User Manual:

Page Count: 236

Twinning Arrangement to develop Capacity Building for ICPAR
Certified Public Accountant Examination
Stage: Advanced Level 1 A1.2
Subject Title: Audit Practice and Assurance
Study Manual
© CPA Ireland
All rights reserved.
The text of this publication, or any part thereof, may not be reproduced or transmitted in any
form or by any means, electronic or mechanical, including photocopying, recording, storage
in an information retrieval system, or otherwise, without prior permission of the publisher.
Whilst every effort has been made to ensure that the contents of this book are accurate, no
responsibility for loss occasioned to any person acting or refraining from action as a result of
any material in this publication can be accepted by the publisher or authors. In addition to
this, the authors and publishers accept no legal responsibility or liability for any errors or
omissions in relation to the contents of this book.
First Edition 2012
This study manual has been fully revised and updated
in accordance with the current syllabus.
It has been developed in consultation with experienced lecturers.
Introduction to the Course
Assurance and the Audit Function
Need for Regulation
The Audit Function
Small Entities
Methodology of an Audit
Sample Questions
Professional Conduct
Fundamental principles and guidance
Areas of Controversy
Sample Questions
Professional Appointments
Agreeing the Terms
Books and Documents
Change in Auditors
Sample Questions
Professional Responsibility and Liability
Professional Liability
Professional Indemnity Insurance
Sample Questions
Practice Management & Regulatory Environment
Risks to which firms are exposed
Quality Control
What are the Current Trends?
Corporate Governance
Law and Regulation
Sample Questions
Audit Planning and Strategy
Audit Planning
The Risk Approach
Systems and Controls
Cycles and Transactions
Balance Sheet Approach
Directional Testing
Analytical Procedures
Sample Questions
Audit Evidence
Audit Evidence Introduction
Related Parties
Management Representations
Using the Work of Others
Sample Questions
Audit Evaluation and Review
Review Procedures
Opening Balances
Other Information
Subsequent Events
Going Concern
Compliance with International Financial Reporting Standards
Sample Questions
Audit Reports
Forming an Audit Opinion
The Problem of Communication
Electronic Reporting
Special Purpose Reports
Reporting to Management
Sample Questions
Audit of Financial Statements
Construction Contracts
Sample Questions
Audit Related and Assurance Services
Audit Related Services
Assurance Engagements
Risk Assessments
Performance Management
Systems Reliability
Electronic Commerce
Forensic Audits
Sample Questions
Internal Audit and Outsourcing
Internal Audit
Impact of Outsourcing on an Audit
Sample Questions
Prospective Financial Information
Reporting on Prospective Financial Information
Accepting an Engagement
Expressing an Opinion
Sample Question
Social and Environmental Audits
Implications for the Company
Implications for the Management
Measuring Social and Environmental Performance
Implications for the Statutory Audit
Implications of Assurance Services
Sample Question
Group Audits
Group Accounting and the Holding Company Auditors
Principal Auditors and Other Auditors
The Consolidation Process
Joint Audits
Auditing Foreign Subsidiaries
Recent Developments
Sample Question
Solution 1.1
Solution 1.2
Solution 2.1
Solution 2.2
Solution 2.3
Solution 3.1
Solution 3.2
Solution 3.3
Solution 4.1
Solution 4.2
Solution 4.3
Solution 5.1
Solution 5.2
Solution 5.3
Solution 5.4
Solution 6.1
Solution 6.2
Solution 7.1
Solution 7.2
Solution 8.1
Solution 8.2
Solution 8.3
Solution 9.1
Solution 9.2
Solution 9.3
Solution 9.4
Solution 10.1
Solution 10.2
Solution 11.1
Solution 11.2
Solution 12.1
Solution 13.1
Solution 14.1
Solution 15.1
Stage: Advanced Level 1
Subject Title: A1.2 Audit Practice & Assurance Services
The aim of this subject is to ensure that students can demonstrate the knowledge, skills and
competencies necessary to carry out the audit of an entity and undertake assurance
engagements, having due regard to the Institute’s and profession’s ethical standards in a
changing and complex business environment.
Audit Practice and Assurance Services as an Integral Part of the Syllabus
In carrying out the audit of an entity’s financial statements it is essential to fully understand
the application of the relevant International Standards on Auditing (ISAs), International
Accounting Standards (IASs) and International Financial Reporting Standards (IFRSs). Many
issues that face auditors frequently arise from the accounting treatment of certain financial
transactions in the financial statements of the entity.
The study of the subject Auditing at Advanced 1 Stage is an essential foundation for the study
of Audit Practice and Assurance Services at Advanced 2 Stage. Financial Accounting and
Information Systems (at Foundation 2 Stage) and Financial Reporting and Company Law (at
Advanced 1 Stage) are also essential prerequisites for the study of Audit Practice and
Assurance Services.
Learning Outcomes
Upon successful completion of this subject students should be able to:
Explain, interpret and apply the legal, regulatory and ethical framework to the
role of the auditor.
Identify audit risks, and describe the procedures undertaken at the planning stage
to meet the objectives of the audit.
Design, evaluate and report on internal control and financial reporting systems
and identify and communicate control risks, applying these skills to practical
situations in both manual and computerised environments.
Describe the application of Computer Assisted Auditing Techniques.
Design, plan and apply audit testing techniques and procedures in the practical
application of International Standards on Auditing (ISAs), International Standards
on Quality Control (ISQCs) and other technical pronouncements to auditing and
assurance situations.
Evaluate the role of internal audit, including a comparison with the role of the
external auditor.
Draw conclusions, having applied appropriate professional skill, scepticism and
Report to shareholders, management and other relevant parties in the course of
providing audit and assurance services.
Plan and perform the necessary work and report on other assurance engagements
in the context of agreed terms of reference and the legal, regulatory and ethical
Undertake audit and assurance engagements with reference to the best practices
and developments in Corporate Governance and their application to clients
Evaluate, explain and discuss issues and developments relating to auditing,
including audit expectations and developments in the regulation of audits.
Demonstrate an ability to work within a professional and ethical framework.
1. Legal and Regulatory Environment
An in-depth knowledge of the Companies Acts / Orders and other company
law legislation affecting the auditor.
Responsibilities imposed on auditors of Rwandan Stock Exchange listed
companies and legal responsibilities to shareholders.
An in-depth knowledge of standards and other technical pronouncements
issued by the IASB and IAASB.
A detailed appreciation of case law decisions and their implications for the
auditing process.
An in-depth knowledge of other legal liabilities affecting auditors and
accountants in providing audit and assurance services.
2. Ethics
Application of the ICPAR Code of Ethics.
The fundamental principles of professional ethics.
Threats and safeguards.
Responsibilities to clients and colleagues.
Other responsibilities and practices including:
Changes in professional appointments.
Use of lien in fee disputes.
Advertising and publicity.
Use of professional designations.
Conflicts of interests.
Code of confidentiality.
Professional liability and indemnity.
Misconduct and negligence.
3. Internal Controls and Financial Systems
The definition of the control environment and control procedures.
Effective internal controls.
The limitations on the effectiveness of internal controls.
Ascertaining and understanding internal control systems: narrative notes,
flowcharts, checklists, internal control questionnaires, walk through tests.
Evaluations and assessment of accounting systems and internal control
systems and its subsequent impact on audit work.
Reliance on internal controls and internal audit.
The principles and control procedures in a computer environment including
system analysis and design considerations.
The use of Computer Assisted Audit Techniques.
4. Risk Assessment & Audit Process
New engagements.
The strategic design and planning of an audit and knowledge of the client’s
The review of financial statements to include analysis and critical assessment.
Quality control and recording of the audit.
The evaluation and testing of control procedures and audit evidence.
The design and carrying out of tests of substance on specific audit areas.
Consideration of materiality, audit risk, reliance on other specialists, events
after the reporting period, contingencies, related parties.
Use of experts.
Characteristics of fraud and the responsibility of auditors for detecting
material misstatement due to fraud.
5. Reporting
Reporting on Audited Financial Statements.
Key concepts: opinion, true and fair view, materiality, statutory requirements.
Basic elements of the Auditor’s Report.
Modified Reports, differentiating between
Matters that do not affect the auditor’s opinion, and
Matters that do affect the auditor’s opinion.
Circumstances giving rise to Modified Reports.
Limitations on Scope.
Disagreements with management.
Auditor’s responsibility before and after the date of the Auditor’s Report.
Auditor’s responsibility for other information in documents (e.g. Annual
Report) containing audited financial statements.
6. Special Audits and Other Assurance Engagements
Relevant audit planning, execution (including internal control implications),
reporting and professional practice considerations concerning:
Group audits, small business audits (including small business exemption), not-for-profit
audits, first time audits.
Prospectuses and other offering documents (investment circulars): historical year-end
financial statements, interim financial statements, and future oriented
Other types of historical financial assurance engagements: financial statements
review engagement (Accountant’s Report), financial statements compilation
engagements (Compilation Report), audit or review of specific financial
information (e.g. sales figures for retail park leases), compliance with agreements
(e.g. loan covenants), agreed upon procedures.
Assurance on internal controls in service organisations.
Other types of audits: value for money/operational, social and environmental,
health and safety, whistleblowing, forensic (fraud identification, analysis and
7. Corporate Governance
Best Practice
Audit Committees – structures, roles, benefits and drawbacks.
Roles and effectiveness of Non-Executive Directors.
Anti-Money Laundering Procedures.
8. Current Issues
The current issues and developments relating to auditing, including audit
expectations and developments in the regulation of audits.
Study Unit 1
Assurance and the Audit Function
Need for Regulation
The Audit Function
Small Entities
Methodology of an Audit
Sample Questions
There has been a huge growth in information that is available today in all aspects of business.
The use of the internet has made access easy and more and more information is being required
in all areas, not just financial.
This growth in information has led to a need for assurance as to the quality and reliability of
that information so that users can make informed decisions based on the information that is
available to them.
Audit and assurance services play a vital role in maintaining confidence and therefore
stability in the world economy. The markets need confidence and in order to get this
confidence they seek to reduce their exposure to risk. To reduce risk they need assurance
in the market.
The International Standards on Auditing (ISA) glossary of terms gives a definition of an
assurance engagement as “one in which a practitioner expresses a conclusion designed to
enhance the degree of confidence of the intended users other than the responsible party about
the outcome of the evaluation or measurement of a subject matter against criteria.”
In practice, this could be an auditor expressing an opinion to the shareholders of a company
on a set of financial statements prepared by management as to whether they have been
prepared in a true and fair manner in accordance with accounting standards and relevant
company law.
Any assurance engagement must have the following five elements:
A three party relationship such as the Auditor reporting to a shareholder about the
actions of management.
Some subject matter such as a set of financial statements.
Suitable criteria such as the accounting standards and/or law.
Sufficient appropriate evidence, in a form that is sufficient, reliable and relevant.
A written report in an appropriate form.
Levels of Assurance
Various levels of assurance may be given but this depends very much on (1) the individual
engagement, (2) the criteria applied and (3) the subject matter. The glossary of terms refers
to two types:
Reasonable level of assurance: subject matter materially conforms to criteria, i.e.
accounts give a true and fair view having regard to the accounting standards and law.
Limited level of assurance: no reason to believe that subject matter does not
conform to criteria. Essentially, a negative form of expression.
Absolute assurance can never be given. There are inherent limitations of an audit that affect
the auditor’s ability to detect material misstatements in a set of financial statements.
The Limitations of an audit
Not every item is checked. In fact, only test checks are carried out by auditors. It
would be impractical to examine all items within a class of transactions or account
balance. Hence, it is not really possible to give absolute assurance.
Auditors depend on representations from management and staff. Collusion can
mitigate some good controls such as division of duties. There is always the
possibility of collusion or misrepresentation for fraudulent purposes.
Evidence gathered is persuasive rather than conclusive. It often indicates what is
probable rather than what is certain.
Auditing is not purely an objective exercise. Judgements have to be made in a
number of areas. The view in financial statements is itself based on a combination of
fact and judgement.
The timing of an audit.
An unqualified audit opinion is not a guarantee of a company’s future viability, the
effectiveness and efficiency of management, nor that fraud has not occurred in the
So are there any benefits of an audit? Yes, there are.
The shareholders of a company are given an independent opinion as to the true and
fair view of the accounts that have been prepared by management.
The use made by third parties such as suppliers and banks of the accounts adds
confidence in the performance of a company.
Auditors themselves can use the knowledge accumulated during the course of the
audit to provide additional services to the company such as the provision of
consultancy services or a management letter showing weaknesses in the business and
recommendations to alleviate such weaknesses in the future.
While not responsible for detecting fraud, the very fact that an audit is carried out and
may uncover evidence of fraud, can help to mitigate against such risks.
Types of engagements
The type of assurance engagement will depend very much on the subject matter, whether it be
a set of accounts or an internal control system.
In order that an assurance engagement can be carried out, the subject matter must be:
Capable of consistent evaluation and measurement and
Capable of being subject to procedures and evidence gathering.
Types of assurance engagements include
Audits and reviews (different levels of assurance)
Reports on systems and controls as part of corporate governance framework
Reports for lenders and other investors
Reports on prospective financial information
Risk assessments
Business performance measurement
Social and environmental issues and
Value for money studies
Implications of assurance services
Members of professions will need to have a good broad skills base to deal with the
various types of engagements and not just the standard audit.
More types of engagements increase the potential liability of accountants. Clear
identification of what is extended liability is vital.
There is the potential for increasing the expectations gap. Auditors’ view versus the
public’s view. The auditor is not responsible for preparation of accounts or the
detection of fraud.
Where there is reduced confidence in the markets and this leads to business failure, this in
turn leads to instability. As a result there is increased demand for regulation.
There has been regulation in the markets since the introduction of the concept of limited
liability. The requirement for audited financial statements is a way to protect the owners of a
business from unscrupulous management and also prevent the abuse of the limited liability
What is an audit?
An audit is an exercise whose objective is to enable an independent auditor to express
an opinion on whether a set of financial statements is prepared in a true and fair manner in
accordance with an identified financial reporting framework.
The same objective applies to the audit of financial or other information prepared in
accordance with appropriate criteria.
Overview of Syllabus and audit
ISA (International standards on auditing) 200: Objective and general principles
governing an audit of financial statements sets out what audits are all about.
The auditor should comply with the code of ethics for professional accountants issued
by the International Federation of Accountants (IFAC), ethical standards and the ethical
pronouncements issued by the auditor’s relevant professional body.
The auditor should conduct an audit in accordance with International Standards of
Auditing and should plan and perform an audit with an attitude of professional
ISA 200 also makes a very important point in that while the auditor is responsible for
forming and expressing an opinion on the financial statements, the responsibility for
preparing and presenting those financial statements lies with the management.
Furthermore, the auditor does not have any responsibility with regard to the prevention
and detection of fraud. Again, that lies with the management. These points often form
the basis for the expectation gap mentioned above.
Types of audits
Statutory audits as required by companies’ legislation.
Non-statutory audits preferred by interested parties rather than being required by law.
For example, charities, societies, public interest companies etc.
Small entity audits.
[Diagram: labels only partly recoverable: Legal &; Assessment & Audit process; controls &; Governance & current issues]
Elements of a small entity would include:
Small number of individuals re ownership and management.
Basic record keeping.
Limited internal controls with huge potential for management override of such
There are arguments for and against small company audits. Each of the stakeholders
(shareholders, management, employees, banks, suppliers and revenue commissioners) has their
own pros and cons.
Reassurance given by audited accounts for shareholders not involved in management.
On the contrary, where shareholders are part of management, the whole audit exercise
may not appear to be value for money.
Audited accounts provide a good indication of a fair valuation for shares particularly
unquoted shares.
An audit provides management with an independent check on the accuracy of their
financial statements. Also, some auditors do provide decent management letters.
In reality, a more focused systems review or similar consultancy report would be of
more benefit to management.
Employees can gain comfort from audited accounts as to their job security and for
wage negotiations. In reality, I don’t think this actually happens.
Bank managers often rely on audited accounts when reviewing security in the event of
granting a loan.
More importantly though, a bank manager may want to see a good credit history in a
company’s transactions with the bank.
Suppliers can gain assurance from audited accounts when giving credit to customers.
On the contrary, the accounts might be out of date and the customer could be
experiencing difficulties. It might be more appropriate to get relevant credit references.
Rwandan Revenue Authority can rely on audited accounts to back up tax returns.
In reality, revenue authorities generally accept sets of accounts prepared by
independent accountants.
Small company audits and potential problems
Small companies create difficulties for auditors in that the auditor has to direct more of
his work in the verification of items by physical inspection and the vouching of third
party evidence, than he would otherwise probably do with larger company audits. The
general principles applied in an audit are the same for large and small companies. But
the specific testing may vary considerably.
Due to the nature of small companies as noted above, problems can arise with the
reliability of internal control systems. In fact Control Risk is considered high. (ISA
200 defines control risk)
Lack of controls coupled with the risk of management override may lead to
difficulties such as the incompleteness of income or the recording of inappropriate
expenditure. In a larger company the system of internal control and a suitable staff
structure would provide a check against a person’s work. In smaller companies, some
internal controls will be useful as a management check on staff, but will provide no
checking mechanism on management itself. Where there are limitations in the
effectiveness of internal controls, it has little value to the auditor in helping him form
an opinion on a set of financial statements. As a result he will need to increase his
substantive testing. Examples would be physically verifying additional assets
purchased throughout the year and obtaining third party confirmation from a bank as to
the small company’s bank balances at the year-end.
Another problem associated with small company audits is that the lack of an
appropriate internal control system coupled with the auditor’s inability to design or
carry out procedures to obtain sufficient, reliable and relevant evidence as to the
completeness and accuracy of the accounting records can create a limitation on the
scope of the auditor’s work. This can affect the type of audit report that is issued. For
example, you can have a qualified audit report where the scope limitation does not
prevent the auditor from expressing an opinion, or you can have a report where the
scope limitation is so significant that the auditor is unable to express an opinion.
Determine the scope and the audit approach.
Legislation and the auditing standards lay down the scope for statutory audits. An
auditor should prepare a plan for his audit.
Ascertain the system and controls.
Discuss the accounting system and the flow of documents with all the relevant
personnel in the company. Document all your notes. Some auditors do flow charts,
narrative notes and/or internal control questionnaires.
Get to know the client’s business.
Confirm that you have recorded the system accurately by carrying out walkthrough
Assess the system and internal controls.
Evaluate the system as it is to weigh up its reliability and draw up a plan to test its
effectiveness. At this stage you could draw up a letter to management recommending
any improvements you consider from your findings. In addition, what you have
learned here may influence the type of further audit testing you may carry out later on.
Test the system and internal controls.
Above, you evaluated the controls that are in place. You need also to test if they were
effective. Compliance tests will cover many more transactions than the walkthrough
tests. You need to carry out a representative sample through the accounting period.
If you can establish that the controls are indeed effective, you can reduce the amount
of detailed testing later on. However, if the controls turn out to be ineffective, then
more substantive tests will need to be carried out.
Test the financial statements.
This section covers the substantive testing which has been described earlier. You are
effectively trying to stand over the figures in the financial statements. Substantive
tests are audit procedures performed to detect material misstatements. Remember, if
you think that any error you might find in a class of transactions will not be
significant, then there is no point carrying out the substantive test.
Review the financial statements.
After all the testing has been done and the evidence gathered, you should review the
accounts as to their overall reliability making a critical analysis of the content and
Express an opinion.
You need to evaluate all the evidence you have gathered and express an opinion on a
set of accounts by way of a written audit report.
You may in addition, write a management letter which can set out improvements you
recommend or to place on record specific points in connection with the audit.
Question 1.1
What are the limitations of an audit?
Question 1.2
You have been preparing accounts for Mr J. Butera for the last number of years which he
submits to the Revenue Authorities. His current turnover is RWF 1 million. Mr. Butera is
considering forming a company and has asked for your advice on a number of issues.
1. Are there any advantages to having a company audit?
2. Would the audit carried out on his company be similar to that of say Bank of Kigali
3. Is there anything other than an audit that would give him a degree of assurance?
Study Unit 2
Professional Conduct
Fundamental principles and guidance
Areas of Controversy
Sample Questions
ISA 200 sets out the general principles of an audit. The auditor should comply with the code
of ethics for professional accountants issued by the International Federation of Accountants.
Accountants require ethics because people rely on them for their expertise in specific areas.
Both the International Federation of Accountants (IFAC) and the Institute of Certified Public
Accountants of Rwanda (ICPAR) have issued a code of ethics, and the fundamental
principles of the two codes are very similar.
The ICPAR ethical framework states principles and encourages the auditor to make their own
judgements. On the other hand, the ethics as laid down by the IFAC provide more guidance
by way of examples of potential issues and safeguards to mitigate against those threats.
The ICPAR code of ethics lays out the fundamental principles as follows:
Integrity. A member should be straightforward and honest in all professional and
business relationships.
Objectivity. A member should not allow bias, conflict of interest or undue influence
of others to override professional or business judgements.
Professional competence and due care. A member has a continuing duty to
maintain professional knowledge and skill at the level required to ensure that a client
or employer receives competent professional service.
Confidentiality. A member should respect the confidentiality of information
acquired as a result of professional and business relationships and should not disclose
any such information to third parties without proper and specific authority unless
there is a legal or professional right or duty to disclose. Any information acquired
should not be used for the personal advantage of the member or third parties.
Professional behaviour. A member should comply with relevant laws and
regulations and should avoid any action that discredits the profession.
The circumstances in which members operate may give rise to specific threats to compliance
with the fundamental principles. However, it is impossible to define every situation that
creates such threats and to specify the appropriate mitigating action. In addition, the nature
of engagements and work assignments may differ.
The ICPAR conceptual framework requires each member to identify, evaluate and address
threats to compliance, rather than merely complying with a set of specific rules such as those
laid down by the IFAC.
If the threats are significant, then you need to identify and apply safeguards to eliminate the
risk or to reduce it to an acceptable level. If no appropriate safeguards are available,
then you need to eliminate the activities causing the threat or decline the engagement or
discontinue it as the case may be.
Advantages of a framework over a system of rules
A framework forces you to consider the threats for every given situation and to act
A framework prevents you from interpreting technical issues.
Rules don’t always cover all situations.
Rules need to be constantly amended to live in a rapidly changing environment.
An auditor needs to be, and be seen to be, independent. He must have independence of mind
and independence in appearance.
Independence is a state of mind that permits the provision of an opinion without being
affected by influences that compromise professional judgement, and allows an individual to act
with integrity and exercise objectivity and professional judgement.
An auditor needs to avoid facts and circumstances that are so significant that a reasonable and
informed third party would reasonably conclude an auditor’s integrity, objectivity or
professional scepticism had been compromised.
Public confidence in the operation of capital markets and in the conduct of public interest
entities depends upon the credibility of the opinions and reports issued by auditors.
What are the threats to independence?
ES 1 Integrity, objectivity and independence sets out the principal types of threats.
Self interest:
A financial interest in a client, undue dependence on fees, close business relationship,
concern over losing a client, potential employment with client or loans from client.
Self review:
Reporting on the operation of financial systems after you were involved in their
design and preparing the accounts now under audit.
Management threat:
Making judgements and taking decisions which are the responsibility of management.
Acting as a legal advocate for client in litigation or promoting shares in the company.
Having close personal relationships developed with client personnel through long
association or a family relationship. Auditor may not be sufficiently questioning the
client’s point of view. Acceptance of gifts of significant value.
Threat of replacement due to disagreement.
Review the Institute of Certified Public Accountants of Rwanda code of ethics together with
the IFAC code of ethics with regard to areas such as financial interests, loans and guarantees,
close business relationships, family and personal relationships, employment connections
with the client, long association with client personnel, provision of non-assurance services,
fees, gifts and hospitality and actual or threatened litigation.
Safeguards to independence
Safeguards that may eliminate or reduce threats to an acceptable level fall into two general
Safeguards created by the profession, legislation or regulation and
Safeguards in the work environment whether within the auditor’s own systems and
procedures or within the client company.
The first category includes:
Educational, training and experience requirements for entry into the profession.
Continuing professional development requirements.
Corporate governance regulations.
Professional standards.
Professional or regulatory monitoring and disciplinary procedures.
External review by a legally empowered third party of the reports, returns,
communications or information produced by a member.
The second category includes:
Firm wide safeguards
Such as firms stressing the importance of compliance with the fundamental principles.
The expectation that members will act in the public interest.
Documented policies and procedures to implement and monitor quality control of
Documented policies regarding identification of threats, their evaluation and
application of safeguards.
Documented independence policies.
Policies and procedures to enable identification of interests and relationships between
auditor and client.
Monitoring the fee income received.
Timely communication of a firm’s policies and procedures to all staff and appropriate
training thereof.
Implementing a quality control system and appointing a member of senior
Advising all staff of the clients from whom they must be independent.
A suitable disciplinary mechanism to promote compliance with policies.
Engagement specific safeguards
Involving an additional professional accountant to review the work done.
Consulting independent third parties.
Disclosing the nature of services provided and extent of fees charged to those charged
with client governance.
Rotating senior audit team personnel.
Safeguards within client systems and procedures
Persons other than management ratify auditor appointment.
Client has competent employees with experience to make decisions.
The client has a corporate governance structure that provides appropriate oversight
and communications regarding the firm’s service.
Specific safeguards in relation to independence are mentioned in the ICPAR and IFAC
guidance and cover such areas as financial interest, loans, close business relationships, fees
and litigation.
International standard on quality control sets out the standards and provides guidance
regarding a firm’s responsibilities for its system of quality control for audits.
The firm should establish a system of quality control designed to provide it with
reasonable assurance that the firm and its personnel comply with professional
standards and regulatory and legal requirements.
The firm’s system of quality control should include policies and procedures
addressing elements such as leadership responsibilities, ethical requirements,
acceptance of engagements, human resources, engagement performance and
The quality control policies and procedures should be documented and communicated
to the firm’s personnel.
There is a duty of confidence to the client but there are several exceptions noted.
The principle is twofold. One, you should refrain from disclosing any information acquired
without proper authority to do so unless there exists a legal or professional right or duty to
Secondly, you should refrain from using any information acquired for your own personal
advantage or that of a third party.
A member should maintain confidentiality even in a social environment and must continue to
comply with the principle after the end of the professional relationship. The member
can only use prior experience.
Exceptions when member may be required to disclose:
Disclosure permitted by law and authorised by client.
Disclosure by law e.g. production of documents during course of legal proceedings or
disclosure to appropriate public authorities of infringements of law that have come to
Money Laundering
Theft and Fraud Offences
Duty to report where books of account are not being kept.
Professional duty or right to disclose when not prohibited by law, such as to comply
with quality assurance reviews, to respond to an inquiry by an institute, to protect the
professional interests of a member in legal proceedings or to comply with technical
standards and ethical requirements.
Having decided that there should be some disclosure, the auditor must consider:
Whether the interests of any parties could be harmed by such disclosure and whether
the auditor will incur legal liability as a result of the disclosure.
Whether all relevant facts are known and substantiated.
The type of communication that is expected and to whom it should be addressed.
Under ISA 250, Consideration of laws and regulations in an audit of financial statements,
if auditors become aware of a suspected or actual occurrence of non-compliance with law and
regulation which gives rise to a statutory right or duty to report, they should report it to the
proper authority immediately.
In all cases of disclosure where there is a duty of confidentiality, you should seek legal
Multiple services
Many audit firms are moving away from their traditional roles and are offering a
wider variety of work to their clients. Audit is sometimes even seen as a loss leader
in gaining other lucrative work.
Having more legislation in this area could restrict clients in their choice of whom
to give business to, and any synergies found in the auditor also providing additional
services would be lost.
Note, in the USA, SEC guidance suggests that an auditor is not independent in
relation to a listed company if they provide certain non-audit services, such as
bookkeeping, internal audit, management or human resources functions.
Specialist services
Services such as valuation of intangible assets, property or unquoted investments,
where carried out by a firm that is also the company’s auditor, can lead to a self review
threat. A firm should not therefore audit a client’s accounts which include specialist
work carried out by itself.
Second opinions
Second opinions are acceptable but not if the current auditors are pressurised to accept
the second opinion. In order to avoid this, there should be constant communication
between the two auditors.
The second firm has a duty to seek permission from the client to approach the current
auditors. Without such communication, the second opinion may be formed
negligently, as it may not be based on the same set of facts or may be
based on inadequate evidence.
Conflicts of interest
Conflicts of interest can arise when a firm has two or more audit clients, and the
clients are in direct competition with each other e.g. major banks.
An audit firm can argue that different audit teams are involved and this can maintain
independence and confidentiality. However, clients may not perceive it this way and
could well move the audit to another firm.
Takeovers also need special consideration. You could be the auditor to both
companies in a takeover. In these cases, the auditor should not be the principal
advisor to either and should not issue any assessment reports on either party other
than the actual audit reports.
Insider dealing
Auditors can be seen as insiders as they often have access to very sensitive
information. Auditors should see the duty not to deal as an insider as an extension of
their duty of confidentiality to their clients. Again, it is not just in relation to third
parties but also to their own personal gain.
Question 2.1
You are a partner in an audit firm. A number of issues have emerged in relation to some of
your clients. You are asked to document your considerations on each of the issues, noting the
threat arising, the significance of that threat and any factors you have taken into account, and,
if relevant, any safeguards you could apply to eliminate or mitigate against that threat.
1. JNS Ltd
John is the most junior member of your audit team of eight. He has just invested in a
personal pension plan that invests in all listed companies.
2. White LTD
You are the partner leading a high powered team carrying out due diligence work
on Black LTD, a company that your client, White LTD, is considering taking over. Paul,
your deputy, has mentioned that he met the daughter of the MD of Black LTD during
the initial phases of the work and is going to ask her out.
3. Take it Easy LTD
You have been associated with this audit for ten years, four as audit engagement
partner. You are just back from a six week cruise with the MD on his yacht.
Question 2.2
Here is an example of a press report which appeared in recent years and which dealt with issues
of objectivity and independence within a multinational firm of accountants.
“..a partner in the firm was told by the regulatory body that he must resign because he was in
breach of the body’s independence rules, as his brother-in-law was the financial controller of
an audit client. He was told that the alternative was that he could move his home and place of
work at least 400 miles from the offices of the client, even though he was not the reporting
partner. This made his job untenable. The regulatory body was seen as taking its rules to
absurd lengths by the accounting firm. Shortly after this comment, the multinational firm
announced proposals to split the firm into three areas between audit, tax and business
advisory services; management consultancy; and investment advisory.”
Discuss the above events and the impact they may have on the public perception of integrity,
objectivity and independence.
Question 2.5
A perception that auditors are not independent is a real cause for concern. Where
auditors provide non audit services to their clients, their objectivity may well be impaired by
undue dependence on those clients. In addition, further concerns may arise in the situation
where audit clients hire staff who were previously employed by their auditors. In this case
the objectivity of future audits may be at risk.
1. Describe the problems that may arise if an audit client hires, as finance director, a
former audit partner.
2. Are there any advantages to a client of their auditor becoming an executive in their
3. How does current ethical guidance attempt to deal with these potential problems
surrounding an auditor becoming an executive and what additional safeguards if any
may help the situation?
Study Unit 3
Professional Appointments
Agreeing the Terms
Books and Documents
Change in Auditors
Sample Questions
ISA 200 sets out the ethical principles governing the auditor’s professional responsibilities.
One of them is professional behaviour. A member is expected to comply with relevant laws
and regulations and should avoid any action that discredits the profession.
Now, auditors are like anyone else in business and in business it is necessary to advertise.
But this advertising should be aimed at informing the public in an objective manner and
should be in good taste.
The Institute of Certified Public Accountants of Rwanda have stated they will use the IFAC
code of ethics as their basis and thus imply that in promoting themselves and their work,
members should be honest and truthful and should not make any exaggerated claims for
the services they are able to offer, the qualifications they possess or the experience they have
gained. In addition, they should not make any disparaging references or unsubstantiated
comparisons to the work of others.
Use of logos
Persons can only use the designated letters of a profession after their name such as in
advertisements when they are members of the said profession.
A firm must have a practicing/auditing certificate to describe themselves as registered
If reference is made in promotional material to fees, the basis on which the fees are
calculated should be stated. The greatest care should be taken to ensure that any reference
does not mislead as to the precise range of services and time commitment that the reference is
intended to cover.
The danger of giving a misleading impression is great when there are constraints in respect of
space limits for advertisements. It is for this reason that it is generally inappropriate to
advertise fees. It is probably better to advertise free consultations to discuss fee issues.
Client companies can change auditors. In this regard a firm may be approached to submit a
tender for an audit. When approached to tender, an audit firm must consider whether they
want to do the work and they must have regard for the ethical considerations, such as
independence and professional competence. In addition, they need to consider fees and some
other practical issues.
A member may quote whatever fee is deemed to be appropriate. The fact that one may
quote a lower fee than another auditor is not in itself unethical. However, it does raise the
risk of a threat to the principles of professional competence and due care in that the fee
quoted may be so low as to make it appear to be difficult to perform the audit to the expected
Therefore, it is wise to set out the basis of the calculation of the fee. The following factors
should be considered when setting out a fee:
What does the job involve? Is it audit and/or tax, or is there some other complicated
work involved?
Which staff will need to be involved, in terms of numbers and quality? How long will they be
required? Is the nature of the business complex?
What charge out rates are to be applied?
The practice of undercutting fees has been called lowballing and can be seen in action
generally where large audits are concerned. We have seen that having a lower fee may
seem to have a negative impact on an auditor’s perceived independence but there are other
factors to be considered:
Auditors operate in a market like any other business where supply and demand very
often dictate the price.
Fees may be lower due to reasons such as better internal audit functions and
simplified group structures within client companies.
Auditing firms have increased productivity, whether through the use of more
sophisticated IT or experience gained through understanding the client’s business.
Practical issues
It is important that the auditor also considers a number of other issues:
Can the audit assignment be fitted into the audit firm’s current work plan?
Are there suitable audit staff available?
Will any specialist skills be required? What are the future plans for the company?
Is there any training required for current staff and what will be the cost of that
What work does the client actually want? Audit and/or tax?
Is this the first time the company has been audited?
Whether the client is seeking to change its auditors and if so what is the reason behind
Submitting an audit proposal
There is no set format. In fact, the client may dictate the format whether it be a written
submission or a presentation to the board of directors.
Whatever the form of the tender submission, the following matters should be included in the
The audit fee and the basis for its calculation
An assessment of the needs of the client
How the firm means to meet the needs of the client
Any assumptions made to support the proposal
The audit approach to be adopted by the firm
A brief outline of the firm
Details and background of the key audit staff on the proposed engagement.
Evaluating the tender
Different clients will have different ways of evaluating a tender. Some of the more general
points are listed below. It is important to bear these in mind when preparing a proposal:
Fee. This can be the most vital point. Some clients go straight to this figure and don’t
even bother with the rest of the document.
Professionalism. Auditors are expected to be professional. Remember, the audit team
and the tender documents are often the first factors on which a prospective client forms
an impression.
Proposed audit approach. Clients are always looking for the least amount of
disruption to their already busy schedules, so the shortest number of days on-site may
be the key to winning a tender.
Personal service. Fostering relationships is vital. The client should always feel that he is
getting value for money.
You have submitted a tender. You have been successful and the client has offered you the
audit. Before you accept and commence the audit you should carry out a number of
procedures in order to comply with the provisions in ISQC1 quality control (section 26 to
Before accepting the assignment
Make sure there are no ethical issues which would prevent you from accepting this
Make sure that you are professionally qualified to carry out the work requested and
that your firm has the resources available in terms of staff, expertise and time.
Check out references for the directors of the client firm especially if they are unknown
to the audit firm.
Consult previous auditors as a matter of professional courtesy and establish from them
whether there is anything that you ought to know about this vacancy.
After accepting the assignment
Make sure the resignation of the previous auditors has been properly carried out and
that the new appointment is valid. A resolution by shareholders of the company is
Submit a letter of engagement to the directors of the client company and ensure it is
accepted and signed before any audit work is carried out.
ISQC1 states that a firm should establish policies and procedures for the acceptance and
continuance of client relationships and specific engagements, designed to provide it with
reasonable assurance that it will only undertake or continue relationships and engagements
where it:
Has considered the integrity of the client and does not have any information that would
lead it to conclude that the client lacks integrity,
Is competent to perform the engagement and has the capabilities, time and resources to
do so and
Can comply with the ethical requirements.
The firm should obtain such information as it considers necessary in the circumstances before
accepting an engagement with a new client, when deciding whether to continue an existing
engagement and when considering acceptance of a new engagement with an existing client.
Where issues have been identified and the firm decides to accept or continue the relationship
or a specific engagement, it should document how the issues were resolved.
In short, a firm must:
Obtain relevant information
Identify relevant issues
Resolve issues that are identified, and document that resolution.
Integrity of client
Matters to be considered:
Identity and business reputation of owners, key management and those charged with
Nature of the client’s operations and its business practices.
Attitude of the owners, key management and those charged with governance towards
matters such as aggressive interpretation of accounting standards and the internal
control environment.
Client’s attitude to fees.
Indications of inappropriate limitation in the scope of work.
Indications that client may be involved in money laundering or other criminal
Reasons given for non-reappointment of previous auditors.
Information can be gathered through communications with previous auditors or other
professionals who may have provided services and through other third parties such as
bankers, legal counsel and industry peers. There are also a multitude of relevant databases
where one can do some background research.
Competence of the firm
Matters to be considered:
Does the firm have sufficient knowledge of the relevant industry and the relevant
regulatory environment?
Are there sufficient personnel within the firm having the necessary capabilities and
competence, and are experts/specialists available when needed?
Are competent individuals available to perform engagement quality control reviews?
Will the firm be able to complete the engagement within the reporting deadline?
Other issues
Where a potential conflict of interest is identified, the firm should consider whether it
is appropriate to accept the engagement.
Need to consider any significant matters that may have arisen during the current or
previous engagements of whatever description.
ISQC1 goes on to state that where the firm obtains information that would have caused it to
decline an engagement if that information had been available earlier, policies and procedures
(on the continuance of the engagement and the client relationship) should include
consideration of:
The professional and legal responsibilities that apply to the circumstances, including
whether there is a requirement for the firm to report to the person or persons who made
the appointment or, in some cases, to regulatory authorities, and
The possibility of withdrawing from the engagement or from both the engagement and
the client relationship.
Some suggested procedures would include discussing with appropriate client management the
appropriate action that the firm might take based on the relevant facts and circumstances.
Also, the firm should document the significant issues, consultations, conclusions and the
basis for those conclusions.
Once an engagement has been accepted it is important to agree the terms. It is essential that
both parties fully understand what the agreed services are. Any misunderstanding could lead
to a breakdown in the relationship and could result in legal action.
ISA 210: terms of audit engagements establishes standards and provides guidance on:
Agreeing the terms of an engagement with the client and
The auditor’s response to a request by a client to change those terms to one that
provides a lower level of assurance.
It states that the auditor and the client should agree on the terms of the engagement. The
agreed terms would need to be recorded in an audit engagement letter or other suitable form
of contract. The terms should be recorded in writing.
The objective and scope of an audit and the auditor’s obligations may be established by law,
but the auditor may still find that an audit engagement letter will be informative for their
The main points to be clarified in the letter of engagement would include:
Confirmation of the auditor’s acceptance of the appointment.
The auditor is responsible for reporting on the accounts to the shareholders
The directors of the company have a statutory duty to maintain the books of the
company and are responsible for the preparation of the financial statements.
The directors are responsible for the prevention and detection of fraud.
The fact that because of the test nature and other inherent limitations of an audit, there
is the unavoidable risk that some material misstatements may remain undiscovered.
The scope of the audit including reference to appropriate legislation and standards.
There should be unrestricted access to whatever books and records the auditor needs
in the performance of his duties.
Other points to be included:
Arrangements regarding the planning and performance of the audit.
The expectation of receiving from management written confirmation regarding
representations made in connection with the audit.
Request for the client to confirm in writing the terms of the letter.
The fee to be charged and the credit terms.
The form of any reports or other communication of results of the engagement.
Other issues
On recurring audits, the auditor should consider whether circumstances require the
terms of the engagement to be revised and whether there is a need to remind the client
of the existing terms of the engagement.
An auditor who, before the completion of the engagement, is requested to change the
engagement to one which provides a lower level of assurance, should consider the
appropriateness of doing so. Where the terms are changed, both parties should agree on
the new terms. Note, the auditor should not agree to a change of engagement where
there is no reasonable justification for doing so.
ISQC1 states that the firm should establish policies and procedures for the retention of
engagement documentation for a period sufficient to meet the needs of the firm or as required
by law or regulation.
Unless otherwise specified by law or regulation, engagement documentation is the property
of the audit firm. The firm may, at its discretion, make portions of, or extracts from,
engagement documentation available to clients, provided such disclosure does not undermine
the validity of the work performed, or, in the case of assurance engagements, the
independence of the firm or its personnel.
Audit working papers belong to the auditor and cannot be taken over by another set of
auditors taking over the audit assignment. In practice, the previous auditors provide the new
auditors with enough carry over information such as the lead schedules behind the make up
of the financial statements.
The auditor owes a duty of confidentiality to the client, so documents about the client should
not be given to third parties unless:
The client agrees to the disclosure
The disclosure is required by law or court order
Disclosure is otherwise in accordance with the rules of professional conduct.
The previous auditors should ensure that all the books and documents belonging to the client
are returned promptly. In some cases, the previous auditors are allowed to keep the books
where they are exercising a lien. This is a supplier’s right to retain possession of a customer’s
property until the customer pays up what is owed.
There are strict conditions when this can be enforced:
The books and documents must actually belong to the client
The auditor must have got them by proper means
The actual work must have been done and a fee note raised and given to the client
The fee must relate to the held documents.
Financial statements and tax compliance work belong to the client, even if the
auditor/accountant has prepared them.
Companies do actually change their auditors. It is important that auditors understand why a
company may seek to change their auditor in a bid to prevent this from happening to them.
The following sets out the reasons why this can happen:
Audit fee
Many companies perceive that an audit has very little value. In turn this makes the audit fee
a very sensitive issue.
The fee may be perceived to be too high. Remember, a lot of the audit work may be
done off site and the hours charged at the firm’s office will belong to the managers and
partners, so the client might not understand why the fee is so high.
It may not be seen as good value for money. For example, a client may have important
tax work carried out for him. The fee charged may be far lower than that of the audit,
probably due to the time involved, yet the client might see the value of this work as far
greater than that of the audit.
The current fee might not appear to be very competitive. Other similar firms may be
getting audit services for less.
The client may put the audit out to tender to see whether the price is actually
negotiable, even though he may have no intention of changing his auditor.
The audit fee may breach the recommended level of overall practice fees as laid down
by ethics, and the auditor may have no alternative but to resign.
Audit firm may not seek re-election
The auditor may choose not to stand for ethical reasons, such as he doubts the integrity
of management
Conflicts of interest may have arisen such as competition between clients or maybe he
has been offered some lucrative work by the client and he may have to resign the audit
The auditor may have a disagreement with the client such as in the formulation of
accounting policies
The auditor may simply not want to reduce his audit fee.
Size of the company
The company may be growing at such a rate that the audit firm no longer has the
necessary resources, staff, time, and expertise, to allow it to retain the audit.
Remember the principle of professional competence and due care.
Alternatively, the company may be contracting and it now finds that it can avail of the
audit exemption specified under relevant jurisdiction regulations.
There is very little that the auditor can do in each of these cases.
Other reasons
With small companies, the audit is almost a personal service. If the relationship
breaks down, there may be nowhere to go except to discontinue the relationship. Within
a big firm with big audit clients, you could simply change the engagement partner.
As part of the safeguards against the threats to independence, audit rotation was put
forward. This is where the audit moves to another firm although in the previous point,
rotating to another engagement partner within the same firm will mean the same thing.
Question 3.1
A B Ltd, a large quoted company, was founded and controlled by Mr. Narang. The principal
business of the company was to develop undeveloped land in city centres into apartment
blocks. In 2010, the Revenue Authorities became suspicious of the nature of the operations
being carried out by the company and instigated an investigation.
The investigation highlighted internal controls that were weak and, in many cases,
non-existent. Payments to unknown persons and fictitious consultancy firms were found. In
addition Mr Narang maintained a secret expense account that was used to disburse funds to
himself. The board of directors did not know of the existence of the account which was
maintained by the audit engagement partner. The auditors were heavily criticised in the
Winalot & Co, the firm of auditors, had an aggressive marketing campaign and had increased
its audit fees substantially over a number of years. They had accepted the audit appointment
in 2008 after the previous auditor had been dismissed. The audit report for 2007 had been
heavily qualified on the grounds of poor internal control and lack of audit evidence. Mr
Narang had approached several firms of auditors in order to ascertain whether they would
qualify the audit report given the present system of internal controls. Winalot said it was
unlikely that they would qualify the report. They realised that Mr Narang was opinion
shopping but were prepared to give an opinion in order to attract the client to their firm.
The PLC subsequently filed for insolvency and the auditors were sued for negligence by a
You are required to:
1. Describe the procedures that an audit firm should carry out before accepting a new
client with a potentially high audit risk.
2. Detail the ethical problems raised by the maintenance of the secret expense account by the
audit partner.
3. Suggest measures to try and minimise the practice of opinion shopping by
prospective audit clients.
4. Explain how audit firms can reduce the risk of litigation and its effects upon the
audit practice.
Question 3.2
Why would an auditor not seek re-election, and what practical issues should an auditor
consider when submitting a tender?
Question 3.3
Discuss accountants and the advertising of fees.
Study Unit 4
Professional Responsibility and Liability
Professional Liability
Professional Indemnity Insurance
Sample Questions
An auditor’s main concern in an audit is the risk of a material misstatement in the financial
statements. These material misstatements can arise from fraud or error.
An error is an unintentional misstatement in the financial statements, whether an omission
of an amount or a disclosure. It can be a mistake in gathering or processing data for the
accounts, an incorrect accounting estimate or a mistake in the application of accounting
Fraud is an intentional act by one or more individuals among management, employees or
third parties, involving the use of deception to obtain an unjust or illegal advantage.
Auditors do not make legal determinations of whether fraud has actually occurred; the
auditor is concerned with fraud that causes a material misstatement in the financial
ISA 240: the auditor’s responsibility to consider fraud in an audit of financial
statements, states quite clearly in paragraph 240.13 that the primary responsibility for the
prevention and detection of fraud rests with the management and those charged with
governance of the entity. It is their responsibility to establish a control environment to assist
in achieving the orderly and efficient conduct of the entity’s operations. It is up to them to
put a strong emphasis within the entity on fraud prevention.
The auditor does not have a specific responsibility to prevent or detect fraud, but he must
consider whether it has caused a material misstatement in the financial statements.
Types of fraud
There are two types of intentional misstatement:
Fraudulent financial reporting
Misappropriation of assets
Fraudulent financial reporting
This may be accomplished by the following:
Manipulation, falsification, or alteration of accounting records or supporting
documentation from which the accounts are prepared
Misrepresentation in or intentional omission from the accounts of events, transactions
or other significant information
Intentional misapplication of accounting principles relating to amounts, classification,
manner of presentation or disclosure.
Specifically fraud can be committed by management overriding controls using techniques
such as:
recording fictitious journal entries
inappropriately adjusting assumptions
omitting, advancing or delaying recognition of events or transactions in the correct
accounting period
Concealing or not disclosing facts that could affect amounts recorded in the financial
Engaging in complex transactions that are structured to misrepresent the financial
Altering records and terms related to significant and unusual transactions.
Misappropriation of assets
This involves the theft of a company’s assets. While management are in a position to be able
to disguise or conceal misappropriations in ways that are difficult to detect, small and
immaterial amounts misappropriated are often perpetrated by employees.
Misappropriations can be accomplished in a number of ways:
Embezzling receipts
Stealing physical assets or intellectual property
Causing an entity to pay for something it never received
Using an entity’s assets for own personal use.
The misappropriation of assets is often accompanied by false or misleading records or
documents in order to conceal the fact that the assets are missing.
Why is there fraud
Fraud occurs because
There is an incentive or pressure to commit fraud
A perceived opportunity to do so
Rationalisation of the act.
Individuals may be living beyond their means
Management is under pressure to reach targets
An individual may believe internal controls can be over-ridden.
The auditor’s approach in relation to fraud
ISA paragraph 240.3 states that in planning and performing the audit to reduce risk to an
acceptable level, the auditor should consider the risks of material misstatement in the
financial statements due to fraud.
1. Maintain an attitude of professional scepticism
2. Audit team should discuss the entity’s susceptibility to fraud
3. Carry out risk assessment procedures
4. Respond to the assessed risks
5. Consider whether any identified misstatement is indicative of fraud
6. Obtain written representations from management relating to fraud
7. Communicate with management
ISA 240.24 states that the auditor should maintain an attitude of professional scepticism
throughout the audit, recognising the possibility that a material misstatement due to fraud
could exist notwithstanding the auditor’s past experience with the entity about the honesty and
integrity of management.
Members of the engagement team should discuss the susceptibility of the entity’s financial
statements to material misstatements due to fraud. (ISA 240.27)
The engagement partner should consider which matters are to be communicated to members
of the audit team not involved in the discussion (ISA 240.29).
The discussion may include:
An exchange of ideas about how and where a company may be susceptible to fraud,
how management could conceal fraud and how assets could be misappropriated.
A consideration of circumstances that might lead to aggressive earnings management
A consideration of known factors both external and internal that may create an
incentive or pressure from management or others to commit fraud
A consideration of management involvement in the supervision of employees with
access to cash or other assets susceptible to misappropriation
A consideration of any unusual or unexplained changes in behaviour or lifestyle of
management or employees that has come to the team’s attention
Emphasising the importance of professional scepticism
A consideration of the types of circumstances that might indicate fraud
A consideration of how unpredictability will be incorporated into the audit
A consideration of audit procedures that might be selected to respond to any suspicions
of fraud
A consideration of any allegations that have come to the auditor’s attention
A consideration of the risk of management override of controls.
Risk assessment procedures
The auditor should undertake risk assessment procedures in order to obtain an understanding
of the entity and its environment, including its internal control.
As part of this work the auditor performs procedures to obtain information that is used to
identify the risks of misstatement due to fraud. These procedures include:
Making inquiries of management as to how they identify and respond to the risks of
Consider whether fraud risk factors are present
Consider the results of analytical procedures and any other relevant information
When obtaining an understanding of the entity and its environment, including its internal
control, the auditor should make inquiries of management regarding:
Management’s assessment of the risk of fraud
Management’s process for identifying and responding to the risks
Management’s communication to those charged with governance
Management’s communication, if any, to employees regarding its views on business
practices and ethical behaviour.
The auditor should make inquiries of management, internal audit and others within the entity,
to determine whether they have knowledge of any actual or suspected fraud.
The auditor should obtain an understanding of how those charged with governance exercise
oversight of management processes for identifying and responding to risks and the internal
control that management has established to mitigate these risks.
The auditor should make inquiries of those charged with governance to determine whether
they have knowledge of any actual or suspected fraud.
When obtaining an understanding of the entity and its environment, the auditor should
consider whether the information obtained indicates that one or more fraud risk factors are
Fraud risk factors are detailed in appendix 1 of ISA 240.
When performing analytical procedures, the auditor should consider unusual or unexpected
relationships that may indicate risks of material misstatements due to fraud.
When identifying and assessing the risks of material misstatement at the financial statement
level, and at the assertion level for classes of transactions, account balances and disclosures,
the auditor should identify and assess the risk of material misstatement due to fraud. Those
assessed risks that could result in a material misstatement are significant risks and
accordingly, the auditor should evaluate the design of the related controls and determine
whether they have been implemented.
The auditor identifies the risks of fraud, relates the identified risks to what can go
wrong at the assertion level and considers the likely magnitude of a potential
Responses to risk
The auditor should determine overall responses to address the assessed risks of material
misstatement due to fraud at the financial statement level and should design and perform
further audit procedures whose nature, timing and extent are responsive to the assessed
risks at the assertion level.
The auditor should respond in the following ways:
A response that has an overall effect on how the audit is conducted
A response to identified risks at the assertion level
A response to identified risks where management override controls are involved.
In determining overall responses to address the risk of material misstatement due to fraud at
the financial statement level the auditor should consider
the assignment and supervision of personnel
the accounting policies used
Incorporate an element of unpredictability in the selection of the nature, timing and
extent of audit procedures.
Audit procedures responsive to risks at assertion level may change the nature, timing and
extent of audit procedures such as:
Audit evidence may need to be more reliable and relevant or to obtain additional
corroborative information. Physical inspection or observation may become more
Timing of substantive tests may need to be modified, for example in revenue
recognition testing.
Sample sizes may need to be increased.
(see appendix 2 ISA 240)
To respond to the risk of management override of controls, the auditor should design and
perform audit procedures to
test the appropriateness of journal entries
review accounting estimates and
obtain an understanding of the business rationale of significant transactions that are
outside the normal course of business for the entity.
Evaluation of audit evidence
The auditor evaluates whether the risks of material misstatement are appropriate based on the
evidence gathered. He must also consider the reliability of management representations and
must obtain from the management in writing, that the management accepts its responsibilities
in relation to the prevention and detection of fraud and has made all relevant disclosure to the
The auditor must document:
The significant decisions reached during the audit team discussion of fraud
The identified and assessed risks of material misstatement due to fraud
The response to the assessed risks
Communication to management
The auditor should communicate to the appropriate level of management any identified fraud.
Where the fraud involves management or key employees in internal control operations, the
auditor should communicate as soon as possible any such fraud to those charged with
The auditor may have a statutory duty to report fraudulent behaviour to a regulator outside
the entity.
Withdrawal from audit
The auditor should consider resigning from the audit if exceptional circumstances arise that
would bring into question the auditor’s ability to continue in office.
If the auditor withdraws, he should discuss with the appropriate level of management as to
the reasons and should consider whether there are legal or professional requirements to report
to third parties.
Auditors may have professional liability under statute law and in the tort of negligence.
Statute law
There are occasions when auditors have professional liability under statute law:
In insolvency legislation, the auditor could be found to be an officer of the company
and thus could be charged with a criminal offence in connection with the winding up of
the company.
An auditor could be found to be guilty of insider dealing, which is a criminal offence.
Auditors could be found guilty of a criminal offence in respect of money laundering
issues as to their failure to report any known suspicions to the proper authority.
Tort of negligence
Negligence is based on customary/common law. It seeks to provide compensation for loss
suffered by one party due to another’s wrongful neglect.
To succeed, an injured party must prove:
A duty of care existed
The duty of care was breached
The actual breach caused the loss.
Who would take an action against an Auditor
If an auditor gave an incorrect audit opinion the following parties might take an action:
The company
The shareholders
The bank
Other lenders
Other interested third parties
The key difference between all the above mentioned parties is the nature and duty of care
owed to them by the auditor.
Audit client
An auditor owes a duty of care to the company as it is the audit client. The company has a
contract with the audit firm. Therefore, the duty of care is automatic under law.
The company is all the shareholders acting as a body; it cannot be represented by one
shareholder alone.
The standard of work of the auditor is generally defined by legislation. A number of
judgements exist which have gauged the level of care as specific legislation does not exist
which states clearly how an auditor should discharge his duty of care.
EG. Re Kingston Cotton Mills 1896 Court of Appeal, England
“…it is the duty of the auditor to bring to bear on the work he has performed that skill, care and
caution which a reasonably competent, careful and cautious auditor would use. What is
reasonable skill, care and caution, must depend on the particular circumstances of the case.”
EG. Re Thomas Gerrard & Son Ltd 1967 Chancery Division, England
“…the real ground on which re Kingston cotton mills….is, I think, capable of being
distinguished is that the standards of reasonable care and skill are, upon the expert evidence,
more exacting today than those which prevailed in 1896.”
EG. Re Fomento (Sterling Area) Ltd v Selsdon Fountain Pen Co Ltd 1958
“…they must come to it with an inquiring mind, not suspicious of dishonesty…..but
suspecting that someone may have made a mistake somewhere and that a check must be
made to ensure that there has been none.”
Auditors have to be careful in forming an opinion and they must give consideration to all
relevant matters.
If an opinion reached by an auditor is one that no reasonably competent auditor would be
likely to reach, then the auditor would possibly be held liable for negligence.
Third parties
The auditor can only owe a duty of care to parties other than the audit client, if one can be
Third parties will include any individual shareholders, potential investors and the bank. In
these cases, there is no contract with the audit firm. Therefore, there is no implied duty of
Case law seems to suggest that the courts have been reluctant to attribute a duty of care for
third parties to the auditor.
EG. Caparo Industries plc v Dickman and others 1990 England House of Lords - Tort
Caparo relied on a set of accounts to purchase shares in a company. Subsequently, they
alleged that the accounts were misleading. They argued the auditors owed a duty of care.
The House of Lords found that there was no duty of care. The audit complied with the
company’s legislation and there was no mention in that legislation to suggest that auditors
should protect the interests of investors.
EG. James McNaughton Paper Group Ltd v Hicks Anderson 1990
The position held that a restrictive approach was now adopted to any extension of the scope
of the duty of care beyond the person directly intended by the auditor. In addition, all
circumstances should now be taken into account in deciding on a duty of care.
However, in 1995, a high court judge made an award against BDO as their joint audit of a
company in which ADT were investing was held to be a contractual relationship with ADT.
Problems however still arise after this case law. The reality is that third parties do rely on
audited accounts. The perception is that if you are required to file your accounts with, for
example, the Office of Registrar General in Rwanda, then this information must be credible
and independent.
It seems unfair that auditors should bear full responsibility for something for which they do
not have the primary responsibility.
In recent times, directors of companies are required by law not to make misleading
statements to auditors.
Banks and other major lenders appear to have a more special relationship than other third
Loan facilities will often contain clauses requiring audited accounts and up to date financial
information on a regular basis. This may be seen to document a relationship with the auditor
that establishes a duty of care.
EG. Royal Bank of Scotland v Bannerman, Johnstone Maclay and other 2002
The bank provided an overdraft facility to the company, who it is claimed misstated its
position due to a fraud. It was argued that the auditors neglected to find the fraud.
The judge found that the auditors had a duty of care. They knew that the bank needed audited
accounts as part of the overdraft arrangement and could have issued a disclaimer to the bank.
But they didn’t and this was an important factor in deciding that they did owe a duty of care.
Litigation avoidance
One way of dealing with litigation is to try and avoid it.
Have clear client acceptance procedures, screen new clients, use an engagement letter.
Perform all audit work in accordance with standards and best practice.
Have sensible and effective quality control procedures in place.
Issue appropriate disclaimers. Auditors may attempt to limit their liability by issuing
disclaimers, although this may not always be effective in law.
Misconduct includes any act or default that is likely to bring discredit to the member, relevant
firm or registered student.
A member should comply with relevant laws and regulations and should avoid any action that
discredits the profession.
A member found guilty of misconduct by a competent court shall be liable to disciplinary
action, the penalties for which are at the discretion of the professional bodies’ committees
dealing with this area.
Misconduct could include:
Honesty and integrity is a fundamental principle for auditors as they are in a position of
trust. Dishonesty therefore would be taken very seriously.
Most professions insist that auditors take out professional indemnity insurance.
This is insurance against civil claims made by clients and third parties arising out of the work
undertaken by a firm.
Fidelity guarantee is insurance against liability arising through any acts of fraud or
dishonesty by an employee of a firm in respect of money or goods held in trust by the firm.
Insurance is important in order to compensate the client as it is highly unlikely that a firm
would have the necessary resources to fully compensate a client. It also provides some
protection for the firm against bankruptcy.
There is a downside to the insurance. It is quite expensive and there may also be limits to the
cover. There is also the risk that some auditors will take less care than their duty requires as
they have a safety net if something goes wrong.
It is also common for the insurance requirement to remain in place after a member ceases to
engage in public practice.
The major accountancy firms have been interested in trying to limit their liability for
partners in the event of negligence.
Question 4.1
Write a note, where you must consider the extent to which an auditor should be responsible
for detecting fraud when auditing the accounts of limited companies.
1. Outline the extent to which an auditor is responsible for detecting fraud.
2. Discuss whether it would be reasonable to extend the auditor’s responsibilities and whether
there are any practical problems in extending such responsibilities.
3. Conclude on and define the extent to which you consider it reasonable for an auditor to
be responsible for detecting fraud.
Question 4.2
In an action for negligence, what must occur in order to proceed?
Question 4.3
What practical actions can an auditor apply in order to avoid litigation?
Study Unit 5
Practice Management & Regulatory Environment
Risks to which firms are exposed
Quality Control
What are the Current Trends?
Corporate Governance
Law and Regulation
Sample Questions
A key risk facing any audit firm is that the business will fail. In this respect an audit firm is
no different from any other business venture.
Risks specific to audit firms:
Litigation against the firm
Client loss (changes in auditors!!)
Disciplinary action by the professional body
Loss of key audit personnel
[Diagram 1: Risk of business failure, showing litigation against the audit firm, loss of clients to competitors, loss of key audit personnel and disciplinary action]
Risk Management
As part of managing their own business effectively, auditors should have a system of risk
management in place.
They should identify the risks and take steps to mitigate them. For example, an
auditor can mitigate business risks by taking out key person (keyman) insurance and
putting in place client care procedures.
In general, the risk of business failure for audit firms can be mitigated by observing
regulatory or professional requirements. Such requirements can be found within the
International standards on auditing and the code of ethics. The standards give a good
framework within which auditors can operate.
This framework ensures that there is a standard level of quality and consistency between all
audit firms. If the international standards on auditing are not followed by auditors, they run
the risk of disciplinary action by their respective professional bodies. In addition, where
there is negligence, there is also the risk of litigation and thus the risk of business failure.
Auditing standards stress the importance of quality control, both at the audit firm level and
the audit engagement level.
ISQC1 Quality Control for firms that perform audits and reviews of historical financial
information, and other assurance and related services engagements helps audit firms
establish quality standards for their own business, while ISA 220 Quality Control for audits
of historical financial information requires firms to implement quality control procedures
over individual audit assignments.
Quality control at firm level
ISQC1 (11) establishes that the firm should establish a system of quality control designed to
provide it with reasonable assurance that the firm and its personnel comply with professional
standards and regulatory and legal requirements, and that reports issued by the firm or
engagement partners are appropriate in the circumstances.
A system of quality control consists of policies designed to achieve the objectives and the
procedures necessary to implement and monitor compliance with those policies.
All quality control policies and procedures should be documented and communicated to the
firm’s personnel (ISQC1(17)).
Elements of a system of quality control:
Leadership responsibilities for quality within the firm
Ethical requirements
Acceptance and continuance of client relationships and specific engagements
Human resources
Engagement performance
The aim is to instil such policies and procedures so that the internal culture of the firm is
one where quality is essential and is considered to be the norm. Leadership must
come from the top down and with that in mind the standard recommends that a senior
management person should assume the overall responsibility.
ISQC1(19) sets out that any person assigned the overall responsibility for a firm’s quality
control system should have sufficient and appropriate experience and ability and the
necessary authority to assume that responsibility.
The firm should establish policies and procedures designed to provide it with reasonable
assurance that the firm and its personnel comply with relevant ethical requirements. Such
ethical requirements include the fundamental principles of integrity, objectivity, professional
competence & due care, confidentiality and professional behaviour.
Acceptance and continuance of client relationships and specific engagements
A firm should establish policies and procedures for the acceptance and continuance of client
relationships and specific engagements. They should be designed to provide it with
reasonable assurance that it will only undertake or continue relationships and engagements
where it (1) has considered the integrity of the client and does not have information that
would lead it to conclude that the client lacks integrity, (2) is competent to perform the
engagement, (3) has the capabilities, time and resources to do so and (4) can comply with
ethical requirements.
Human Resources
An audit firm’s desire for quality will require policies and procedures on ensuring excellence
in its staff. It should have sufficient personnel with the necessary experience, competence
and ethical principles necessary to perform audits in accordance with the professional
standards and regulatory and legal requirements.
Such policies and procedures will address the following issues:
Performance evaluation
Career development
Estimation of personnel needs
Capabilities and competence can be developed through:
Professional education
Continuing professional development and training
Work experience
On the job training
Engagement performance
ISQC1(32-47) states that the firm should establish policies and procedures designed to
provide it with reasonable assurance that engagements are performed in accordance with
professional standards and regulatory and legal requirements, and that the firm or the
engagement partner issues reports that are appropriate in the circumstances.
Through its policies and procedures, the firm seeks to establish the consistency in the quality
of engagement performance. This is often accomplished through written or electronic
manuals, software tools or other forms of standardized documentation.
Ensuring good engagement performance involves a number of issues:
Resolution of disputes
ISQC1.34 states that the firm should establish policies and procedures designed to provide it with
reasonable assurance that:
Appropriate consultation takes place on difficult or contentious matters
Sufficient resources are available to enable appropriate consultation
The nature and scope of such consultations are documented
Conclusions resulting from consultations are documented and implemented
Where an audit firm is small, this may necessitate external consulting.
Resolution of disputes
A firm should establish policies and procedures for dealing with and resolving differences of
Quality control review
A firm should establish policies and procedures requiring, for appropriate engagements, a
quality control review that provides an objective evaluation of significant judgments made
on an assignment and the conclusions reached in forming an opinion on a set of accounts.
An audit firm must have standards as to what constitutes a suitable quality control review.
These standards should cover:
The nature, timing and extent of such a review,
This could be discussions with an engagement partner, a review of financial statements
and consideration of whether reporting is appropriate. It may involve some selective
review of working papers, particularly where significant judgment was applied,
The criteria of eligibility of the reviewer,
The individual selected should have sufficient technical expertise and should be
The documentation required -
It should show that the review was completed before the audit report is signed off.
In respect of a listed company, a quality control review must be carried out before the
audit report is signed off.
In respect of a listed company, a review should consider:
The engagement team’s evaluation of independence
Significant risks identified and the responses to those risks
Judgments with respect to materiality and significant risks
Whether appropriate consultation has taken place
Significance of misstatements identified, both amended and un-amended
Matters to be communicated to management
Whether selected working papers support conclusions reached
Whether report to be issued is appropriate
Firms must have policies and procedures in place to ensure that their quality control system
Operating effectively
Complied with in practice
In order to achieve the objectives, a firm must monitor the quality control system. This
should be reported to the management of the firm on an annual basis.
Types of monitoring activities:
Ongoing evaluation and/or
Periodic inspection of selected audits
Deficiencies found may be one-offs, but systematic or repetitive deficiencies will require
corrective action such as:
Taking appropriate remedial action relating to an individual
Changes to the quality control system
Pointers to the training dept.
Disciplinary action against those who fail to comply with the policies and
Quality control at audit engagement level
ISA 220.2 states that the engagement team should implement quality control procedures that
are applicable to the individual audit engagement. This standard applies the principles laid
down in the ISQC1.
The engagement partner should
Take responsibility for the overall quality on each audit engagement to which the
partner is assigned.
Consider whether members of the engagement team have complied with ethical
Form a conclusion on compliance with independence requirements that apply to the
audit engagement.
Be satisfied that appropriate procedures regarding the acceptance and continuance of
client relationships and specific audit engagements have been followed, and that
conclusions reached in this regard are appropriate and have been documented.
Be satisfied that the engagement team has the appropriate capabilities, competence and
time to perform the audit engagement in accordance with professional standards and
regulatory and legal requirements, and to enable an auditor’s report that is appropriate
in the circumstances.
Take responsibility for the direction, supervision and performance of the audit
engagement in compliance with professional standards and regulatory and legal
Engagement performance
ISA 220.21 states that the engagement partner should take responsibility for the direction,
supervision and performance of the audit engagement in compliance with professional
standards and regulatory and legal requirements, and for the auditor’s report that is issued to
be appropriate in the circumstances.
The audit engagement can be directed by informing members of the team of:
Their responsibilities such as maintaining an objective state of mind, an appropriate
level of professional scepticism and performing the work in accordance with due care.
The nature of the entity’s business
Risk related issues
Problems that may arise
The detailed approach to the performance of the engagement.
Supervision includes:
Tracking the progress of the engagement
Considering the capabilities and competence of members of the team, whether they
have sufficient time, they understand their instructions, and whether the work is being
carried out in accordance with the planned approach.
Addressing significant issues as they arise, considering their significance and
modifying the planned approach appropriately.
Identifying matters for consultation by more experienced engagement team members
during the engagement.
Review responsibilities are determined on the basis that the more experienced members of
the audit engagement review work performed by less experienced persons. The reviewers
consider whether:
The work has been performed in accordance with professional standards
Significant matters have been raised for further consultation.
Appropriate consultations have taken place and the consultations have been
documented and implemented.
There is a need to revise the nature, timing and extent of the work performed.
The work performed supports the conclusions reached and is appropriately
The evidence obtained is sufficient and appropriate to support the auditor’s report.
The objectives of the audit engagement procedures have been achieved.
Before the auditor’s report is issued, the engagement partner, through review of the audit
documentation and discussion with the engagement team, should be satisfied that sufficient
appropriate audit evidence has been obtained to support the conclusions reached and for the
audit report to be issued.
When difficult or contentious issues arise, the team should consult on the matters and
document the conclusions.
If differences arise between partner and audit team, or partner and quality control
reviewer, the differences should be resolved in accordance with the firm’s policies.
In some circumstances, it may be appropriate for the engagement team to consult outside the
firm, for example, where the firm lacks the internal resources.
Quality control review
For audits of financial statements of listed companies, the engagement partner should:
Appoint a quality control reviewer.
Discuss with the reviewer significant matters which have arisen during the audit.
Not issue the audit report until completion of the review.
The engagement partner should consider:
Whether deficiencies noted from the results of the firm’s monitoring process may affect
the audit engagement.
Whether the measures the firm took to rectify the situation are sufficient in the context
of the audit.
A deficiency in the firm’s system of quality control does not indicate that a particular audit
engagement was not performed in accordance with professional standards.
There are three distinct types of audit firms.
Big four [1]
Medium sized
Their size is classified by their fee income earned.
There is merger activity at all levels as firms attempt to consolidate their position or attempt
to move up the ladder.
The merger activity among the big four raises issues about monopolies. This can result in
reduced choices for larger clients. Also, conflicts of interest may arise.
The current debate about the audit exemption limits under certain jurisdiction regulations and
the fact that it is going to rise substantially could have a significant impact on the client base
of small audit firms. They may be forced to merge to compete for the larger audit clients.
This concerns the big four and the larger of the medium sized firms.
There are two approaches to globalization:
Mainly affects the big four. It allows a brand name to develop.
Mainly affects the medium firms. It is international co-operation through a network of
sister companies.
The benefits of globalization are that audit firms can now meet the needs of international
However, there can be dramatic knock-on effects for international firms, e.g. Andersens
(Enron’s auditors).
Divesting Services
Consultancy is one of the key services which have been divested from the audit firms. The
independence ethics are certainly fuelling this.
Quality Control Regulations
These regulations impact differently on large and small firms. Small firms may need to hire
external experts.
[1] Being PricewaterhouseCoopers (PwC), Deloittes, KPMG and Ernst & Young. All are in Rwanda.
In the previous sections we looked at frameworks within which audit firms operated. Now,
we will look at frameworks, for client companies, to ensure that they deal fairly with their
A string of high profile scandals and frauds in the 1980s and the 1990s forced, for example,
the UK government to set up voluntary codes of best practice to enforce good practice by
directors and to communicate the adherence to good practice by management to the
It was vital that companies were managed well i.e. there was good corporate governance.
For example: The Cadbury report (in the UK) defines Corporate Governance as:
“The system by which companies are directed and controlled”.
Why is good corporate governance important?
Shareholders and managers are usually separate in a company and it is important that the
management of a company deals fairly with the investment made by the owners.
In smaller companies, shareholders are fully informed about the management of the business
as they are often the directors themselves. However, in large companies the day to day
running of a company is the responsibility of the directors. Shareholders only get a look-in at
the Annual Meeting.
In addition, auditors only report on the truth and fairness of financial statements. They do not
report on how the shareholders’ investment is being managed and whether their investment is
subject to fraud.
Codes of best practice
Two prominent codes have been formed and are considered best practice in modern times.
1. The Cadbury report
2. The Combined code
The Cadbury Report
The Cadbury report was issued in 1992. Its terms of reference considered:
The responsibilities of executive and non-executive directors and the frequency, clarity
and form in which information should be provided to shareholders.
The case for audit committees, their composition and role.
The responsibilities of auditors and the extent and value of the audit.
The links between auditors, shareholders and the directors.
The Cadbury report was aimed at directors of all UK PLCs, but directors of all companies are
encouraged to apply the code. Directors should state in the financial statements, normally
through the directors’ report, whether they comply with the code and must give any reasons
for non-compliance.
The Cadbury report covered a number of areas including the board of directors, non-
executive directors, executive directors and the audit function. Some of the provisions
Board of Directors
They should meet on a regular basis.
They should have clearly accepted divisions of responsibilities, so no one person has
complete power.
The posts of chairman and CEO should be separate.
Decisions which require a single signature or several signatures need to be laid out in a
formal schedule and procedures must be put in place to ensure that the schedule is
followed. It will probably include material acquisitions and disposals of company
assets, investments, capital projects, borrowings and foreign currency transactions.
Non-executive directors
They are not involved in the day to day running of the company and should bring their
independent judgment to bear in the affairs of the company. Such affairs may include
key appointments and standards of conduct.
There should be no business or financial connection between the company and the non-
executive directors other than fees and a shareholding.
Their fees should reflect the time they spend on the business.
They should not participate in share option schemes or pension schemes.
Appointments of non-executive directors should be for a specific term and automatic
re-appointment is discouraged.
Procedures should exist whereby they may take independent advice.
A remuneration committee consisting of non-executive directors should decide on the
level of pay for executive directors.
Executive directors
They run the company on a day to day basis and should have service contracts in place
of not more than three years in length, unless approved by the shareholders.
Directors’ emoluments should be fully disclosed in the accounts and should be analysed
between salary and performance based pay.
The code states that the audit is the cornerstone of corporate governance. It is an
objective and external check on the stewardship of management.
Some flaws exist in the framework for auditing, such as choices in accounting
treatments, poor links between shareholders and auditors, price competition between
audit firms and the “expectations gap” between auditors and the public.
Disclosing fees for audit in the financial statements should safeguard against the threat
to objectivity where auditors offer other services to their audit clients.
Formal guidelines concerning audit rotation should be drawn up by the accounting
The accountancy profession should be involved in setting criteria for the evaluation of
internal control.
There is a need for auditors to report on going concern. This is now reflected in
auditing standards.
The Cadbury code is quite detailed and could be cumbersome for small companies. With this
in mind a special version was formed for small listed companies (Cisco code). Reduction in
required numbers of non-executive directors and the non-requirement to split roles of CEO
and chairman are the main differences.
The Combined Code
For example, the UK stock exchange issues guidance on a regular basis. In 1998, it issued the
combined code. This combined key guidance from various reports including the Cadbury
report into the one code.
Some of its principles included:
Every company should have an effective board.
There should be clear divisions of responsibilities at board level.
There should be an appropriate balance of executive and non-executive directors.
A formal procedure for appointments to the board should exist.
The board should receive timely information in order to discharge its duties.
All directors should maintain and upgrade their skills and knowledge.
There should be an annual evaluation of its own performance.
All directors should be submitted to re-election at appropriate time intervals.
There should be appropriate levels of remuneration that are sufficient to attract, retain
and motivate individuals of the necessary quality required.
A significant portion of pay should be performance related.
A formal procedure for the fixing of pay levels should exist and no director should have
a hand in fixing his/her own pay.
The board should present a balanced assessment of the company’s performance.
The board should implement a good system of internal control.
The board should have meaningful communication with the shareholders and should
use the Annual Meeting to communicate with investors.
For example, the UK Stock exchange rules require that the annual report includes a statement
of how a company has applied the principles of the combined code and must disclose whether
there has been compliance with those principles. Auditors should review this statement.
Although the stock exchange rules require the code to be complied with, there is no statutory
duty for companies to do so. It is in fact a voluntary code.
This allows for flexibility in its application although shareholders will be aware of the
position due to the disclosure requirements. There is a view though that the disclosure of
non-compliance is insufficient as the Annual Meeting is not sufficient protection for
In addition, being a voluntary code allows companies to opt out to the detriment of their
shareholders and there are companies which, while unlisted, should be encouraged to apply
the codes.
Making the code obligatory may create an excessive burden of requirement especially for
smaller companies.
Audit Committees
Audit committees are generally made up of non-executive directors. They are perceived to
increase confidence in financial reports.
Recommendations contained in the combined code include
Audit committee should comprise at least three non-executive directors (two for smaller
Its main role and responsibilities should be clearly set out in written terms of reference.
The committee should be provided with sufficient resources to undertake its duties.
Role and responsibilities
To monitor the integrity of the financial statements and other formal announcements.
To review the internal financial controls and the company’s control and risk
management systems.
To monitor and review the effectiveness of the internal audit function.
To make recommendations regarding the appointment of external auditors and their
To monitor and review the external auditor’s independence and objectivity.
To develop and implement policy on the engagement of the external auditor in other
non-audit services.
Advantages of an audit committee
Provides an independent point of contact for the external auditor, particularly in the
event of disagreements.
Can create a climate of discipline and control.
Increased confidence in the credibility and objectivity of financial reports, by
increasing the quality of the financial reporting and enabling the non-executive
directors to contribute an independent judgment.
Internal auditors can report directly to the committee thereby providing a greater degree
of independence from management.
The existence of such a committee should make the executive directors more aware of
their duties and responsibilities.
Can act as a deterrent to fraud or illegal acts by executive directors.
Disadvantages of an audit committee
Can be difficult to source sufficient non-executive directors with the necessary
competence to be effective.
Auditors may not raise issues of judgment where there are formalised reporting
Costs may increase.
Findings are generally not made public, so it is not always clear what they actually do.
Internal control effectiveness
Internal control is an essential tool in having good corporate governance.
The directors of a company are responsible for putting in place an effective system of
internal control. An effective system of internal control will help management safeguard the
assets of a company, prevent and detect fraud and therefore, safeguard the shareholders’
In addition, it helps ensure reliability of reporting and compliance with laws. The use of the
word “help” denotes the fact that there are inherent limitations in any system of internal
controls and as such there can be no such thing as absolute assurance.
The directors need to set up internal control procedures and need to monitor these to ensure
that they are operating effectively.
The system of internal control will reflect the control environment which depends a lot on the
attitude of the directors towards risk.
A company may decide to set up an internal audit function to monitor and assess the system
of internal control.
The combined code recommends that the board of directors reports on the review of internal
controls. This assessment should cover the changes in risks which the company faces and its
ability to respond to these changes, the scope and quality of management’s monitoring of risk
and internal control and the extent and frequency of reports to the board. It should also assess
the significant controls, failings and weaknesses that might have a material impact on the
Auditors should assess the review carried out by the directors. They should assess whether
the company’s summary of the process of review is supported by documentation prepared by
the directors and that it reflects that process.
This review is not as defined as an audit. Therefore, it is only possible to give limited
assurance. For this reason, the auditors are not expected to assess whether the directors’
review covers all risks and controls and whether the risks are satisfactorily addressed by the
internal controls.
In order to avoid any misunderstandings, a paragraph is inserted into the audit report setting
out the scope of the auditor’s role.
Auditors should bring to the attention of directors any material weaknesses they find in the
system of internal control.
Auditors may report by exception if problems arise such as:
The auditor’s understanding of the review process differs somewhat from what the
board says.
The processes that deal with material internal control aspects do not reflect what the
auditor believes.
The board failing to make appropriate disclosures, failing to conduct a review or making
disclosures which are not consistent with what the auditor already knows.
The previous sections referred to codes which, by and large, are voluntary codes.
Companies, however, are statutorily bound to comply with laws and regulations.
Some of the laws and regulations affecting companies are:
Company law
Health and safety regulations
Employment law
Civil law, both tort and contract
Environmental law and regulation
Customary law where not covered by statute
ISA 250: Consideration of laws and regulations in an audit of financial statements
establishes standards and guidance on the auditor’s responsibilities to consider laws and
regulations in an audit of financial statements.
ISA 250.2 states that when designing and performing audit procedures and in evaluating
and reporting the results thereof, the auditor should recognise that non-compliance by the
entity with laws and regulations may materially affect the financial statements.
As with the system of internal control, an audit cannot be expected to detect non-compliance
with all the laws and regulations applicable to a company. Detection, regardless of
materiality, requires consideration of the implications for the integrity of management or
employees and the possible effect on other aspects of the audit.
Non-compliance can be intentional or unintentional acts of omission or inclusion by the
Non-compliance is a legal determination and is beyond the auditor’s professional competence
and while an auditor’s experience and training may well provide a basis for recognition,
ultimately, it can only be determined by a court of law.
The further removed the non-compliance is from the events and transactions normally
reflected in the financial statements, the less likely the auditor is to become aware of it or
recognise non-compliance.
Responsibility of Management
It is management’s responsibility to ensure that the entity’s operations are conducted in
accordance with laws and regulations. The responsibility for the prevention and detection of
non-compliance rests with management.
The following policies and procedures may assist management in discharging its
Monitoring legal requirements and ensuring that operating procedures are designed to
meet these requirements.
Instituting and operating appropriate internal control.
Developing, publicising and following a code of conduct.
Ensuring employees are properly trained and understand the code of conduct.
Monitoring compliance with the code of conduct and acting appropriately to discipline
employees who fail to comply with it.
Engaging legal advisors to assist in monitoring legal requirements
Maintaining a register of significant laws with which the entity has to comply within its
particular industry and a record of complaints.
In larger companies, these policies and procedures may be supplemented by an internal audit
function and an audit committee possibly split between a legal dept. and a compliance
Directors of the company have responsibility to provide information required by the auditor,
to which they have a legal right of access. Such legislation also provides that it is a criminal
offence to give the auditor information or explanations which are misleading, false or
The auditor’s consideration
The auditor cannot be held responsible for preventing non-compliance, although an annual
audit may act as a deterrent.
Even though an audit is properly planned and performed in accordance with standards, there
is the unavoidable risk that some material misstatements will not be detected in the financial
statements. The risk is higher with regard to material misstatements resulting from non-
compliance with laws and regulations due to factors such as:
There are many laws and regulations that typically do not have a material effect on the
financial statements (mainly operational aspects) and are not captured by the entity’s
information systems.
The effectiveness of audit procedures is affected by the inherent limitations of internal
control and the use of testing.
Much of the audit evidence obtained is persuasive rather than conclusive.
Non-compliance may involve conduct designed to conceal it, such as collusion,
forgery, omission, senior management override of controls or intentional
misrepresentations made to the auditor.
ISA 250 (12-17) states that auditors should plan and perform the audit with an attitude of
professional scepticism recognising that the audit may reveal conditions or events that would
lead to questioning whether an entity is complying with laws and regulations.
The auditor would test for compliance with specific laws and regulations only if engaged to
do so.
In order to plan the audit, the auditor should obtain a general understanding of the legal and
regulatory framework applicable to the entity and the industry and how the entity is
complying with that framework. The auditor should recognise that some laws may give rise
to business risks that have a fundamental effect on the operations of the entity. For example,
non-compliance with the licensing laws relating to a bank could force it out of business.
One of the most difficult distinctions in practice is deciding which laws are central to which
businesses and when.
To obtain a general understanding of laws and regulations, an auditor would ordinarily:
Use the existing understanding of the entity’s industry, regulatory and other external
Inquire of management concerning their policies and procedures regarding compliance
and as to the laws and regulations that may be expected to have a fundamental effect on
the operations of the entity.
Discuss with management the policies or procedures adopted for identifying, evaluating
and accounting for litigation claims and assessments.
Discuss the legal and regulatory framework with auditors of subsidiaries.
ISA 250 (18-29) lays out that, after obtaining the general understanding, the auditor should
design procedures to help identify possible or actual instances of non-compliance with the
laws and regulations, which are central to the entity’s ability to conduct its business and
hence to its financial statements.
Further, the auditor should obtain sufficient, appropriate audit evidence about compliance
with those laws and regulations, which the auditor recognises as having an effect on the
determination of material amounts and disclosures in the financial statements.
Some of the laws and regulations include ones which prohibit a company from making
distributions except out of distributable profits and laws which require the auditor to
expressly report on non-compliance such as maintenance of proper books of account or
disclosures of directors’ remuneration.
Other than those mentioned above, the auditor does not perform other audit procedures on the
entity’s compliance since this would be outside the scope of the audit.
The auditor should be alert to the fact that audit procedures applied for the purposes of
forming an opinion on the financial statements, such as reading of minutes, may highlight
possible instances of non-compliance. In addition, non-compliance issues might incur
obligations for audit firms to report money laundering offences.
It should be noted though that there is a distinction between checking systems of compliance
and checking actual compliance.
The auditor should obtain written representations from management that they have
disclosed to the auditor all known actual or possible non-compliance with laws and
regulations whose effects should be considered when preparing the financial statements. In
addition, where applicable, the written representations should include the actual or contingent
consequences which may arise from the non-compliance.
In the absence of audit evidence to the contrary, the auditor is entitled to assume the entity is
compliant with these laws and regulations.
The auditor’s responsibility in expressing an opinion on financial statements does not extend
to determining whether the entity has complied in every respect with tax legislation. The
auditor only needs sufficient audit evidence to give a reasonable assurance that the tax
amounts in the financial statements are not materially misstated.
ISA 250 A1 – A21 gives a number of examples where non-compliance may have occurred.
What to do when non-compliance is discovered
When the auditor becomes aware of non-compliance, the auditor should obtain an
understanding of the nature of the act and the circumstances in which it has occurred, and
sufficient other information to evaluate the possible effect on the financial statements.
The auditor must consider:
The potential financial consequences such as fines, penalties and/or litigation.
Whether the potential financial consequences require disclosure.
Whether these consequences are so serious they call into question the truth and fairness
of the accounts.
When the auditor believes there is non-compliance, he must document the findings and
discuss them with management. Bear in mind that the discussions with management should
be subject to compliance with legislation relating to “tipping off” particularly with any
requirement to report findings direct to a third party.
When adequate information about suspected non-compliance cannot be obtained, the auditor
should consider the effect of the lack of sufficient appropriate audit evidence on the audit
report. He should consider the implications in relation to the reliability of management
Reporting of non-compliance
As soon as possible, the auditor should communicate with management, or obtain audit
evidence that management are appropriately informed, regarding non-compliance that comes
to the auditor’s attention. If in the auditor’s judgment, the non-compliance is intentional
and/or material, the auditor should communicate without delay.
If the auditor suspects senior management, then he should communicate to the next higher
level, such as the audit committee. Failing that, he should seek legal advice.
In the case of money laundering it may be appropriate to report the matter direct to the
appropriate authority.
Audit report implications
If the auditor concludes that the non-compliance has a material effect on the accounts
and has not been properly reflected, he should express a qualified or adverse opinion.
If the auditor has not been able to obtain sufficient evidence to evaluate whether a
material non-compliance has occurred, he should qualify his report or issue a disclaimer
of opinion on the basis of a scope limitation.
Third party reporting
Although the auditor has a duty of confidentiality, where non-compliance gives rise to a
statutory duty to report, the auditor should do so without undue delay.
Withdrawal from the engagement
The auditor may conclude that withdrawal is necessary when remedial action is not taken,
even when the non-compliance is not material. Resignation is a step of last resort.
Money Laundering
Money laundering has been a very hot topic in recent times.
Money laundering is the process by which criminals attempt to conceal the true origin and
ownership of the proceeds of their criminal activity, allowing them to maintain control over
the proceeds and ultimately, providing a legitimate cover for the source of their income.
Anti-money laundering legislation imposes a duty to report money laundering in respect of
the proceeds of all crime. Audit firms are required to report suspicions that a criminal
offence has been committed, regardless of whether the offence has been committed by a
client or by a third party. In addition, they need to be alert to the danger of making
disclosures that are likely to tip off a money launderer, as this is a criminal offence.
There is no legal right not to make a report and the auditor is not constrained by his
professional duty of confidence, although in all cases any such reporting must be made in
good faith. In this case, he is protected by law from having the client take a civil case against
him. However, if he did not have reasonable grounds on which to make a report to a third
party, he may be sued by his client for breach of confidentiality.
Under legislation, all businesses (including audit firms) are required to set up systems to
prevent money laundering such as:
Appointing a money laundering reporting officer, who reports direct to the Police.
Undertaking customer due diligence, mandatory verification of identification.
Reporting suspicions of money laundering.
Maintaining specific records, for a minimum period of five years.
Putting in place internal controls to ensure continued compliance with the legislation.
Training staff in all of these issues.
Failure to do these is a criminal offence.
Problems for auditors
The duty of confidentiality, which will probably require further ethical guidance, is a problem
for the auditor, although firms should not risk breaking the law by not reporting.
Normal reporting requirements may conflict with money laundering offences.
For example, reporting a suspicion may have a material impact on the accounts which should
be disclosed to the shareholders in an audit report. However, this may be considered to be
tipping off. Even resigning your position could be seen as tipping off.
Question 5.1
There has been an increase in the size of audit firms and this has been a source of concern to
regulators and clients. Some audit firms feel that mergers between the largest firms of
auditors are necessary in order to meet the global demand for their services. However, clients
are concerned that such mergers will create a monopolistic market for audit services which will
not be in anyone’s best interests.
You are required to explain why:
1. The larger audit firms might wish to merge.
2. These mergers have the potential to create problems.
Question 5.2
A key risk facing audit firms is that their business will fail. What factors cause this risk?
Question 5.3
Explain how an audit can be lost due to its size.
Question 5.4
Read Ltd carries on a wholesale book operation. To the end of 2010 the growth in turnover
to RWF25m has continued to match the rate of inflation. Costs have been contained by
reducing staff numbers from 96 to 90. The asset turnover is holding at five times. The
accountant has prepared draft accounts and has included a directors’ responsibilities
“The directors are required by company law to prepare financial statements for each financial
period which give a true and fair view of the state of affairs of the group as at the end of the
financial period and of the profit and loss for that period. In preparing the financial
statements, suitable accounting policies have been used and applied consistently, and
reasonable and prudent judgment and estimates have been made, applicable accounting
standards have been followed. The directors are also responsible for maintaining adequate
accounting records, for safeguarding the assets of the group and for preventing and detecting
fraud and other irregularities.”
On reading the statement, a director comments that the statement included aspects he had
always assumed were the responsibility of the auditor and complained about all these
irrelevant new rules.
He requested that the accountant should prepare a memo for the board of directors explaining
what is going on.
Assume you are the accountant and draft a memo for the board explaining:
1. The background to the directors’ responsibilities statement and its inclusion in the
annual report
2. What is meant by a true and fair view and how the board can assess whether the
financial statements give a true and fair view and recommend adequate steps for
safeguarding the assets and preventing and detecting fraud.
Study Unit 6
Audit Planning and Strategy
Audit Planning
The Risk Approach
Systems and Controls
Cycles and Transactions
Balance Sheet Approach
Directional Testing
Analytical Procedures
Sample Questions
ISA 300: Planning an audit of financial statements establishes standards and guidance on
the considerations and activities applicable to planning an audit.
The auditor should:
Plan the audit so that the engagement will be performed in an effective manner.
Perform certain procedures at the beginning of the audit, namely, the continuance of the
client relationship, evaluation of compliance with ethical requirements including
independence and establishing an understanding of the terms of the engagement.
Establish the overall audit strategy and set out the scope, timing and direction of the
Develop an audit plan in order to reduce audit risk to an acceptably low level.
Update and change the audit strategy and plan as necessary during the course of the
Plan the nature, timing and extent of direction and supervision of the audit team and a
review of their work.
Document the overall audit strategy and the audit plan, including any significant
changes made during the audit engagement.
Prior to starting an initial audit, perform procedures regarding the acceptance of the
client relationship and the specific audit engagement, and communicate with the
previous auditor in compliance with relevant ethical requirements.
Adequate planning helps to ensure that:
Appropriate attention is devoted to the important areas
Potential problems are identified and resolved on a timely basis
The audit engagement is properly organised and managed
There is proper assignment of work to engagement members
There is direction and supervision of team members and review of their work
There is proper co-ordination of work done by experts.
The nature and extent of planning activities will vary according to the size and complexity of
the entity, the auditor’s previous experience with the entity and changes in circumstances that
occur during the audit engagement.
The establishing of the overall strategy involves considering the important factors that will
determine the focus of the audit team’s effort, such as:
The determination of appropriate materiality levels,
Preliminary identification of areas where there may be higher risks of material
Preliminary identification of material components and account balances,
Evaluation of whether the auditor may plan to obtain evidence regarding the
effectiveness of internal control,
The identification of recent significant entity-specific, industry, financial reporting or
other relevant developments.
The appendix of ISA 300 sets out examples of matters the auditor may consider in
establishing the overall audit strategy. It is split between the scope of the audit engagement,
the reporting objectives, timing of the audit and communications required and the direction of
the audit.
ISA 315: Understanding the entity and its environment and assessing the risks of material
misstatement establishes standards and guidance on obtaining an understanding of the entity
and its environment including its internal control, and on assessing the risks of material
misstatement in a financial statement audit.
The auditor should:
Obtain an understanding of the entity and its environment, including its internal
control. This understanding should be sufficient to identify and assess the risks of
material misstatement of the financial statements whether due to fraud or error, and it
should be sufficient to design and perform further audit procedures.
The auditor may obtain this understanding through:
- Performing risk assessment procedures such as inquiries of management and
others within the entity, analytical procedures, and observation and inspection.
- Determining whether changes have occurred that may affect the relevance of
information, obtained in prior periods, in the current audit.
- Ensuring that members of the engagement team discuss the susceptibility of the
entity’s financial statements to material misstatements.
Obtain an understanding of relevant industry, regulatory, and other external factors
including the applicable financial reporting framework.
Obtain an understanding of the nature of the entity, such as its operations, ownership,
governance, types of investments it is making, structure and financing.
Obtain an understanding of the entity’s selection and application of accounting policies
and consider whether they are appropriate for its business and consistent with the
applicable financial reporting framework and accounting policies used in the relevant
Obtain an understanding of the entity’s objectives and strategies, and the related
business risks that may result in material misstatements of the financial statements.
Obtain an understanding of the measurement and review of the entity’s financial
performance such as internal management information (budgets, variance analysis,
dept. reports) and external information (analyst’s reports and credit rating agency
reports). When the auditor intends to make use of the performance measures, he should
consider whether the information provides a reliable basis and is sufficiently precise for
such a purpose.
Obtain an understanding of internal control relevant to the audit. This involves
evaluating the design of a control and determining whether it has been implemented.
Not all controls are relevant to the auditor’s risk assessment.
Obtain an understanding of the control environment. The control environment sets
the tone of an organisation, influencing the control consciousness of its people. It is the
foundation for effective internal control, providing discipline and structure.
Obtain an understanding of the entity’s process for identifying business risks relevant to
financial reporting objectives and deciding about actions to address those risks, and the
results thereof.
Obtain an understanding of the information systems, including the related business
processes, relevant to financial reporting.
Understand how the entity communicates financial reporting roles and responsibilities
and significant matters relating to financial reporting.
Obtain a sufficient understanding of control activities to assess the risks of material
misstatements and to design further audit procedures responsive to assessed risks.
Examples of specific control activities include authorisation, performance reviews,
information processing, physical controls and segregation of duties.
Obtain an understanding of how the entity has responded to risks arising from IT. The
auditor considers whether the entity has responded adequately to the risks arising from
IT by establishing effective general controls and application controls.
Obtain an understanding of the major types of activities that the entity uses to monitor
internal controls over financial reporting, including those related to those control
activities relevant to the audit, and how the entity initiates corrective actions to its
Identify and assess the risks of material misstatements at the financial statement
level, and at the assertion level for classes of transactions, account balances and
Determine which of the risks identified require special audit consideration. In
considering the nature of the risks, the auditor should consider the risk of fraud,
relationship to recent developments, complexity of transactions, significant related
transactions, the degree of subjectivity and the existence of unusual transactions.
Routine, non-complex transactions are less likely to give rise to significant risk than
unusual transactions because the latter probably involve more management intervention or
complex accounting principles.
Inform management as soon as is practicable, and at an appropriate level of
responsibility, of material weaknesses in the design or implementation of internal
controls which come to the auditor’s attention.
Document the discussion among the audit team of the susceptibility of the entity’s
accounts to material misstatements and significant decisions reached, key elements of
the understanding obtained of the entity, identified and assessed risks of material
misstatement and the risks identified and related controls evaluated.
Risk assessment procedures
The auditor may consider making inquiries of the entity’s legal counsel or of valuation
experts. Reviewing information obtained from external sources such as reports by analysts,
banks or other rating agencies, trade and economic journals may also be useful in obtaining
information about the entity.
Although much of the information can be obtained from management and those responsible
for financial reporting, inquiries of others such as production and internal audit personnel
may be useful in providing a different perspective in identifying risks of material
Observation and inspection may support inquiries of management. Such audit procedures
- Observation of activities and operations
- Inspection of documents and records
- Reading reports prepared by management
- Visits to premises and plant facilities
- Carrying out walk-through tests
Controls relevant to the audit
Ordinarily, controls that are relevant to an audit pertain to the objective of preparing financial
statements. Controls over the completeness and accuracy of information may also be relevant
if the auditor intends to make use of the information in designing and performing further
procedures. Controls relating to operations and compliance objectives may be relevant if
they pertain to data the auditor evaluates or uses in applying audit procedures.
Information systems
The auditor should obtain an understanding of the information systems, including the
business processes, relevant to financial reporting, including the following areas:
- The classes of transactions in the entity’s operations that are significant to the financial
- The procedures, within both IT and manual systems, by which those transactions are
  initiated, recorded, processed and reported in the financial statements
- The related accounting records, whether electronic or manual, supporting information,
  and specific accounts in the financial statements, in respect of initiating, recording,
  processing and reporting transactions
- How the information systems capture events and conditions, other than classes of
  transactions, that are significant to the financial statements
- The financial reporting processes used to prepare the entity’s financial statements,
  including significant accounting estimates and disclosures.
IT controls
General IT controls are policies and procedures that relate to many applications and support
the effective functioning of application controls by helping to ensure the continued proper
operation of information systems. These controls maintain the integrity of information and
security of data and include:
- Data centre and network operations
- System software acquisition, change and maintenance
- Access security
- Application system acquisition, development and maintenance
Application controls are manual or automated procedures that typically operate at a business
process level. They can be preventative or detective in nature and are designed to ensure the
integrity of the accounting records. Examples include:
- Edit checks of input data
- Numerical sequence checks
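An added illustration (not part of the study manual) of the two application controls named above: a preventative edit check applied to each record at input, and a detective numerical sequence check run over the document numbers afterwards. The invoice records, field names and customer master list are constructed for the example.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed sample input: six sales invoices as keyed in (all values invented).
RAW_INVOICES = [
    {"invoice_no": "1001", "customer": "C-014", "amount": "250.00", "date": "2012-03-01"},
    {"invoice_no": "1002", "customer": "C-020", "amount": "-75.00", "date": "2012-03-02"},
    {"invoice_no": "1003", "customer": "",      "amount": "410.10", "date": "2012-03-02"},
    {"invoice_no": "1005", "customer": "C-014", "amount": "99.99",  "date": "2012-03-04"},
    {"invoice_no": "1005", "customer": "C-031", "amount": "12.50",  "date": "2012-03-04"},
    {"invoice_no": "1006", "customer": "C-031", "amount": "abc",    "date": "2012-02-30"},
]

# Assumed customer master file used by the validity check.
KNOWN_CUSTOMERS = {"C-014", "C-020", "C-031"}


def edit_check(record):
    """Preventative control: return the reasons a record should be rejected at input."""
    errors = []
    if not record["invoice_no"].isdigit():
        errors.append("invoice_no not numeric")
    if record["customer"] not in KNOWN_CUSTOMERS:
        errors.append("unknown customer")
    try:
        if Decimal(record["amount"]) <= 0:
            errors.append("amount not positive")
    except InvalidOperation:
        errors.append("amount not a number")
    try:
        date.fromisoformat(record["date"])
    except ValueError:
        errors.append("invalid date")
    return errors


def sequence_check(document_numbers):
    """Detective control: list missing and duplicated numbers in a pre-numbered series."""
    seen, duplicates = set(), set()
    for number in document_numbers:
        if number in seen:
            duplicates.add(number)
        seen.add(number)
    if not seen:
        return [], []
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
    return missing, sorted(duplicates)


def run_controls(records):
    """Apply both controls and return one exception report."""
    rejected = {}
    for position, record in enumerate(records):
        errors = edit_check(record)
        if errors:
            rejected[position] = errors
    numbers = [int(r["invoice_no"]) for r in records if r["invoice_no"].isdigit()]
    missing, duplicates = sequence_check(numbers)
    return {"rejected": rejected, "missing": missing, "duplicates": duplicates}


if __name__ == "__main__":
    report = run_controls(RAW_INVOICES)
    for position, errors in report["rejected"].items():
        print(f"record {position}: rejected ({', '.join(errors)})")
    print("missing invoice numbers:", report["missing"])
    print("duplicated invoice numbers:", report["duplicates"])
```

The edit check stops a bad record before it reaches the ledger, while the sequence check only reports a gap or duplicate after the fact, so each exception it lists still needs follow-up.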
Assessing the risks of material misstatement
The auditor should:
- Identify risks throughout the process
- Relate the risk to what can go wrong at the assertion level
- Consider whether the risks are of a magnitude that could result in a material
  misstatement in the financial statements
- Consider the likelihood that the risks could result in a material misstatement of the
  financial statements.
A1-A134 ISA 315 provides additional guidance on understanding the entity and its
environment and lays out conditions and events that may indicate risks of material
ISA 330: The auditor’s procedures in response to assessed risks establishes standards and
provides guidance on determining overall responses and designing and performing further
audit procedures to respond to the assessed risks of material misstatements.
The standard requires the auditor to determine overall responses to address risks of material
misstatement at the financial statement level and provides guidance on the nature of those
The auditor is required to design and perform further audit procedures, including tests of
the operating effectiveness of controls, when relevant or required, and substantive
procedures, whose nature, timing, and extent are responsive to the assessed risks of material
misstatement at the assertion level. In addition, this section includes matters the auditor
considers in determining the nature, timing, and extent of such audit procedures.
The auditor is required to evaluate whether the risk assessment remains appropriate and to
conclude whether sufficient appropriate audit evidence has been obtained.
The standard establishes related documentation requirements.
In order to reduce the audit risk to an acceptably low level, the auditor should determine
overall responses to assessed risks at the financial statement level.
Overall responses may include:
- Emphasising to the audit team the need to maintain professional scepticism
- Assigning more experienced staff or hiring expert help when needed
- Providing more supervision
- Incorporating additional elements of unpredictability in the selection of further audit
  procedures to be performed
- Making changes to the nature, timing, or extent of audit procedures
The assessment of the risk of material misstatement is affected by the auditor’s understanding
of the control environment.
An effective control environment may allow an auditor to have more confidence in internal
control and the reliability of audit evidence generated internally within the entity.
If there are weaknesses in the control environment, the auditor:
- conducts more audit procedures as at the period end rather than at an interim date,
- seeks more extensive audit evidence from substantive procedures,
- modifies the nature of audit procedures to obtain more persuasive audit evidence,
- increases the number of locations to be included in the audit scope.
The evaluation of the control environment will help the auditor determine whether there
should be a substantive or a combined approach (tests of controls and substantive
In designing further audit procedures, the auditor should consider:
- the significance of the risk
- the likelihood that a material misstatement will occur
- the characteristics of the class of transactions or account balances
- the nature of specific controls and in particular whether they are manual or automated
- whether the auditor expects to obtain evidence to determine if controls are effective in
  preventing, or detecting and correcting material misstatements.
The nature of further audit procedures refers to their:
Tests of controls or substantive procedures;
Inspection, observation, inquiry, confirmation, recalculation, re-performance, analytical
Certain audit procedures may be more appropriate for some assertions. The selection of the
procedure is based on the assessment of risk. The higher the risk, the more reliable and
relevant is the audit evidence from substantive tests.
The auditor may perform audit procedures at an interim date or at period end (timing). The
higher the risk, the more likely the auditor will perform substantive tests nearer to or at the
period end. Certain audit procedures can only be performed at or after the period end, such
as agreeing the financial statements to the accounting records and examining adjustments
made during the course of preparing the financial statements.
The extent (sample size or number of observations) is determined by the judgement of the
auditor after considering:
Assessed risk
Degree of assurance required
The auditor is required to perform tests of controls when the auditor relies on the
effectiveness of controls or when substantive tests alone do not provide sufficient appropriate
audit evidence.
The auditor should perform other audit procedures in combination with inquiry to test the
operating effectiveness of controls.
Irrespective of the assessed risk of material misstatements, the auditor should design
and perform substantive tests for each material class of transaction, account balance
and disclosure. Remember, an auditor’s assessment of risk is judgemental and there
are inherent limitations to internal control.
The auditor’s substantive procedures should include the following related to the financial
statement closing process:
Agreeing the financial statements to the underlying accounting records and
Examining material journal entries and other adjustments made during the course of
preparing the financial statements.
Where an auditor determines that an assessed risk at the assertion level is a significant risk,
he should perform substantive procedures that are specific to that risk.
The auditor should perform audit procedures to evaluate whether the overall presentation of
the financial statements, including the related disclosures, are in accordance with the
applicable financial reporting framework.
Based on the audit procedures performed and the audit evidence obtained, the auditor should
evaluate whether the assessments of the risks at the assertion level remain appropriate.
He should conclude whether sufficient appropriate audit evidence has been obtained to
reduce to an acceptably low level the risk of material misstatement in the financial
Where it is not sufficient and the auditor is unable to obtain further evidence, he should
express a qualified opinion or a disclaimer of opinion.
Finally, the auditor should document the overall responses to address the risks and the
nature, timing and extent of the further audit procedures and the results thereof. In addition,
where there is reliance on controls, the auditor should document the conclusions reached with
regard to relying on such controls that were tested.
General planning matters
When planning an audit you also need to consider some administrative matters:
Audit Staff
Have the staff got the correct level of qualifications and experience? Do they have specialist
skills that may be required? What about the staff’s relationship among themselves and with
client staff? Are staff available and what about travel arrangements?
Client management
Continuity of staff is often important to client companies. Also, consistency of staff may
help audit efficiency.
Location of audit
The auditor needs to consider the distance for audit staff to travel, the staff’s mobility and
the location of the review by the manager. Multiple locations often require some decision as to
which locations should be visited, the allocation of staff to these locations and the
management of the visits to each selected site.
Key deadlines are stock-counts, date of draft accounts available, main audit visit, audit
manager review, partner review, audit clearance meeting, audit report to be signed and date
of Annual Meeting. It is important to plan the work so that these deadlines can be achieved.
Use of IT
The auditor needs to consider whether the client has a computerised system and whether the
auditor will use CAATs [2]. Will the auditor use computers to complete the working papers and
communicate with the partner?
Time budgets
These are an important part of planning. Times should be estimated accurately and
communicated to the audit team. The audit team should record variances with the budget for
planning purposes for the next audit.
The budget will be based on prior year records, risk assessments and materiality.
Example of an outline audit plan
Initial visit
If this is a new client, this visit should occur as soon as possible after the terms of the
engagement have been agreed between the client and the audit partner.
This visit is essential in building up a background about the client company in order to assist
in the detailed planning of the audit.
The auditor will use techniques such as inquiry, observation and review of documentation in
order to understand details about the company such as:
- The development and past history
- The nature of the environment in which it operates
- Products and processes
- Organisational plans
- Accounting and internal controls in operation
- The maintenance of accounting records.
In respect of the internal controls, it would be expected to carry out walkthrough tests to
confirm the operation of the controls as described. If this is an existing client, the visit may
simply take the form of a brief meeting, or simply be a phone call, to establish any changes
since the previous audit in respect of the company’s operations or environment.
[2] CAAT - Computer aided auditing techniques
Interim Visit
Ideally this visit should take place close to the year end.
The purpose of this visit is to carry out detailed tests on the client’s accounting and internal
controls with a view to establishing those controls on which you can rely. Where controls are
operating effectively, only restricted substantive procedures need be carried out. Where
controls are ineffective in practice, more extensive substantive tests will need to be carried
At this stage, if any weaknesses in controls have been noted, it may be appropriate to draft a
letter to the client management.
Final Visit
This visit will take place after the accounting year end.
On this visit, the detailed substantive procedures will be carried out in order to substantiate
the figures in the accounting records and subsequently, the financial statements. After an
overall review of the financial statements, the auditor will be able to assess whether sufficient
and appropriate evidence has been obtained in order to draw reasonable conclusions so that
an opinion can be expressed on the financial statements.
Examples of the work to be carried out would include:
- Discussion with management of known risk areas
- Attendance at stock count
- Verification of assets/liabilities and income/expenditure
- Follow up on outstanding interim audit issues
- Review of post balance sheet events
- Seek and obtain representations from management
- Review financial statements
- Draft an audit report
An auditor should consider materiality and its relationship with audit risk when conducting
an audit. In designing the audit plan, the auditor should set an acceptable materiality level.
He should consider this materiality at both the overall financial statement level and in relation
to classes of transactions, account balances and disclosures.
Information is material if its omission or misstatement could influence the economic
decisions of users taken on the basis of the financial statements.
An item might be material due to its nature, value or impact on users of accounts.
Transactions involving directors generally affect users of accounts.
Inventory stocks in a manufacturing company may represent a high percentage of
current assets.
An end of year journal could convert a loss into a profit, thus affecting the users of
The auditor’s assessment of materiality helps the auditor to decide:
- What items and how many to examine
- Whether to use sampling and analytical procedures
- What audit procedures can be expected to reduce audit risk to an acceptably low level.
There is a relationship between materiality and the level of audit risk. The higher the
material figure is set, the higher the audit risk. The auditor could compensate for this by
Reducing the risk, where this is possible, and supporting this by carrying out extended
or additional tests of control or
Reducing detection risk by modifying the nature, timing and extent of planned
substantive tests.
Materiality is a matter of judgement.
Some matters could fall outside the criteria, although they could affect users of the
Percentage guidelines need to be used carefully. What figure do you select to base the
percentage on - Gross profit, profit before director’s salaries, assets, costs?
Materiality needs to be tailored to the business and the anticipated user.
There is currently an exposure draft on Materiality. The key issues are:
- Clear definition of materiality,
- Auditors should consider users as a whole rather than considering individual users,
- More guidance on the use of percentage benchmarks,
- Requires auditors to communicate all discovered misstatements to management,
- Setting a level doesn’t mean that some matters should be ignored.
Auditors should assess the risk of material misstatements arising in the financial statements
and carry out procedures in response to assessed risks.
Risk can be analysed as follows:
Overall risk is split into audit risk and business risk. Audit risk is sometimes known as
assignment or engagement risk. It is focused on the financial statements of the business.
Inherent risk is the susceptibility of an account balance or class of transaction to material
misstatement, irrespective of related internal controls. It may be due to the characteristics of
those items such as the fact they are estimates or that they are important items in the
accounts. Auditors use their professional judgment and their understanding of the client
company to assess the inherent risk.
Control risk is the risk that the client’s controls fail to prevent, detect and/or correct material
Detection risk is the risk that the audit procedures applied by the auditor will fail to detect
material misstatements. There are limitations to the audit process and detection risk relates to
the inability of auditors to examine all evidence. Also, we have seen previously that audit
evidence is persuasive rather than conclusive, so some detection risk always exists.
The auditor’s assessment of inherent and control risk will influence the nature, timing and
extent of the substantive procedures which are required to reduce the detection risk and,
hence, audit risk.
Examples of risk factors which affect the client:
Risk of
- Integrity and attitude to risk of management. Problems can be caused where there is
  domination by a single individual,
- A lack of management experience and knowledge can affect the quality of financial
- Unusual pressures on management can lead to tight reporting deadlines or market or
  financing expectations,
- The nature of the business can lead to potential problems such as technological
  obsolescence or over-dependence on single products,
- Industry factors such as competitive conditions, regulatory requirements, technology
- IT problems include lack of supporting documentation, expertise heavily dependent on
  a few people and potential risk of unauthorised access to systems.
Examples of risk factors affecting account balances or transactions:
- Areas which require prior year adjustments or require high level of estimation,
- Where expert valuations are required due to complex issues,
- Account balances such as cash, stock, portable assets which are prone to fraud,
- The existence of high volume transactions where systems may be unable to cope,
- Unusual transactions,
- Major changes in staff or low morale issues.
Business risk arises in the operations of a business. It is split into three distinct types:
- Financial risk arising from financial activities or financial consequences such as cash
  flow issues, overtrading, going concern, breakdown of accounting systems, credit risk
  and currency risk.
- Operational risks arise with regard to the operations of the business such as risk of
  losing a major supplier, physical disasters, loss of key personnel and poor brand
- Compliance risks arise from non-compliance with laws and regulations within which
  the company operates or environmental issues.
Relationship between risks
Initially, it would appear that audit risk and business risk are unrelated, as audit risks are
limited only to the financial statements. However, business risks include all risks facing the
business and this includes inherent risks and control risks, which form part of the audit risk.
Although audit risk is focused on the financial statements, business risk does form part of the
inherent risk associated with the financial statements because, if such risks materialise, then
the whole going concern basis of the business could be affected and this has major
implications for the financial statements.
Risk is a key issue in any audit and the most common approach to carrying out an audit
incorporates a recognition of those risks. This is called the risk-based approach.
There are other approaches and other techniques, and the risk-based approach is used in
conjunction with these other approaches.
Auditors apply judgment to determine what level of risk pertains to different areas of a
client’s system and devise appropriate audit tests. Risk-based auditing ensures that the
greatest effort is directed at those areas of the financial statements that are most likely to be
misstated. The chance of detecting errors is therefore improved and time is not wasted on
testing safe areas.
For example, in a small manufacturing company, an auditor will need to do more work on
inventory than say land & buildings. Inventory can be a complex area, with probably a
significant number of line items and there is the risk of obsolete stock.
Why is risk-based auditing increasingly used?
- Growing complexity of the business environment, such as advanced computer systems
  and the globalisation of business, increases the risk of fraud or misstatement.
- Pressure on auditors to keep fees down but improve the level of service.
ISA 315 requires that auditors consider the entity’s process for assessing its own business
risks. They must consider the factors that lead to the problems which may cause material
misstatements and what the audit can contribute to the business pursuing its goals.
The business risk approach was developed because it was believed that in some instances
the risk of misstatement arose mainly from the business risks of the company.
This business approach tries to mirror the risk management steps that have been taken by the
directors. It is also known as the top down approach in that it starts at the objectives of the
company and works down to the financial statements, rather than working up from the
financial statements which has been the historical approach to auditing.
Controls testing is aimed at high level controls and substantive testing is reduced.
Principal risks include:
- Economic pressures causing reduced sales and eroding margins,
- Demands for extended credit,
- Product quality issues re inadequate control over supply chain etc.,
- Customer dissatisfaction re order requirements and invoicing errors etc.,
- Unacceptable service response calls,
- Out of date IT systems.
These risks can impact on inventory values, receivables recoverable, provisions and
contingencies and going concern.
The effect of the top down approach is that the auditor pays more attention to high level
controls, such as the control environment and corporate governance, than the traditional
approach. In addition, analytical review procedures are used more extensively as the
auditor is keen to understand the business more clearly. The combination of the above two
factors will result in reduced substantive detailed testing, although it is not eliminated
Business risk approach advantages:
- There is added value given to clients as the approach focuses on the business as a
  whole rather than just the financial statements.
- Where audit attention is focused on high levels of controls and use of analytical
  procedures, there is increased audit efficiency.
- There is no need to focus on routine processes where technological developments
  have rendered them less prone to error than in previous times.
- The approach responds to corporate governance issues in recent years.
- There is a lower engagement risk through a better understanding of the client’s
This approach is always used in conjunction with other approaches as substantive testing can
never be eliminated completely.
Management is required to institute a system of controls which is capable of safeguarding the
assets of the shareholders. Auditors assess the controls put in place by directors and ascertain
whether they are effective and can be relied upon for the purposes of the audit. They carry
out tests to ensure that the systems operate as they are supposed to. If the controls are
ineffective, the control risk is high and it is important to undertake higher levels of
substantive testing.
An auditor may choose to carry out substantive tests on the transactions of the business in the
relevant period. Cycles testing is closely linked to systems testing as it is based on the same
systems. However, with the cycles approach, the auditors test the transactions which have
occurred, resulting in the entries in the books, such as sales transactions, purchases, expenses
etc. The auditor substantiates the transactions which appear in the financial statements.
A sample of transactions is selected and each transaction is tested to ensure that the
transaction is complete and is processed correctly through the complete cycle.
An auditor may choose to carry out substantive tests on the year end balances. This is the
most common approach to substantive testing after controls have been tested.
The balance sheet shows a snapshot of the financial position. If it is fairly stated and the
previous year’s figures were also fairly stated, then it is reasonable to undertake lower level
testing on the profit and loss transactions, e.g. analytical review.
There is a relationship with the business risk approach. The element of substantive testing
which remains in a business risk approach can be undertaken in this approach.
In some cases, most notably small companies, the business risks may be strongly linked to
management being concentrated in one person, and/or balance sheets may be uncomplicated.
In these cases, it is probably more cost effective to undertake a highly substantive balance
sheet audit rather than to undertake a business risk assessment.
It should be noted though, that when not undertaken in conjunction with a risk based
approach or systems testing, the level of detailed testing required can be high in a balance
sheet approach making it very costly.
Directional testing is a method of discovering errors and omissions in the financial statements
through undertaking detailed substantive testing. It can be broken down into two categories:
tests to discover errors and tests to discover omissions.
Checking entries from the books back to supporting documentation should help to detect
errors causing an overstatement or an understatement. For example, selecting sales
transactions from the sales ledger and tracing them back to sales invoices and price lists to
ensure that sales are priced correctly.
To discover omissions the auditor must start from outside the accounting records and trace
through to the records in the books. For example, to check the completeness of purchases,
select a number of GRNs and check through to the stock records and the purchase ledger.
Directional testing is appropriate when testing the financial statement assertions of existence,
completeness, rights & obligations, and valuation.
The concept of directional testing derives from the principle of double entry bookkeeping.
Therefore any misstatement of a debit entry will result in either a corresponding misstatement
of a credit entry or a misstatement in the opposite direction of another debit entry.
A test for an overstatement of an asset also gives comfort on understatement of other assets,
overstatement of liabilities, overstatement of income and understatement of expenses.
In other words by performing tests, the auditor obtains audit assurance in other audit areas.
A major advantage of this approach is its cost-effectiveness. Assets and expenses are tested
for overstatement only, while liabilities and income for understatement only.
Directional testing is particularly useful when there is a high level of detailed testing to be
carried out, such as when the auditors have assessed the controls and accounting systems and
have found them to be ineffective.
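
Added example (not part of the manual): the two directions of testing described above, run over constructed records. The record layouts, function names and figures are assumptions made for illustration.

```python
# Constructed records for illustration; not data from the manual.
GRNS = [  # goods received notes: raised outside the accounting records
    {"grn": "G-101", "supplier": "Alpha"},
    {"grn": "G-102", "supplier": "Beta"},
    {"grn": "G-103", "supplier": "Alpha"},
]
PURCHASE_LEDGER = [
    {"entry": "PL-1", "grn": "G-101", "amount": 500.0},
    {"entry": "PL-2", "grn": "G-103", "amount": 320.0},
]
PRICE_LIST = {"MUG": 4.0, "SCARF": 12.5}
SALES_INVOICES = {
    "S-1": {"product": "MUG", "qty": 100},
    "S-2": {"product": "SCARF", "qty": 10},
}
SALES_LEDGER = [
    {"entry": "SL-1", "invoice": "S-1", "amount": 400.0},
    {"entry": "SL-2", "invoice": "S-2", "amount": 152.0},  # priced too high
    {"entry": "SL-3", "invoice": "S-9", "amount": 900.0},  # no invoice exists
]


def trace_documents_to_ledger(documents, ledger, key):
    """Omission test: start outside the books, return documents never recorded."""
    recorded = {row[key] for row in ledger}
    return [doc[key] for doc in documents if doc[key] not in recorded]


def entries_without_document(ledger, documents, key):
    """Reverse direction: start from the books, return entries with no document."""
    known = {doc[key] for doc in documents}
    return [row["entry"] for row in ledger if row[key] not in known]


def vouch_sales_ledger(ledger, invoices, price_list, tolerance=0.005):
    """Error test: check each ledger entry back to its invoice and the price list.

    Returns (entry, finding, difference) for every entry that fails.
    """
    findings = []
    for row in ledger:
        invoice = invoices.get(row["invoice"])
        if invoice is None:
            findings.append((row["entry"], "no supporting invoice", row["amount"]))
            continue
        price = price_list.get(invoice["product"])
        if price is None:
            findings.append((row["entry"], "product not on price list", row["amount"]))
            continue
        diff = round(row["amount"] - invoice["qty"] * price, 2)
        if abs(diff) > tolerance:
            kind = "overstated" if diff > 0 else "understated"
            findings.append((row["entry"], kind, diff))
    return findings


if __name__ == "__main__":
    # Starting from the GRNs finds the purchase that never reached the ledger.
    print("Unrecorded GRNs:", trace_documents_to_ledger(GRNS, PURCHASE_LEDGER, "grn"))
    # Starting from the ledger cannot see it: every entry has a GRN.
    print("Unsupported purchases:", entries_without_document(PURCHASE_LEDGER, GRNS, "grn"))
    print("Sales ledger errors:", vouch_sales_ledger(SALES_LEDGER, SALES_INVOICES, PRICE_LIST))
```

The omitted purchase (G-102) is invisible when the test starts from the purchase ledger, which is why completeness has to be tested from the source documents inwards.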
These procedures are important at all stages of the audit, such as planning, substantive
procedures and the overall review.
It consists of comparing items like current financial information with prior year financial
information and analysing predictable relationships such as the relationship between
receivables and credit sales.
The use of analytical procedures generally arises in the business risk approach and is also
used in reviews, assurance engagements and reviewing prospective financial information.
When deciding to use analytical procedures as substantive procedures, the auditor must
The plausibility and predictability of the relationships, such as the strong relationship
between turnover and sales commission,
The objectives of the procedures and the extent to which their results are reliable,
The detail to which information can be analysed, such as information at department level,
The availability of information both financial and non-financial,
The relevance of the information such as budgets,
The comparability of the information - Average performances over an industry may
vary widely,
The knowledge gained during previous audits such as effectiveness of controls.
When determining that reliance can be placed on the results of such testing the auditor should
consider whether there are other audit procedures directed towards the same assertions, the
accuracy with which the results can be predicted and the frequency with which a relationship
is observed.
Practical techniques
Important accounting ratios
Gross profit margins
Average collection period
Stock turnover
Current ratio
Acid test ratio
Debt to equity capital
Return on capital employed
Related items
Payables and purchases
Inventories and cost of sales
Non-current assets and depreciation, repairs and maintenance
Loans and interest
Receivables and bad debts
Receivables and sales
Ratios on their own are of little use. They should be compared to previous years and other
comparable companies. In addition, the auditor should use non-financial information to
produce ratios such as sales revenue per unit of sale.
Other analytical techniques include:
Examining related accounts in conjunction with others
Trend analysis
Reasonableness tests such as calculating expected values.
Information technology can be used in trend analysis to enable auditors to see trends
graphically with relative ease and speed.
When seeking to identify an appropriate strategy for a particular audit, it is important to
remember that the approaches are linked and in some cases it is wise to use two or more:
Directional testing with balance sheet approach as they are both substantive testing
Risk and cycles based approach with low level of large transactions,
Risk and balance sheet approach where substantial numbers of sales transactions with
substantial receivables.
Question 6.1
M Ltd is a long standing client of the audit firm. You were the audit senior on the assignment
last year and now you are the audit supervisor. The partner has asked you to plan the audit
for the current year.
The client has approximately 100 customers, but 6 account for 80% of value. A new customer, York,
has come in with the potential to account for 20% of total sales in the coming year. Only 1
month of its sales are included in the figures to be audited. York is also an audit client of the
firm and you are aware that they have had problems with their previous suppliers who broke
off relations with them due to York’s poor payment record.
This year the company decided to factor its debts as a result of a previous history of bad
debts where large customers went bust. It sacked a sales ledger clerk near the end of the year
and outsourced the sales ledger function to the factor. The sales ledger clerk has threatened
that she will sue for unfair dismissal and for sexual discrimination.
There is also a large bank loan with a covenant attaching. One specific term states that the
bank requires an interest cover of 2.5 and current ratio of 1.5. Your audit assistant has
attended the stock count and noted a high level of old inventory included in the count.
Balance sheet extract
Tangible assets
Current assets:
Current liabilities:
Bank loan
Long term liabilities:
Bank loan
Profit and Loss extracts
Cost of sales
Gross margin
Admin exp.
Other exp.
Profit before interest & tax
1. Comment on the materiality level you would set
2. Identify the audit risks
3. Outline the key administrative planning matters that are outstanding
4. Discuss whether a conflict of interest arises with respect to the audit and what steps
the auditor should take.
Question 6.2 is a company with a chain of shops selling gifts to the tourist market. The
company has been a long standing client. Half way through the year the two directors who
are also shareholders decided to close down some of the smaller shops which have not been
performing well. Instead they have decided to set up a mail order business and to trade
through their website. Customers can order gifts via an email order form giving their credit
card details on that form. The goods will then be posted to the customer or the gift recipient.
The company has retained its major shops in solid locations. Customers may log on in the
shops and order what they require, if it is not available in the store they are in. At the same
time as launching the mail order system, the owners decided that they would offer a mailing
service for goods bought in the shops as well.
Some of the staff from the closed shops have been transferred to the warehouse where the
electronic arm of the business now operates.
The website is not integrated into the sales ledger. A sales clerk, Ange, prints 2 copies of
every email request. She checks the order to the availability of stock and then emails the
customer if the gift is going to take more than a week to process. She offers them the chance
to change their order if they do so wish. When the item is in stock, she sends one copy of the
order to the warehouse where the order is packed and despatched to the customer. The
warehouse manager returns the first copy of the order to another sales clerk, Mary, marked
despatched. Mary retrieves the second copy of the order, processes the credit card payment,
marks the first order as paid and shreds the second copy of the order. The marked up invoice
is filed in a paid invoices file. When there are lots of orders, Mary helps Ange out and vice
versa if lots of orders have been despatched.
1. Identify the business risks now facing the company with its e-commerce operations;
2. Identify any additional audit risks which may have arisen from the decision;
3. Propose and justify an audit strategy;
4. Suggest minor amendments to control procedures in order to make operations run
more smoothly.
Study Unit 7
Audit Evidence
Audit Evidence Introduction
Related Parties
Management Representations
Using the Work of Others
Sample Questions
The purpose of ISA 500 is to establish standards and provide guidance on what constitutes
audit evidence in an audit of financial statements, the quantity and quality of audit evidence
to be obtained, and the audit procedures that auditors use for obtaining that audit evidence.
In order to form an opinion, an auditor must obtain evidence. This evidence should be
sufficient, relevant and reliable. The auditor designs substantive procedures to obtain this
evidence about the financial statement assertions.
By approving the financial statements, the directors are making representations about the
information therein. These assertions may fall into the following categories:
(a) Assertions about classes of transactions and events for the period under audit:
Occurrence: transactions and events that have been recorded have occurred and
pertain to the entity.
Completeness: all transactions and events that should have been recorded have
been recorded.
Accuracy: amounts and other data relating to recorded transactions and events
have been recorded appropriately.
Cut-off: transactions and events have been recorded in the correct accounting
Classification: transactions and events have been recorded in the proper accounts.
(b) Assertions about account balances at the period end:
Existence: assets and liabilities exist.
Completeness: all assets and liabilities that should have been recorded have been
Rights and obligations: the entity holds or controls the rights to assets and
liabilities are the obligations of the entity.
Valuation and allocation: assets and liabilities are included in the financial
statements at appropriate amounts.
(c) Assertions about presentation and disclosure:
Occurrence and rights and obligations: disclosed events, transactions, and other
matters have occurred and pertain to the entity.
Completeness: all disclosures that should have been included in the financial
statements have been included.
Classification and understandability: financial information is appropriately
presented and described, and disclosures are clearly expressed.
Accuracy and valuation: financial and other information are disclosed fairly and
at appropriate amounts.
Procedures used by auditors to obtain evidence
Inspection of tangible assets
Inspection confirms existence and valuation and gives evidence of completion. It does not
however confirm rights and obligations.
Inspection of documents and records
Confirmation to documentation confirms existence of an asset or that a transaction has
occurred. Confirmation that items are in the books shows completeness. Also helps testing
cut-off. It provides evidence of valuation, measurement, rights and obligations and
presentation and disclosure.
This procedure is of limited use in that it only confirms that a procedure took place when it
was observed.
Inquiry and confirmation
Information sought from client or external sources. The strength of the evidence depends on
knowledge and integrity of the source of the information.
Recalculation and Re-Performance
Checking calculations of client records
Audit automation tools
Such as computer assisted auditing techniques
Analytical procedures
Sufficient and appropriate
Sufficiency is the measure of the quantity of the evidence, while the appropriateness is the
measure of the quality (reliability & relevance) of the evidence. This applies to both tests of
controls and substantive procedures.
An auditor’s judgment as to what is sufficient appropriate evidence is influenced by the
following factors:
Risk assessment, is it low or high,
The nature of the accounting and internal control systems,
The materiality of the item being examined,
The experience gained during previous audits,
The auditor’s knowledge of the business and industry,
The results of audit procedures,
The source and reliability of the information available.
The relevance of audit evidence should be considered in relation to the overall audit objective
of forming an audit opinion and reporting on the financial statements. The evidence should
allow the auditor to conclude on the following:
Balance sheet items -
Is there suitable completeness, existence, ownership, valuation and disclosure
Profit and loss items -
Is there suitable completeness, occurrence, valuation and disclosure issues?
Appropriate reliable
Reliability of audit evidence depends on the particular circumstances of each case. However,
the following should be considered:
Documentary evidence is more reliable than oral evidence;
Evidence from external independent sources is more reliable than that within an
Evidence from the auditor by such means as analysis and physical inspection is more
reliable than evidence obtained by/from others.
The auditor needs to obtain sufficient, relevant and reliable evidence to form a reasonable
basis for his opinion on the financial statements. His judgement of sufficiency will be
influenced by such factors as:
His knowledge of the business and its environment,
The risk of misstatement,
The quality of the evidence. However, merely obtaining more audit evidence may not
compensate for its poor quality.
Computer assisted audit techniques (CAAT)
Audit software
Used where client has computer systems and large volumes of data. The auditor can
scrutinise large volumes of data and free up his time for review and follow up results rather
than having to extract the data and select samples.
Before using software the auditor should have a basic understanding of data processing and
the client’s computer application. If the application is complex the auditor may need to have
some knowledge of systems analysis. He also needs to consider how easy it is to transfer the
data and extract it.
Examples of audit software include interrogation software (e.g. IDEA), comparison
programmes, interactive software for on-line interrogation and resident code software to
review transactions as they are processed.
Test data are used to assess a system’s performance. The expected results are known in
advance and are compared against the output using the test data. You can also use the test
data to check the controls of the system such as attempting to process invalid data.
A significant problem using test data is that it may result in corrupting a data file. Some
systems have controls that prevent the easy removal of data without leaving a mark. Other
problems include the fact that you are only testing the operation of the system at a point in
Audit sampling
ISA 530 states that when designing audit procedures, the auditor should determine
appropriate means for selecting items for testing so as to gather sufficient appropriate audit
evidence to meet the objectives of the audit procedures.
Auditors do not examine all information that is available to them (audit limitation) as it is
impractical to do so and as a result audit sampling is used to produce valid conclusions.
Audit sampling involves the application of audit procedures to less than 100% of items
within a class of transactions or account balance such that all sampling units have a chance of
selection. Audit sampling can use either a statistical or a non-statistical approach.
Error means either control deviations, when performing tests of controls, or misstatements,
when performing tests of details. Similarly, total error is used to mean either the rate of
deviation or total misstatement.
Anomalous error means an error that arises from an isolated event that has not recurred
other than on specifically identifiable occasions and is therefore not representative of errors.
Population means the entire set of data from which a sample is selected and about which the
auditor wishes to draw conclusions.
Sampling risk arises from the possibility that the auditor's conclusion, based on a sample,
may be different from the conclusion reached if the entire population were subjected to the
same audit procedure. There are two types of sampling risk:
The risk the auditor will conclude that controls are more effective than they actually
are, or that a material error does not exist when in fact it does. This type of risk affects
audit effectiveness and is more likely to lead to an inappropriate audit opinion; and
The risk the auditor will conclude that controls are less effective than they actually are,
or that a material error exists when in fact it does not. This type of risk affects audit
efficiency as it leads to additional work to establish that initial conclusions were
incorrect.
Non-sampling risk arises from factors that cause the auditor to reach an
erroneous conclusion for any reason not related to the size of the sample. For example,
ordinarily the auditor finds it necessary to rely on audit evidence that is persuasive rather than
conclusive, the auditor might use inappropriate audit procedures, or the auditor might
misinterpret audit evidence and fail to recognise an error.
Sampling unit means the individual items constituting a population, for example checks
listed on deposit slips, credit entries on bank statements, sales invoices or debtors' balances.
Statistical sampling means any approach to sampling that has the following characteristics:
Random selection of a sample; and
Use of probability theory to evaluate sample results.
Sampling, that does not have the above characteristics, is considered non-statistical sampling.
Stratification is the process of dividing a population into subpopulations, each of which is a
group of sampling units which have similar characteristics (often monetary value).
Tolerable error means the maximum error in a population the auditor is willing to accept.
Selecting Items for Testing to Gather Audit Evidence
The decision as to which approach to use will depend on the circumstances, and the
application of any one or combination of the available means may be appropriate in particular
circumstances. While the decision is made on the basis of the risk of material misstatement
related to the assertion being tested and audit efficiency, the auditor needs to be satisfied that
methods used are effective in providing sufficient appropriate audit evidence to meet the
objectives of the audit procedure.
Selecting All Items (100% examination)
The auditor may decide that it will be most appropriate to examine the entire population of
items that make up a class of transactions or account balance. 100% examination is unlikely
in the case of tests of controls; it is more common for tests of details. For example, 100%
examination may be appropriate when the population constitutes a small number of large
value items, when there is a significant risk and other means do not provide sufficient
appropriate audit evidence, or when the repetitive nature of a calculation or other process
performed automatically by an information system makes a 100% examination cost effective,
for example, through the use of computer assisted audit techniques (CAATs).
Selecting Specific Items
The auditor may decide to select specific items from a population based on such factors as the
auditor's understanding of the entity, the assessed risk of material misstatement, and the
characteristics of the population being tested. The judgmental selection of specific items is
subject to non-sampling risk. Specific items selected may include high value or key
items. While selective examination of specific items from a class of transactions or account
balance will often be an efficient means of gathering audit evidence, it does not constitute
audit sampling. The results of audit procedures applied to items selected in this way cannot
be projected to the entire population. The auditor considers the need to obtain sufficient
appropriate evidence regarding the rest of the population when that remainder is material.
Audit Sampling
The auditor may decide to apply audit sampling to a class of transactions or account balance.
Audit sampling can be applied using either non-statistical or statistical sampling methods.
Statistical Versus Non-statistical Sampling Approaches
The decision whether to use a statistical or non-statistical sampling approach is a matter for
the auditor's judgment regarding the most efficient manner to obtain sufficient appropriate
audit evidence in the particular circumstances. For example, in the case of tests of controls
the auditor's analysis of the nature and cause of errors will often be more important than the
statistical analysis of the count of errors. In such a situation, non-statistical sampling may be
most appropriate.
Sample Size
In determining the sample size, the auditor should consider whether sampling risk is reduced
to an acceptably low level. Sample size is affected by the level of sampling risk that the
auditor is willing to accept. The lower the risk the auditor is willing to accept, the greater the
sample size will need to be.
The sample size can be determined by the application of a statistically-based formula or
through the exercise of professional judgment objectively applied to the circumstances.
Selecting the Sample
The auditor should select items for the sample with the expectation that all sampling units in
the population have a chance of selection. Statistical sampling requires that sample items are
selected at random so that each sampling unit has a known chance of being selected. The
sampling units might be physical items (such as invoices) or monetary units. With non-
statistical sampling, an auditor uses professional judgment to select the items for a sample.
Because the purpose of sampling is to draw conclusions about the entire population, the
auditor endeavours to select a representative sample by choosing sample items which have
characteristics typical of the population, and the sample needs to be selected so that bias is
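
Added example (not part of the manual): stratification, random selection of monetary units and evaluation against tolerable error, as defined in the sampling section above. The population, threshold, seed and function names are constructed, and projecting by mean tainting (error divided by book value) is one common evaluation method assumed here; the manual does not prescribe a formula.

```python
import bisect
import random
from itertools import accumulate

# Constructed receivables listing (invoice id, book value in whole currency
# units); not data from the manual.
POPULATION = [
    ("INV-001", 48_000), ("INV-002", 1_200), ("INV-003", 650),
    ("INV-004", 31_500), ("INV-005", 2_400), ("INV-006", 900),
    ("INV-007", 3_100), ("INV-008", 150), ("INV-009", 5_600),
    ("INV-010", 1_750), ("INV-011", 4_250), ("INV-012", 500),
]


def stratify(population, key_item_threshold):
    """Split into key items (examined 100%) and the remainder to be sampled."""
    key_items = [p for p in population if p[1] >= key_item_threshold]
    remainder = [p for p in population if p[1] < key_item_threshold]
    return key_items, remainder


def select_monetary_units(stratum, n_units, seed):
    """Draw n_units monetary units at random and return the invoices holding them.

    Each invoice's chance of selection is known: it is proportional to its
    book value. Recording the seed lets a reviewer re-perform the selection.
    """
    if any(value <= 0 for _, value in stratum):
        # Zero and credit balances can never be hit by a monetary unit.
        raise ValueError("zero and credit balances need a separate test")
    rng = random.Random(seed)
    bounds = list(accumulate(value for _, value in stratum))
    selected = {}
    for _ in range(n_units):
        unit = rng.randint(1, bounds[-1])        # one monetary unit, uniformly
        idx = bisect.bisect_left(bounds, unit)   # invoice containing that unit
        selected[stratum[idx][0]] = stratum[idx]
    return list(selected.values())


def project_misstatement(results, stratum_value):
    """results: (book value, audited value) pairs for the sampled items.

    Mean tainting across the sample, applied to the stratum's book value.
    """
    taintings = [(book - audited) / book for book, audited in results]
    return sum(taintings) / len(taintings) * stratum_value


def evaluate(key_item_errors, projected, tolerable_error):
    """Key-item errors are known amounts and are added as found, not projected."""
    total = key_item_errors + projected
    return total, total <= tolerable_error


if __name__ == "__main__":
    key_items, remainder = stratify(POPULATION, key_item_threshold=10_000)
    sample = select_monetary_units(remainder, n_units=5, seed=2012)
    print("Examine in full:", [i for i, _ in key_items])
    print("Sampled:", [i for i, _ in sample])
    stratum_value = sum(v for _, v in remainder)
    # Constructed audit results: one sampled invoice overstated by 10%.
    projected = project_misstatement(
        [(1_000, 1_000), (2_000, 1_800), (500, 500), (4_000, 4_000)], stratum_value
    )
    print("Projected misstatement:", projected)
    print("Within tolerable error:", evaluate(300, projected, 1_000))
```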
ISA 550 states that the auditor should perform audit procedures designed to obtain sufficient
appropriate audit evidence regarding the identification and disclosure by management of
related parties and the effect of related party transactions that are material to the financial
statements. Where there is any indication that such circumstances exist, the auditor should
perform audit procedures as are appropriate in the circumstances.
Management is responsible for the identification and disclosure of related parties and
transactions with such parties. This responsibility requires management to implement
adequate internal control to ensure that transactions are appropriately identified and
As transactions between related parties may not be on an arm's length basis and there may
be a conflict of interest, management usually ensure that such transactions are subject to
appropriate approval procedures. The approval of material related party transactions is often
recorded in the minutes of meetings.
In owner managed entities similar approval procedures would ideally apply. Often, however,
procedures are less formalised because the owner manager is often personally aware of and,
implicitly or explicitly approves, all such transactions.
Definition of Related Parties and Related party transactions
Parties are related if one controls the other or is in a position to exercise influence over the
other in financial and operational decisions. Related transactions are those between related
parties regardless of whether any consideration has taken place.
Inherent difficulties of detection
Related party transactions are often inherently difficult for the auditor to detect.
The definition of a related party is complex and in part subjective and it may not always
be self-evident to management whether a party is related.
Many information systems are not designed to either distinguish or summarise related
party transactions and outstanding balances between an entity and its related parties.
An audit cannot be expected to detect all related party transactions.
Importance of Related Parties
The auditor needs to have a sufficient understanding of the entity and its environment to
enable identification of the events and transactions that may result in a risk of material
misstatement regarding related parties and transactions with such parties because:
The applicable financial reporting framework may require disclosure in the financial
statements of certain related party relationships and transactions
The existence of related parties or related party transactions may affect the financial
statements such as the entity's tax liability.
The source of audit evidence affects the auditor's assessment of its reliability. A greater
degree of reliance is placed on audit evidence that is obtained from unrelated third
A related party transaction may be motivated by other than ordinary business
considerations, for example, profit sharing or even fraud; and
Transfers of goods and services with related parties may be in accordance with
specified transfer pricing policies or under reciprocal trading arrangements which may
give rise to accounting recognition and measurement issues. In particular an entity may
have received or provided management services at no charge.
The risk that undisclosed related party transactions, or outstanding balances between an
entity and its related parties, will not be detected by the auditor is especially high when:
Related party transactions have taken place without charge,
Related party transactions are not self-evident to the auditor,
Transactions are with a party that the auditor could not reasonably be expected to know
is a related party,
Transactions undertaken with a related party in an earlier period have remained
unsettled for a considerable period of time,
Active steps have been taken by those charged with governance or management to
conceal either the full terms of a transaction or that a transaction is, in substance, with a
related party.
Existence and Disclosure of Related Parties
When planning the audit the auditor should assess the risk that material undisclosed related
party transactions, or undisclosed outstanding balances between an entity and its related
parties may exist.
The auditor should review information provided by management identifying the names of all
known related parties and should perform the following audit procedures in respect of the
completeness of this information:
Review prior year working papers for names of known related parties;
Review the entity's procedures for identification of related parties;
Inquire as to the affiliation of management and officers with other entities;
Review shareholder records to determine the names of principal shareholders or, if
appropriate, obtain a listing of principal shareholders from the share register;
Review minutes of the meetings of shareholders and those charged with governance
and other relevant statutory records such as the register of directors' interests;
Inquire of other auditors currently involved in the audit, or predecessor auditors, as to
their knowledge of additional related parties;
Review the income tax returns and other information supplied to regulatory agencies;
Review invoices and correspondence from lawyers for indications of the existence of
related parties or related party transactions; and
Inquire of the names of all pension and other trusts established for the benefit of
employees and the names of their management.
If, in the auditor's judgment, there is a lower risk of significant related parties remaining
undetected, these procedures may be modified as appropriate.
Where the applicable financial reporting framework requires disclosure of related party
relationships, the auditor should be satisfied that the disclosure is adequate.
Transactions with Related Parties
The auditor should review information provided by management identifying related party
transactions and should be alert for other material related party transactions. When obtaining
an understanding of the entity's internal control, the auditor should consider the adequacy of
control activities over the authorisation and recording of related party transactions.
During the course of the audit, the auditor needs to be alert for transactions which appear
unusual in the circumstances and may indicate the existence of previously unidentified
related parties. Examples include:
Transactions which have abnormal terms of trade, such as unusual prices, interest rates,
guarantees, and repayment terms.
Transactions which lack an apparent logical business reason for their occurrence.
Transactions in which substance differs from form.
Transactions processed in an unusual manner
High volume or significant transactions with certain customers or suppliers as
compared with others.
Unrecorded transactions such as the receipt or provision of management services at no
During the course of the audit, the auditor carries out audit procedures which may identify the
existence of transactions with related parties. Examples include:
Performing detailed tests of transactions and balances,
Reviewing minutes of meetings of shareholders and those charged with governance,
Reviewing accounting records for large or unusual transactions or balances, paying
particular attention to transactions recognised at or near the end of the reporting period,
Reviewing confirmations of loans receivable and payable and confirmations from
banks. Such a review may indicate guarantor relationship and other related party
Reviewing investment transactions, for example, purchase or sale of an equity interest
in a joint venture or other entity.
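
Added example (not part of the manual): a screening pass over accounting records for the indicators listed above (counterparty on the register of directors' interests, no consideration, abnormal prices, large transactions near the period end). The ledger rows, register entry, thresholds and function names are constructed assumptions; flagged items are candidates for follow-up, not conclusions.

```python
from datetime import date
from statistics import median

PERIOD_END = date(2012, 12, 31)  # constructed reporting date
# Constructed: names taken from the register of directors' interests.
REGISTER = ["Hillside Holdings Limited"]
# Constructed ledger rows: (id, counterparty, item, qty, amount, posting date)
LEDGER = [
    ("T1", "Acme Supplies Ltd", "widget", 100, 1000.0, date(2012, 3, 14)),
    ("T2", "Borough Trading", "widget", 50, 510.0, date(2012, 6, 2)),
    ("T3", "HILLSIDE HOLDINGS LTD.", "widget", 200, 1200.0, date(2012, 9, 20)),
    ("T4", "Carrow Services", "mgmt services", 1, 0.0, date(2012, 11, 5)),
    ("T5", "Borough Trading", "widget", 900, 9100.0, date(2012, 12, 29)),
    ("T6", "Acme Supplies Ltd", "widget", 80, 790.0, date(2012, 12, 30)),
]


def normalise(name):
    """Fold case, punctuation and Ltd/Limited so register and ledger names match."""
    words = name.lower().replace(".", "").replace(",", "").split()
    return " ".join("ltd" if w == "limited" else w for w in words)


def screen(ledger, register, period_end,
           price_band=0.25, cutoff_days=7, large=5000.0):
    """Return {transaction id: [reasons]} for rows that merit follow-up."""
    related = {normalise(n) for n in register}

    # Usual unit price per item: median over all priced transactions.
    prices = {}
    for _, _, item, qty, amount, _ in ledger:
        if amount > 0 and qty > 0:
            prices.setdefault(item, []).append(amount / qty)
    usual = {item: median(values) for item, values in prices.items()}

    flags = {}
    for tid, party, item, qty, amount, posted in ledger:
        reasons = []
        if normalise(party) in related:
            reasons.append("counterparty on register of directors' interests")
        if amount == 0:
            reasons.append("no consideration charged")
        elif (qty > 0 and item in usual
              and abs(amount / qty - usual[item]) > price_band * usual[item]):
            reasons.append("price outside usual terms")
        days_before_end = (period_end - posted).days
        if amount >= large and 0 <= days_before_end <= cutoff_days:
            reasons.append("large transaction near period end")
        if reasons:
            flags[tid] = reasons
    return flags


if __name__ == "__main__":
    for tid, reasons in screen(LEDGER, REGISTER, PERIOD_END).items():
        print(tid, "->", "; ".join(reasons))
```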
Examining Identified Related Party Transactions
In examining the identified related party transactions, the auditor should obtain sufficient
appropriate audit evidence as to whether these transactions have been properly recorded
and disclosed.
Given the nature of related party relationships, audit evidence of a related party transaction
may be limited. Because of the limited availability of appropriate audit evidence about such
transactions, the auditor considers performing audit procedures such as:
Discussing the purpose of the transaction with management,
Confirming the terms and amount of the transaction with the related party,
Inspecting information in possession of the related party,
Corroborating with the related party the explanation of the purpose of the transaction
and, if necessary, confirming that the transaction is bona fide,
Obtaining information from an unrelated third party,
Confirming or discussing information with persons associated with the transaction such
as banks, lawyers, guarantors and agents.
Disclosures Relating to Control of the Entity
The auditor should obtain sufficient appropriate audit evidence that disclosures in the
financial statements relating to control of the entity are properly stated.
Management Representations
The auditor should obtain a written representation from management concerning the
completeness of information provided regarding the identification of related parties; and the
adequacy of related party disclosures in the financial statements.
Audit Conclusions and Reporting
If the auditor is unable to obtain sufficient appropriate audit evidence concerning related
parties and transactions with such parties or concludes that their disclosure in the financial
statements is not adequate, the auditor should modify the audit report appropriately.
Problems associated with applying the standard include the identification of the controlling
party, which may be difficult, and the fact that the auditor may not be able to determine
whether transactions are material. (See materiality notes and limitations of criteria)
What procedures should a company put in place:
Advise all directors and officers that they have a responsibility to disclose appropriate
Record all such transactions in the minutes of directors’ meetings;
Maintain a register of all details which should be disclosed;
Set out approval procedures in respect of transactions which fall under related party
Obtain a formal statement annually from each director indicating the necessary
Audit procedures to assess such a system
Inspect the board minutes
Examine any agreements and contracts involving directors
Consider whether transactions disclosed are on commercial grounds
Assess the recoverability of amounts due in respect of directors or connected persons
Review the legality of the disclosable transactions
Review subsequent events after the year end for any additional disclosure requirements
ISA 580 states that the auditor should obtain appropriate representations from management.
These are an important source of evidence. Indeed these may be the only suitable evidence
available where knowledge of such facts is confined to management or may even be one of
judgement and opinion. The representations may be oral or written and may be obtained
either on a formal or informal basis. The auditors will include this information in their audit
working papers where it forms part of their total audit evidence. Written confirmation should
be obtained before the audit report is issued.
Acknowledgment by Management of its Responsibility for the Financial
The auditor should obtain audit evidence that management acknowledges its responsibility
for the fair presentation of the financial statements in accordance with the applicable financial
reporting framework, and has approved the financial statements. This normally occurs when
the auditor gets a signed copy of the financial statements which usually includes a statement
of management responsibilities. Alternatively, the auditor can obtain audit evidence
from relevant minutes of meetings or by obtaining a written representation from management.
Representations by Management as Audit Evidence
The auditor should obtain written representations from management on matters material to
the financial statements when other audit evidence cannot reasonably be expected to exist. It
may be necessary to inform management of the auditor's understanding of materiality.
The possibility of misunderstandings between the auditor and management is reduced when
oral representations are confirmed by management in writing.
The auditor should obtain written representations from management that:
It acknowledges its responsibility for the design and implementation of internal
control to prevent and detect error; and
It believes the effects of those uncorrected financial misstatements aggregated by the
auditor during the audit are immaterial to the financial statements taken as a whole.
During the course of an audit, management makes many representations to the auditor, either
unsolicited or in response to specific inquiries. When such representations relate to matters
which are material to the financial statements, the auditor will need to:
Seek corroborative audit evidence from sources inside or outside the entity,
Evaluate whether the representations made by management appear reasonable and
consistent with other audit evidence obtained and
Consider whether the individuals making the representations can be expected to be
well informed on the particular matters.
Representations by management cannot be a substitute for other audit evidence that the
auditor could reasonably expect to be available. If the auditor is unable to obtain sufficient
appropriate audit evidence regarding a matter which has a material effect on the financial
statements and such audit evidence is expected to be available, this will constitute a
limitation in the scope of the audit, even if a representation has been received on the matter.
In certain instances, audit evidence other than that obtained by performing inquiry may not be
reasonably expected to be available; therefore the auditor obtains a written representation by
If a representation by management is contradicted by other audit evidence, the auditor should
investigate the circumstances and, when necessary, reconsider the reliability of other
representations made by management.
Documentation of Representations by Management
The auditor would ordinarily include, in audit working papers, evidence of management's
representations in the form of a summary of oral discussions with management or written
representations from management.
A written representation is ordinarily more reliable audit evidence than an oral representation
and can take the form of:
A representation letter from management,
A letter from the auditor outlining the auditor's understanding of
management's representations, duly acknowledged and confirmed by
Relevant minutes of meetings of the board of directors or similar body or a
signed copy of the financial statements.
Basic Elements of a Management Representation Letter
When requesting a management representation letter, the auditor should request that it be
addressed to the auditor, contain specified information and be appropriately dated and signed.
It would ordinarily be dated the same date as the auditor's report.
A management representation letter would ordinarily be signed by the members of
management who have primary responsibility for the entity and its financial aspects
(ordinarily the senior executive officer and the senior financial officer) based on the best of
their knowledge and belief.
Action if Management Refuses to Provide Representations
If management refuses to provide a representation that the auditor considers necessary, this
constitutes a scope limitation and the auditor should express a qualified opinion or a
disclaimer of opinion. In such circumstances, the auditor would evaluate any reliance placed
on other representations made by management during the course of the audit and consider if
the other implications of the refusal may have any additional effect on the auditor's report.
The auditor is not expected to have the expertise of a person trained for or qualified to engage
in the practice of another profession or occupation, such as an actuary or engineer. For this
reason an auditor may need to use the work of an expert to obtain sufficient, appropriate audit
"Expert" means a person or firm possessing special skill, knowledge and experience in a
particular field other than accounting and auditing.
When using the work performed by an expert, the auditor should obtain sufficient appropriate
audit evidence that such work is adequate for the purposes of the audit.
If unable to obtain sufficient appropriate audit evidence, the auditor should consider the need
to modify the auditor's report. Although the auditor may use the work of an expert, the
auditor has sole responsibility for the audit opinion.
The expert can be engaged by the client or the auditor themselves. When the expert is
employed by the audit firm, the auditor will be able to rely on the firm's own systems for
recruitment and training that determine that expert's capabilities and competence instead of
needing to evaluate them for each audit engagement.
If neither the auditor nor the entity employs an appropriate expert, the auditor considers
asking management to engage an appropriate expert subject to the auditor being satisfied as
to the expert's competence and objectivity. If management is unable or unwilling to engage
an expert, the auditor may consider engaging an expert or whether sufficient appropriate audit
evidence can be obtained from other sources.
Determining the Need to Use the Work of an Expert
In obtaining an understanding of the entity and performing further procedures in response to
assessed risks, the auditor may need to obtain, in conjunction with the entity or
independently, audit evidence in the form of reports, opinions, valuations and statements of
an expert. Examples are:
Valuations of certain types of assets, for example, land and buildings, plant and
machinery, works of art, and precious stones.
Determination of quantities or physical condition of assets, for example, minerals
stored in stockpiles, underground mineral and petroleum reserves, and the remaining
useful life of plant and machinery
Determination of amounts using specialised techniques or methods, for example, an
actuarial valuation.
The measurement of work completed and to be completed on contracts in progress
Legal opinions concerning interpretations of agreements, statutes and regulations.
When determining the need to use the work of an expert, the auditor would consider:
The engagement team's knowledge and previous experience of the matter being
The risk of material misstatement based on the nature, complexity, and materiality of
the matter being considered and
The quantity and quality of other audit evidence expected to be obtained.
Competence and Objectivity of the Expert
When planning to use the work of an expert, the auditor should evaluate the professional
competence of the expert. This will involve considering:
The expert's professional certification or licensing by, or membership of, an
appropriate professional body and
Experience and reputation in the field in which the auditor is seeking audit evidence.
The auditor should also evaluate the objectivity of the expert. The risk that an expert's
objectivity will be impaired increases when the expert is:
Employed by the entity or
Related in some other manner to the entity, for example, by being financially
dependent upon or having an investment in the entity
If the auditor is concerned regarding the competence or objectivity of the expert, the auditor
needs to discuss any reservations with management and consider whether sufficient
appropriate audit evidence can be obtained concerning the work of an expert. The auditor
may need to undertake additional audit procedures or seek audit evidence from another
If the auditor is unable to obtain sufficient appropriate audit evidence concerning the work of
an expert, the auditor needs to consider modifying the auditor's report.
Scope of the Expert's Work
The auditor should obtain sufficient appropriate audit evidence that the scope of the expert's
work is adequate for the purposes of the audit. Audit evidence may be obtained through a
review of the terms of reference which are often set out in written instructions from the entity
to the expert. Such instructions to the expert may cover matters such as:
The objectives and scope of the expert's work,
A general outline of the specific matters the auditor expects the report to cover,
The intended use by the auditor of the expert's work, including the possible
communication to third parties of the expert's identity and extent of involvement,
The extent of the expert's access to appropriate records and files,
Clarification of the expert's relationship with the entity, if any,
Confidentiality of the entity's information,
Information regarding the assumptions and methods intended to be used by the expert
and their consistency with those used in prior periods.
In the event that these matters are not clearly set out in written instructions to the expert, the
auditor may need to communicate with the expert directly to obtain audit evidence in this
regard. In obtaining an understanding of the entity, the auditor also considers whether to
include the expert during the engagement team's discussion of the susceptibility of the entity's
financial statements to material misstatement.
Evaluating the Work of the Expert
The auditor should evaluate the appropriateness of the expert's work as audit evidence