CPA I1.4 AUDITING Study Manual


CPA
Certified Public Accountant Examination
Stage: Intermediate Level I1.4
Subject Title: Auditing
Study Manual
INTRODUCTION
© CPA Ireland
All rights reserved.
The text of this publication, or any part thereof, may not be reproduced or transmitted in any
form or by any means, electronic or mechanical, including photocopying, recording, storage
in an information retrieval system, or otherwise, without prior permission of the publisher.
Whilst every effort has been made to ensure that the contents of this book are accurate, no
responsibility for loss occasioned to any person acting or refraining from action as a result of
any material in this publication can be accepted by the publisher or authors. In addition to
this, the authors and publishers accept no legal responsibility or liability for any errors or
omissions in relation to the contents of this book.
INSTITUTE OF
CERTIFIED PUBLIC ACCOUNTANTS
OF
RWANDA
INTERMEDIATE I1
I1.4 AUDITING
First Edition 2012
This study manual has been fully revised and updated
in accordance with the current syllabus.
It has been developed in consultation with experienced lecturers.
CONTENTS

Introduction to Your Course

Study Unit 1: Introduction
- Assurance
- Levels of Assurance
- The Audit Function
- Types of Audits
- The Limitations of an Audit
- The need for Regulation
- Methodology of an Audit
- ISA 200

Study Unit 2: The Auditor and the Audit Environment
- Audit Opinion
- Role of the Auditor
- Relationships & Responsibilities
- The Audit Profession
- International Standards on Auditing
- Corporate Governance
- Codes of Best Practice

Study Unit 3: Auditor’s Legal, Ethical & Professional Responsibilities Part 1
- Professional & Ethical Responsibilities
- Statutory Responsibilities & Rights
- Appointment of Auditors
- Resignation & Removal of Auditors
- Auditor Duties & Rights

Study Unit 4: Auditor’s Legal, Ethical & Professional Responsibilities Part 2
- Auditor’s responsibilities in relation to fraud and for the entity’s compliance with Laws & Regulations
- Auditor’s responsibilities defined by case law arising from negligence and Related exposure and consequences
- Pre-Appointment Procedures

Study Unit 5: Audit Planning and Supervision
- Materiality
- Audit Risk and its Components
- Audit Strategies
- Knowledge of the entity and its environment
- Response to assessed risks of material misstatement
- Documentation
- Audit Supervision and Review

Study Unit 6: Internal Control Assessing Control Risk & Tests of Control
- Internal Control
- Information Systems, including the Related Business Process relevant to Financial reporting and communication
- Control Activities
- Assessing the Risk of Material Misstatement
- Tests of Control
- Assessment of impact on audit strategy
- The recording of control systems
- Audit Programmes

Study Unit 7: Financial Statement items Substantive Procedures
- Assertions
- Specific Audit Procedures
- Balance Sheet items
- Profit & Loss items
- Assessment of Misstatements
- Impact on Audit Reporting

Study Unit 8: Audit Execution Other Considerations
- Sampling
- Analytical Review
- Going Concern
- Subsequent Events
- Accounting Estimates
- Commitments & Contingencies
- Management Representations
- Use of Experts
- Opening Balances
- Comparatives

Study Unit 9: Computer Information Systems
- Entity computer systems and controls
- Computer Assisted Audit Techniques (CAATs)

Study Unit 10: Audit Reporting
- Review Considerations
- Reporting on audited financial statements
- Key concepts
- Basic elements of report
- Modified Reports
- Circumstances giving rise to modified reports
- Auditors’ responsibilities before and after date of audit report
- Auditors’ responsibilities for other documents

Study Unit 11: Public Sector Auditing
- The role of the Office of the Auditor General (OAG)
- The Legal Environment in which the OAG and auditees function
- Specific considerations for public sector auditing
- The role of INTOSAI
INTRODUCTION TO THE COURSE
Stage: Intermediate 1
Subject Title: I1.4 Auditing
Aim
The aim of this subject is to introduce students to the concepts and principles of the audit
process and to develop their understanding of its application in the context of the legal,
regulatory and ethical framework of the profession.
Auditing as an Integral Part of the Syllabus
Auditing is an essential foundation subject for the subsequent study of Audit Practice and
Assurance Services at Advanced 2 Stage. It is also an essential component for the study of
Advanced Financial reporting at Advanced 2 Stage. In carrying out the audit of an entity’s
financial statements there is a critical need to identify the source, and test the treatment of
financial statement items (period transactions and year-end balances) and disclosures, to
ensure compliance with generally accepted accounting practice. The subjects: Financial
Accounting and Financial Reporting will provide students with this necessary knowledge.
Introduction to Law, Company Law, Taxation and Information Systems will increase
students’ awareness of other matters that an auditor must consider in the audit process.
Learning Outcomes
On successful completion of this subject students should be able to:
- Interpret and discuss the legal, regulatory and ethical framework within which the auditor operates.
- Differentiate and explain the respective responsibilities of directors and auditors.
- Explain the nature, purpose and scope of an audit and discuss and defend the role of the auditor.
- Apply and explain the process relating to the acceptance and retention of professional appointments, to include the purpose and content of engagement letters.
- Devise an overall audit strategy and develop an audit plan.
- Supervise and review the various stages of the audit process.
- Outline the nature of internal controls and the procedures required to evaluate control risk relating to specific accounting systems, in order to identify internal controls and weakness within the systems.
- Distinguish between Tests of Control and Substantive Procedures.
- Design and apply the appropriate audit tests to include in the audit programme.
- Carry out analytical procedures and assess the implications of the outcome.
- Explain the significance, purpose and content of management letters and management representations.
- Explain the distinction between an internal and external audit.
- Apply and discuss audit sampling.
- Demonstrate the outcome and implications of subsequent event reviews.
- Plan and describe the audit of computer information systems.
- Draw appropriate conclusions leading to the formulation of the auditor’s opinion.
- Apply and explain the basic component elements of the Auditor’s Report.
- Identify and analyse matters that impact on the wording of Modified Reports differentiating between matters that do not affect the auditor’s opinion and matters that do affect the auditor’s opinion.
- Recognise ethical issues, discuss, escalate or resolve these as appropriate within the Institute’s ethical framework, demonstrating integrity, objectivity, independence and professional scepticism.
Syllabus:
1. The Auditor and the Audit Environment
The Statutory Audit: need, objective, focus, nature and structure. Public interest,
expectations, interrelationships between auditor, directors (management) and
shareholders and other users of financial statements, including their respective
roles and the auditor’s duties to these parties.
The Rwandan audit profession and ICPAR: organisation and regulation.
International Standards on Auditing (ISAs) and other technical pronouncements
issued by APB: nature, formulation, issuance and compliance enforcement.
The audit implications of International Accounting Standards (IFRS/IAS):
understanding and basis for application.
Directors’ responsibilities versus auditor’s responsibilities for financial statements
and internal controls; distinction between external and internal audit.
Corporate governance.
2. Auditor’s Legal, Ethical and Professional Responsibilities
Professional ethical responsibilities:
- IFAC Code of Ethics.
Statutory responsibilities and rights:
- Key responsibilities derived from International Standards on Auditing (ISAs).
- Auditor’s responsibility in relation to fraud and for the entity’s compliance
with laws and regulations.
- Auditor’s responsibilities defined by case law arising from alleged negligence
(financial statements misstated) and related exposure and consequences
- Pre-appointment procedures: client assessment (including management
integrity) and completion of engagement letter.
3. Audit Planning and Supervision
Materiality: nature (quantitative and qualitative), determination, impact and use
throughout different phases of the audit.
Audit risk and its components (inherent, control and detection risks):
interrelationships, evolution as audit progresses and impact on nature, timing and
extent of audit work.
Audit strategies (risk based auditing, tests of control, substantive procedures,
combined procedures, audit around and through computerised systems) and their
impact on the conduct of the audit.
Knowledge of the entity and its environment: business, risks, management, and
accounting systems.
Nature, extent and timing of audit procedures in response to assessed risks of
material misstatement, sufficient and appropriate audit evidence, types of audit
evidence, general audit techniques (enquiry, observation, inspection, analysis,
computation, confirmation).
Audit planning memo, audit programmes and working papers.
Audit supervision and review.
4. Audit Execution: Internal Control, Assessing Control Risk and Tests
of Control
Entity’s control environment and control procedures, objectives, limitations,
attributes.
Auditor’s and management’s respective responsibilities.
Internal control descriptions (flowcharts, narrative descriptions, walkthroughs)
and internal control assessments (ICEs/ICEQs).
Broad approach to internal controls, components of internal controls, limitations
of internal control.
Assessing the Risk of Material Misstatement, Internal Controls assessment and
Tests of Control for the following major systems: sales, purchases, payroll, cash
receipts and disbursements, inventory.
Audit Programmes for Tests of Control.
Final Assessment of Control Risk.
Management letter reporting and assessment of impact on audit strategy.
5. Audit Execution: Financial Statement Items Substantive Procedures.
Application of specific substantive procedures to test the following categories of
assertions:
- Assertions relating to classes of transactions and events;
- Assertions relating to account balances;
- Assertions relating to presentation and disclosure.
Audit of statements of financial position, validation procedures, applied in audit
of:
- Tangible fixed assets.
- Inventory.
- Accounts receivable, prepayments & sundry debtors.
- Investments and market securities.
- Bank and cash balances.
- Accounts Payable, accruals & sundry creditors, provisions for
liabilities.
- Debenture loans and bank borrowings.
- Capital and Reserves, Equity.
Audit of statements of comprehensive Income account, validation procedures,
applied in audit of:
- Revenues and expenses.
- Sales/purchases.
- Wages and salaries.
- Other statement of comprehensive income account items.
Understanding of IFRS/IAS concerning above items.
Misstatements / aggregation / assessment / impact on audit reporting.
6. Audit Execution: Other Considerations
Sampling methods: decision to use, judgemental versus statistical (MUS)
sampling methods for controls and financial statement items, sample selection and
assessment.
Analytical review: nature and use (financial statements/data) throughout audit.
Going concern and its impact throughout the different phases of the audit.
Subsequent events.
Accounting estimates.
Commitments and contingencies.
Management representation letters.
Use of experts.
7. Audit Execution: Computer Information Systems (CIS) Auditing
Entity’s computer systems and controls:
- Computer systems: general applications of e-commerce and impact on control
and audit work, key computer processes including data organisation and
access, network and electronic transfers and transaction processing
modes, key computer system hardware and software, including XBRL
(eXtensible Business Reporting Language).
- Key computer system general controls: design and implementation, data
integrity, privacy and security, system program changes, system access and
disaster recovery plans.
- Key computer system application controls: transactions input, processing and
output, master-file changes.
Computer Assisted Audit Techniques (CAATs):
- Nature (computer software including expert systems and test data),
- Purpose (testing, administration),
- Application and related audit concerns (integrity and security of CAATs, audit
planning considerations).
8. Audit Reporting
Reporting on Audited Financial Statements.
Key concepts: opinion, true and fair view, materiality, statutory requirements.
Basic elements of the Auditor’s Report.
Modified Reports, differentiating between
- Matters that do not affect the auditor’s opinion, and
- Matters that do affect the auditor’s opinion.
Circumstances giving rise to Modified Reports:
- Limitations on Scope.
- Disagreements with management.
Auditor’s responsibility before and after the date of the Auditor’s Report.
Auditor’s responsibility for other information in documents (e.g. Annual Report)
containing audited financial statements.
9. Public sector auditing
The role of the OAG
The legal environment in which the OAG and auditees function
Specific considerations for public sector auditing
The role of INTOSAI
UNIT 1 - INTRODUCTION
Study Unit 1
Introduction to Auditing
Contents
A. Assurance
B. Levels of Assurance
C. The Audit Function
D. Types of Audits
E. The Limitations of an Audit
F. The need for Regulation
G. Methodology of an Audit
H. ISA 200
INTRODUCTION
There has been a huge growth in information that is available today in all aspects of business.
The use of the internet has made access to information relatively easy and more and more
information is being required in all areas, not just financial. For example, take a look at the
Bank of Kigali annual report.
This growth in information has led to a need for assurance as to the quality and reliability of
that information so that users can make informed decisions based on the information that is
available to them.
A. ASSURANCE
The International Standards on Auditing (ISA) glossary of terms gives a definition of an
assurance engagement as “one in which a practitioner expresses a conclusion designed to
enhance the degree of confidence of the intended users other than the responsible party about
the outcome of the evaluation or measurement of a subject matter against criteria.”
In practice, this could be an auditor expressing an opinion to the shareholders of a company
on a set of financial statements prepared by management as to whether they have been
prepared in a true and fair manner in accordance with accounting standards and relevant
company law.
An audit is a type of assurance engagement.
B. LEVELS OF ASSURANCE
Various levels of assurance may be given but this depends very much on (1) the individual
engagement, (2) the criteria applied and (3) the subject matter. The glossary of terms refers
to two types but I will refer to three:
- Reasonable level of assurance - subject matter materially conforms to criteria; i.e. accounts give a true and fair view having regard to the accounting standards and law, such as carried out in an audit. This can also be known as a positive expression.
- Limited level of assurance - no reason to believe that subject matter does not conform to criteria. Essentially, a negative form of expression. Expect to see this in a review engagement. A review engagement is another type of assurance engagement.
- Absolute assurance - Can never be given. There are inherent limitations of an audit that affect the auditor’s ability to detect material misstatements in a set of financial statements.
C. THE AUDIT FUNCTION
What is an audit?
An audit is an exercise, of which the objective is to enable an independent auditor to express
an opinion on whether a set of financial statements has been prepared in a true and fair
manner and in accordance with an identified financial reporting framework.
An audit is an exercise the objective of which is:
to enable an independent auditor to express an opinion,
on whether a set of financial statements,
are prepared, in a true and fair manner,
in accordance with an identified financial reporting framework.
[Figure: Overview of Syllabus and audit. Diagram linking AUDIT to: Legal & Regulatory environment; Internal controls & financial statements; Ethics; Corporate Governance & current issues; Risk Assessment & Audit process; Reporting.]
D. TYPES OF AUDITS
- Statutory audits as required by companies’ legislation.
- Non-statutory audits preferred by interested parties rather than being required by law. For example, charities, societies, public interest companies.
- Small entity audits.
A statutory audit is an independent examination of a company’s financial statements in order
to verify that the accounts have been prepared in accordance with company law and
International Financial Reporting Standards (IFRS).
Not all companies, however, are required to have an audit. Audit exemption guidelines exist
within certain jurisdictions.
Small companies, depending on the jurisdiction, could possibly avail of the audit exemption
because:
- The cost may outweigh the benefit.
- Small companies are generally owner managers, so no distinction between shareholders and managers.
- Many small companies lack a system of internal controls.
- Their use of basic books of record.
However, small companies can opt to have an audit carried out specifically where the
potential users of financial statements may expect it.
There are arguments for and against small company audits.
For: Reassurance given by audited accounts for shareholders not involved in management.
Against: Where shareholders are part of management, the whole audit exercise may not appear to be value for money.

For: Audited accounts provide a good indication of a fair valuation for shares particularly unquoted shares.

For: An audit provides management with an independent check on the accuracy of their financial statements. Also, some auditors do provide decent management letters.
Against: In reality, a more focused systems review or similar consultancy report would be of more benefit to management.

For: Employees can gain comfort from audited accounts as to their job security and for wage negotiations.
Against: In reality, I don’t think this actually happens.

For: Bank managers often rely on audited accounts when reviewing security in the event of granting a loan.
Against: More importantly though, a bank manager may want to see a good credit history in a company’s transactions with the bank.

For: Suppliers can gain assurance from audited accounts when giving credit to customers.
Against: On the contrary, the accounts might be out of date and the customer could be experiencing difficulties. Might be more appropriate to get relevant credit references.

For: Revenue can rely on audited accounts to back up tax returns.
Against: In reality, revenue accepts sets of accounts prepared by independent accountants.
E. THE LIMITATIONS OF AN AUDIT
- Not every item is checked. In fact, only test checks are carried out by auditors. It would be impractical to examine all items within a class of transactions or account balance. Hence, it is not really possible to give absolute assurance.
- Auditors depend on representations from management and staff. Collusion can mitigate some good controls such as division of duties. There is always the possibility of collusion or misrepresentation for fraudulent purposes.
- Evidence gathered is persuasive rather than conclusive. It often indicates what is probable rather than what is certain. Take for example vouching a bank statement. It only shows you that one account. Are there others?
- Auditing is not purely an objective exercise. Judgements have to be made in a number of areas. The view in financial statements is itself based on a combination of fact and judgement. For example, valuing stock in a grain silo or valuing jewellery.
- The timing of an audit. Significant credit notes after the year-end can alter a true and fair view. Problems arise whether you audit too early or too late.
- An unqualified audit opinion is not a guarantee of a company’s future viability, the effectiveness and efficiency of management, nor that fraud has not occurred in the company. Profit margins can differ from firm to firm yet both could have a clean audit report.
So are there any benefits of an audit? Yes, there are.
- The shareholders of a company are given an independent opinion as to the true and fair view of the accounts that have been prepared by management.
- Third parties such as suppliers and banks use the accounts to gain confidence in the performance of a company.
- Auditors themselves can use the knowledge accumulated during the course of the audit to provide additional services to the company such as the provision of consultancy services or a management letter showing weaknesses in the business and recommendations to alleviate such weaknesses in the future.
- While the auditor is not responsible for detecting fraud, the very fact that an audit is carried out and may uncover evidence of fraud can help to mitigate such risks.
- Managers in some firms may be removed from day to day transactions especially regarding remote locations and an audit can allay fears of fraud or simple bad book-keeping.
F. THE NEED FOR REGULATION
Where there is reduced confidence in the markets and this leads to business failure, this in
turn leads to instability. As a result there is increased demand for regulation.
There has been regulation in the markets since the introduction of the concept of limited
liability. The requirement for audited financial statements is a way to protect the owners of a
business from unscrupulous management and also prevent the abuse of the limited liability
status. Standards used are a form of self-regulation. Company law is regulation, where
self-regulation doesn’t appear to be working.
Enron raised serious questions about self-regulation. In response, the Sarbanes-Oxley Act
of 2002 was passed in the USA. This set up improved corporate governance including
enhanced internal controls and improved levels of auditor independence. This has led to
attempts to strengthen regulation in a number of other countries too.
The conduct of audits is covered by:
1. A code of ethics
2. International Standards on Auditing
3. Company Law.
In addition, auditors are regulated by a number of different bodies, for example:
- The International Auditing and Assurance Standards Board (IAASB)
- The Government
- Professional accountancy bodies such as ICPAR
G. METHODOLOGY OF AN AUDIT
1. Determine the scope and the audit approach.
Legislation and the auditing standards lay down the scope for statutory audits. An auditor
should prepare a plan for his audit.
2. Ascertain the system and controls.
Discuss the accounting system and the flow of documents with all the relevant personnel
in the company. Document all your notes. Some auditors do flow charts, narrative notes
and/or internal control questionnaires. Get to know the client’s business. Confirm that
you have recorded the system accurately by carrying out walkthrough tests.
3. Assess the system and internal controls.
Evaluate the system as it is, to weigh up its reliability and draw up a plan to test its
effectiveness. At this stage you could draw up a letter to management recommending any
improvements you consider from your findings. In addition, what you have learned here
may influence the type of further audit testing you may carry out later on.
4. Test the system and internal controls.
Above, you evaluated the controls that are in place. Now you need to test that they were
effective. Compliance tests will cover many more transactions than the walkthrough tests.
You need to carry out a representative sample through the accounting period.
If you can establish that the controls are indeed effective, you can reduce the amount of
detailed testing later on. However, if the controls turn out to be ineffective, then more
substantive tests will need to be carried out.
5. Test the financial statements.
This section covers the substantive testing which has been described earlier. You are
effectively trying to stand over the figures in the financial statements. Substantive tests
are audit procedures performed to detect material misstatements. Remember, if you think
that any error you might find in a class of transactions will not be significant, then there is
little point carrying out the substantive test.
6. Review the financial statements.
After all the testing has been done and the evidence gathered, you should review the
accounts as to their overall reliability making a critical analysis of the content and
presentation.
7. Express an opinion.
You need to evaluate all the evidence you have gathered and express an opinion on a set
of accounts by way of a written audit report.
You may, in addition, write a management letter which can set out improvements you
recommend or place on record specific points in connection with the audit.
H. ISA 200
ISA 200 (International Standard on Auditing 200: Objective and General Principles
Governing an Audit of Financial Statements) sets out what audits are all about.
- The auditor should comply with the code of ethics for professional accountants issued by the International Federation of Accountants (IFAC) and the ethical pronouncements issued by the auditor’s relevant professional body.
- The auditor should conduct an audit in accordance with International Standards on Auditing and should plan and perform an audit with an attitude of professional scepticism.
- ISA 200 also makes a very important point in that while the auditor is responsible for forming and expressing an opinion on the financial statements, the responsibility for preparing and presenting those financial statements lies with the management.
- Furthermore, the auditor does not have any responsibility with regard to the prevention and detection of fraud. Again, that lies with the management.
UNIT 2 THE AUDITOR AND THE AUDIT
ENVIRONMENT
Study Unit 2
The Auditor and the Audit Environment
Contents
A. Audit Opinion
B. Role of the Auditor
C. Relationships & Responsibilities
D. The Audit Profession
E. International Standards on Auditing
F. Corporate Governance
G. Codes of Best Practice
THE AUDITOR AND THE AUDIT ENVIRONMENT
The Statutory Audit
The Companies Acts, depending on the applicable jurisdiction, shall require that the majority
of all companies must have an audit carried out. An exemption exists for small companies
depending on the applicable jurisdiction.
In addition to qualifying as a small company, the following would need consideration
depending on the applicable jurisdiction:
- Company must be a private company
- Company must not be a bank or insurance entity
- Company must not be part of a group
- All filing requirements within the applicable jurisdiction are kept up to date.
A. AUDIT OPINION
The objective of an audit is for an independent auditor to express an opinion on a set of
financial statements.
The key opinion is whether the accounts give a true and fair view. Unfortunately, there is
no formal definition as it is not laid out in Company law. However, it is generally accepted
that a set of accounts can only give a true and fair view if they are not factually incorrect and
present information in an impartial way that is clearly understood by the reader.
It could also be argued that in order to ensure that a set of accounts gives a true and fair view,
an auditor should have regard for Company Law and Accounting Standards pertaining to
those financial statements and that he himself has carried out the audit in accordance with the
relevant regulatory pronouncements, codes of ethics and Auditing Standards.
Aside from the key opinion, there are a number of other issues that the auditor needs to report
on and these should be laid out by the companies’ acts.
These are matters of opinion and matters of fact.
Matters of opinion:
1. Have proper accounting records been kept?
2. Is the information in the directors’ report consistent with that given in the financial
statements?
3. Does a financial situation exist which may require a Special Meeting?
4. Have the accounts been prepared in accordance with the provisions of the companies’
acts?
Matters of fact:
1. Has the auditor received all the information and explanations he deems necessary for
the purposes of his audit?
2. Do the financial statements agree with the books of account?
The statutory audit opinion is given by way of a written standard audit report addressed to the
shareholders of a company. The report should be signed and dated by the auditor.
B. THE ROLE OF THE AUDITOR
The auditor is the independent person that gives his opinion on a set of financial statements.
He does not provide absolute assurance. In other words he does not say the “accounts are
correct”. Audits have their limitations.
However, this is often misunderstood by users of accounts who seem to wrongly accuse the
auditor of shortcomings especially where there are infamous business failures or perceived
wrongdoing. This is known as the “expectation gap”.
The expectation gap exists because the role and duties of the auditor, which are recommended
to be laid out by the companies acts, codes of ethics and auditing standards, could be different
from the perceived role of the auditor by the general public and even company directors
themselves. For example, it is believed that the auditor should find all errors whether
unintentional or intentional such as fraud.
C. RELATIONSHIPS AND RESPONSIBILITIES
There are a number of stakeholders interested in financial statements from the shareholders to
management, customers to suppliers, revenue authorities to bank managers, and even future
investors.
The audit report is prepared by the auditor for the shareholders on the actions of the
management (directors).
The auditor has no legal duty to report to management or anyone else in respect of the
financial statements. However, in practice other parties do read the audit report and often
rely on the assurance given by the auditors.
Key issues:
- Management are responsible for the preparation and presentation of the accounts
- Management are responsible for the prevention and detection of fraud within a company
- Management are responsible for safeguarding the assets of a company
- The auditor is responsible for expressing an opinion on a set of accounts prepared by management.
D. THE AUDIT PROFESSION
Depending on the jurisdiction it would be recommended to set up an Accounting
Supervisory Authority together with an Auditing Authority. Its role would be to supervise the
practice of auditing and accounting in the relevant country.
Previously, each professional accounting body supervised its own members; however, more
recently Independent Supervisory Authorities are being established in countries, e.g. in
Ireland (IAASA).
The main functions of an Auditing and Accounting Supervisory Authority would be:
- To supervise how each body regulates its own members
- To promote adherence to the highest possible professional standards
- To monitor the accounts of companies to ensure compliance with companies legislation.
Each professional body will regulate and monitor its own members. Each body will issue its
own code of ethics. By and large the codes of ethics are very similar.
Persons carrying out audits must have the permission of the relevant authorities. It is strongly
recommended that all auditors have to be registered. Members of recognised bodies such as
CPA, ACCA and Chartered Accountants are registered auditors if they have practising and
auditing certificates from their respective bodies.
The Institute of Certified Public Accountants of Rwanda (ICPAR) is the Professional
Accountancy Organization (PAO) mandated by law number 11/2008 to regulate the
Accounting profession in the Republic of Rwanda. ICPAR is the only body authorized by law to
register and grant practising certificates to Certified Public Accountants (CPAs) in Rwanda.
Certified Public Accountant Certificate holders that are registered as members of ICPAR are
entitled to the CPA(R) designation.
The Institute operates in the public interest including promotion of financial reporting,
auditing and ethical standards.
The practising audit firms in Rwanda are very small in size and need capacity building with
respect to quality of audit.
E. INTERNATIONAL STANDARDS ON AUDITING
Readers of information need assurance as to the reliability of that information. In addition,
they will want to know that this reliability will not vary from one set of company accounts to
another. In order to ensure this, an auditor audits a set of accounts in accordance with
common standards.
There is a need then for auditors to be regulated so that all auditors follow the same
standards. One of the main points of ISA 200 (objective and general principles governing an
audit of financial statements) is that auditors must follow the international standards of
auditing in the exercise of an audit.
The International standards of auditing (ISAs) are produced by the International Auditing and
Assurance Standards Board (IAASB), which is part of the International Federation of
Accountants (IFAC). The IFAC is a global organisation for the accounting profession.
The intention is that the standards issued will improve the degree of uniformity of auditing
practices, both in a standardised approach to the audit and a standard reporting format.
Only in exceptional circumstances can an auditor judge it necessary to depart from an
auditing standard in order to achieve the objective of an audit. The auditor would need to be
able to justify his actions.
ISAs need only be applied to material matters. What is material is not defined in law but it is
generally accepted that something is material if its omission or misstatement could influence
the economic decisions of users of financial statements. Materiality can be based on value,
e.g. large amounts are more likely to be material than small ones, though sometimes they may
also be material by nature, for example if it exposes inappropriate decision-making within an
organisation possibly based on favouritism or personal bias.
ISAs are mandatory in some jurisdictions for the audit of company accounts.
Setting Standards - The Process:
The IAASB identifies new developments,
The IAASB appoints a task force to draft a standard,
Consultation takes place,
An “exposure draft” is produced, essentially a draft standard issued welcoming
comments from the profession and any other interested party,
The taskforce considers comments and may make amendments,
The Standard is finalised and formally approved by the IAASB.
International Standards on Auditing
Glossary of terms
ISQC 1
ISA 200: Objective and general principles governing an audit of financial statements
ISA 210: Terms of audit engagements
ISA 220: Quality control for audits of historical financial information
ISA 230: (Revised) Audit Documentation
ISA 240: The auditor's responsibility to consider fraud in an audit of financial statements
ISA 250: Consideration of laws and regulations in an audit of financial statements
ISA 260: Communication of audit matters with those charged with governance
ISA 265: Communicating deficiencies in internal control to those charged with governance
ISA 300: Planning an audit of financial statements
ISA 315: Obtaining an understanding of the entity and its environment and assessing the risks of material misstatement
ISA 320: Audit materiality
ISA 330: The auditor's procedures in response to assessed risks
ISA 402: Audit considerations relating to entities using service organisations
ISA 450: Evaluation of misstatements identified during the audit
ISA 500: Audit evidence
ISA 501: Audit evidence - additional considerations for specific items
ISA 505: External confirmations
ISA 510: Initial engagements - opening balances and continuing engagements - opening balances
ISA 520: Analytical procedures
ISA 530: Audit sampling and other means of testing
ISA 540: Audit of accounting estimates
ISA 545: Auditing fair value measurements and disclosures
ISA 550: Related parties
ISA 560: Subsequent events
ISA 570: Going concern
ISA 580: Management Representations
ISA 600: Using the work of another auditor
ISA 610: Considering the work of internal audit
ISA 620: Using the work of an expert
ISA 700: The auditor's report on financial statements
ISA 705: Modifications to opinions in the Independent Auditor’s Report
ISA 706: Emphasis of matter paragraphs and other matter paragraphs in the Independent Auditor’s Report
ISA 710: Comparatives
ISA 720: (Revised) Section A - Other Information in Documents Containing Audited Financial Statements; Section B - The Auditor's Statutory Reporting Responsibility in Relation to Directors’ reports
International Accounting Standards, International Financial Reporting Standards and
International Public Sector Accounting Standards
The auditor needs to express an opinion on a set of accounts as to whether they give a true
and fair view. In order to give a true and fair view, a set of accounts should have regard for
the provisions of company law and international accounting standards. Private sector
standards are known as International Financial Reporting Standards (IFRSs). There are public
sector equivalents, largely based on the IFRSs, known as International Public Sector
Accounting Standards (IPSASs).
The IFRSs are shown below (older Standards which have not been replaced by a more recent
IFRS are still called International Accounting Standards (IASs)).
The private sector Standards in issue are shown below:
IAS 1: Presentation of Financial Statements
IAS 2: Inventories
IAS 7: Statement of Cash Flows
IAS 8: Accounting Policies, changes in Accounting Estimates and Errors
IAS 10: Events After the Reporting Period
IAS 11: Construction contracts
IAS 12: Income Taxes
IAS 16: Property, Plant and Equipment
IAS 17: Leases
IAS 18: Revenue
IAS 19: Employee Benefits
IAS 20: Accounting of Government Grants and Disclosure of Assistance
IAS 21: The Effects of Changes in Foreign Exchange Rates
IAS 23: Borrowing Costs
IAS 24: Related Party Disclosures
IAS 26: Accounting and Reporting by Retirement Benefit Plans
IAS 27: Consolidated and Separate Financial Statements
IAS 28: Investments in Associates
IAS 31: Interests in Joint Ventures
IAS 32: Financial Instruments: Presentation
IAS 33: Earnings per Share
IAS 34: Interim Financial Reporting
IAS 36: Impairment of Assets
IAS 37: Provisions, Contingent Liabilities and Contingent Assets
IAS 38: Intangible Assets
IAS 39: Financial Instruments: Recognition and Measurement
IAS 40: Investment Property
IAS 41: Agriculture
IFRS 1: First Time Adoption of International Financial Reporting Standards
IFRS 2: Share-based Payment
IFRS 3: Business Combinations
IFRS 5: Non-current Assets Held for Sale and Discontinued Operations
IFRS 7: Financial Instruments: Disclosures
IFRS 8: Operating Segments
F. CORPORATE GOVERNANCE
A string of high-profile scandals and frauds in the 1980s and the 1990s forced the adoption
of voluntary codes of best practice in many countries (for example the UK) to enforce good
practice by directors and to communicate the adherence to good practice by management to
the shareholders. These Codes could be applied globally.
It was vital that companies were managed well i.e. there was good corporate governance.
It would be recommended to bring in many aspects of good corporate governance into
company law.
For example: The Cadbury report defines Corporate Governance as:
“The system by which companies are directed and controlled”.
Why is good corporate governance important?
Shareholders and managers are usually separate in a company and it is important that the
management of a company deals fairly with the investment made by the owners.
Corporate governance is about ensuring that public companies are managed effectively for
the benefit of the company and its shareholders.
In smaller companies, generally, shareholders are fully informed about the management of
the business as they are the directors themselves. However, in large companies the day to
day running of a company is the responsibility of the directors. Shareholders only get a look-
in at the Annual Meeting.
In addition, auditors only report on the truth and fairness of financial statements. They do not
report on how the shareholders’ investment is being managed and whether their investment is
subject to fraud.
Why does the need for good corporate governance come about?
Unscrupulous management ignoring distinction between company’s money and their
own,
Management manipulating share price for personal gain,
Management disguising poor results and mismanagement,
Management extracting funds from company and raising finance fraudulently.
Management inefficiencies in decision-making and internal control systems (these
might not be deliberate but are still problematic for shareholders)
Authority
Good corporate governance can be enforced by law (Sarbanes Oxley in the US) and/or by
agreement through codes of best practice.
So what does good corporate governance entail?
Effective management
Support/oversight of management by non-exec directors with sufficient experience
Fair appraisal of performance
Fair remuneration and benefits
Fair financial reporting
Sound systems of internal control
Constructive relationship with directors
G. CODES OF BEST PRACTICE
Two prominent codes have been formed in the UK and are considered best practice in
modern times and could be applied internationally.
For example: The Rwandan Stock Exchange commenced operations in January 2008 and
presently has four listed companies, namely:
1. Balirwa
2. KCB
3. NMG
4. BOK
In Rwanda these codes could be applied as “Codes of Best Practice”:
The Cadbury report
The Combined code
The Cadbury Report
The Cadbury report was issued in 1992. Its terms of reference considered:
The responsibilities of executive and non-executive directors and the frequency, clarity
and form in which information should be provided to shareholders.
The case for audit committees, their composition and role.
The responsibilities of auditors and the extent and value of the audit.
The links between auditors, shareholders and the directors.
The Cadbury report was aimed at directors of all UK PLCs; however, directors of all
companies are encouraged to apply the code. Directors should state in the financial
statements, normally through the directors’ report, whether they comply with the code and
must give any reasons for non-compliance.
The Cadbury report covered a number of areas including the board of directors, non-
executive directors, executive directors and the audit function. Some of the provisions
include:
Board of Directors
They should meet on a regular basis.
They should have clearly accepted divisions of responsibilities, so no one person has
complete power.
The posts of chairman and CEO should be separate.
Decisions which require a single signature or several signatures need to be laid out in a
formal schedule and procedures must be put in place to ensure that the schedule is
followed.
Non-executive directors
They are not involved in the day to day running of the company and should bring their
independent judgment to bear in the affairs of the company. Such affairs may include
key appointments and standards of conduct.
There should be no business or financial connection between the company and the non-
executive directors other than fees and a shareholding.
Their fees should reflect the time they spend on the business.
They should not participate in share option schemes or pension schemes.
Appointments of non-executive directors should be for a specific term and automatic
re-appointment is discouraged.
Procedures should exist whereby they may take independent advice.
A remuneration committee consisting of non-executive directors should decide on the
level of pay for executive directors.
Executive directors
They run the company on a day to day basis and should have service contracts in place
of not more than three years in length, unless approved by the shareholders.
Directors’ emoluments should be fully disclosed in the accounts and should be analysed
between salary and performance based pay.
Audit
The code states that the audit is the cornerstone of corporate governance. It is an
objective and external check on the stewardship of management.
Some flaws exist in the framework for auditing, such as choices in accounting
treatments, poor links between shareholders and auditors, price competition between
audit firms and the “expectations gap” between auditors and the public.
Disclosing fees for audit in the financial statements should safeguard against the threat
to objectivity where auditors offer other services to their audit clients.
Formal guidelines concerning audit rotation should be drawn up by the accounting
profession.
The accountancy profession should be involved in setting criteria for the evaluation of
internal control.
There is a need for auditors to report on going concern. This is now reflected in
auditing standards.
The Combined Code
For example, the UK stock exchange issues guidance on a regular basis. In 1998 it issued the
combined code. This combined key guidance from various reports, including the Cadbury
report, into the one code.
Some of its principles, which can be adopted globally, are:
Every company should have an effective board.
There should be clear divisions of responsibilities at board level.
There should be an appropriate balance of executive and non-executive directors.
A formal procedure for appointments to the board should exist.
The board should receive timely information in order to discharge its duties.
All directors should maintain and upgrade their skills and knowledge.
There should be an annual evaluation of its own performance.
All directors should be submitted to re-election at appropriate time intervals.
There should be appropriate levels of remuneration that are sufficient to attract, retain
and motivate individuals of the necessary quality required.
A significant portion of pay should be performance related.
A formal procedure for the fixing of pay levels should exist and no director should have
a hand in fixing his/her own pay.
The board should present a balanced assessment of the company’s performance.
The board should implement a good system of internal control.
The board should have meaningful communication with the shareholders and should
use the Annual Meeting to communicate with investors.
For example, the UK Stock exchange rules require that the annual report includes a statement
of how a company has applied the principles of the combined code and must disclose whether
there has been compliance with those principles. Auditors should review this statement.
Although the UK stock exchange rules require the code to be complied with, there is no
statutory duty for companies to do so. It is in fact a voluntary code.
This allows for flexibility in its application although shareholders will be aware of the
position due to the disclosure requirements.
In addition, being a voluntary code allows companies to opt out to the detriment of their
shareholders and there are companies while unlisted companies should be encouraged to
apply the codes.
Making the code obligatory may create an excessive burden of requirement especially for
smaller companies.
Audit Committees
Audit committees are generally made up of non-executive directors. They are perceived to
increase confidence in financial reports.
A number of recommendations contained in the combined code are:
Audit committee should comprise at least three non-executive directors (two for smaller
companies).
Its main role and responsibilities should be clearly set out in written terms of reference.
The committee should be provided with sufficient resources to undertake its duties.
Role and responsibilities
To monitor the integrity of the financial statements and other formal announcements.
To review the internal financial controls and the company’s control and risk
management systems.
To monitor and review the effectiveness of the internal audit function.
To make recommendations regarding the appointment of external auditors and their
remuneration.
To monitor and review the external auditor’s independence and objectivity.
To develop and implement policy on the engagement of the external auditor in other
non-assurance services.
Advantages of an audit committee
Provides an independent point of contact for the external auditor, particularly in the
event of disagreements.
Can create a climate of discipline and control.
Increased confidence in the credibility and objectivity of financial reports, by
increasing the quality of the financial reporting and enabling the non-executive
directors to contribute an independent judgment.
Internal auditors can report directly to the committee thereby providing a greater degree
of independence from management.
The existence of such a committee should make the executive directors more aware of
their duties and responsibilities.
Can act as a deterrent to fraud or illegal acts by executive directors.
Disadvantages of an audit committee
Can be difficult to source sufficient non-executive directors with the necessary
competence to be effective.
Auditors may not raise issues of judgment where there are formalised reporting
procedures.
Costs may increase.
Findings are generally not made public, so it is not always clear what they actually do.
Internal control effectiveness
Internal control is an essential tool in having good corporate governance and impacts
significantly on the audit approach that might be taken.
The directors of a company are responsible for putting in place an effective system of
internal control. An effective system of internal control will help management safeguard the
assets of a company, prevent and detect fraud and therefore, safeguard the shareholders’
investment.
In addition, it helps ensure reliability of reporting and compliance with laws. The use of the
word “help” denotes the fact that there are inherent limitations in any system of internal
controls and as such there can be no such thing as absolute assurance.
The directors need to set up internal control procedures and need to monitor these to ensure
that they are operating effectively.
The system of internal control will reflect the control environment which depends a lot on the
attitude of the directors towards risk.
The combined code recommends that the board of directors report on their review of internal
controls. This assessment should cover the changes in risks which the company faces and its
ability to respond to these changes, the scope and quality of management’s monitoring of risk
and internal control and the extent and frequency of reports to the board. It should also assess
the significant controls, failings and weaknesses that might have a material impact on the
accounts.
Auditors should assess the review carried out by the directors. They should assess whether
the company’s summary of the process of review is supported by documentation prepared by
the directors and that it reflects that process.
This review is not as defined as an audit. Therefore, it is only possible to give limited
assurance. For this reason, the auditors are not expected to assess whether the directors’
review covers all risks and controls and whether the risks are satisfactorily addressed by the
internal controls.
In order to avoid any misunderstandings, a paragraph is inserted into the audit report setting
out the scope of the auditor’s role.
Auditors should bring to the attention of directors any material weaknesses they find in the
system of internal control.
In order to monitor and assess the system of internal controls as to their reliability and
effective operation, a company may set up an internal audit department to carry out the
internal audit function.
There are significant differences between the external audit and internal audit functions.
1. An internal auditor is an employee of the company. Therefore, under applicable
company law, the internal auditor is precluded from acting as the external auditor of a
company.
2. External auditors are required by appropriate laws to belong to a recognised body,
which guarantees their appropriate qualification, adherence to technical standards and
overall competence. The internal auditor on the other hand requires no formal
training.
3. Unlike the external auditors, who are appointed at the Annual Meeting by the
shareholders of a company, the internal auditor is hired by the management of the
company. In turn this means he can be dismissed by the directors or other senior
managers, subject only to normal employment rights.
4. The primary objective of the external auditor is laid down by the applicable
companies’ acts, whereas the internal auditor’s objectives are dictated by the
management of the company. As a result, management can place limitations on the
scope of the internal auditor’s work. While some of his work may be similar to that
of the external auditor, more of it could relate to areas such as value for money.
UNIT 3 AUDITORS LEGAL, ETHICAL & PROFESSIONAL RESPONSIBILITIES Part 1
I1.4 Auditing
Study Unit 3
Auditors Legal, Ethical & Professional Responsibilities
Part 1
Contents
A. Professional & Ethical Responsibilities
B. Statutory Responsibilities & Rights
C. Appointment of Auditors
D. Resignation & Removal of Auditors
E. Auditors Duties & Rights
AUDITOR’S LEGAL, ETHICAL & PROFESSIONAL
RESPONSIBILITIES PART 1
A. PROFESSIONAL AND ETHICAL RESPONSIBILITIES
ISA 200 sets out the general principles of an audit. The auditor should comply with the code
of ethics for professional accountants issued by the International Federation of Accountants.
Accountants require ethics because people rely on them for their expertise in specific areas.
Both the International Federation of Accountants (IFAC) and the Institute of Certified
Public Accountants of Rwanda (ICPAR) have issued a code of ethics of which the
fundamental principles of both associations are very similar.
Both identify:
Fundamental principles of ethical behaviour
Potential threats to those principles
Possible safeguards to counter those threats.
If the code of ethics is contravened, members may face disciplinary proceedings which could
result in a fine, censorship, suspension or withdrawal of membership and with it possibly the
right to practice.
The fundamental principles are as follows:
Integrity. A member should be straightforward and honest in all professional and
business relationships.
Objectivity. A member should not allow bias, conflict of interest or undue influence
of others to override professional or business judgements.
Professional competence and due care. A member has a continuing duty to
maintain professional knowledge and skill at the level required to ensure that a client
or employer receives competent professional service. If you are not up to the task,
you shouldn’t take it on.
Confidentiality. A member should respect the confidentiality of information
acquired as a result of professional and business relationships and should not disclose
any such information to third parties without proper and specific authority unless
there is a legal or professional right or duty to disclose. Any information acquired
should not be used for the personal advantage of the member or third parties.
Professional behaviour. A member should comply with relevant laws and
regulations and should avoid any action that discredits the profession.
The circumstances in which members operate may give rise to specific threats to compliance
with the fundamental principles. However, it is impossible to define every situation that
creates such threats and to specify the appropriate mitigating action.
The Institute of Certified Public Accountants of Rwanda (ICPAR) conceptual framework
requires each member to identify, evaluate and address threats to compliance (ICPAR – Code
of Ethics – Part A 100.2).
If the threats are significant, then you need to identify and apply safeguards to eliminate the
risk or to reduce it to an acceptable level.
If no appropriate safeguards are available, then you need to eliminate the activities causing
the threat or decline the engagement or discontinue it as the case may be.
It would be recommended to follow the relevant ethical pronouncements which the
International Federation of Accountants (IFAC) outlines together with the auditor’s relevant
professional body.
ETHICAL STANDARDS
1. Integrity, Objectivity and Independence
2. Financial, business, employment and personal relationships
3. Long association with the audit engagement
4. Fees, remuneration and evaluation policies, litigation, gifts and hospitality
5. Non-Assurance Services provided to an Assurance Client
Integrity, Objectivity and Independence
An auditor should establish documented policies and procedures designed to ensure that in
relation to each audit engagement, the audit firm and anyone in a position to influence the
conduct and outcome of the audit should act with integrity, objectivity and independence.
The leadership of the audit firm should take responsibility for establishing a good control
environment within the firm.
Independence needs to be considered at all stages of the audit process.
The audit partner should ensure that the directors of an entity are informed of all matters that
affect an auditor’s objectivity and independence.
An auditor needs to be, and be seen to be, independent. They must have independence of mind
and independence in appearance. It is a fundamental principle.
Independence is a state of mind that permits the provision of an opinion without being
affected by influences that compromise professional judgement, and allows an individual to act
with integrity and exercise objectivity and professional judgement.
An auditor needs to avoid facts and circumstances that are so significant that a reasonable and
informed third party would reasonably conclude an auditor’s integrity, objectivity or
professional scepticism had been compromised.
Public confidence in the operation of capital markets and in the conduct of public interest
entities depends upon the credibility of the opinions and reports issued by auditors.
What are the possible threats to independence?
Integrity, objectivity and independence are the principal types of threats.
Self-interest.
A financial interest in a client, undue dependence on fees, close business relationship,
concern over losing a client, potential employment with client or loans from client;
anything which may cause the auditor to be reluctant to make decisions during an
audit.
Self-review.
Reporting on the operation of financial systems after you were involved in their
design and implementation. Preparation of the accounts which are now being audited.
Management threat.
Making judgements and taking decisions which are the responsibility of management,
such as changing journal entries, approving transactions or preparing source
documents. This can be linked to self-review.
Advocacy.
Acting as a legal advocate for a client in litigation or promoting shares in the
company.
Familiarity.
Allowing close personal relationships to develop with client personnel through long
association or a family relationship. The auditor may not be sufficiently questioning
of the client point of view. Accepting gifts of significant value is also a sign of
excessive familiarity.
Intimidation.
Threat of replacement due to disagreement, perhaps you want to qualify the accounts.
Possible Safeguards to independence
Safeguards that may eliminate or reduce threats to an acceptable level fall into two general
categories:
1. Safeguards created by the profession, legislation or regulation and
2. Safeguards in the work environment whether within the auditor’s own systems and
procedures or within the client company.
The first category includes:
Educational, training and experience requirements for entry into the profession.
The existence of a clear and robust Code of Ethics
Continuing professional development requirements.
Corporate governance regulations and Professional standards.
Professional or regulatory monitoring and disciplinary procedures.
The second category would include for example:
Firm wide safeguards
Documented policies and procedures to implement and monitor quality control of
engagements.
Documented policies regarding identification of threats, their evaluation and
application of safeguards.
Policies and procedures to enable identification of interests and relationships between
auditor and client.
Monitoring the fee income received.
Timely communication of a firm’s policies and procedures to all staff and appropriate
training thereof.
A suitable disciplinary mechanism to promote compliance with policies.
Possible Engagement specific safeguards
Involving an additional professional accountant to review the work done.
Consulting independent third parties.
Disclosing the nature of services provided and extent of fees charged to those charged
with client governance.
Rotating senior audit team personnel.
Possible Safeguards within client systems and procedures
Persons other than management ratify auditor appointment.
Client has competent employees with experience to make decisions.
The client has a corporate governance structure that provides appropriate oversight
and communications regarding the firm’s service.
International Standard on Quality Control (ISQC 1) sets out the standards and provides
guidance regarding a firm’s responsibilities for its system of quality control for audits.
The firm should establish a system of quality control designed to provide it with
reasonable assurance that the firm and its personnel comply with professional
standards and regulatory and legal requirements.
The firm’s system of quality control should include policies and procedures
addressing elements such as leadership responsibilities, ethical requirements,
acceptance and continuance of client engagements, human resources, engagement
performance and monitoring.
The quality control policies and procedures should be documented and communicated
to the firm’s personnel.
Confidentiality
There is a duty of confidence to the client. Confidentiality ensures that all information
necessary for the audit is given to the auditor. However, there are several exceptions noted.
The principle is twofold. First, you should refrain from disclosing any information acquired
without proper authority to do so, unless there exists a legal or professional right or duty to
disclose.
Secondly, you should refrain from using any information acquired for your own personal
advantage or that of a third party.
A member should maintain confidentiality even in a social environment and must continue to
comply with the principle even after the end of the professional relationship.
Exceptions when members may be required to disclose:
Disclosure permitted by law and authorised by client.
Disclosure required by applicable law, e.g. production of documents during the course of
legal proceedings or disclosure to appropriate public authorities of infringements of law
that have come to light, e.g. money laundering, theft and fraud offences, and a duty
to report where books of account have not been kept.
Professional duty or right to disclose when not prohibited by law, such as to comply
with quality assurance reviews, to respond to an inquiry by an institute, to protect the
professional interests of a member in legal proceedings or to comply with technical
standards and ethics.
Under ISA 250, Consideration of Laws and Regulations in an Audit of Financial Statements, if
auditors become aware of a suspected or actual occurrence of non-compliance with law and
regulation which gives rise to a statutory right or duty to report, they should report it to the
proper authority immediately.
Areas of controversy
Independence
Multiple services
Many audit firms are moving away from their traditional roles and are offering a
wider variety of work to their clients. Audit is sometimes even seen as a loss leader in
gaining other lucrative work.
Having more legislation in this area could restrict clients and limit opportunities for
further business and any synergies found in the auditor also providing additional
services would be lost.
Note, in the USA, SEC guidance suggests that an auditor is not independent in
relation to a listed company if they provide certain non-assurance services, such as
bookkeeping, internal audit, management or human resources functions.
Specialist services
Where services such as valuation of intangible assets, property or unquoted investments are
carried out by a firm that is also the company’s auditor, this can lead to a self-review
threat. A firm should not therefore audit a client’s accounts which include specialist
work carried out by them.
Second opinions
Second opinions are acceptable but not if the current auditors are pressurised to accept
the second opinion. In order to avoid this, there should be constant communication
between the two auditors.
The second firm has a duty to seek permission from the client to approach the current
auditors. Without such communication, the second opinion may be formed
negligently, as the second opinion may not be based on the same set of facts or may be
based on inadequate evidence.
Confidentiality
Conflicts of interest
Conflicts of interest can arise when a firm has two or more audit clients, and the
clients are in direct competition with each other e.g. major banks.
An audit firm can argue that different audit teams are involved and this can maintain
independence and confidentiality. However, clients may not perceive it this way and
could well move the audit to another firm.
Takeovers also need special consideration. You could be the auditor to both
companies in a takeover. In these cases, the auditor should not be the principal
advisor to either and should not issue any assessment reports on either party other
than the actual audit reports.
The public interest
There is no legal definition and therefore ‘public interest’ is difficult to prove.
Therefore, the auditor should be very careful here as any disclosure causing loss could
result in litigation. Seek legal advice at all times.
Insider dealing
Auditors can be seen as insiders as they often have access to very sensitive
information. Auditors should see the duty not to deal as an insider as an extension of
their duty of confidentiality to their clients. Again, it is not just in relation to third
parties but also to their own personal gain.
Financial, business, employment and personal relationships
Any partner in a position to influence a client audit should not have a financial interest in that
client and should not generally have any financial dealings other than those considered to be
at arm’s length and such dealings should not be material in value to either party involved.
As long as family members are not in a position of influence in relation to the accounting
records or the financial statements, the threat to independence and objectivity would not be
considered significant where a family member was employed in an audit client.
An audit firm must resign for at least 2 years where a former audit partner takes up a senior
position within an audit client.
Long association with the audit engagement
Long association can lead to a self-interest threat, self-review threat and a familiarity threat.
These may give rise to threats against independence and objectivity.
Firms need to monitor the length of time a specific senior person is engaged on a specific
assignment and should take appropriate steps if there is a perceived threat to the firm’s
objectivity.
For listed companies, it is recommended that the audit partner should rotate after 7 years,
other senior staff after 7 years also.
For other companies, there is no compulsory rotation, but good advice is that partners should
rotate off after 10 years.
Fees, remuneration and evaluation policies, litigation, gifts and hospitality
An audit should not be undertaken on a contingent fee basis. The fee charged should not
impact on the performance of an audit.
If the total fees generated by a client or client group represent a large proportion of a firm’s
total fee income then this could create a self-interest threat. The significance of the threat
should be evaluated and possible safeguards that could be applied are:
Discussing the extent and nature of fees charged with those charged with
governance
Taking steps to reduce dependency on the client
External Quality Control Review
Consult a third party e.g. Professional Regulatory Body
Gifts should not be accepted from clients, unless the value is insignificant.
Care needs to be taken with outstanding fees as they may be construed as loans. Remember:
only transactions in the normal course of business are allowed; otherwise there is a risk of a
perceived threat to independence.
Where there is threatened or actual litigation, the audit firm should not continue to act as
auditor.
Non-Assurance services provided to audit client
Firms need to have procedures in place to consider the impact of non-assurance services on
the firm’s independence and objectivity.
Internal Audit - audit firm should not provide such services where they intend to place
significant reliance on such work as part of external audit.
IT Services - audit firm should not design or implement systems that are a
significant part of the accounting systems.
Valuation - auditors should not provide a valuation where it involves a significant degree of
subjective judgement.
Tax services - auditors should provide routine compliance work only.
Corporate finance services - auditors should not accept any role on a contingent fee basis.
Accounting services - auditors should not undertake such services for a listed company.
B. STATUTORY RESPONSIBILITIES AND RIGHTS
Statutory responsibilities and rights are laid out under companies and other related legislation
such as
Companies Acts
We have already seen that company law - depending on the applicable jurisdiction - produces
a requirement that companies’ financial statements are audited.
Company Law should recommend dealing with a number of other auditor related issues
depending on the applicable jurisdiction, such as:
Appointment of auditors
Auditors’ remuneration
Resignation or removal of auditors
Auditors’ duties
Auditors’ rights
The Companies Acts of Rwanda – No 07/2009 of 27/4/09 – Law relating to Companies
C. APPOINTMENT OF AUDITORS
Auditors are appointed by members of a company at the Annual Meeting. The term lasts
from the end of one Annual Meeting until the next Annual Meeting unless of course the
auditor has resigned or has been removed during the year.
Where the company fails to appoint an auditor at the annual meeting, or the post
remains vacant for a period of one month, the Registrar General
shall have the power to have the company appoint its auditor within thirty (30) days.
Companies Acts – Article 238
Auditor’s remuneration
The auditor’s remuneration should be fixed at the Annual Meeting and should be disclosed in
the financial statements. It should be disclosed separately from those fees earned from
non-assurance services.
Companies Acts – Article 239
D. RESIGNATION & REMOVAL OF AUDITORS
An auditor who does not wish to be reappointed or wishes to resign
Where an auditor gives the Board of Directors of a company written notice that he/she does
not wish to be reappointed, the Board shall, if requested to do so by that auditor:
distribute to all shareholders and to the Registrar General, at the expense of the company,
a written statement of the auditor’s reasons for his/her wish not to be reappointed;
permit the auditor or his/her representative to explain at a shareholders’ meeting the
reasons for his/her wish not to be reappointed.
An auditor may resign prior to the Annual Meeting of the company.
This shall, after receiving the notification thereof, call on the Board of Directors to a special
meeting to receive the auditor’s notice of resignation. The auditor shall provide a written
report which gives his/her representative the opportunity to give an explanation why
he/she does not wish to be re-appointed as auditor. Also during that meeting, the Board of
Directors or the meeting of shareholders shall appoint a new auditor.
The auditor has the right to require that the directors call a Special Meeting to discuss his
resignation and the auditor can attend and speak at this meeting on any matter that concerns
him as the retiring auditor. Directors should send out notice of this meeting within a 30 day
period.
The auditor also has the right to receive all notices that relate to a general meeting at which
their term of office would have expired.
Companies Acts Articles 244 and 245
Removal
An auditor of a company shall be automatically reappointed at an annual meeting of the
company unless the company passes a resolution at the annual meeting appointing another
person to replace the auditor; Companies Acts Article 243.
The directors of a company should give at least 30 days’ notice to all those entitled to receive
a set of accounts if a motion to remove the auditors is to be put to the members at an Annual
Meeting. The auditors also have the right to receive a copy of such notice.
The motion to remove the auditor can be passed by a simple majority.
The auditor should have a right to make representations as to why they should retain their
office and they can require that a copy of these representations be sent to all the members.
The company should notify the registrar on the removal of the auditors and the auditor should
forward the statement of circumstances to the company within a period of at least 14 days of
ceasing to hold that office. A copy of this statement should be forwarded by the company to
the Registrar General.
The auditor has a right to receive notice of and speak at such an Annual Meeting where their
term of office would have expired.
Communication between auditors
The new auditor is likely to request authorisation from the company to contact the previous
auditor in order to ascertain if there are any circumstances which should be brought to their
attention before accepting the appointment as auditors.
The previous auditor will forward copies of previous audited accounts together with
sufficient information relating to lead schedules of all the major areas of the audit. The
previous audit files remain in the ownership of the previous auditor.
E. AUDITORS DUTIES & RIGHTS
Auditors’ duties
We have already covered the fundamental duties as to issuing an auditor’s report on forming
an opinion on the financial statements as well as looking at a number of other areas which
were matters of opinion and matters of fact.
Auditors’ rights
Auditors should have the following rights:
Access to all relevant documents and books and any information and explanations that
they require from the directors of a company which they deem necessary in the
conduct of the audit.
Attendance at any general meeting and to receive all notices and written resolutions
which any member of the company is entitled to receive.
To be heard at any general meeting on any matters that concern them as auditors
To give written notice requiring that an Annual Meeting be held for the reason of
laying the accounts and reports before the members of a company.
Companies Acts Articles 248 and 249
Possible Company Law offences could include:
Non-filing of annual returns
Directors’ loan infringements
Non-holding of Special Meetings
Failure to keep proper books of accounts
No director resident in state
Acting as an auditor while not qualified to do so
It would be considered the auditor’s duty to report any offences outlined above to the Police
or the Revenue Authorities.
The main offence an auditor should be aware of is money laundering activities. Money
laundering is the process by which criminals attempt to conceal the true origin and ownership
of the proceeds of their criminal activity, allowing them to maintain control over the proceeds
and ultimately, providing a legitimate cover for the source of their income.
Audit firms are required to report suspicions that a criminal offence has been committed,
regardless of whether the offence has been committed by a client or by a third party. In
addition, they need to be alert to the danger of making disclosures that are likely to tip off a
money launderer, as this is a criminal offence.
There is no legal right not to make a report and the auditor is not constrained by his
professional duty of confidence, although in all cases any such reporting must be made in
good faith. In this case, he is protected by law from having the client take a civil case against
him. However, if he did not have reasonable grounds on which to make a report to a third
party, he may be sued by his client for breach of confidentiality.
UNIT 4 AUDITORS LEGAL, ETHICAL & PROFESSIONAL RESPONSIBILITIES Part 2
Study Unit 4
Auditors Legal, Ethical & Professional Responsibilities
Part 2
Contents
A. Auditor’s responsibilities in relation to fraud and for the entity’s
compliance with Laws & Regulations
B. Auditor’s responsibilities defined by case law arising from negligence
and related exposure and consequences
C. Re-appointment Procedures
AUDITORS LEGAL, ETHICAL & PROFESSIONAL
RESPONSIBILITIES PART 2
A. AUDITOR’S RESPONSIBILITY IN RELATION TO FRAUD AND FOR THE
ENTITY’S COMPLIANCE WITH LAWS AND REGULATIONS
Fraud
An auditor’s main concern in an audit is the risk of a material misstatement in the financial
statements. These material misstatements can arise from fraud or error.
An error is an unintentional misstatement in the financial statements, whether an omission
of an amount or a disclosure. It can be a mistake in gathering or processing data for the
accounts, an incorrect accounting estimate or a mistake in the application of accounting
principles.
Fraud is an intentional act by one or more individuals among management, employees or
third parties, involving the use of deception to obtain an unjust or illegal advantage.
Auditors do not make a legal determination of whether fraud has actually occurred; the
auditor is concerned with fraud to the extent that it has caused a material misstatement in the
financial statements.
Responsibility
ISA 240, The Auditor’s Responsibility to Consider Fraud in an Audit of Financial
Statements, states quite clearly in paragraph 240.13 that the primary responsibility for the
prevention and detection of fraud rests with the management and those charged with
governance of the entity. It is their responsibility to establish a control environment to assist
in achieving the orderly and efficient conduct of the entity’s operations. It is up to them to
put a strong emphasis on fraud prevention.
The auditor does not have a specific responsibility to prevent or detect fraud, but he must
consider whether it has caused a material misstatement in the financial statements.
Types of fraud
There are two types of intentional misstatement:
1. Fraudulent financial reporting
2. Misappropriation of assets
Fraudulent financial reporting
This may be accomplished by the following:
Manipulation, falsification, or alteration of accounting records or supporting
documentation from which the accounts are prepared
Misrepresentation in, or intentional omission from, the accounts of events, transactions
or other significant information
Intentional misapplication of accounting principles relating to amounts, classification,
manner of presentation or disclosure.
Misappropriation of assets
This involves the theft of a company’s assets. While management are in a position to be able
to disguise or conceal misappropriations in ways that are difficult to detect, misappropriations
of small and immaterial amounts are often perpetrated by employees.
Misappropriations can be accomplished in a number of ways:
Embezzling receipts
Stealing physical assets or intellectual property
Causing an entity to pay for something they never received
Using an entity’s assets for own personal use.
The misappropriation of assets is often accompanied by false or misleading records or
documents in order to conceal the fact that the assets are missing.
Why is there fraud
Fraud occurs because:
There is an incentive or pressure to commit fraud
A perceived opportunity to do so
Rationalisation of the act.
Individuals may be living beyond their means
Management is under pressure to reach targets
An individual may believe internal controls can be over-ridden.
The auditor identifies the risks of fraud, relates the identified risks to what can go wrong at
the assertion level and considers the likely magnitude of a potential misstatement. Finally, he
should respond to those risks.
Reporting
The auditor should communicate to the appropriate level of management any identified fraud.
Where the fraud involves management or key employees in internal control operations, the
auditor should communicate as soon as possible any such fraud to those charged with
governance.
The auditor may have a statutory duty to report fraudulent behaviour to a regulator outside
the entity, for example the police authorities.
Law and Regulation
Companies are statutorily bound to comply with laws and regulations. Some of the laws and
regulations affecting companies are:
Company law
Health and safety regulations
Employment law
Civil law, both tort and contract
Environmental law and regulation
The auditor should identify the laws and regulations that an entity operates within.
ISA 250, Consideration of Laws and Regulations in an Audit of Financial Statements,
establishes standards and guidance on the auditor’s responsibilities to consider laws and
regulations in an audit of financial statements.
ISA 250.2 states that when designing and performing audit procedures and in evaluating
and reporting the results thereof, the auditor should recognise that non-compliance by the
entity with laws and regulations may materially affect the financial statements.
So the auditor’s responsibility is to plan and perform the audit to obtain reasonable assurance
that the company has in fact complied with relevant laws and regulations.
An audit cannot be expected to detect non-compliance with all the laws and regulations
applicable to a company. Detection, regardless of materiality, requires consideration of the
implications for the integrity of management or employees and the possible effect on other
aspects of the audit.
Non-compliance is a legal determination and is beyond the auditor’s professional competence
and while an auditor’s experience and training may well provide a basis for recognition,
ultimately, it can only be determined by a court of law.
The further removed the non-compliance is from the events and transactions normally
reflected in the financial statements, the less likely the auditor is to become aware of it or
recognize non-compliance.
Responsibility of Management
It is management’s responsibility to ensure that the entity’s operations are conducted in
accordance with laws and regulations. The responsibility for the prevention and detection of
non-compliance rests with management.
In larger companies, policies and procedures may be supplemented by an internal audit
function and an audit committee possibly split between a legal department and a compliance
function.
Directors of the company have responsibility to provide information required by the auditor,
to which he/she has a legal right of access. Such legislation also provides that it is a criminal
offence to give the auditor information or explanations which are misleading, false or
deceptive.
The auditor’s consideration
The auditor cannot be held responsible for preventing non-compliance, although an annual
audit may act as a deterrent.
Even though an audit is properly planned and performed in accordance with standards, there
is the unavoidable risk that some material misstatements will not be detected in the financial
statements.
ISA 250.13 states that auditors should plan and perform the audit with an attitude of
professional scepticism recognising that the audit may reveal conditions or events that would
lead to questioning whether an entity is complying with laws and regulations.
The auditor would test for compliance with specific laws and regulations only if engaged to
do so, as this is otherwise outside the scope of his audit.
ISA 250.18 lays out that the auditor should design procedures to help identify possible or
actual instances of non-compliance with the laws and regulations, which are central to the
entity’s ability to conduct its business and hence to its financial statements.
Further, the auditor should obtain sufficient, appropriate audit evidence about compliance
with those laws and regulations, which the auditor recognises as having an effect on the
determination of material amounts and disclosures in the financial statements.
Some of the laws and regulations include ones which prohibit a company from making
distributions except out of distributable profits and laws which require the auditor to
expressly report on non-compliance such as maintenance of proper books of account or
disclosures of directors’ remuneration.
The auditor should obtain written representations from management that they have
disclosed to the auditor all known actual or possible non-compliance with laws and
regulations whose effects should be considered when preparing the financial statements. In
addition, where applicable, the written representations should include the actual or contingent
consequences which may arise from the non-compliance.
In the absence of audit evidence to the contrary, the auditor is entitled to assume the entity is
in compliance with these laws and regulations.
The auditor’s responsibility in expressing an opinion on financial statements does not extend
to determining whether the entity has complied in every respect with tax legislation. The
auditor only needs sufficient audit evidence to give a reasonable assurance that the tax
amounts in the financial statements are not materially misstated.
What to do when non-compliance is discovered
When the auditor becomes aware of non-compliance, the auditor should obtain an
understanding of the nature of the act and the circumstances in which it has occurred, and
sufficient other information to evaluate the possible effect on the financial statements.
The auditor must consider:
The potential financial consequences such as fines, penalties and/or litigation.
Whether the potential financial consequences require disclosure.
Whether these consequences are so serious they call into question the truth and fairness
of the accounts.
Reporting of non-compliance
As soon as possible, the auditor should communicate with management, or obtain audit
evidence that management are appropriately informed, regarding non-compliance that comes
to the auditor’s attention. If in the auditor’s judgment, the non-compliance is intentional
and/or material, the auditor should communicate without delay.
If the auditor suspects senior management, then he should communicate to the next higher
level, such as the audit committee. Failing that, he should seek legal advice.
In the case of money laundering it may be appropriate to report the matter directly to the
appropriate authority.
Audit report implications
If the auditor concludes that the non-compliance has a material effect on the accounts
and has not been properly reflected, he should express a qualified or adverse opinion.
If the auditor has not been able to obtain sufficient evidence to evaluate whether a
material non-compliance has occurred, he should qualify his report or issue a disclaimer
of opinion on the basis of a scope limitation.
Third party reporting
Although the auditor has a duty of confidentiality, where non-compliance gives rise to a
statutory duty to report, the auditor should do so without undue delay.
B. AUDITOR’S RESPONSIBILITIES DEFINED BY CASE LAW
ARISING FROM NEGLIGENCE AND RELATED EXPOSURE AND
CONSEQUENCES
Professional Liability
Auditors may have professional liability under statute law and in the tort of negligence.
Statute law
There are occasions when auditors have professional liability under statute law:
In insolvency legislation, the auditor could be found to be an officer of the company
and thus could be charged with a criminal offence in connection with the winding up of
the company.
An auditor could be found to be guilty of insider dealing, which is a criminal offence.
Auditors could be found guilty of a criminal offence in respect of money laundering
issues as to their failure to report any known suspicions to the proper authority.
Failure to report issues that are required under company law such as those mentioned
on the audit report.
Tort of negligence
Negligence is based on common/customary law. It seeks to provide compensation for loss
suffered by one party due to another’s wrongful neglect.
To succeed, an injured party must prove:
A duty of care existed
The duty of care was breached
The actual breach caused the loss.
Who would take an action against an Auditor
If an auditor gave an incorrect audit opinion the following parties might take an action:
The company
The shareholders
The bank
Other lenders
Other interested third parties
The key difference between all the above mentioned parties is the nature and duty of care
owed to them by the auditor.
Audit client
An auditor owes a duty of care to the company as it is the audit client. The company has a
contract with the audit firm. Therefore, the duty of care is automatic under law.
The company is all the shareholders acting as a body; it cannot be represented by one
shareholder alone.
The standard of work of the auditor is generally defined by legislation. A number of
judgements exist which have gauged the level of care as specific legislation does not exist
which states clearly how an auditor should discharge his duty of care.
For Example: Re Kingston Cotton Mills 1896 Court of Appeal, England
“.it is the duty of the auditor to bring to bear on the work he has performed that skill, care and
caution which a reasonably competent, careful and cautious auditor would use. What is
reasonable skill, care and caution, must depend on the particular circumstances of the case.”
For Example: Re Thomas Gerrard & Son Ltd 1967 Chancery Division, England
“…the real ground on which re Kingston cotton mills….is, I think, capable of being
distinguished is that the standards of reasonable care and skill are, upon the expert evidence,
more exacting today than those which prevailed in 1896.”
For Example: Re Fomento (Sterling Area) Ltd v Selsdon Fountain Pen Co Ltd 1958
“…they must come to it with an inquiring mind, not suspicious of dishonesty…..but
suspecting that someone may have made a mistake somewhere and that a check must be
made to ensure that there has been none.”
Auditors have to be careful in forming an opinion and they must give consideration to all
relevant matters.
If an opinion reached by an auditor is one that no reasonably competent auditor would be
likely to reach, then the auditor would possibly be held liable for negligence.
Third parties
The auditor can only owe a duty of care to parties other than the audit client, if one can be
established.
Third parties will include any individual shareholders, potential investors and the bank. In
these cases, there is no contract with the audit firm. Therefore, there is no implied duty of
care.
Case law seems to suggest that the courts have been reluctant to attribute a duty of care for
third parties to the auditor.
Caparo Industries plc v Dickman and others 1990 England House of Lords - Tort
Caparo relied on a set of accounts to purchase shares in a company. Subsequently, they
alleged that the accounts were misleading. They argued the auditors owed a duty of care.
The House of Lords found that there was no duty of care. The audit complied with
companies legislation and there was nothing in that legislation to suggest that auditors
should protect the interests of investors.
James McNaughton paper group ltd v Hicks Anderson 1990
The position held that a restrictive approach was now adopted to any extension of the scope
of the duty of care beyond the person directly intended by the auditor. In addition, all
circumstances should now be taken into account in deciding on a duty of care.
However, in 1995, a High Court judge made an award against BDO as their joint audit of a
company in which ADT were investing was held to be a contractual relationship with ADT.
Problems however still arise after this case law. The reality is that third parties do rely on
audited accounts. The perception is, if you are required to file your accounts with the Office
of the Registrar General, then this information must be credible and independent.
It seems unfair that auditors should bear full responsibility for something for which they do
not have the primary responsibility.
In recent times, directors of companies are required by company law not to make misleading
statements to auditors.
Banks and other major lenders appear to have a more special relationship than other third
parties.
Loan facilities will often contain clauses requiring audited accounts and up to date financial
information on a regular basis. This may be seen to document a relationship with the auditor
that establishes a duty of care.
For Example: Royal Bank of Scotland v Bannerman, Johnstone Maclay and others 2002
The bank provided an overdraft facility to the company, who it is claimed misstated its
position due to a fraud. It was argued that the auditors neglected to find the fraud.
The judge found that the auditors had a duty of care. They knew that the bank needed audited
accounts as part of the overdraft arrangement and could have issued a disclaimer to the bank.
But they didn’t and this was an important factor in deciding that they did owe a duty of care.
Litigation avoidance
One way of dealing with litigation is to try and avoid it.
How?
Have clear client acceptance procedures, screen new clients, use an engagement letter.
Perform all audit work in accordance with standards and best practice.
Have sensible and effective quality control procedures in place.
Issue appropriate disclaimers. Auditors may attempt to limit their liability by issuing
disclaimers, although this may not always be effective in law.
C. PRE-APPOINTMENT PROCEDURES
Advertising
ISA 200 sets out the ethical principles governing the auditor’s professional responsibilities.
One of them is professional behaviour. A member is expected to comply with relevant laws
and regulations and should avoid any action that discredits the profession.
Now, auditors are like anyone else in business and in business it is necessary to advertise.
But this advertising should be aimed at informing the public in an objective manner and
should be in good taste.
The code of ethics goes on to say that in promoting themselves and their work, members
should be honest and truthful and should not make any exaggerated claims for the
services they are able to offer, the qualifications they possess or the experience they have
gained. In addition, they should not make any disparaging references or unsubstantiated
comparisons to the work of others.
If reference is made in promotional material to fees, the basis on which the fees are
calculated should be stated. The greatest care should be taken to ensure that any reference
does not mislead as to the precise range of services and time commitment that the reference is
intended to cover. The danger of giving a misleading impression is great when there are
constraints in respect of space limits for advertisements. It is for this reason that it is
generally inappropriate to advertise fees. It is probably better to advertise free
consultations to discuss fee issues.
Use of logos
Persons can only use the designated letters of a profession after their name, such as in
advertisements, when they are members of the said profession. A firm should hold a
practising/auditing certificate to describe itself as a registered auditor.
Tendering
Client companies can change auditors. In this regard a firm may be approached to submit a
tender for an audit. When approached to tender, an audit firm must consider whether they
want to do the work and they must have regard for the ethical considerations, such as
independence and professional competence. In addition, they need to consider fees and other
practical issues.
Fees
A member may quote whatever fee is deemed to be appropriate. The fact that one may
quote a lower fee than another auditor is not in itself unethical. However, it does raise the
risk of a threat to the principles of professional competence and due care in that the fee
quoted may be so low as to make it appear to be difficult to perform the audit to the expected
standards.
Therefore, it is wise to set out the basis of the calculation of the fee. The following factors
should be considered when setting out a fee:
What does the job involve? Is it audit and/or tax, or is there some other complicated
work involved?
Which staff will need to be involved (numbers and quality)? How long will they be
required? Is the nature of the business complex?
What charge-out rates are to be applied?
The practice of undercutting fees has been called lowballing and can be seen in action
generally where large audits are concerned. We have seen that having a lower fee may
seem to have a negative impact on an auditor’s perceived independence but there are other
factors to be considered:
Auditors operate in a market like any other business where supply and demand very
often dictate the price.
Fees may be lower due to reasons such as better internal audit functions and
simplified group structures within client companies.
Auditing firms have increased productivity, whether through the use of more
sophisticated IT or experience gained through understanding the client's business.
Practical issues
It is important that the auditor also considers a number of other issues:
Can the audit assignment be fitted in to the audit firm's current work plan?
Is suitable audit staff available?
Will any specialist skills be required?
What are the future plans for the company?
Is there any training required for current staff and what will be the cost of that
training?
What work does the client actually want - Audit and/or tax?
Is this the first time the company has been audited?
Whether the client is seeking to change its auditors and if so what is the reason behind
it?
Submitting an audit proposal
There is no set format. In fact, the client may dictate the format whether it be a written
submission or a presentation to the board of directors.
Whatever the form of the tender submission, the following matters should be included in the
proposal:
The audit fee and the basis for its calculation
An assessment of the needs of the client
How the firm means to meet the needs of the client
Any assumptions made to support the proposal
The audit approach to be adopted by the firm
A brief outline of the firm as seen by the proposer
Details and background of the key audit staff on the proposed engagement.
Evaluating the tender
Different clients will have different ways of evaluating a tender. Some of the more general
points are listed below. It is important to bear these in mind when preparing a proposal:
Fee. This can be the most vital point. Some clients go straight to this figure and don’t
even bother with the rest of the document.
Professionalism. Auditors are expected to be professional. Remember, first
impressions count and the audit team and the tender documents are often the first
factors.
Proposed audit approach. Clients are always looking for the least amount of
disruption to their already busy schedules, so the shortest number of days on-site may
be the key to winning a tender.
Personal service. Fostering relationships is vital. The client should always feel he is
getting value for money.
Acceptance
You have submitted a tender. You have been successful and the client has offered you the
audit. Before you accept and commence the audit you should carry out a number of
procedures in order to comply with the provisions of ISQC 1, Quality Control (sections 26 to
28).
Before accepting the assignment
Make sure there are no ethical issues which would prevent you from accepting this
assignment.
Make sure that you are professionally qualified to carry out the work requested and
that your firm has the resources available in terms of staff, expertise and time.
Check out references for the directors of the client firm especially if they are unknown
to the audit firm.
Consult previous auditors as a matter of professional courtesy and establish from them
whether there is anything that you ought to know about this vacancy.
After accepting the assignment
Make sure the resignation of the previous auditors has been properly carried out and
that the new appointment is valid. A board resolution of the company is required.
Submit a letter of engagement to the directors of the client company and ensure it is
signed before any audit work is carried out.
ISQC 1 states that a firm should establish policies and procedures for the acceptance and
continuance of client relationships and specific engagements, designed to provide it with
reasonable assurance that it will only undertake or continue relationships and engagements
where it:
Has considered the integrity of the client and does not have any information that would
lead it to conclude that the client lacks integrity,
Is competent to perform the engagement and has the capabilities, time and resources to
do so and
Can comply with the ethical requirements.
The firm should obtain such information as it considers necessary in the circumstances before
accepting an engagement with a new client, when deciding whether to continue an existing
engagement, and when considering acceptance of a new engagement with an existing
client.
Where issues have been identified and the firm decides to accept or continue the relationship
or a specific engagement, it should document how the issues were resolved.
Integrity of client
Matters to be considered:
Identity and business reputation of owners, key management and those charged with
governance.
Nature of the client's operations and its business practices.
Attitude of the owners, key management and those charged with governance towards
matters such as aggressive interpretation of accounting standards and the internal
control environment.
Client’s attitude to fees.
Indications of inappropriate limitation in the scope of work.
Indications that client may be involved in money laundering or other criminal
activities.
Reasons given for non-reappointment of previous auditors.
Information can be gathered through communications with previous auditors or other
professionals who may have provided services and through other third parties such as
bankers, legal counsel and industry peers.
Competence of the firm
Matters to be considered:
Has the firm got sufficient knowledge of the relevant industry and the relevant
regulatory environment?
Are there sufficient personnel within the firm having the necessary capabilities and
competence and are experts/specialists available when needed?
Are competent individuals available to perform quality control reviews?
Will the firm be able to complete the engagement within the reporting deadline?
Other issues
Where a potential conflict of interest is identified, the firm should consider whether it
is appropriate to accept the engagement.
Need to consider any significant matters that may have arisen during the current or
previous engagements of whatever description.
Agreeing the terms
Once an engagement has been accepted it is important to agree the terms. It is essential that
both parties fully understand what the agreed services are. Any misunderstanding could lead
to a breakdown in the relationship and could result in legal action, loss of business and
reputation.
ISA 210, Terms of Audit Engagements, establishes standards and provides guidance on:
Agreeing the terms of an engagement with the client and
The auditor’s response to a request by a client to change those terms to one that
provides a lower level of assurance.
It states that the auditor and the client should agree on the terms of the engagement. The
agreed terms would need to be recorded in an audit engagement letter or other suitable form
of contract. The terms should be recorded in writing.
The objective and scope of an audit and the auditor’s obligations may be established by law,
but the auditor may still find that an audit engagement letter will be informative for their
clients.
The main points to be clarified in the letter of engagement would include:
Confirmation of the auditor’s acceptance of the appointment.
The auditor is responsible for reporting on the accounts to the shareholders
The directors of the company have a statutory duty to maintain the books of the
company and are responsible for the preparation of the financial statements.
The directors are responsible for the prevention and detection of fraud.
The fact that because of the test nature and other inherent limitations of an audit, there
is the unavoidable risk that some material misstatements may remain undiscovered.
The scope of the audit including reference to appropriate legislation and standards.
There should be unrestricted access to whatever books and records the auditor needs
in the performance of his duties.
Other points to be included:
Arrangements regarding the planning and performance of the audit.
The expectation of receiving from management written confirmation regarding
representations made in connection with the audit.
Request for the client to confirm in writing the terms of the letter.
The fee to be charged and the credit terms.
The form of any reports or other communication of results of the engagement.
Other issues
On recurring audits, the auditor should consider whether circumstances require the
terms of the engagement to be revised and whether there is a need to remind the client
of the existing terms of the engagement.
An auditor who, before the completion of the engagement, is requested to change the
engagement to one which provides a lower level of assurance, should consider the
appropriateness of doing so. Where the terms are changed, both parties should agree on
the new terms. Note, the auditor should not agree to a change of engagement where
there is no reasonable justification for doing so.
UNIT 5 AUDIT PLANNING AND SUPERVISION
Study Unit 5
Audit Planning and Supervision
Contents
A. Materiality
B. Audit Risk and its Components
C. Audit Strategies
D. Knowledge of the entity and its environment
E. Response to assessed risks of material misstatement
F. Documentation
AUDIT PLANNING AND SUPERVISION
AUDIT PLANNING
ISA 300, Planning an Audit of Financial Statements, establishes standards and guidance on the
considerations and activities applicable to planning an audit.
The auditor should:
Plan the audit so that the engagement will be performed in an effective and efficient
manner.
Perform certain procedures at the beginning of the audit:
- the continuance of the client relationship,
- evaluation of compliance with ethical requirements including independence
and
- establish an understanding of the terms of the engagement.
Establish the overall audit strategy, setting out the scope, timing and direction of the
audit.
Develop an audit plan in order to reduce audit risk to an acceptably low level.
Update and change the audit strategy and plan as necessary during the course of the
audit.
Plan the nature, timing and extent of the direction and supervision of the audit team and
a review of their work.
Document the overall audit strategy and the audit plan, including any significant
changes made during the audit engagement.
Prior to starting an initial audit, perform procedures regarding the acceptance of the
client relationship and the specific audit engagement, and communicate with the
previous auditor in compliance with relevant ethical requirements.
Adequate planning helps to ensure that:
Appropriate attention is devoted to the most important areas,
Potential problems are identified and resolved on a timely basis,
The audit engagement is properly organised and managed,
There is proper assignment of work to engagement members,
There is direction and supervision of team members and review of their work,
There is proper co-ordination of work done by experts.
The nature and extent of planning activities will vary according to the size and complexity of
the entity, the auditor’s previous experience with the entity and changes in circumstances that
occur during the audit engagement.
The establishing of the overall strategy involves considering the important factors that will
determine the focus of the audit team’s effort, such as:
The determination of appropriate materiality levels,
Preliminary identification of areas where there may be higher risks of material
misstatement,
Preliminary identification of material components and account balances,
Evaluation of whether the auditor may plan to obtain evidence regarding the
effectiveness of internal control,
The identification of recent significant entity-specific, industry, financial reporting or
other relevant developments.
The appendix of ISA 300 sets out examples of matters the auditor may consider in
establishing the overall audit strategy. It is split between the scope of the audit engagement,
the reporting objectives, timing of the audit and communications required and the direction of
the audit.
A. MATERIALITY (ISA 320)
Materiality needs to be considered by an auditor in evaluating the effect of misstatements on
the financial statements and when determining the nature, timing and extent of audit
procedures.
In designing the audit plan, the auditor should set an acceptable materiality level. He should
consider this materiality at both the overall financial statement level and in relation to classes
of transactions, account balances and disclosures.
Information is material if its omission or misstatement could influence the economic
decisions of users taken on the basis of the financial statements.
Factors to be considered are both quantitative and qualitative. An item might be material
due to its nature, value or impact on users of accounts.
Nature
Transactions involving directors generally affect users of accounts.
Value
Inventory stocks in a manufacturing company may represent a high percentage of
current assets.
Impact
An end of year journal could convert a loss into a profit, thus affecting the users of
accounts.
The auditor’s assessment of materiality helps the auditor to decide:
What items and how many to examine
Whether to use sampling and/or analytical procedures
What audit procedures can be expected to reduce audit risk to an acceptably low level.
An auditor should consider materiality and its relationship with audit risk when conducting
an audit. The higher the materiality figure is set, the higher the audit risk. The auditor could
compensate for this by either
Reducing the risk, where this is possible, and supporting this by carrying out extended
or additional tests of control or
Reducing detection risk by modifying the nature, timing and extent of planned
substantive tests.
Problems with Materiality
Materiality is a matter of judgement.
Some matters could fall outside the criteria, although they could affect users of the
accounts.
Percentage guidelines need to be used carefully. On what figure do you base the
percentage: gross profit, profit before directors’ salaries, assets or costs?
Materiality and the audit process
Materiality needs to be tailored to the business and the anticipated user. An auditor should
plan materiality based on draft figures and any other recent available financial information.
These should be applied to individual balances at the assertion level. All items greater than
the set materiality figure should be tested, with a sample selected from the remaining items.
The actual errors detected should be extrapolated out for the entire population of transactions.
A final materiality should then be based on the results obtained and the actual financial
statements produced.
To set a materiality level, an auditor needs to decide what level of misstatement (error) would
distort the view given by a set of financial statements.
The materiality level must be reviewed constantly throughout the audit process as changes
may be required due to changes in the draft accounts, any external factors that may alter the
risk profile of the entity and any actual misstatements uncovered during the audit testing
phase.
The materiality level is often set as a percentage of profits as it is generally the figure that most
interested parties check out first. However, there are other figures that are also used. A range
of those values is as follows:
Value               %
Profit before tax   5
Gross profit        ½-1
Turnover            ½-1
Total assets        1-2
Net assets          2-5
Profit after tax    5-10
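The materiality process described above (planning figure from draft accounts, full testing of items above materiality, a sample of the rest, extrapolation of errors, then a final materiality) can be sketched as follows. This is an added example, not part of the manual: the receivables listing, audit results and profit figures are constructed, and systematic selection and ratio projection are assumed methods, since the manual does not prescribe any.

```python
"""Planning materiality, selection for testing and projection of errors."""

# Benchmark ranges from the manual's table, as fractions (low, high).
BENCHMARKS = {
    "profit_before_tax": (0.05, 0.05),
    "gross_profit": (0.005, 0.01),
    "turnover": (0.005, 0.01),
    "total_assets": (0.01, 0.02),
    "net_assets": (0.02, 0.05),
    "profit_after_tax": (0.05, 0.10),
}


def materiality_range(benchmark, amount):
    """Return (low, high) materiality for a draft or final figure."""
    low, high = BENCHMARKS[benchmark]
    return (round(amount * low, 2), round(amount * high, 2))


def select_for_testing(balances, materiality, sample_size):
    """Every item above materiality, plus a systematic sample of the rest.

    balances maps item reference -> book value. Systematic (every n-th)
    selection is an assumption; the manual does not prescribe a method.
    """
    refs = sorted(balances)
    key_items = [r for r in refs if balances[r] > materiality]
    remainder = [r for r in refs if balances[r] <= materiality]
    if sample_size <= 0 or not remainder:
        return key_items, [], remainder
    step = max(1, len(remainder) // sample_size)
    sample = remainder[::step][:sample_size]
    return key_items, sample, remainder


def projected_misstatement(balances, audited, key_items, sample, remainder):
    """Known error in items tested in full, plus the sample error rate
    projected over the whole remaining population (ratio projection)."""
    known = sum(balances[r] - audited[r] for r in key_items)
    sample_book = sum(balances[r] for r in sample)
    sample_error = sum(balances[r] - audited[r] for r in sample)
    remainder_book = sum(balances[r] for r in remainder)
    projected = sample_error * remainder_book / sample_book if sample_book else 0.0
    return round(known + projected, 2)


# Constructed receivables listing (book values) and constructed audit results.
RECEIVABLES = {
    "INV-001": 45000.0, "INV-002": 26500.0, "INV-003": 8000.0,
    "INV-004": 6000.0, "INV-005": 4000.0, "INV-006": 12000.0,
    "INV-007": 3000.0, "INV-008": 7000.0, "INV-009": 5000.0,
    "INV-010": 15000.0,
}
AUDITED = {  # values confirmed by testing; only tested items appear
    "INV-001": 45000.0, "INV-002": 25000.0, "INV-003": 8000.0,
    "INV-005": 3400.0, "INV-007": 3000.0, "INV-009": 4600.0,
}


def run_example():
    # Planning materiality: 5% of draft profit before tax (constructed figure).
    planning, _ = materiality_range("profit_before_tax", 400000.0)
    key, sample, rest = select_for_testing(RECEIVABLES, planning, 4)
    total = projected_misstatement(RECEIVABLES, AUDITED, key, sample, rest)
    # Final materiality: recomputed on the profit in the final accounts.
    final, _ = materiality_range("profit_before_tax", 380000.0)
    return {"planning": planning, "key_items": key, "sample": sample,
            "projected": total, "final": final, "material": total > final}


if __name__ == "__main__":
    print(run_example())
```

The projected misstatement is compared with the final materiality, not the planning figure, because the manual requires materiality to be revisited once the actual financial statements are produced.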
B. AUDIT RISK AND ITS COMPONENTS
Auditors should assess the risk of material misstatements arising in the financial statements
and carry out procedures in response to assessed risks.
Risk can be analysed as follows:
[Diagram: Overall risk splits into Audit risk and Business risk. Audit risk: Detection risk and Risk of material misstatement (Inherent risk, Control risk). Business risk: Financial risk, Operational risk, Compliance risk.]
Overall risk is split into audit risk and business risk. Audit risk is sometimes known as
assignment or engagement risk. It is focused on the financial statements of the business.
This is the auditor’s main focus.
Inherent risk is the susceptibility of an account balance or class of transactions to material
misstatement, irrespective of related internal controls. It may be due to the characteristics of
those items such as the fact they are estimates, complex calculations or that they are
important items in the accounts. Auditors use their professional judgment and their
understanding of the client company to assess the inherent risk.
Control risk is the risk that the client’s controls fail to prevent, detect and/or correct material
misstatements. There will always be an element of control risk due to the inherent limitations
of internal controls.
Detection risk is the risk that the audit procedures applied by the auditor will fail to detect
material misstatements. There are limitations to the audit process and detection risk relates to
the inability of auditors to examine all evidence. As a result, some detection risk always
exists. Auditors may fail to detect misstatements for a number of reasons including selecting
inappropriate audit procedures, incorrectly applying an appropriate procedure or simply
misinterpreting the results of testing.
The auditor’s assessment of inherent and control risk will influence the nature, timing and
extent of the substantive procedures which are required to reduce the detection risk and
hence, audit risk.
Examples of risk factors affecting client:
Integrity and attitude to risk of management - Problems can be caused where there is
domination by a single individual.
A lack of management experience and knowledge can affect the quality of financial
management.
Unusual pressures on management can lead to tight reporting deadlines or market or
financing expectations.
The nature of the business can lead to potential problems such as technological
obsolescence or over-dependence on single products.
Industry factors such as competitive conditions, regulatory requirements, technology
developments.
IT problems include lack of supporting documentation, expertise heavily dependent on
a few people and potential risk of unauthorised access to systems.
Examples of risk factors affecting account balances or transactions:
Areas which require prior year adjustments or require high level of estimation,
Where expert valuations are required due to complex issues,
Account balances such as cash, stock, portable assets which are prone to fraud,
The existence of high volume transactions where systems may be unable to cope,
Unusual transactions,
Major changes in staff or low morale issues.
Business risk arises in the operations of a business. It is split into three distinct types:
Financial risk - arising from financial activities or financial consequences such as cash
flow issues, overtrading, going concern, breakdown of accounting systems, credit risk and
currency risk.
Operational risks arise with regard to the operations of the business such as risk of losing
a major supplier, physical disasters, loss of key personnel and poor brand management.
Compliance risks arise from non-compliance with laws and regulations within which the
company operates or environmental issues.
Relationship between risks
Initially, it would appear that audit risk and business risk are unrelated, as audit risks are
limited only to the financial statements. However, business risks include all risks facing the
business and this includes inherent risks and control risks, which form part of the audit risk.
Although audit risk is very financial statement focused, business risk does form part of the
inherent risk associated with the financial statements, because if such risks materialise, then
the whole going concern basis of the business could be affected and this has major
implications for the financial statements.
IMPACT OF RISK
AR = IR * CR * DR (audit risk = inherent risk * control risk * detection risk)
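Worked illustration of the model AR = IR * CR * DR (added here; the percentages are constructed for illustration and do not come from the manual). The auditor sets the acceptable audit risk and assesses inherent and control risk, so detection risk is the term that the nature, timing and extent of substantive procedures must deliver:

DR = AR / (IR * CR)

With AR = 5%, IR = 80% and CR = 50%:
DR = 0.05 / (0.80 * 0.50) = 0.125, i.e. 12.5%

If the controls cannot be relied on at all, so that CR = 100%:
DR = 0.05 / (0.80 * 1.00) = 0.0625, i.e. 6.25%

The acceptable detection risk halves, so more extensive substantive testing is needed to hold audit risk at the same level.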
C. AUDIT STRATEGIES
The risk approach
Risk is a key issue in any audit and the most common approach to carrying out an audit
incorporates recognition of those risks. This is called the risk-based approach.
There are other approaches and other techniques and the risk based approach is used in
conjunction with these other approaches.
Auditors apply judgment to determine what level of risk pertains to different areas of a
client’s system and devise appropriate audit tests. Risk-based auditing ensures that the
greatest effort is directed at those areas of the financial statements that are most likely to be
misstated. The chance of detecting errors is therefore improved and time is not wasted on
testing safe areas.
For example, in a small manufacturing company, an auditor will need to do more work on
inventory than say land & buildings. Inventory can be a complex area, with probably a
significant number of line items and there is the risk of obsolete stock.
Why is risk-based auditing increasingly used?
Growing complexity of the business environment, such as advanced computer systems
and the globalisation of business, increases the risk of fraud or misstatement.
Pressure on auditors to keep fees down but improve the level of service.
ISA 315 requires that auditors consider the entity’s process for assessing its own business
risks. They must consider the factors that lead to the problems which may cause material
misstatements and what the audit can contribute to the business pursuing its goals.
The risk analysis stage is a very important part of the planning of an audit as it allows the
auditor to:
Identify the main areas where possible errors might occur,
Plan the work to address any of these possible errors,
Uncover errors as early as possible during the audit process,
Carry out the audit as efficiently as possible,
Reduce the risk of an incorrect audit opinion,
Reduce the risk of litigation.
The risk based approach will affect:
How the audits are planned,
The nature of the audit evidence to be gathered by the auditor,
The nature of the procedures that need to be carried out by the auditor,
The amount of evidence that needs to be gathered.
The business risk approach was developed because it was believed that in some instances
the risk of misstatement arises mainly from the business risks of the company.
This business approach tries to mirror the risk management steps that have been taken by the
directors. It is also known as the top down approach in that it starts at the objectives of the
company and works down to the financial statements, rather than working up from the
financial statements which has been the historical approach to auditing.
Controls testing is aimed at high level controls and substantive testing is reduced.
Principal risks include:
Economic pressures causing reduced sales and eroding margins,
Demands for extended credit,
Product quality issues re inadequate control over supply chain etc.,
Customer dissatisfaction re order requirements and invoicing errors etc.,
Unacceptable service response calls,
Out of date IT systems.
These risks can impact on inventory values, receivables recoverable, provisions and
contingencies and going concern.
The effect of the top down approach is that the auditor pays more attention to high level
controls such as the control environment and corporate governance than the traditional
approaches. In addition, analytical review procedures are used more extensively as the
auditor is keen to understand the business more clearly. The combination of the above two
factors will result in reduced substantive detailed testing, although it is not eliminated
completely.
Business risk approach advantages:
There is added value given to clients as the approach focuses on the business as a
whole rather than just the financial statements.
Where audit attention is focused on high levels of controls and use of analytical
procedures, there is increased audit efficiency.
There is no need to focus on routine processes where technological developments
have rendered them less prone to error than in previous times.
The approach responds to corporate governance issues in recent years.
There is a lower engagement risk through a better understanding of the client’s
business.
Systems and controls
This approach is always used in conjunction with other approaches as substantive testing can
never be eliminated completely.
Management is required to institute a system of controls which is capable of safeguarding the
assets of the shareholders. Auditors assess the controls put in place by directors and ascertain
whether they are effective and can be relied on for the purposes of the audit. They carry out
tests to ensure that the systems operate as they are supposed to. If the controls are
ineffective, the control risk is high and it is important to undertake higher levels of
substantive testing.
Cycles and transactions
An auditor may choose to carry out substantive tests on the transactions of the business in the
relevant period. Cycles testing is closely linked to systems testing, as it is based on the same
systems. However, with the cycles approach, the auditors test the transactions which have
occurred, resulting in the entries in the books, such as sales transactions, purchases, expenses
etc. The auditor substantiates the transactions which appear in the financial statements.
A sample of transactions is selected and each transaction is tested to ensure that the
transaction is complete and is processed correctly through the complete cycle.
Balance Sheet approach
An auditor may choose to carry out substantive tests on the year end balances. This is the
most common approach to substantive testing after controls have been tested.
The balance sheet shows a snapshot of the financial position. If it is fairly stated and the
previous year’s figures were also fairly stated, then it is reasonable to undertake lower level
testing on the profit and loss transactions e.g. analytical review.
There is a relationship with the business risk approach. The element of substantive testing
which remains in a business risk approach can be undertaken in this approach.
In some cases, most notably small companies, the business risks may be strongly linked to
management concentration in one person, and/or balance sheets may be uncomplicated. In
these cases, it is probably more cost effective to undertake a highly substantive balance sheet
audit rather than to undertake a business risk assessment.
It should be noted though, that when not undertaken in conjunction with a risk based
approach or systems testing, the level of detailed testing required can be high in a balance
sheet approach making it very costly.
Directional testing
Directional testing is a method of discovering errors and omissions in the financial statements
through undertaking detailed substantive testing. It can be broken down into two categories,
tests to discover errors and tests to discover omissions.
Checking entries from the books back to supporting documentation should help to detect
errors causing an overstatement or an understatement. For example, selecting sales
transactions from the sales ledger and tracing them back to sales invoices and price lists to
ensure that sales are priced correctly.
To discover omissions the auditor must start from outside the accounting records and trace
through to the records in the books. For example, to check the completeness of purchases,
select a number of GRNs and check through to the stock records and the purchase ledger.
Directional testing is appropriate when testing the financial statement assertions of existence,
completeness, rights & obligations, and valuation.
The concept of directional testing derives from the principle of double entry bookkeeping.
Therefore any misstatement of a debit entry will result in either a corresponding misstatement
of a credit entry or a misstatement in the opposite direction of another debit entry.
A test for an overstatement of an asset also gives comfort on understatement of other assets,
overstatement of liabilities, overstatement of income and understatement of expenses. In
other words by performing tests, the auditor obtains audit assurance in other audit areas.
A major advantage of this approach is its cost-effectiveness. Assets and expenses are tested
for overstatement only, while liabilities and income for understatement only. Directional
testing is particularly useful when there is a high level of detailed testing to be carried out,
such as when the auditors have assessed the controls and accounting systems and have found
them to be ineffective.
Auditing around the computer
The auditor is primarily interested in verifying that the data are being correctly input and
processed by the computer.
Audit activity is focused on ensuring that the source documentation is processed correctly
and the auditor would verify this by checking the output documentation.
What happens within the computer itself is ignored.
However, there are issues with a lack of a paper trail and it is not practical for large company
audits.
Auditing through the computer system
The auditor performs tests on the computer and its software to evaluate if they are both
effective.
If the auditor finds that the computerised controls and systems are effective, the auditor will
perform reduced substantive testing.
This is likely to involve the use of computer assisted auditing techniques (CAATs).
The use of a computer as an audit tool or the use of CAATs may improve the efficiency and
effectiveness of audit procedures.
It is particularly of use in tests of numerous details of transactions and balances.
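The two directions of testing described under Directional testing, run as a simple computer assisted auditing technique over a full population of records. This is an added example, not part of the study manual; the records, reference numbers, prices and function names are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data (illustrative only, not taken from the manual).
GRNS = ["GRN-101", "GRN-102", "GRN-103"]            # goods received notes (source documents)
STOCK_RECORDS = {"GRN-101", "GRN-102", "GRN-103"}   # GRN references posted to stock
PURCHASE_LEDGER = {"GRN-101", "GRN-103"}            # GRN references posted to the ledger

PRICE_LIST = {"WIDGET": Decimal("25.00"), "GASKET": Decimal("4.50")}
SALES_INVOICES = {
    "INV-9001": {"item": "WIDGET", "qty": 10, "amount": Decimal("250.00")},
    "INV-9002": {"item": "GASKET", "qty": 100, "amount": Decimal("540.00")},
}
SALES_LEDGER = [
    {"entry": "SL-1", "invoice": "INV-9001", "amount": Decimal("250.00")},
    {"entry": "SL-2", "invoice": "INV-9002", "amount": Decimal("540.00")},
    {"entry": "SL-3", "invoice": "INV-9003", "amount": Decimal("75.00")},
]


def find_omissions(source_refs, records):
    """Test for omissions: start outside the accounting records and trace
    each source document into every set of records.

    Returns {source reference: [names of the records it is missing from]}.
    """
    exceptions = {}
    for ref in source_refs:
        missing = [name for name, refs in records.items() if ref not in refs]
        if missing:
            exceptions[ref] = missing
    return exceptions


def find_errors(ledger, invoices, price_list):
    """Test for errors: start from the entries in the books and trace each
    one back to its supporting invoice and to the price list.

    Returns a list of (ledger entry, reason) exceptions.
    """
    exceptions = []
    for row in ledger:
        invoice = invoices.get(row["invoice"])
        if invoice is None:
            exceptions.append((row["entry"], "no supporting invoice"))
            continue
        if invoice["amount"] != row["amount"]:
            exceptions.append((row["entry"], "ledger differs from invoice"))
        unit_price = price_list.get(invoice["item"])
        if unit_price is None:
            exceptions.append((row["entry"], "item not on price list"))
            continue
        expected = unit_price * invoice["qty"]
        if invoice["amount"] != expected:
            exceptions.append(
                (row["entry"],
                 f"priced at {invoice['amount']}, price list gives {expected}")
            )
    return exceptions


if __name__ == "__main__":
    print("Omissions (GRN -> records):")
    omissions = find_omissions(
        GRNS, {"stock records": STOCK_RECORDS, "purchase ledger": PURCHASE_LEDGER}
    )
    for ref, missing in omissions.items():
        print(f"  {ref}: not found in {', '.join(missing)}")
    print("Errors (sales ledger -> invoice and price list):")
    for entry, reason in find_errors(SALES_LEDGER, SALES_INVOICES, PRICE_LIST):
        print(f"  {entry}: {reason}")
```

Each exception is a lead for the auditor to follow up with the client, not a conclusion that the financial statements are misstated.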
General
When seeking to identify an appropriate strategy for a particular audit, it is important to
remember that the approaches are linked and in some cases it is wise to use two or more.
Directional testing with balance sheet approach as they are both substantive testing
issues.
Risk and cycles based approach with low level of large transactions.
Risk and balance sheet approach where there are substantial numbers of sales
transactions with substantial receivables.
D. KNOWLEDGE OF THE ENTITY AND ITS ENVIRONMENT
ISA 315 Understanding the entity and its environment and assessing the risks of material
misstatement establishes standards and guidance on obtaining an understanding of the entity
and its environment including its internal control, and on assessing the risks of material
misstatement in a financial statement audit.
Why do we need an understanding of an entity?
Helps identify risks of material misstatements.
Helps auditor to design and perform relevant audit procedures.
Helps auditor in the exercise of judgement where necessary.
How do we obtain understanding?
Performing risk assessment procedures such as inquiries of management and others
within the entity, analytical procedures, and observation and inspection.
Determining whether changes have occurred that may affect the relevance of
information, obtained in prior periods, in the current audit.
Ensuring that members of the engagement team discuss the susceptibility of the
entity’s financial statements to material misstatements.
What do we need to understand?
Obtain an understanding of the entity and its environment, including its internal
control. This understanding should be sufficient to identify and assess the risks of
material misstatement of the financial statements whether due to fraud or error, and it
should be sufficient to design and perform further audit procedures.
Obtain an understanding of relevant industry, regulatory and other external factors
including the applicable financial reporting framework.
Obtain an understanding of the nature of the entity, such as its operations, ownership,
governance, types of investments it is making, structure and financing.
Obtain an understanding of the entity’s selection and application of accounting policies
and consider whether they are appropriate for its business and consistent with the
applicable financial reporting framework and accounting policies used in the relevant
industry.
Obtain an understanding of the entity’s objectives and strategies, and the related
business risks that may result in material misstatements of the financial statements.
Obtain an understanding of the measurement and review of the entity’s financial
performance such as internal management information (budgets, variance analysis,
department reports) and external information (analyst’s reports and credit rating agency
reports). When the auditor intends to make use of the performance measures, he should
consider whether the information provides a reliable basis and is sufficiently precise for
such a purpose.
Obtain an understanding of internal control relevant to the audit. This involves
evaluating the design of a control and determining whether it has been implemented.
Not all controls are relevant to the auditor’s risk assessment.
Obtain an understanding of the control environment. The control environment sets
the tone of an organisation, influencing the control consciousness of its people. It is the
foundation for effective internal control, providing discipline and structure.
Obtain an understanding of the entity’s process for identifying business risks relevant to
financial reporting objectives and deciding about actions to address those risks, and the
results thereof.
Obtain a sufficient understanding of control activities to assess the risks of material
misstatements and to design further audit procedures responsive to assessed risks.
Examples of specific control activities include authorisation, performance reviews,
information processing, physical controls and segregation of duties.
Risk assessment procedures
The auditor may consider making inquiries of the entity’s legal counsel or of valuation
experts. Reviewing information obtained from external sources such as reports by analysts,
banks or other rating agencies, trade and economic journals may also be useful in obtaining
information about the entity.
Although much of the information can be obtained from management and those responsible
for financial reporting, inquiries of others such as production and internal audit personnel
may be useful in providing a different perspective in identifying risks of material
misstatements.
Observation and inspection may support inquiries of management. Such audit procedures
include:
Observation of activities and operations,
Inspection of documents and records,
Reading reports prepared by management,
Visits to premises and plant facilities,
Carrying out walk-through tests.
Controls relevant to the audit
Ordinarily, controls that are relevant to an audit pertain to the objective of preparing financial
statements. Controls over the completeness and accuracy of information may also be relevant
if the auditor intends to make use of the information in designing and performing further
procedures. Controls relating to operations and compliance objectives may be relevant if
they pertain to data the auditor evaluates or uses in applying audit procedures.
Information systems
The auditor should obtain an understanding of the information systems, including the
business processes relevant to financial reporting and in the following areas:
The classes of transactions in the entity’s operations that are significant to the financial
statements;
The procedures, within both IT and manual systems, by which those transactions are
initiated, recorded, processed and reported in the financial statements;
The related accounting records, whether electronic or manual, supporting information,
and specific accounts in the financial statements, in respect of initiating, recording,
processing and reporting transactions;
How the information systems capture events and conditions, other than classes of
transactions, that are significant to the financial statements;
The financial reporting processes used to prepare the entity’s financial statements,
including significant accounting estimates and disclosures.
Assessing the risks of material misstatement
The auditor should:
Identify risks throughout the process,
Relate the risk to what can go wrong at the assertion level,
Consider whether the risks are of a magnitude that could result in a material
misstatement in the financial statements,
Consider the likelihood that the risks could result in a material misstatement of the
financial statements.
Appendix 1 of ISA 315 provides additional guidance on understanding the entity and its
environment.
Appendix 2 lays out conditions and events that may indicate risks of material misstatement.
E. RESPONSE TO ASSESSED RISKS OF MATERIAL
MISSTATEMENT
ISA 330 The auditor’s procedures in response to assessed risks establishes standards and
provides guidance on determining overall responses and designing and performing further
audit procedures to respond to the assessed risks of material misstatements.
The standard requires the auditor to determine overall responses to address risks of material
misstatement at the financial statement level and provides guidance on the nature of those
responses.
The auditor is required to design and perform further audit procedures, including tests of
the operating effectiveness of controls, when relevant or required, and substantive
procedures, whose nature, timing, and extent are responsive to the assessed risks of material
misstatement at the assertion level. In addition, this section includes matters the auditor
considers in determining the nature, timing, and extent of such audit procedures.
The auditor is required to evaluate whether the risk assessment remains appropriate and to
conclude whether sufficient appropriate audit evidence has been obtained.
The standard establishes related documentation requirements.
In order to reduce the audit risk to an acceptably low level, the auditor should determine
overall responses to assessed risks at the financial statement level.
Overall responses may include:
Emphasising to the audit team the need to maintain professional scepticism,
Assigning more experienced staff or hiring expert help when needed,
Providing more supervision,
Incorporating additional elements of unpredictability in the selection of further audit
procedures to be performed,
Making changes to the nature, timing, or extent of audit procedures.
The assessment of the risk of material misstatement is affected by the auditor’s understanding
of the control environment. An effective control environment may allow an auditor to have
more confidence in internal control and the reliability of audit evidence generated internally
within the entity.
If there are weaknesses in the control environment, the auditor:
conducts more procedures as of the period end rather than an interim date,
seeks more extensive audit evidence from substantive procedures,
modifies the nature of procedures to obtain more persuasive audit evidence,
increases the number of locations to be included in the audit scope.
The evaluation of the control environment will help the auditor determine whether there
should be a substantive or a combined approach (tests of controls and substantive
procedures).
In designing further audit procedures, the auditor should consider:
the significance of the risk,
the likelihood that a material misstatement will occur,
the characteristics of the class of transactions or account balances,
the nature of specific controls and whether they are manual or automated,
whether the auditor expects to obtain evidence to determine if controls are effective in
preventing, or detecting and correcting material misstatements.
The nature of further audit procedures refers to their:
Purpose - Tests of controls or substantive procedures;
Type - Inspection, observation, inquiry, confirmation, recalculation, re-performance,
analytical procedures.
Certain audit procedures may be more appropriate for some assertions. The selection of the
procedure is based on the assessment of risk. The higher the risk, the more reliable and
relevant must be the audit evidence from substantive tests.
The auditor may perform audit procedures at an interim date or at period end (timing). The
higher the risk, the more likely the auditor will perform substantive tests nearer to or at the
period end. Certain audit procedures can only be performed at or after the period end, such
as agreeing the financial statements to the accounting records and examining adjustments
made during the course of preparing the financial statements.
The extent (sample size or number of observations) is determined by the judgement of the
auditor after considering:
Materiality,
Assessed risk,
Degree of assurance required.
The auditor is required to perform tests of controls when the auditor relies on the
effectiveness of controls or when substantive tests alone do not provide sufficient appropriate
audit evidence.
Irrespective of the assessed risk of material misstatements, the auditor should design and
perform substantive tests for each material class of transaction, account balance and
disclosure. Remember, an auditor’s assessment of risk is judgemental and there are inherent
limitations to internal control.
The auditor’s substantive procedures should include the following related to the financial
statement closing process:
Agreeing the financial statements to the underlying accounting records and
Examining material journal entries and other adjustments made during the course of
preparing the financial statements.
Where an auditor determines that an assessed risk at the assertion level is a significant risk,
he should perform substantive procedures that are specific to that risk.
The auditor should perform audit procedures to evaluate whether the overall presentation of
the financial statements, including the related disclosures, is in accordance with the
applicable financial reporting framework.
Based on the audit procedures performed and the audit evidence obtained, the auditor should
evaluate whether the assessments of the risks at the assertion level remain appropriate.
He should conclude whether sufficient appropriate audit evidence has been obtained to
reduce to an acceptably low level the risk of material misstatement in the financial
statements.
Where it is not sufficient and the auditor is unable to obtain further evidence, he should
express a qualified opinion or a disclaimer of opinion.
Finally, the auditor should document the overall responses to address the risks and the
nature, timing and extent of the further audit procedures and the results thereof. In addition,
where there is reliance on controls, the auditor should document the conclusions reached with
regard to relying on such controls that were tested.
General planning matters
When planning an audit you also need to consider some administrative matters:
Staffing
Have the staff got the correct level of qualifications and experience? Do they have specialist
skills that may be required? What about the staff’s relationships amongst themselves and with
client staff? Are staff available, and what about travel arrangements?
Client management
Continuity of staff is often important to client companies. Also, consistency of staff may
help audit efficiency.
Location of audit
Need to consider the distance for audit staff to travel, the staff’s mobility and the location of
the review by the manager. Multiple locations often require a decision as to which locations
should be visited, the allocation of your staff to these locations and managing the visits to
each selected site.
Deadlines
Key deadlines are stock-counts, date of draft accounts available, main audit visit, audit
manager review, partner review, audit clearance meeting, audit report to be signed and date
of the Annual Meeting. It is important to plan the work so that these deadlines can be
achieved.
Use of IT
Need to consider whether the client has a computerised system and whether the auditor will
use CAATs. Will the auditor use computers to complete the working papers and
communicate with the partner?
Time budgets
These are an important part of planning. Times should be estimated accurately and
communicated to the audit team. The audit team should record variances from the budget for
planning purposes for the next audit.
Audit Evidence
The purpose of ISA 500 is to establish standards and provide guidance on what constitutes
audit evidence in an audit of financial statements, the quantity and quality of audit evidence
to be obtained, and the audit procedures that auditors use for obtaining that audit evidence.
In order to form an opinion, an auditor must obtain evidence. This evidence should be
sufficient, relevant and reliable. The auditor designs substantive procedures to obtain this
evidence about the financial statement assertions.
By approving the financial statements, the directors are making representations about the
information therein. These assertions may fall into the following categories:
(a) Assertions about classes of transactions and events for the period under audit:
Occurrence—transactions and events that have been recorded have occurred and
pertain to the entity.
Completeness—all transactions and events that should have been recorded have
been recorded.
Accuracy—amounts and other data relating to recorded transactions and events
have been recorded appropriately.
Cut-off—transactions and events have been recorded in the correct accounting
period.
Classification—transactions and events have been recorded in the proper accounts.
(b) Assertions about account balances at the period end:
Existence—assets and liabilities exist.
Completeness—all assets and liabilities that should have been recorded have been
recorded.
Rights and obligations—the entity holds or controls the rights to assets, and
liabilities are the obligations of the entity.
Valuation and allocation—assets and liabilities are included in the financial
statements at appropriate amounts.
(c) Assertions about presentation and disclosure:
Occurrence and rights and obligations—disclosed events, transactions, and other
matters have occurred and pertain to the entity.
Completeness—all disclosures that should have been included in the financial
statements have been included.
Classification and understanding—financial information is appropriately presented
and described, and disclosures are clearly expressed.
Accuracy and valuation—financial and other information are disclosed fairly and
at appropriate amounts.
Procedures used by auditors to obtain evidence
Inspection of tangible assets
Inspection confirms existence and valuation and gives evidence of completion. It does
not however confirm rights and obligations.
Inspection of documents and records
Confirmation of documentation confirms existence of an asset or that a transaction has
occurred. Confirmation that items are in the books shows completeness. Also helps
testing cut-off. It provides evidence of valuation, measurement, rights and obligations
and presentation and disclosure.
Observation
This procedure is of limited use in that it only confirms that a procedure took place
when it was observed.
Inquiry and confirmation
Information sought from client or external sources. The strength of the evidence
depends on knowledge and integrity of the source of the information.
Recalculation and Re-Performance
Checking calculations of client records.
Audit automation tools
Such as computer assisted auditing techniques.
Analytical procedures
Sufficient and appropriate
Sufficiency is the measure of the quantity of the evidence, while the appropriateness is the
measure of the quality (reliability & relevance) of the evidence. This applies to both tests of
controls and substantive procedures.
An auditor’s judgment as to what is sufficient appropriate evidence is influenced by the
following factors:
Risk assessment, is it low or high?
The nature of the accounting and internal control systems,
The materiality of the item being examined,
The experience gained during previous audits,
The auditors’ knowledge of the business and industry,
The results of audit procedures,
The source and reliability of the information available.
Appropriate - relevance
The relevance of audit evidence should be considered in relation to the overall objective of
forming an audit opinion and reporting on the financial statements. The evidence should
allow the auditor to conclude on the following:
Balance sheet items
Are there suitable completeness, existence, ownership, valuation and disclosure issues?
Profit and loss items
Are there suitable completeness, occurrence, valuation and disclosure issues?
Appropriate - reliable
Reliability of audit evidence depends on the particular circumstances of each case. However,
the following should be considered:
Documentary evidence is more reliable than oral evidence,
Evidence from external independent sources is generally more reliable than that within an
entity,
Evidence from the auditor by such means as analysis and physical inspection is more
reliable than evidence obtained by others.
Sufficiency
The auditor needs to obtain sufficient, relevant and reliable evidence to form a reasonable
basis for his opinion on the financial statements. His judgement of sufficiency will be
influenced by such factors as:
His knowledge of the business and its environment,
The risk of misstatement,
The quality of the evidence.
However, merely obtaining more audit evidence may not compensate for its poor quality.
F. DOCUMENTATION
Audit planning memo
An audit plan is the formulation of the general strategy for the audit, which sets out the
direction for the audit, describes the expected scope and conduct of the audit and provides
guidance for the development of the audit programme. This plan is in the form of a written
document. Included will be:
The discussion among the audit team concerning the susceptibility of the financial
statements to material misstatements including any key decisions reached;
Key elements of the understanding gained of the entity;
The identified and assessed risks of material misstatement;
Significant risks identified and related controls evaluated;
The overall responses to address the risks of material misstatements;
The nature, extent and timing of further audit procedures linked to the assessed risks
at the assertion level;
If the auditors have relied on evidence about the effectiveness of controls from
previous audits, conclusions about how this is appropriate.
Example of an outline audit plan
Initial visit
This visit is essential in building up a background about the client company in order to assist
in the detailed planning of the audit.
The auditor will use techniques such as inquiry, observation and review of documentation in
order to understand details about the company such as:
The development and past history,
The nature of the environment in which it operates,
Products and processes,
Organisational plans,
Accounting and internal controls in operation,
The maintenance of accounting records.
In respect of the internal controls, it would be expected to carry out walkthrough tests to
confirm the operation of the controls as described. If this is an existing client, the visit may
simply take the form of a phone call or brief meeting to establish any changes since the
previous audit in respect of the company’s operations or environment.
Interim Visit
Ideally this visit should take place close to the year end. The purpose of this visit is to carry
out detailed tests on the client’s accounting and internal controls with a view to establishing
those controls on which you can rely. Where controls are operating effectively, restricted
substantive procedures need only be carried out. Where controls are ineffective in practice,
more extensive substantive tests will need to be carried out. At this stage, if any weaknesses
in controls have been noted, it may be appropriate to draft a letter to the client management.
Final Visit
This visit will take place after the accounting year end. On this visit, the detailed substantive
procedures will be carried out in order to substantiate the figures in the accounting records
and subsequently, the financial statements. After an overall review of the financial
statements, the auditor will be able to assess whether sufficient and appropriate evidence has
been obtained in order to draw reasonable conclusions so that an opinion can be expressed on
the financial statements.
Examples of the work to be carried out would include:
Discussion with management of known risk areas,
Attendance at stock count,
Verification of assets/liabilities and income/expenditure,
Follow up on outstanding interim audit issues,
Review of post balance sheet events,
Seek and obtain representations from management,
Review financial statements,
Draft an audit report.
Audit programme
An audit programme is a set of written instructions to the audit team that sets out the audit
procedures the auditor intends to adopt and may include references to other matters such as
the audit objectives, timing, sample size and basis of selection for each area. It also serves as
a means to control and record the proper execution of the work.
Working Papers
All evidence obtained during an audit should be documented. Working papers are the
property of the auditor. The auditor’s working papers are the evidence of all the work done
which supports his audit opinion. In addition, it provides evidence that the audit was carried
out in accordance with the standards and other regulatory requirements. Furthermore, it helps
in the planning, performance, supervision and subsequent review of the audit.
Working papers should be reviewed by more senior members of staff before an audit
conclusion is reached. The review should consider whether:
The work has been performed in line with the detailed audit programmes,
The work performed and the results thereof have been adequately documented,
Any significant matters have been resolved or are reflected in the audit opinion,
The objectives of the audit procedures have been achieved,
The conclusions expressed are consistent with the results of the work performed and
support the opinion of the auditor.
For recurring audits, working papers may be split into a permanent audit file and a current
audit file.
Audit working papers should be retained for a period of at least 7 years.
G. AUDIT SUPERVISION AND REVIEW
Auditing standards stress the importance of quality control, both at the audit firm level and
the audit engagement level.
[Figure: Quality control at the firm level (ISQC1) and the engagement level (ISA 220). Labels in the figure: Leadership, Ethics, Client relationships, Human resources, Engagement performance, Monitoring, Planning, Supervision, Review.]
ISQC1 Quality Control for firms that perform audits and reviews of historical financial
information, and other assurance and related services engagements helps audit firms
establish quality standards for their own business, while ISA 220 Quality Control for audits
of historical financial information requires firms to implement quality control procedures
over individual audit assignments.
Quality control at audit engagement level
Engagement performance
ISA 220.21 states that the engagement partner should take responsibility for the direction,
supervision and performance of the audit engagement in compliance with professional
standards and regulatory and legal requirements, and for the auditor’s report that is issued to
be appropriate in the circumstances.
The audit engagement can be directed by informing members of the team of:
Their responsibilities such as maintaining an objective state of mind, an appropriate
level of professional scepticism and performing the work in accordance with due care,
The nature of the entity’s business,
Risk related issues,
Problems that may arise,
The detailed approach to the performance of the engagement.
Supervision includes:
Tracking the progress of the engagement,
Considering the capabilities and competence of members of the team, whether they
have sufficient time, that they understand their instructions, and whether the work is
being carried out in accordance with the planned approach;
Addressing significant issues as they arise, considering their significance and
modifying the planned approach appropriately;
Identifying matters for consultation by more experienced engagement team members
during the engagement. This is done not just by the partner, but by all members of staff
at different levels.
Review responsibilities are determined on the basis that the more experienced members of
the audit engagement review work performed by less experienced persons. The reviewers
consider whether:
The work has been performed in accordance with professional standards,
Significant matters have been raised for further consultation,
Appropriate consultations have taken place and the consultations have been
documented and implemented,
There is a need to revise the nature, timing and extent of the work performed,
The work performed supports the conclusions reached and is appropriately
documented,
The evidence obtained is sufficient and appropriate to support the auditor’s report,
The objectives of the audit engagement procedures have been achieved.
Before the auditor’s report is issued, the engagement partner, through review of the audit
documentation and discussion with the engagement team, should be satisfied that sufficient
appropriate audit evidence has been obtained to support the conclusions reached and for the
audit report to be issued.
Quality control review
For audits of financial statements of listed companies, the engagement partner should:
Appoint a quality control reviewer,
Discuss significant matters with the reviewer which have arisen,
Not issue the audit report until completion of the review.
UNIT 6 INTERNAL CONTROL ASSESSING CONTROL RISK & TESTS OF CONTROL
Study Unit 6
Internal Control Assessing Control Risk & Tests of
Control
Contents
A. Internal Control
B. Information Systems, Including the Related Business Processes,
Relevant to Financial Reporting and Communication
C. Control Activities
D. Assessing the Risk of Material Misstatement
E. Tests of Control
F. Assessment of impact on audit strategy
G. The recording of control systems
H. Audit Programmes
INTERNAL CONTROL - ASSESSING CONTROL RISK AND TESTS
OF CONTROLS
A. INTERNAL CONTROL
Definition and components
ISA 315 defines internal control as the process designed and implemented by those charged
with governance to provide reasonable assurance about the achievement of the entity’s
objectives.
Internal control consists of the following components:
1. The control environment,
2. The entity’s risk assessment process,
3. The information system,
4. Control activities,
5. Monitoring of controls.
Responsibilities - Management
The management team of a company is responsible for achieving an entity’s objectives such
as:
The reliability of financial reporting,
The effectiveness and efficiency of operations and
Compliance with applicable laws and regulation.
Good corporate governance dictates the existence of a sound system of internal control. It
follows therefore that internal controls should be designed and implemented to address
business risks that threaten the achievement of an entity’s objectives.
An entity’s systems collect and summarise data that are used to produce financial
information. An effective system of internal control will help management manage the
business effectively, produce timely and accurate information, safeguard the assets of a
company and prevent and detect fraud.
Responsibilities - Auditors
Control risk is an element of audit risk. Control risk exists where the client’s controls fail to
prevent, detect and/or correct material misstatements.
Therefore, auditors need to assess the controls put in place by management and ascertain
whether they are effective and can be relied upon for the purposes of the audit. The auditor’s
primary consideration is whether a specific control prevents, detects or corrects material
misstatements. The auditor carries out tests to ensure that the systems operate as they are
supposed to. If the controls are ineffective, the control risk is high and it is likely that it will
be necessary to undertake higher levels of substantive testing.
Gaining an understanding of internal control
ISA 315 states that the auditor should obtain an understanding of internal controls relevant to
the audit. The auditor uses this understanding to identify types of potential misstatements
and to help design the nature, timing and extent of further audit procedures.
The way in which internal control is designed and implemented will vary with an entity’s size
and complexity. Smaller entities may use less formal means and simpler processes and
procedures to achieve their objectives.
In obtaining an understanding of internal control, the auditor must gain an understanding of
the:
Design of the internal control:
It should be capable of preventing, detecting or correcting material misstatements;
Implementation of that control:
It should be operating correctly throughout the period in question.
Risk assessment procedures to obtain audit evidence about the design and implementation of
relevant controls may include:
Inquiring of personnel,
Observing the application of specific controls,
Inspecting documents and reports,
Tracing transactions through the information system.
Control environment
The control environment includes the governance and management functions and the
attitudes, awareness and actions of those charged with governance and management
concerning the entity’s internal control. The control environment sets the tone of an
organisation, influencing the control consciousness of its people. It is the foundation for
effective internal control, providing discipline and structure. The control environment is
heavily influenced by management.
In evaluating the design of the control environment the auditor considers the following
elements:
(a) Communication and enforcement of integrity and ethical values: essential elements
which influence the effectiveness of the design, administration and monitoring of
controls.
(b) Commitment to competence: management's consideration of the competence levels
for particular jobs and how those levels translate into requisite skills and knowledge.
(c) Participation by those charged with governance: independence from management,
their experience and stature, the extent of their involvement and scrutiny of activities, the
information they receive, the degree to which difficult questions are raised and pursued
with management and their interaction with internal and external auditors.
(d) Management's philosophy and operating style: management's approach to taking and
managing business risks, and management's attitudes and actions toward financial
reporting, information processing and accounting functions and personnel.
(e) Organisational structure: the framework within which an entity's activities for
achieving its objectives are planned, executed, controlled and reviewed.
(f) Assignment of authority and responsibility: how authority and responsibility for
operating activities are assigned and how reporting relationships and authorisation
hierarchies are established.
(g) Human resource policies and practices: recruitment, orientation, training, evaluating,
counselling, promoting, compensating and remedial actions.
The existence of a satisfactory control environment can be a positive factor when the auditor
assesses the risks of material misstatement and influences the nature, timing, and extent of the
auditor's further procedures. Conversely, weaknesses in the control environment may
undermine the effectiveness of controls and, therefore, become negative factors in the
auditor's assessment of the risks of material misstatement, in particular in relation to fraud.
The Entity's Risk Assessment Process
The auditor should obtain an understanding of the entity's process for identifying business
risks relevant to financial reporting objectives and deciding about actions to address those
risks, and the results thereof. The process forms the basis for how management determines
the risks to be managed.
In evaluating the design and implementation of the entity's risk assessment process, the
auditor determines how management:
Identifies business risks relevant to financial reporting,
Estimates the significance of the risks,
Assesses the likelihood of their occurrence and
Decides upon actions to manage them.
If the entity's risk assessment process is appropriate to the circumstances, it assists the
auditor in identifying risks of material misstatement.
B. Information Systems, Including the Related Business Processes,
Relevant to Financial Reporting and Communication
The information system relevant to financial reporting objectives, which includes the
accounting system, consists of the procedures and records established to initiate, record,
process, and report entity transactions (as well as events and conditions) and to maintain
accountability for the related assets, liabilities, and equity.
The auditor should obtain an understanding of the information system, including the
following areas:
The classes of transactions in the entity's operations that are significant to the financial
statements.
The procedures, within both IT and manual systems, by which those transactions are
initiated, recorded, processed and reported in the financial statements.
The related accounting records, whether electronic or manual, supporting information,
and specific accounts in the financial statements, in respect of initiating, recording,
processing and reporting transactions.
How the information system captures events and conditions, other than classes of
transactions that are significant to the financial statements.
The financial reporting process used to prepare the entity's financial statements,
including significant accounting estimates and disclosures.
C. Control Activities
The auditor should obtain a sufficient understanding of control activities to assess the risks
of material misstatement at the assertion level and to design further audit procedures
responsive to assessed risks.
Control activities are the policies and procedures that help
ensure that management directives are carried out.
Examples of specific control activities include those relating to the following:
Authorisation.
Performance reviews, supervision.
Information processing.
Physical controls.
Segregation of duties.
Specific examples of controls would include:
Approval and control of documents through signing off or pre-numbering,
Checking the arithmetical accuracy of records,
Reviewing control accounts for large or unusual items,
Reconciling figures,
Matching figures or documents,
Limiting physical access to assets and records,
Matching physical existence to book records and other external data,
Segregating duties such as custody of assets from initiation of transactions to recording
of transactions to review of transactions.
Monitoring of Controls
The auditor should obtain an understanding of the major types of activities that the entity
uses to monitor internal control over financial reporting, including those related to those
control activities relevant to the audit, and how the entity initiates corrective actions to its
controls.
Monitoring of controls is a process to assess the effectiveness of internal control
performance over time. It involves assessing the design and operation of controls on a timely
basis and taking necessary corrective actions modified for changes in conditions.
Management accomplishes monitoring of controls through ongoing activities, separate
evaluations, or a combination of the two. Ongoing monitoring activities are often built into
the normal recurring activities of an entity and include regular management and supervisory
activities.
In many entities monitoring generally falls on the internal audit department. The external
auditor may make use of the work of internal audit when carrying out their own work.
Limitations of Internal Control
Internal control, no matter how well designed and operated, can provide an entity with only
reasonable assurance about achieving the entity's financial reporting objectives. The
likelihood of achievement is affected by limitations inherent to internal control.
These include:
The realities that human judgment in decision-making can be faulty and that
breakdown in internal control can occur because of human failures, such as simple
errors or mistakes.
Additionally, controls can be circumvented by the collusion of two or more people or
inappropriate override by management of internal control.
Smaller entities often have fewer employees which may limit the extent to which
segregation of duties is practicable. However, for key areas, even in a very small
entity, it can be practicable to implement some degree of segregation of duties or
other form of unsophisticated but effective controls.
The potential for override of controls by the owner-manager depends to a great extent
on the control environment and in particular, the owner-manager's attitudes about the
importance of internal control.
The costs of control may outweigh their benefits.
Many controls are designed to deal with routine transactions and as such may fail to
detect non-routine transactions.
The existence of these limitations is the reason why the auditor does not just check the system
of internal control. Irrespective of the assessed risk of material misstatements, the auditor
should design and perform substantive tests for each material class of transaction, account
balance and disclosure. An auditor’s assessment of risk is judgemental and there are
inherent limitations to internal control.
Small companies
Due to the size of small companies, many of the controls that would be relevant may not exist
or even be practical. In addition, their cost may severely outweigh their benefit. This
means many small companies rely on the close involvement of the owner/managers. This
can be a good thing. However, it also gives rise to the risk of override of existing controls
and the omission of transactions.
Lack of operating controls and insufficient records can cause the auditor great difficulty in
carrying out an audit.
Specific controls such as segregation of duties are likely to suffer in small companies.
Auditors will be faced with additional difficulties in the event that a small company is
managed by a person other than the owner. It would be important to assess the controls
exercised by the owner over the management of the company.
D. ASSESSING THE RISK OF MATERIAL MISSTATEMENT
The auditor is required to assess the risk of material misstatements. Misstatements can arise
through inherent risks and control risks.
So the auditor is concerned with assessing policies and procedures of the entity which are
relevant to the financial statements. The auditor should:
1. Assess the accounting information system as to its adequacy in producing a set of
accounts for the entity,
2. Seek to identify any potential misstatements that could occur,
3. Consider all factors that might affect the risk of misstatements,
4. Design appropriate audit procedures whose nature, timing and extent are responsive to
the risks.
The assessment of controls will have a big impact on risk assessment.
Where good controls are identified, the auditors should perform work in that area to provide
the necessary audit evidence.
Where there are weak controls identified the auditor needs to consider:
1. What errors could be possible,
2. Could such errors be material to the accounts,
3. What substantive procedures will enable such errors to be detected and quantified?
Outcomes
The existence of a satisfactory control environment can be a positive factor when the auditor
assesses the risks of material misstatement and influences the nature, timing, and extent of the
auditor's further procedures. In particular, it may help reduce the risk of fraud, although a
satisfactory control environment is not an absolute deterrent to fraud.
Conversely, weaknesses in the control environment may undermine the effectiveness of
controls and therefore become negative factors in the auditor's assessment of the risks of
material misstatement, in particular in relation to fraud.
In some extreme cases, the control environment may be so poor as to raise questions as to
whether the accounts are capable of being audited. The control risk may be so high that audit
risk cannot be reduced to an acceptable level.
Where substantive procedures alone do not provide the auditor with sufficient evidence and
risks remain, the auditor should evaluate the design and determine the operational
effectiveness of controls. This is particularly important where systems are highly
computerised with little or no manual intervention.
E. TESTS OF CONTROLS
When the auditor's assessment of risks of material misstatement includes an expectation that
controls are operating effectively, the auditor should perform tests of controls to obtain
sufficient appropriate audit evidence that the controls were operating effectively at relevant
times during the period under audit.
Tests of controls may include the following:
1. Inspection of documents, for example to see whether transactions have been authorised,
2. Inquiries as to who carried out the controls rather than who is supposed to carry out
the control,
3. Re-performance of controls such as reconciling a bank account as distinct from
reviewing the bank reconciliation prepared by someone else,
4. Examination of evidence such as minutes of meetings of management team or board
of directors,
5. Observation of controls in action.
When assessing the evidence, the auditors need to consider:
How the controls were applied,
The consistency with which they were applied throughout the period,
By whom they were applied.
The use of computer assisted auditing techniques (CAATs) may be appropriate particularly
where there is a huge amount of data or complex computer systems in use by the entity.
Assessment of Control Risk
Poor controls or non-existent controls relevant to the financial statement assertions could lead
to a higher degree of control risk. The auditor will need to consider how to respond to this.
Furthermore, the auditors may find that the evidence they obtain suggests that controls did
not operate as expected. If the evidence contradicts the original risk assessment the auditors
will have to amend the further audit procedures they had planned to carry out. In particular,
if control testing reveals that controls have not operated effectively throughout the period the
auditor may have to extend his substantive testing.
Management Letter Reporting
At the “gaining an understanding” stage of the audit you could draw up a letter to
management recommending any improvements you consider from your findings, even at this
early stage. Perhaps you have noted weaknesses in the design of a control or the actual
absence of a vital control. In addition, what you have learned here may influence the type of
further audit testing you may carry out later on.
Furthermore, during your test of the operating effectiveness of controls you may uncover
significant weaknesses in internal controls and these should also be communicated in writing
to those charged with governance.
F. ASSESSMENT OF IMPACT ON AUDIT STRATEGY
An effective internal control system may allow an auditor to have more confidence in the
reliability of audit evidence generated internally within the entity.
If there are weaknesses in the control environment, the auditor needs to:
conduct more procedures as of the period end rather than an interim date,
seek more extensive audit evidence from substantive procedures,
modify the nature of procedures to obtain more persuasive audit evidence.
The evaluation of the control environment will help the auditor determine whether there
should be a substantive or a combined approach (tests of controls and substantive
procedures).
In designing further audit procedures, the auditor should consider:
the significance of the risk,
the likelihood that a material misstatement will occur,
the characteristics of the class of transactions or account balances,
the nature of specific controls and whether they are manual or automated,
the evidence gathered in determining if controls are effective in preventing, or detecting
and correcting material misstatements.
G. THE RECORDING OF CONTROL SYSTEMS
There are several techniques for recording the assessment of control risk. One or more may
be used depending on the complexity of the system.
1. Narrative notes
These are written descriptions of the processes and procedures.
They are easy to prepare but can become longwinded and time-consuming.
2. Flowcharts
Diagrams setting out the flow of the process and the procedures.
Great visually but can be difficult to prepare.
3. Questionnaires
ICQ or ICEQ (Internal Control Questionnaire or Internal Control Evaluation Questionnaire)
4. Checklists
Whatever method is used the data should be retained on the permanent audit file and updated
each year where relevant.
ICQs (Internal control questionnaires)
They comprise a list of questions designed to determine whether desirable controls are
present within an entity. They are designed to ensure that each of the major transaction
cycles is covered. Their primary purpose is to evaluate the system rather than describe it.
Therefore, a yes/no answer will suffice.
Advantages:
They can ensure that all controls are considered
Quick to prepare
Easy to use and control
Disadvantages:
Client may be able to overstate controls
May be a large number of irrelevant controls
May not include unusual controls
Can give impression that all controls are of equal weight
ICEQs (Internal control evaluation questionnaires)
These are used to determine whether there are controls which prevent or detect specified
errors or omissions. These are more concerned with assessing whether specific errors are
possible rather than establishing whether certain desirable controls are present. These
questions concentrate on significant errors or omissions that could occur at each phase of a
cycle if controls were weak.
Advantages:
Queries objectives rather than specific controls
Can identify key controls to be tested
Can highlight areas of weakness
Disadvantages:
Can be drafted vaguely, hence misunderstood
Important control may not be identified
ICQ example - Goods inwards
Answer YES or NO to each question.
1. Are goods examined on arrival, checking quantity and quality?
2. Are these checks evidenced by appropriate person?
3. Is the receipt recorded on a goods received note/docket?
4. Are GRNs prepared by a person other than someone who ordered the
goods and/or processes the invoice?
5. Are the records controlled to ensure that all receipts are matched to
invoices?
6. Are records followed up for exceptions?
7. Are these records reviewed by a responsible person?
ICEQ example - Purchases cycle
For each question, record an answer and, if yes, a comment.
Is there reasonable assurance that:
1. Goods or services could not be received without a liability being recorded?
2. Receipt of goods is required in order to establish a liability?
3. A liability is recorded only for authorised items and the proper amount?
4. All payments are properly authorised?
5. All credits due from suppliers are received?
6. All transactions are properly accounted for?
7. At the period end liabilities are neither overstated nor understated by the system?
8. The balance at the bank is properly recorded at all times?
9. Unauthorised cash payments could not be made and that the balance of petty cash is
correctly recorded at all times?
H. AUDIT PROGRAMMES
SALES
Control Objectives
1. Ordering and granting of credit
Goods and services should only be given to customers
with good credit background.
Customers should be encouraged to pay promptly.
All orders are recorded correctly.
All orders are filled.
2. Dispatch and invoicing of goods
All despatches are recorded.
All goods and services are invoiced correctly.
All invoices raised relate to goods and services supplied.
Credit notes are only raised for valid reasons.
3. Transactions processing and credit control
All invoices, credit notes and payments received are
recorded in sales ledger and nominal ledger.
All transactions are recorded in the correct sales ledger
account.
Cut-off is applied correctly.
Potential bad debts are identified.
Control Activities
1. Ordering and credit approval
Segregation of duties
Authorisation of credit terms and other data
Review of credit terms
Document numbering
Examination of correct pricing
Matching of orders with despatches
Dealing with customer queries
2. Dispatch and invoicing
Authorisation of despatches
Examination of despatches - quantity & condition
Matching of despatches to orders and invoices and review
of unmatched items
Checking number sequence on documents
Checking conditions of returns
Signatures on delivery notes
Checking pricing, quantity and details on invoices
Checking update of stock records
3. Transactions processing and credit control
Segregation of duties
Review sequence of invoices
Match receipts to invoices
Review customer remittance advices
Cut-off procedures
Regular customer statements sent out
Review of customer statements
Authorisation of any adjustments to accounts
Reconcile sales ledger to debtors control account
Review of margins
Tests of controls
Ordering and granting of credit
1. Check that for all new customers credit references are obtained.
2. Check that authorisation by senior staff has been obtained for all new accounts.
3. Check that all new orders are only accepted for those customers adhering to the credit
terms and within agreed credit limits.
4. Check that orders match production and despatch notes.
Despatches and invoicing
1. Match despatch notes with sales invoices. Check quantity, price, calculations, VAT,
posting to sales ledger and if appropriate analysis details.
2. Match sales items with inventory movement records.
3. Check non-routine sales have appropriate authorisation, supporting evidence and entry to
fixed asset registers in the case of plant disposals.
4. Verify credit notes for approval, backup documentation, entry in stock, entry in
goods returned records, calculations, entry in daybook and posting to sales ledger.
5. Review sequence of despatch notes and enquire about missing numbers.
6. Review sequence of invoices and credits and enquire about missing numbers.
7. Review sequence of orders and enquire about missing numbers.
8. Review any items free of charge and check for authorisation.
Processing sales
1. Check entries in daybooks and match to invoices and credit notes.
2. Check down totals and cross totals of daybooks.
3. Check totals of daybooks match debtors control account.
4. Check individual transactions from daybooks to sales ledger accounts.
5. Check a sample of entries in sales ledger accounts back to daybooks.
6. Check calculations in sales ledger accounts.
7. Check that debtors control account is reconciled to a list of balances from the sales
ledger.
8. Review and enquire about contra entries in sales ledger accounts.
9. Examine specific sales ledger accounts to see if credit terms and limits are being adhered
to.
10. Enquire and examine evidence as to the follow up on overdue accounts.
11. Check for authorisation re any write offs on an account.
PURCHASES
Control Objectives
1. Ordering
All orders are authorised, received and are actually for the
entity.
All orders are to authorised suppliers.
Orders are at a fair price.
2. Receipts and invoices
All receipts are for the entity and not for personal use.
Receipts are only accepted if proper authorised orders
exist.
All receipts are recorded accurately.
Liabilities are recognised for all receipts.
All credits due are claimed and received.
3. Accounting
All invoices are for orders received.
All invoices are authorised.
All invoices are recorded in appropriate ledgers and
daybooks.
All credits are recorded in appropriate ledgers and
daybooks.
All entries are in the correct purchase ledger account.
Cut-off is applied correctly.
Control Activities
1. Ordering
Segregation of duties
Evidence of re-order quantities and levels
Orders prepared from pre-numbered requisitions
Orders authorised
Pre-numbered order books and safe custody of such
books
Review orders not received
Regular monitoring of supplier terms and conditions
2. Receipts and invoices
Examine goods received. Checking quality and quantity
Record receipt in goods inwards records
Match receipts with order details
Appropriate referencing of invoices
Examine invoice and check price, quantity and
calculations. Match to receipts and order documents
Record all goods returned and ensure credit is claimed
3. Accounting
Segregation of duties
Record all purchases and returns in daybooks and
appropriate ledgers
Review purchase ledger and reconcile accounts to
supplier statements
Payments should be authorised only after all checking
procedures complete
Reconcile creditors control account to a list of purchase
ledger accounts
Cut-off is appropriate
Tests of controls
Ordering
1. Check that all new suppliers are authorised.
2. Check that authorisation by senior staff has been obtained for all new orders and is
within limits set.
3. Review order books for orders not completed and enquire of same.
Receipts and invoicing
1. Check invoices are supported by a goods received note and order, are entered in stock
records, priced correctly, calculations are checked and are appropriately referenced.
2. Check all returns are matched to a received credit note and this credit note should be
traced to the stock records.
3. Check all invoices and credit notes have been entered to the purchase ledger and the
appropriate daybooks.
4. Check all credit notes received for relevant supporting documentation.
5. Review numerical sequence of order books, goods received notes and goods returned
books and enquire of unmatched numbers or missing numbers.
6. Enquire of supplier invoices not matched with goods received notes or orders.
Processing purchases
1. Check all invoices and credit notes in the daybooks are evidenced as having been
checked re prices, calculations, matched to orders and goods received notes and
authorised for payment.
2. Check down totals and cross totals in the daybooks.
3. Match totals in the daybooks to the control accounts.
4. Check postings from the daybook to the appropriate purchase ledger accounts.
5. Check a sample of purchase ledger accounts and agree transactions back to the
appropriate daybooks. Check the totals of the balances.
6. Review purchase ledger accounts for contras and enquire of same.
7. Review supplier reconciliations and trace balances and reconciling items to the
appropriate books.
8. Confirm creditors control account agrees to list of balances of purchase ledger
accounts.
9. Review creditors control for unusual transactions.
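Where purchases records are held electronically, the sequence review, the matching of invoices to goods received notes and orders, and the segregation-of-duties question (ICQ question 4) can be re-performed over extracted data as a computer assisted auditing technique. The Python below is an added example, not part of the manual; the record layout, field names and sample records are constructed assumptions.

```python
"""CAAT-style re-performance of three purchases-cycle tests of control.

All records are constructed sample data; the field names are assumptions
made for this example, not a format taken from the manual.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_no: int
    raised_by: str
    qty: int


@dataclass(frozen=True)
class GoodsReceived:
    grn_no: int
    order_no: int
    prepared_by: str
    qty: int


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    grn_no: Optional[int]      # None when no goods received note is referenced
    order_no: Optional[int]
    processed_by: str
    qty: int


def missing_numbers(numbers):
    """Sequence review: numbers absent between the lowest and highest seen."""
    seen = set(numbers)
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def unmatched_invoices(invoices, grns, orders):
    """Match each invoice to a GRN and an order; return (invoice_no, reason)."""
    grn_by_no = {g.grn_no: g for g in grns}
    order_by_no = {o.order_no: o for o in orders}
    exceptions = []
    for inv in invoices:
        grn = grn_by_no.get(inv.grn_no)
        order = order_by_no.get(inv.order_no)
        if grn is None:
            exceptions.append((inv.invoice_no, "no goods received note"))
        elif order is None:
            exceptions.append((inv.invoice_no, "no order"))
        elif grn.order_no != order.order_no:
            exceptions.append((inv.invoice_no, "GRN belongs to a different order"))
        elif inv.qty > grn.qty:
            exceptions.append((inv.invoice_no, "invoiced quantity exceeds quantity received"))
    return exceptions


def segregation_breaches(invoices, grns, orders):
    """GRNs prepared by the person who ordered the goods or processed the invoice."""
    order_by_no = {o.order_no: o for o in orders}
    breaches = []
    for grn in grns:
        order = order_by_no.get(grn.order_no)
        if order is not None and order.raised_by == grn.prepared_by:
            breaches.append((grn.grn_no, grn.prepared_by, "ordered the goods"))
        for inv in invoices:
            if inv.grn_no == grn.grn_no and inv.processed_by == grn.prepared_by:
                breaches.append((grn.grn_no, grn.prepared_by,
                                 "processed invoice " + inv.invoice_no))
    return breaches


# Constructed sample extract: GRN 503 is missing from the sequence, GRN 502 was
# prepared by the person who raised the order, INV-3 bills more than was
# received, INV-4 has no GRN, and INV-5 was processed by the GRN preparer.
ORDERS = [Order(1001, "alice", 10), Order(1002, "alice", 5),
          Order(1003, "bob", 20), Order(1004, "bob", 8)]
GRNS = [GoodsReceived(501, 1001, "carol", 10), GoodsReceived(502, 1002, "alice", 5),
        GoodsReceived(504, 1003, "carol", 18), GoodsReceived(505, 1004, "dave", 8)]
INVOICES = [Invoice("INV-1", 501, 1001, "erin", 10), Invoice("INV-2", 502, 1002, "erin", 5),
            Invoice("INV-3", 504, 1003, "erin", 20), Invoice("INV-4", None, 1009, "erin", 3),
            Invoice("INV-5", 505, 1004, "dave", 8)]

if __name__ == "__main__":
    print("Missing GRN numbers:", missing_numbers(g.grn_no for g in GRNS))
    for exception in unmatched_invoices(INVOICES, GRNS, ORDERS):
        print("Unmatched invoice:", exception)
    for breach in segregation_breaches(INVOICES, GRNS, ORDERS):
        print("Segregation of duties:", breach)
```

Each exception listed is a matter to enquire about, as the tests above describe, not proof of error or fraud.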
PAYROLL
Control Objectives
1. Setting of wages and salaries
Employees only paid for work they have done
Gross pay calculated correctly and properly authorised
2. Recording
Gross pay, net pay and all deductions are recorded
correctly
Payments are recorded correctly in the bank account
Full cost is recorded in the nominal ledger
3. Payment
Employees are paid exactly what they are owed
4. Deductions
All deductions correctly calculated and appropriately
authorised
Revenue get paid what they are owed
Control Activities
1. Setting of wages and salaries
Segregation of duties
Personnel records should be maintained with proper
employment letters etc.
Authorisation of rates of pay, deductions
Maintain details of holiday entitlement, advance of pay
etc.
Procedures for dealing with queries
2. Recording
Records maintained of timesheets, clock cards etc.
Review of hours worked
Review of wages cost against budgets
Review by senior staff of data input and calculation work
by other staff including checking procedures
Appropriate analysis codes
Maintenance and reconciliation of wages bank account
3. Payment
Custody of cash procedures
Segregation of duties
Verification of identity
Preparation of pay packets, cash, cheque, payslip etc.
Records of amounts distributed
Authorisation of cheques and bank transfers
Dealing with queries
4. Deductions
Maintenance of separate records for each employee
Review deductions as between differing periods
Review control accounts for deductions
Tests of controls
Setting of wages and salaries
1. Check that wages summary is approved for payment.
2. Review details for changes from previous period and check for authorisation for
differences.
3. Check letters of employment exist for all new employees and relevant forms are
prepared for all leavers.
4. Check calculation of gross pay and agree rate of pay to authorised pay, hours worked
etc.
5. Check a sample of names on payroll lists to phone records, floor plans etc.
Recording
1. Reconcile wages to previous week's payroll, timesheets, changes in pay rates etc.,
looking for unusual or unexplained variances.
2. Re-perform key calculations and seek evidence of controls checking.
3. Check down totals and cross totals on payroll sheets and trace to the appropriate
ledger accounts.
4. Review all payroll control accounts.
5. Enquire as to payroll queries from staff.
Payment
1. If cash payments made, attend such an event and note procedures.
2. Compare pay packets with list of payments to be made.
3. Ensure signatures for all packets collected and enquire about uncollected packets.
4. Review list of cheques/bank transfer list and agree back to payroll details.
Deductions
1. Check calculations on payroll details and that authorisation does exist.
2. Check down totals on payroll summaries and match to entries in appropriate ledger
accounts.
3. Examine third party documentation.
4. Review the deduction control accounts and compare against previous periods.
CASH RECEIPTS AND DISBURSEMENTS
Control Objectives
1. All monies received are recorded, processed to the appropriate ledger accounts and
banked where necessary
2. Cash and cheques are safeguarded from loss through theft or otherwise
3. All payments are authorised, properly recorded and made to the correct person
4. Duplicate payments are avoided
Completeness of income (recording of all cash receipts) is extremely important. If there are
inadequate controls, these may cause limitations in the scope of your audit.
Segregation of duties is vital when dealing with cash. The receiving, recording, banking and
reconciling functions should ideally be done by separate persons within an entity.
Control Activities
1. Cash at bank and in hand - receipts
   - Segregation of duties
   - Post opening procedures. Safeguards over security, supervision, listing of items when opened, cheques crossed, remittance stamped.
   - Policy over who can receive cash, pre-numbered company receipts books. Ensure safe custody.
   - Regular clearance of cash registers and matching to till rolls.
   - Reconcile cash collection with sales records.
   - Investigation of shortages/surpluses.
   - Prompt recording of receipts in daybooks and ledger accounts.
   - Daily bankings, matching cash records with bank lodgement receipt slip.
   - Authorisation to open bank accounts.
   - Set limits on cash floats. Regular review and authorisation.
   - Restrictions on payment out of cash receipts.
   - Access controls over cash.
   - Surprise cash counts.
   - Bank reconciliation process. Follow up of un-reconciled transactions.
2. Payments - cash and cheques
   - Custody over supply and issue of cheques, especially ones with printed signatures.
   - Restrictions on issue of incomplete cheques or signing blank cheques.
   - Cheque requisitions with appropriate supporting documentation and approval.
   - Authority limits to sign cheques. Keep separate from approval process. No signatures without full documentation.
   - Prompt despatch of signed cheques and recording in daybooks and ledgers.
   - Authorisation and suitable backup documentation for cash payments.
   - Separate cashier listing payments to person recording in daybooks and ledgers.
   - Limits on cash disbursements.
Tests of controls
Receipts received by post
1. Observe that post opening procedures are followed.
2. Observe that all cheques received are crossed for protection.
3. Trace items in the rough cash list to the cash book and appropriate ledgers.
4. Verify amounts received agree with remittance advices.
Cash sales
1. Verify takings against till rolls.
2. Check takings to bank slip when lodged.
Collections
1. Trace amounts to cash book from appropriate collection sheets.
2. Verify goods sent for collection have matching receipts.
3. Review numerical sequence of collection books.
Cash receipts book
1. Check a sample of entries in the daybook back to till rolls, collection sheets or rough
cash sheets.
2. Check entries in daybook to bank statement to ensure daily lodging.
3. Check down totals and cross totals of daybook and trace totals to the nominal ledger.
4. Check transactions in daybooks to appropriate sales ledger accounts.
5. Review the daybook and check for large or unusual items.
Cash payments book
1. Check a sample of payments recorded to supporting documentation, e.g. suppliers'
statements, copy paid cheques.
2. Ensure cheque amounts are within authority limits for signing.
3. Check that invoices to be paid have been verified and passed for payment and that a
“paid” stamp is inserted on such invoices.
4. Check the numerical sequence of cheque numbers and enquire as to missing numbers.
5. Trace transfers to other bank accounts, cash records etc.
6. Check additions and trace totals to the nominal ledger.
7. Check transactions in daybooks to appropriate purchase ledger accounts.
8. Review the daybook and check for large or unusual items.
9. Review bank reconciliations. Check balances and un-reconciled items against
daybooks and other supporting information. Check that reconciliations are done on a
regular basis and review for any unusual items.
Petty Cash
1. Check a sample of payments to supporting documentation and appropriate approval.
2. Ensure vouchers have been marked and signed off to prevent re-use.
3. Trace a sample of amounts received to cash books and to relevant ledgers.
4. Check additions of petty cash book and trace summary totals to the nominal ledger.
INVENTORY
Control Objectives
1. Recording of stock
   - All movements are recorded and authorised
   - Record only items that belong to entity
   - Records show all inventory that exists and is in stock
   - All quantities are recorded correctly
   - Proper cut-off procedures apply
2. Safeguarding of stock
   - Loss, theft or damage is guarded against
3. Valuation of stock
   - Stock is priced correctly
4. Holding of stock
   - Levels of stock are reasonable
Control Activities
1. Recording of stock
   - Segregation of duties between custody and recording of stock
   - Checking receipt and recording of goods received
   - Checking appropriate documentation of movement
   - Maintenance of stock records. Ledger cards, bin cards etc.
2. Protection of stock
   - Access rights to stock
   - Controls over environment
   - Security over third party stock on-site and stock on third party property
   - Stock takes - Procedures, supervision, control, cut-off, recording.
   - Reconciliation of book stock to physical.
3. Valuation of stock
   - Checking calculations
   - Compliance with accounting standards, company law etc.
   - Examine condition of stock and provide for slow moving, obsolete or damaged stock
   - Authorisation for any write offs and appropriate accounting for such
4. Holding of stock
   - Agreed levels, regular review
   - Max/min levels and re-order levels
Tests of controls
Recording movement of stock
1. Select a sample of stock movements and trace back to either goods received notes or
despatch notes.
2. Confirm all movements were authorised.
3. Select a sample of items from the goods received notes and the despatches and agree to
the stock movement records.
4. Check the sequence of records and enquire about potential missing items.
Safeguarding of stock
1. Test check counts carried out and ascertain whether all discrepancies between book stock
and actual physical stock levels have been investigated.
2. All variances should be signed off by a senior member of staff.
3. Slow moving, obsolete or damaged stock should be marked as such and should be written
down in value. Trace a sample of these items through to the stock valuation reports.
4. Note the security arrangements.
Valuation o