auditor concludes that additional explanation in the auditor's report cannot mitigate possible
misunderstanding, ISA 210 requires the auditor not to accept the audit engagement, unless required
"Present fairly, in all material respects" or "give a true and fair view"
- Whether the phrase "present fairly, in all material respects," or the phrase "give a true and fair
view" is used in any particular jurisdiction is determined by the law or regulation governing
the audit of financial statements in that jurisdiction, or by generally accepted practice in that
jurisdiction. Where law or regulation requires the use of different wording, this does not
affect the requirement for the auditor to evaluate the fair presentation of financial statements
prepared in accordance with a fair presentation framework.
Description of the applicable financial reporting framework and how it may affect the auditor's opinion
- The identification of the applicable financial reporting framework in the auditor's opinion is intended to advise users of the auditor's report of the context in which the auditor's opinion is expressed. The applicable financial reporting framework is identified in such terms as: "... in accordance with International Financial Reporting Standards" or "... in accordance with accounting principles generally accepted in Jurisdiction X ..."
- When the applicable financial reporting framework encompasses financial reporting
standards and legal or regulatory requirements, the framework is identified in such terms as
"... in accordance with International Financial Reporting Standards and the requirements of
Jurisdiction X Corporations Act." ISA 210 deals with circumstances where there are conflicts
between the financial reporting standards and the legislative or regulatory requirements.
- The financial statements may be prepared in accordance with two financial reporting
frameworks, which are therefore both applicable financial reporting frameworks.
Accordingly, each framework is considered separately when forming the auditor's opinion on
the financial statements, and the auditor's opinion refers to both frameworks as follows:
a) If the financial statements comply with each of the frameworks individually, two
opinions are expressed: that is, that the financial statements are prepared in accordance
with one of the applicable financial reporting frameworks (for example, the national
framework) and an opinion that the financial statements are prepared in accordance
disclosure.
Other Reporting Responsibilities
- In some jurisdictions, the auditor may have additional responsibilities to report on other
matters that are supplementary to the auditor's responsibility under the ISAs to report on the
financial statements. For example, the auditor may be asked to report certain matters if they
come to the auditor's attention during the course of the audit of the financial statements.
Alternatively, the auditor may be asked to perform and report on additional specified
procedures, or to express an opinion on specific matters, such as the adequacy of accounting
books and records. Auditing standards in the specific jurisdiction often provide guidance on
the auditor's responsibilities with respect to specific additional reporting responsibilities in
that jurisdiction.
- In some cases, the relevant law or regulation may require or permit the auditor to report on
these other responsibilities within the auditor's report on the financial statements. In other
cases, the auditor may be required or permitted to report on them in a separate report.
- These other reporting responsibilities are addressed in a separate section of the auditor's
report in order to clearly distinguish them from the auditor's responsibility under the ISAs to
report on the financial statements.
i) The auditor's address.
Auditor's Report for Audits Conducted in Accordance with Both Auditing Standards of a
Specific Jurisdiction and International Standards on Auditing
- An auditor may be required to conduct an audit in accordance with the auditing standards of a
specific jurisdiction (the "national auditing standards"), but may additionally have complied
with the ISAs in the conduct of the audit. If this is the case, the auditor's report may refer to
International Standards on Auditing in addition to the national auditing standards, but the
auditor shall do so only if:
a) There is no conflict between the requirements in the national auditing standards and those
in ISAs that would lead the auditor (i) to form a different opinion, or (ii) not to include an
Emphasis of Matter paragraph that, in the particular circumstances, is required by ISAs;
and
b) The auditor's report includes, at a minimum, each of the elements set out in above when
the auditor uses the layout or wording specified by the national auditing standards.
Reference to law or regulation shall be read as reference to the national auditing
standards. The auditor's report shall thereby identify such national auditing standards.
TYPES OF REPORTS
The auditor's opinion is normally based on whether the financial statements give a true and fair view
(or are presented fairly, in all material respects) in accordance with the applicable financial reporting
framework and comply with statutory requirements.
The financial reporting framework is determined by IFRSs, with due regard to local legislation. To
advise the reader of the context in which the auditor's opinion is expressed, the auditor's opinion
indicates the framework upon which the financial statements are based. This designation helps the
user to better understand which financial reporting framework was used in preparing the financial
statements.
The following are the various types of audit opinions that the auditor can issue:
a) Unqualified opinion.
b) Disclaimer opinion
c) Qualified opinion
d) Adverse opinion
Unqualified opinion
This is issued when the auditor is satisfied in all material respects and is therefore able to express the
required opinion on the financial statements without any reservation. This is sometimes called a clean
opinion. It is expressed when the auditor concludes that the financial statements give a true and fair
view in accordance with the relevant financial reporting standards.
There are occasions when the auditor has no reservation as to the financial statements but where there
exist unusual events, conditions or accounting policies and he feels that, unless these are drawn to the
reader’s attention, the reader may not reach a proper understanding of the financial position and results.
In such circumstances, the auditor should express an unqualified opinion including an extra paragraph
called an ‘emphasis of the matter paragraph’ to draw the attention of the reader to the unusual matter.
The addition of such an emphasis of matter paragraph does not lead to a qualification of the audit
opinion but is intended to enable the reader obtain a better understanding. To avoid this being
i. Unusual condition would include destruction of assets after balance sheet date but the
company remains a going concern.
ii. The company being insolvent on the face of its own balance sheet but the auditor has letters
of support which he is satisfied can be fulfilled by the other party thus he will accept
appropriateness of the going concern assumption. Unusual events could also include changes
in the legislation that could have a material impact on the entity’s business operations
subsequent to the balance sheet date. Unusual accounting policies that may lead to emphasis
of matter paragraph would involve those matters not covered by any accounting standard.
iii. Inherent uncertainties that may call for emphasis of matter paragraph would include
contingencies at the balance sheet date which have not been resolved at the date of signing
the auditor’s report.
iv. Negotiations for financing which have not been financed by date of signing of the auditor’s
report.
Here is the illustrative unqualified report from ISA 700
Auditor’s Report
(APPROPRIATE ADDRESSEE)
We have audited the accompanying balance sheet of the ABC Company as of December 31,
20x1, and the related statements of income, and cash flows for the year then ended. These
financial statements are the responsibility of the Company’s management. Our responsibility is to
express an opinion on these financial statements based on our audit.
We conducted our audit in accordance with International Standards on Auditing (or refer to
relevant national standards or practices). Those standards require that we plan and perform the
audit to obtain reasonable assurance about whether the financial statements are free of material
misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. An audit also includes assessing the accounting principles
used in significant estimates made by the management, as well as evaluating the overall financial
statement presentation. We believe that our audit provides a reasonable basis for our opinion.
In our opinion, the financial statements give a true and fair view of (or ‘present fairly, in all material
respects,’) the financial position of the Company as of December 31, 20x1 and of results of its
operations and its cash flows for the year then ended in accordance with … (and comply with
….)
AUDITOR
Date
Address
Footnotes:
1. Reference may be by page numbers
2. Indicate IASs or relevant national standards
3. Refer to relevant statutes or law
b) Qualified opinion.
This is expressed when the auditor concludes that an unqualified opinion cannot be expressed but that the
effect of any disagreement with management or limitation in scope is not so material and pervasive
as to require an adverse opinion or a disclaimer of opinion. A qualified opinion implies that all aspects
of the financial statements are okay except for the effects of the matters to which the qualifications
relate.
c) Disclaimer of opinion.
This is issued when the possible effect of a limitation in scope or uncertainty is so material or
pervasive that the auditor has not been able to obtain sufficient appropriate audit evidence, as a
result he is unable to express an opinion on financial statements. A disclaimer of opinion implies
that the auditor is unable to form an opinion because sufficient audit evidence could not be obtained.
d) Adverse opinion.
This is expressed when the effect of a disagreement is so material and pervasive to the financial
statements that the auditor concludes that a qualification of the report is not adequate to disclose the
misleading and incomplete nature of the financial statements. The auditor states that due to the
nature of the disagreement, in his opinion, the financial statements do not show a true and fair view.
Limitation of scope
If for any reason the auditor is unable to receive all the information and explanations he deems
necessary for the purposes of his audit, then there is a limitation in scope of his work. It means that
the auditor is unable to conclude his work objectively. This could arise due to the following reasons:
If the possible effect of limitation in scope of an audit is material but not fundamental to the
financial statements, the auditor issues a qualified opinion. (Except for opinion.)
If the possible effect of limitation in scope of an audit is of fundamental importance that the auditor
is unable to express an opinion on the financial statements, the auditor issues a disclaimer of opinion
as mentioned above.
When there is a limitation in scope of auditor’s work that requires the expression of a qualified
opinion or a disclaimer of opinion, the auditor should describe the nature of the limitation in his
report and indicate the possible adjustments to the financial statements that might have been
determined to be necessary, had the limitation not existed.
‘We have audited … (remaining words are the same as illustrated in the introductory
paragraph of the unqualified report above).
Except as discussed in the following paragraph, we conducted our audit in accordance
with … (remaining words are the same as illustrated in the scope paragraph of the
unqualified report above).
We did not observe the counting of the physical inventories as of December 31, 20x1,
since that date was prior to the time we were initially engaged as auditors for the
company. Owing to the nature of the company’s records, we were unable to satisfy
ourselves as to inventory quantities by other audit procedures.
In our opinion, except for the effects of such adjustments, if any, as might have been
determined to be necessary had we been able to satisfy ourselves as to physical
inventory quantities, the financial statements give a true and … (remaining words are the
same as illustrated in the opinion paragraph of the unqualified report above).’
December 31 20x1 and the related statements of income, and cash flows for the year then
ended. These financial statements are the responsibility of the Company’s management.
(The paragraph discussing the scope of the audit would either be omitted or amended
according to the circumstances.)
We were not able to observe all physical inventories and confirm accounts receivable due
to limitations placed on the scope of our work by the company.
Because of the significance of the matters discussed in the preceding paragraph we do not
express an opinion on the financial statements.
Inherent uncertainties
Inherent uncertainties result from circumstances in which it is impossible for the auditor to reach any
objective conclusion as to the outcome of a situation due to the circumstances themselves rather than
a limitation of scope of the audit. Such uncertainties are only resolved through the passage of time
e.g. to wait for the outcome of a litigation. However, time is a great constraint and financial
statements must be prepared within the required time. The auditor should form an opinion on the
adequacy of the accounting treatment of such uncertainties. This will involve consideration of:
The appropriateness of any accounting policies adopted by the management in treating the
effect of such uncertainties.
The reasonableness of the estimates included in the financial statements.
The adequacy of disclosure of the uncertainties.
Some inherent uncertainties are fundamental. These are uncertainties where the degree of
uncertainty and its potential impact on the view given by the financial statements may be very great.
In determining whether an uncertainty is fundamental, the auditor considers the following:
The risk of the estimate included in the balance sheet being subject to change.
The range of possible outcomes.
Disagreement
Under disagreement, the auditor is able to conclude objectively that he has received all the
information and explanations he considers necessary for the purpose of the audit. But his conclusion
is at variance with the position adopted by the management or the view given by the financial
statements. Circumstances giving rise to disagreements include;
Where the auditor disagrees with the accounting treatment or disclosure of a matter in the financial
statements and, in the auditor’s opinion, the effect of that disagreement is material to the financial
statements, the auditor should:
Include in his report a description of all the factors giving rise to the disagreement.
The implications of such factors on the financial statements.
A quantification of the effect on the financial statements.
‘We have audited … (remaining words are the same as illustrated in the introductory
paragraph of the unqualified report above.)
We conducted our audit in accordance with … (remaining words are the same as
illustrated in the scope paragraph of the unqualified report above).
Accounting Standards. The provision for the year ended December 31, 20x1 should be
based on the straight line method of depreciation using annual rates of 5% for the
building and 20% for the equipment. Accordingly the non current assets should be
reduced by the accumulated depreciation of xxx and the loss for the year and
accumulated deficit should be increased by xxx and xxx respectively.
In our opinion, except for the effect on the financial statements of the matter referred to
in the preceding paragraph, the financial statements give a true and … (remaining
words are the same as illustrated in the opinion paragraph of the unqualified report
above).
We conducted our audit in accordance with … (remaining words are the same as
illustrated in the scope paragraph of the unqualified report above).
In our opinion, except for the omission of the information included in the preceding
paragraph, the financial statements give a true and … (remaining words are the same as
illustrated in the opinion paragraph of the unqualified report above).
We have audited … (remaining words are the same as illustrated in the introductory
paragraph of the unqualified report above).
We conducted our audit in accordance with … (remaining words are the same as illustrated
in the scope paragraph of the unqualified report above).
In our opinion, because of the effects of the matters discussed in the preceding
paragraph(s), the financial statements do not give a true and fair view of (or do not ‘present
fairly’) the financial position of the company as at December 31, 20x1, and of the results of its
operations and its cash flows for the year then ended in accordance with (insert relevant
IASs or national standards) …
and do not comply with … (insert relevant statutes or law).
When the auditor concludes that the effect of the matter giving rise to disagreement is so
fundamental that the financial statements are misleading, the auditor should issue an adverse
opinion.
If the nature of the disagreement is material but not fundamental, the auditor should issue a qualified
opinion indicating that all other aspects of the financial statements are okay except for the matter
giving rise to the disagreement.
The auditor may not include qualifying remarks in his audit report unless the matter is material.
Material but not pervasive means that the reservation the auditor has is material in the context of a
segment of the financial statements but not to the financial statements taken as a whole.
A matter becomes material and pervasive when it is material in the context of the financial
statements taken as a whole. A limitation of scope becomes pervasive when it makes the financial
statements misleading for decision making purposes or of little value for decision making purposes.
A disagreement becomes pervasive when it makes the financial statements taken as a whole to be
totally misleading.
Qualification matrix
Disagreement    Qualified opinion (except for opinion)    Adverse opinion
Going Concern (ISA 570)
The going concern concept is a fundamental concept of IAS 1 (disclosure of accounting policies)
which governs the preparation and presentation of financial statements. This concept states that the
transactions and the financial statements have to be recognized and prepared in such a way that the
entity shall continue with operations for the foreseeable future period and shall not cease to be in
existence, stop or curtail its present production either currently or in the near future.
The auditor, when reporting on the financial statements, is categorically concerned with the going
concern concept because:
It affects true and fair view of the financial statements
It facilitates qualification of audit reports.
It confirms compliance of financial statements with the generally accepted accounting
principles and policies.
The auditor’s main interest will be that all material matters affecting the financial statements
have been disclosed.
The auditor should consider the risk that the going concern assumption may no longer be
appropriate. Indications of the risk that the continuance as a going concern may be questionable
could come from the financial statements or from other sources. Examples of such indications are as
follows:
a. Financial indicators.
Changes of the financial position of the company drastically within a short period of time
especially from bad to worse.
Financial difficulties affecting the company’s production process and sales.
Changes of credit policies especially from credit to cash on delivery.
Difficulties in paying salaries and wages of employees.
Increased financial borrowing.
b. Non financial indicators.
High staff turnover in key accounting and managerial officials and finance personnel
especially without replacement.
Unfriendly environment between management and management and employees
Unusual pressure within the entity for no apparent reason.
Circumstances of labour disputes e.g. strikes by employees leading to demonstrations and
protests.
Where the entity relies heavily on a customer for sale of its products or for marketing its
output.
Pending legal proceedings against the entity that may, if successful, result in judgements that
could not be met.
Non compliance with capital and other statutory requirements.
The significance of such indications can often be mitigated by other factors. For example, the effect
of an entity being unable to make its normal debt repayments may be counterbalanced by
management’s plans to maintain adequate cash flows by alternative means, such as by disposal of
assets, rescheduling of loan repayments, or obtaining additional capital. Similarly, the loss of a
principal supplier may be mitigated by the availability of a suitable alternative source of supply.
PROFESSIONAL ETHICS
Professional ethics are professionally accepted standards of personal and business behaviour, values
and guiding principles. Codes of professional ethics are often established by professional
organizations to help guide members in performing their job functions according to sound and
consistent ethical principles.
The purpose of assurance engagements is to increase the confidence of end users of information by
reducing their level of risk. It therefore follows that the user needs to trust the professional who is
providing the assurance. In order to be trusted the auditor needs to be independent of their clients
and be sufficiently competent and diligent to complete their assignments satisfactorily.
The last thirty years have witnessed a number of high profile corporate scandals that have had far
reaching implications for companies, economies and accountancy firms.
To improve the image of the profession and to restore trust between users of accountancy services
and the practitioners, it is vital that accountants operate (and are perceived to operate) according to
an accepted code of ethics.
Whilst it is expected that practitioners apply the spirit of the code to everyday practice, the
framework and principles would be of little use if they could not be enforced.
Business organizations often develop several different policies, rules and guidelines for governing
their operations. While home-based or sole proprietorship businesses usually require fewer policies,
larger organizations use these guidelines to manage employee behavior. A code of ethics is a
common organizational policy used in business organizations. The code of ethics policy usually sets
the minimum standards for business owners, managers and employees to follow when completing
various business functions.
Facts
In a small business, a code of ethics is usually based on the business owner’s personal morals
or values. As the business grows and expands, the ethical values can be implemented into the
business' organizational mission or values statement. This statement helps provide companies
with a compass to guide the organization through the business environment. Companies often
refer to the mission or values statement when guidance is needed regarding questionable
situations.
A code of ethics can help companies improve business relationships. Ethical values are often
designed to provide guidance when working with other companies and the general public.
These values dictate how businesses handle contract negotiations, customer questions and
feedback or negative business situations.
Allowing an unethical manager free rein in a business capacity can create difficult business
situations that overextend the company’s resources.
Considerations
Companies often use refresher seminars to continually educate and inform employees about the
importance of ethical behavior. The seminars may also provide information regarding new
business policies or past violations of the company’s code of ethics. This information ensures
that employees have a clear understanding about the importance of ethics and why they should
adhere to the company’s policy. Companies can use an employee or third-party agency to
conduct these refresher seminars or meetings.
The Code of Ethics is a statement of principles and expectations governing behaviour of individuals
and organisations in the conduct of internal auditing.
Summary
Rule: Principle
Integrity: The integrity of internal auditors establishes trust and thus
provides the basis for reliance on their judgement.
Objectivity: Internal auditors exhibit the highest level of professional
objectivity in gathering, evaluating, and communicating
information about the activity or process being examined. Internal
auditors make a balanced assessment of all the relevant
circumstances and are not unduly influenced by their own interests
or by others in forming judgements.
Confidentiality: Internal auditors respect the value and ownership of information
they receive and do not disclose information without appropriate
authority unless there is a legal or professional obligation to do so.
Competency: Internal auditors apply the knowledge, skills and experience
needed in the performance of internal auditing services.
The Code of Ethics
This is the full text of the Institute's Code of Ethics.
The purpose of the Code is to promote an ethical culture in the profession of internal auditing.
A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is
on the trust placed in its objective assurance about risk management, control, and governance.
The Institute's Code of Ethics provides principles and rules of conduct under four headings:
Integrity
Objectivity
Confidentiality
Competency
The Rules of Conduct describe behaviour norms expected of internal auditors. These rules are an
aid to interpreting the Principles into practical applications and are intended to guide the ethical
conduct of internal auditors. Below they are set out together with the principle they interpret.
This Code of Ethics applies to both individuals and entities that provide internal auditing services.
For Institute members, breaches of the Code of Ethics will be evaluated and administered according
to The Institute's Disciplinary Procedures. The fact that a particular conduct is not mentioned in the
Rules of Conduct does not prevent it from being unacceptable or discreditable, and therefore, the
member liable to disciplinary action.
1. Integrity Principle
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their
judgement.
Rules of Conduct
Internal auditors:
Shall perform their work with honesty, diligence and responsibility.
Shall observe the law and make disclosures expected by the law and the profession.
Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable
to the profession of internal auditing or to the organisation.
Shall respect and contribute to the legitimate and ethical objectives of the organisation.
2. Objectivity Principle
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and
communicating information about the activity or process being examined. Internal auditors make a
balanced assessment of all the relevant circumstances and are not unduly influenced by their own
interests or by others in forming judgements.
Internal auditors:
Shall not participate in any activity or relationship that may impair or be presumed to impair
their unbiased assessment. This participation includes those activities or relationships that
may be in conflict with the interests of the organisation.
Shall not accept anything that may impair or be presumed to impair their professional
judgement.
Shall disclose all material facts known to them that, if not disclosed, may distort the reporting
of activities under review.
3. Confidentiality Principle
Internal auditors respect the value and ownership of information they receive and do not
disclose information without appropriate authority unless there is a legal or professional obligation
to do so.
Rules of Conduct
Internal auditors:
Shall be prudent in the use and protection of information acquired in the course of their
duties.
Shall not use information for any personal gain or in any manner that would be contrary to
the law or detrimental to the legitimate and ethical objectives of the organisation.
4. Competency Principle
Internal auditors apply the knowledge, skills and experience needed in the performance of internal
auditing services.
Rules of Conduct
Internal auditors:
Shall engage only in those services for which they have the necessary knowledge, skills and
experience.
Shall perform internal auditing services in accordance with the International Standards for the
Professional Practice of Internal Auditing.
Shall continually improve their proficiency and the effectiveness and quality of their services.
Threats to objectivity/independence
The following are all examples of behaviour that could threaten the practitioner's objectivity or
independence from their clients:
Self-interest threat
This occurs when an auditor has a beneficial interest in a client's performance. Examples include:
When the auditor or a member of their family owns shares in a client. They would directly
benefit from increases in client profits and would be reluctant to raise any concerns that could
adversely affect the performance of the client.
When a firm is dependent upon one client for a significant proportion of their total fee
income. The firm may not raise issues with the client for fear of losing them.
The acceptance of gifts and hospitality. This could be perceived as bribery to keep quiet about
issues in the financial statements.
Self-review threat
This occurs when an auditor has to review work that they previously performed. For example: if the
external auditor prepared the financial statements and then audited them.
There is a risk that the auditor would not identify any shortcomings in their own work for fear of
penalty (either financial or reputational).
Advocacy threat
This can occur when the auditor is asked to promote or represent their client in some way. In this
situation the auditor would have to be biased in favour of the client and therefore cannot be
objective. This could happen if the client asked the auditor to promote their shares for a stock
exchange listing or if the client asked the auditor to represent them in court.
Familiarity threat
This occurs when the auditor is too sympathetic or trusting of the client because of a close
relationship with them. This may be because a close friend or relative of the auditor works in a key
role for the client. The auditor may trust their friend or relative to not make mistakes and therefore
not review their work as thoroughly as they should and as a result allow material errors to go
undetected in the financial statements. This can also arise after a long association with a client.
Intimidation threat
Clients may try to harass or bully auditors into giving preferential audit reports. They may use the
fee as leverage. The auditor should not give in to such pressure and, in the circumstances, may
choose to resign from such a client.
Confidentiality
External auditors are in a unique position of having a legal right of access to all information about
their clients. The client must be able to trust the auditor not to disclose anything about their business
to anyone as it could be detrimental to their operations.
As a basic rule, members of an audit team should not disclose any information to those outside of
the audit team, whether or not they work for the same firm. There is little point using different teams
for different work assignments if staff from different teams are disclosing information to each other!
Information should only be disclosed under certain circumstances. In some circumstances the
auditor must disclose the information and in others the auditor may choose to disclose the
information, as follows:
Public interest
Whether or not it is in the public interest is difficult to prove and the auditor must proceed
with caution if thinking of disclosing information for this reason. Such examples could
include fraud, environmental pollution, or simply companies acting against the public good.
Legal advice should be sought beforehand to avoid the risk of being sued. Matters to consider before
disclosing information in the public interest are whether that matter is likely to be repeated and how
serious the effects of the client's actions are.
Conflicts of interest
Any advice given should be in the best interests of the client. However, where clients' interests
conflict (for example, clients in the same line of business), the firm's work should be arranged to
avoid the interests of one being adversely affected by those of another.
once a conflict is noted, you should advise both clients of the situation
reassure the client that adequate safeguards will be implemented, e.g. separate engagement
leaders for each, separate teams, to prevent the transfer of client information between teams
and a second partner review
suggest they seek additional independent advice
if adequate safeguards can't be implemented, the auditor should resign.