INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS
OF RWANDA (CPA)
I 1.4: AUDITING
COMPILED BY: OTIENO KENNEDY
CHAPTER TOPIC
1 Introduction
2 The Auditor and the Audit Environment
3 Auditors Legal, Ethical & Professional Responsibilities – Part 1
4 Auditors Legal, Ethical & Professional Responsibilities – Part 2
5 Audit Planning and Supervision
6 Internal Control – Assessing Control Risk & Tests of Control
7 Financial Statement items – Substantive Procedures
8 Audit Execution – Other Considerations
9 Computer Information Systems
10 Audit Reporting
11 Public Sector Auditing
Learning Outcomes
On successful completion of this subject students should be able to:
• Interpret and discuss the legal, regulatory and ethical framework within which the auditor
operates.
• Differentiate and explain the respective responsibilities of directors and auditors.
• Explain the nature, purpose and scope of an audit and discuss and defend the role of the auditor.
• Apply and explain the process relating to the acceptance and retention of professional
appointments, to include the purpose and content of engagement letters.
• Devise an overall audit strategy and develop an audit plan.
• Supervise and review the various stages of the audit process.
• Outline the nature of internal controls and the procedures required to evaluate control risk
relating to specific accounting systems, in order to identify internal controls and weakness within
the systems.
• Distinguish between Tests of Control and Substantive Procedures.
• Design and apply the appropriate audit tests to include in the audit programme.
• Carry out analytical procedures and assess the implications of the outcome.
• Explain the significance, purpose and content of management letters and management representations.
• Explain the distinction between an internal and external audit.
• Apply and discuss audit sampling.
• Demonstrate the outcome and implications of subsequent event reviews.
• Plan and describe the audit of computer information systems.
• Draw appropriate conclusions leading to the formulation of the auditor’s opinion.
• Apply and explain the basic component elements of the Auditor’s Report.
• Identify and analyse matters that impact on the wording of Modified Reports, differentiating between
matters that do not affect the auditor’s opinion and matters that do affect the auditor’s opinion.
• Recognise ethical issues, discuss, escalate or resolve these as appropriate within the Institute’s ethical
framework, demonstrating integrity, objectivity, independence and professional scepticism.
STUDY UNIT 1
INTRODUCTION TO AUDITING
A. ASSURANCE
• The International Standards on Auditing (ISA) defines an assurance engagement as “one in which a practitioner expresses a
conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the
outcome of the evaluation or measurement of a subject matter against a suitable criteria.”
• In practice, this could be an auditor expressing an opinion to the shareholders of a company on a set of financial statements
prepared by management as to whether they have been prepared in a true and fair manner in accordance with accounting
standards and relevant company law.
Elements of an assurance engagement
1) A three party relationship involving the responsible party, the intended user and the professional accountant.
2) The subject matter, e.g. financial statements, forecasts, activities of the firm, procedures, systems and processes, behaviour (e.g.
social environment or corporate governance), etc.
3) A suitable criterion which may include IASs, IFRS, companies act disclosure requirements, ISA etc.
4) Evidence
5) Audit Report
• An audit is a type of assurance engagement.
B. LEVELS OF ASSURANCE
• Various levels of assurance may be given but this depends very much on:
(1) The individual engagement,
(2) The criteria applied and
(3) The subject matter.
• i. Reasonable level of assurance – subject matter materially conforms to criteria; i.e.
accounts give a true and fair view having regard to the accounting standards and law,
such as carried out in an audit. This can also be known as a positive expression.
• ii. Limited level of assurance – no reason to believe that subject matter does not
conform to criteria. Essentially, a negative form of expression. Expect to see this in a
review engagement. A review engagement is another type of assurance engagement.
• iii. Absolute assurance - Can never be given. There are inherent limitations of an audit
that affect the auditor’s ability to detect material misstatements in a set of financial
statements
C. THE AUDIT FUNCTION
What is an audit?
• An audit is an exercise, of which the objective is to enable an independent auditor to
express an opinion on whether a set of financial statements has been prepared in a true
and fair manner and in accordance with an identified financial reporting framework.
Audit objective
• The objective of an audit is to enable an independent auditor to express an opinion, on
whether a set of financial statements, are prepared, in a true and fair manner, in
accordance with an identified financial reporting framework.
D. TYPES OF AUDITS
• 1. Statutory audits as required by companies’ legislation.
• 2. Non-statutory audits preferred by interested parties rather than being required by law.
Types of Audits
Audits can be classified in two broad ways.
• According to terms of engagement i.e. nature of work done.
o Statutory audits
o Private audits
• According to the approach to the work to be done/ timing.
o Continuous audits
o Interim audits
o Final audits
• Other types of audits
o Procedural audits.
o Management audits.
o Balance sheet audits.
• Not all companies, however, are required to have an audit. Audit
exemption guidelines exist within certain jurisdictions. Small
companies depending on the jurisdiction could possibly avail of the
audit exemption because:
i. The cost may outweigh the benefit.
ii. Small companies are generally run by owner-managers, so there is no distinction between
shareholders and managers.
iii. Many small companies lack a system of internal controls.
iv. Their use of basic books of record.
• However, small companies can opt to have an audit carried out
specifically where the potential users of financial statements may
expect it.
There are arguments for and against small company audits
E. THE LIMITATIONS OF AN AUDIT
a. Not every item is checked. In fact, only test checks are carried out by auditors. It would be impractical to
examine all items within a class of transactions or account balance. Hence, it is not really possible to give
absolute assurance.
b. Auditors depend on representations from management and staff. Collusion can mitigate some good
controls such as division of duties. There is always the possibility of collusion or misrepresentation for
fraudulent purposes.
c. Evidence gathered is persuasive rather than conclusive. It often indicates what is probable rather than
what is certain. Take for example vouching a bank statement. It only shows you that one account. Are
there others?
d. Auditing is not purely an objective exercise. Judgements have to be made in a number of areas. The view
in financial statements is itself based on a combination of fact and judgement. For example, valuing stock
in a grain silo or valuing jewellery.
e. The timing of an audit. Significant credit notes after the year-end can alter a true and fair view. Problems
arise whether you audit too early or too late.
f. An unqualified audit opinion is not a guarantee of a company’s future viability, the effectiveness and
efficiency of management, nor that fraud has not occurred in the company. Profit margins can differ from
firm to firm yet both could have a clean audit report.
Benefits of an audit
1. The shareholders of a company are given an independent opinion as to the
true and fair view of the accounts that have been prepared by management.
2. The use made by third parties such as suppliers and banks of the accounts as
confidence in the performance of a company.
3. Auditors themselves can use the knowledge accumulated during the course of
the audit to provide additional services to the company such as the provision of
consultancy services or a management letter showing weaknesses in the
business and recommendations to alleviate such weaknesses in the future.
4. While not responsible for detecting fraud, the very fact that an audit is carried
out and may uncover evidence of fraud, can help to mitigate against such risks.
5. Managers in some firms may be removed from day-to-day transactions,
especially regarding remote locations, and an audit can allay fears of fraud or
simple bad bookkeeping.
F. THE NEED FOR REGULATION
• The conduct of audits is covered by:
1. A code of ethics
2. International Standards on Auditing
3. Company Law.
• In addition, Auditors are regulated by a number of different bodies, for example:
a. The International Auditing and Assurance Standards Board (IAASB)
b. The Government
c. Professional Accountancy bodies such as ICPAR
G. METHODOLOGY OF AN AUDIT
1. Determine the scope and the audit approach.
2. Ascertain the system and controls.
3. Assess the system and internal controls.
4. Test the system and internal controls.
5. Test the financial statements.
6. Review the financial statements.
7. Express an opinion.
H. ISA 200
• International Standards on Auditing 200 (ISA 200): Overall objectives of the
independent auditor and the conduct of an audit in accordance with
International Standards on Auditing.
a. The auditor should comply with the code of ethics for professional accountants issued by
the International Federation of Accountants (IFAC) and the ethical pronouncements issued
by the auditor’s relevant professional body.
b. The auditor should conduct an audit in accordance with International Standards of Auditing
and should plan and perform an audit with an attitude of professional scepticism.
c. ISA 200 also makes a very important point in that while the auditor is responsible for
forming and expressing an opinion on the financial statements, the responsibility for
preparing and presenting those financial statements lies with the management.
d. Furthermore, the auditor does not have any responsibility with regard to the prevention
and detection of fraud. Again, that lies with the management.
May 2024 Q1, Feb 2024 Q2
Study Unit 2
The Auditor and the Audit Environment
A. AUDIT OPINION
• The objective of an audit is for an independent auditor to express an opinion on a set of financial
statements.
• The key opinion is whether the accounts give a true and fair view. Unfortunately, there is no formal
definition as it is not laid out in Company law. However, it is generally accepted that a set of accounts can
only give a true and fair view if they are not factually incorrect and present information in an impartial way
that is clearly understood by the reader.
• Aside from the key opinion, there are a number of other issues that the auditor needs to report on and
these should be laid out by the companies’ acts.
• These are matters of opinion and matters of fact.
Matters of opinion:
1. Have proper accounting records been kept?
2. Is the information in the directors’ report consistent with that given in the financial statements?
3. Does a financial situation exist which may require a Special Meeting?
4. Have the accounts been prepared in accordance with the provisions of the companies’ acts?
Matters of fact:
1. Has the auditor received all the information and explanations he deems necessary for the purposes of his
audit?
2. Do the financial statements agree with the books of account?
• The statutory audit opinion is given by way of a written standard audit report addressed to the shareholders
of a company. The report should be signed and dated by the auditor.
B. THE ROLE OF THE AUDITOR
• The auditor is the independent person that gives his opinion on a set of financial statements. He does not
provide absolute assurance. In other words he does not say the “accounts are correct” due to the Audit
limitations.
• However, this is often misunderstood by users of accounts, who seem to wrongly accuse the auditor of
shortcomings, especially where there are infamous business failures or perceived wrongdoing. This is known
as the “expectation gap”.
• The expectation gap exists because the role and duties of the auditor, which are recommended to be laid out
by the companies acts, codes of ethics and auditing standards, could be different from the role of
the auditor as perceived by the general public and even company directors themselves. For example, it is believed that
the auditor should find all errors, whether unintentional or intentional such as fraud.
C. RELATIONSHIPS AND RESPONSIBILITIES
• There are a number of stakeholders interested in financial statements from the shareholders to
management, customers to suppliers, revenue authorities to bank managers, and even future
investors.
• The audit report is prepared by the auditor for the shareholders on the actions of the
management (directors).
• The auditor has no legal duty to report to management or anyone else in respect of the financial
statements. However, in practice other parties do read the audit report and often rely on the
assurance given by the auditors.
Key issues:
• Management are responsible for the preparation and presentation of the accounts
• Management are responsible for the prevention and detection of fraud within a company
• Management are responsible for safeguarding the assets of a company
• The auditor is responsible for expressing an opinion on a set of accounts prepared by
management.
D. THE AUDIT PROFESSION
• Depending on the jurisdiction it would be recommended to set up an Accounting
Supervisory Authority together with an Auditing Authority. Its role would be to
supervise the practice of auditing and accounting in the relevant country.
• Previously, each professional accounting body supervised their own members,
however more recently Independent Supervisory Authorities are being
established in countries e.g. in Ireland (IAASA)
• The main functions of an Auditing and Accounting Supervisory Authority would
be:
i. To supervise how each body regulates its own members
ii. To promote adherence to the highest possible professional standards
iii. To monitor the accounts of companies to ensure compliance with companies legislation.
• Each professional body will regulate and monitor its own members. Each body
will issue its own code of ethics. By and large the codes of ethics are very similar.
• Persons carrying out audits must have the permission of the relevant authorities. It is strongly recommended
that all auditors have to be registered. Members of recognised bodies such as CPA, ACCA and Chartered
Accountants are registered auditors if they have practising and auditing certificates from their respective
bodies.
• The Institute of Certified Public Accountants of Rwanda (ICPAR) is the Professional Accountancy Organization
(PAO) mandated by law number 11/2008 to regulate the Accounting profession in the Republic of Rwanda.
ICPAR is the only body authorized by law to register and grant practising certificates to Certified Public
Accountants (CPAs) in Rwanda. Certified Public Accountant Certificate holders that are registered as
members of ICPAR are entitled to the CPA (R) designation.
• The Institute operates in the public interest including promotion of financial reporting, auditing and ethical
standards.
• The practising audit firms in Rwanda are very small in size and need capacity building with respect to quality
of audit.
E. INTERNATIONAL STANDARDS ON AUDITING
• There is a need, then, for auditors to be regulated so that all auditors follow the same standards. One of the
main points of ISA 200 (objective and general principles governing an audit of financial statements) is that
auditors must follow the International Standards on Auditing in the exercise of an audit.
• The International standards of auditing (ISAs) are produced by the International Auditing and
Assurance Standards Board (IAASB), which is part of the International Federation of Accountants
(IFAC). The IFAC is a global organisation for the accounting profession.
• The intention is that the standards issued will improve the degree of uniformity of auditing
practices, both in a standardised approach to the audit and a standard reporting format.
• Only in exceptional circumstances can an auditor judge it necessary to depart from an
auditing standard in order to achieve the objective of an audit. The auditor would need to be able
to justify his actions.
• ISAs need only be applied to material matters. What is material is not defined in law but it is
generally accepted that something is material if its omission or misstatement could influence the
economic decisions of users of financial statements. Materiality can be based on value, e.g. large
amounts are more likely to be material than small ones, though sometimes they may also be
material by nature, for example if it exposes inappropriate decision-making within an organisation
possibly based on favouritism or personal bias.
• ISAs are mandatory in some jurisdictions for the audit of company accounts.
Setting Standards - The Process:
1. The IAASB identifies new developments,
2. The IAASB appoints a task force to draft a standard,
3. Consultation takes place,
4. An “exposure draft” is produced, essentially a draft standard issued welcoming comments from
the profession and any other interested party,
5. The taskforce considers comments and may make amendments,
6. The Standard is finalised and formally approved by the IAASB.
International Accounting Standards, International Financial Reporting Standards and International
Public Sector Accounting Standards
• The auditor needs to express an opinion on a set of accounts as to whether they give a true and
fair view. In order to give a true and fair view, a set of accounts should have regard for the
provisions of company law and international accounting standards. Private sector standards are
known as International Financial Reporting Standards (IFRSs). There are public sector equivalents,
largely based on the IFRSs, known as International Public Sector Accounting Standards (IPSASs).
F. CORPORATE GOVERNANCE
• The Cadbury report defines Corporate Governance as: “The system by which companies are directed and
controlled”.
• There are four main pillars of corporate governance: Accountability,
Transparency, Responsibility and Fairness. All of these are critical for the successful running of an organization
and for forming better relationships with different stakeholders.
o Accountability: Accountability embraces ownership of the strategy and tasks required to attain organisational goals. This also
means owning reward and risk in the clear context of a predetermined value proposition. When the idea of accountability is
approached with this positive outlook, people will be more open to it as a means to improve their performance. This applies
from the staff all the way up to top leadership, embracing risk management within a defined formal appetite for risk.
o Fairness: Fairness means “equal treatment of all stakeholders”. Establishing an effective communication mechanism is
important in ensuring just and timely protection of resources.
o Transparency: Transparency means “having nothing to hide”: the entity allows its processes and transactions to be observable to
outsiders. It also makes the necessary disclosures and informs all affected stakeholders about its decisions and how they are likely to
be affected by those decisions. Transparency is a critical component of corporate governance because it ensures that all of
the entity’s actions can be checked at any given time by an outside observer.
o Responsibility: Those charged with governance are given authority to act on behalf of the entity. They should therefore
accept full responsibility for the powers that are given to them and the authority that they exercise. Those charged with
governance are responsible for overseeing the management of the business and the affairs of the company, appointing the chief
executive and monitoring the performance of the company. In doing so, they are required to act in the best interests of the entity,
putting aside their own interests.
Why is corporate governance important?
• Shareholders and managers are usually separate in a company and it is important that the management of a
company deals fairly with the investment made by the owners.
• Corporate governance is about ensuring that public companies are managed effectively for the benefit of
the company and its shareholders.
• In smaller companies, generally, shareholders are fully informed about the management of the business as
they are the directors themselves. However, in large companies the day to day running of a company is the
responsibility of the directors. Shareholders only get a look-in at the Annual Meeting.
• In addition, auditors only report on the truth and fairness of financial statements. They do not report on how
the shareholders’ investment is being managed and whether their investment is subject to fraud.
How does corporate governance come about?
a. Unscrupulous management ignoring distinction between company’s money and their own,
b. Management manipulating share price for personal gain,
c. Management disguising poor results and mismanagement,
d. Management extracting funds from company and raising finance fraudulently.
e. Management inefficiencies in decision-making and internal control systems (these might not be deliberate but are still
problematic for shareholders)
Authority
• Good corporate governance can be enforced by law (Sarbanes Oxley in the US) and/or by agreement
through codes of best practice.
So what does good corporate governance entail?
1. Effective management
2. Support /oversight of management by non-exec directors with sufficient experience
3. Fair appraisal of performance
4. Fair remuneration and benefits
5. Fair financial reporting
6. Sound systems of internal control
7. Constructive relationship with directors
G. CODES OF BEST PRACTICE
• Two prominent codes have been formed in the UK and are considered best practice in modern times and
could be applied internationally.
• In Rwanda these codes could be applied as “Codes of Best Practice”
o The Cadbury report
o The Combined code
The Cadbury Report
• The Cadbury report was issued in 1992. Its terms of reference considered:
1. The responsibilities of executive and non-executive directors and the frequency, clarity and form in which information should
be provided to shareholders.
2. The case for audit committees, their composition and role.
3. The responsibilities of auditors and the extent and value of the audit.
4. The links between auditors, shareholders and the directors.
• The Cadbury report was aimed at directors of all UK PLCs; however directors of all companies are
encouraged to apply the code. Directors should state in the financial statements, normally through the
director’s report, whether they comply with the code and must give any reasons for non-compliance.
• The Cadbury report covered a number of areas including the board of directors, non-executive directors,
executive directors and the audit function. Some of the provisions include:
Board of Directors
i. They should meet on a regular basis.
ii. They should have clearly accepted divisions of responsibilities, so no one person has complete power.
iii. The posts of chairman and CEO should be separate.
iv. Decisions which require a single signature or several signatures need to be laid out in a formal schedule and
procedures must be put in place to ensure that the schedule is followed.
Non-executive directors
• They are not involved in the day to day running of the company and should bring their independent
judgment to bear in the affairs of the company. Such affairs may include key appointments and standards of
conduct.
• There should be no business or financial connection between the company and the non-executive directors
other than fees and a shareholding.
• Their fees should reflect the time they spend on the business.
• They should not participate in share option schemes or pension schemes.
• Appointments of non-executive directors should be for a specific term and automatic re-appointment is
discouraged.
• Procedures should exist whereby they may take independent advice.
• A remuneration committee consisting of non-executive directors should decide on the level of pay for
executive directors.
Executive directors
• They run the company on a day to day basis and should have service contracts in place of not more than
three years in length, unless approved by the shareholders.
• Directors’ emoluments should be fully disclosed in the accounts and should be analysed between salary and
performance based pay.
Audit
• The code states that the audit is the cornerstone of corporate governance. It is an objective and external
check on the stewardship of management.
• Some flaws exist in the framework for auditing, such as choices in accounting treatments, poor links
between shareholders and auditors, price competition between audit firms and the “expectations gap”
between auditors and the public.
• Disclosing fees for audit in the financial statements should safeguard against the threat to objectivity where
auditors offer other services to their audit clients.
• Formal guidelines concerning audit rotation should be drawn up by the accounting profession.
• The accountancy profession should be involved in setting criteria for the evaluation of internal control.
• There is a need for auditors to report on going concern. This is now reflected in auditing standards.
The Combined Code
• For example the UK stock exchange issues guidance on a regular basis. In 1998 it
issued the combined code. This combined key guidance from various reports
including the Cadbury report into the one code.
• Some of its principles, which can be adopted globally, are:
i. Every company should have an effective board.
ii. There should be clear divisions of responsibilities at board level.
iii. There should be an appropriate balance of executive and non-executive directors.
iv. A formal procedure for appointments to the board should exist.
v. The board should receive timely information in order to discharge its duties.
vi. All directors should maintain and upgrade their skills and knowledge.
vii. There should be an annual evaluation of its own performance.
viii. All directors should be submitted to re-election at appropriate time intervals.
ix. There should be appropriate levels of remuneration that are sufficient to attract, retain and
motivate individuals of the necessary quality required.
x. A significant portion of pay should be performance related.
xi. A formal procedure for the fixing of pay levels should exist and no director should have a
hand in fixing his/her own pay.
xii. The board should present a balanced assessment of the company’s performance.
xiii. The board should implement a good system of internal control.
xiv. The board should have meaningful communication with the shareholders and should use
the Annual Meeting to communicate with investors.
Audit Committees
• Audit committees are generally made up of non-executive directors. They are
perceived to increase confidence in financial reports.
• A number of recommendations contained in the combined code are:
i. Audit committee should comprise at least three non-executive directors (two for smaller
companies).
ii. Its main role and responsibilities should be clearly set out in written terms of reference.
iii. The committee should be provided with sufficient resources to undertake its duties.
Role and responsibilities
1) To monitor the integrity of the financial statements and other formal announcements.
2) To review the internal financial controls and the company’s control and risk management systems.
3) To monitor and review the effectiveness of the internal audit function.
4) To make recommendations regarding the appointment of external auditors and their remuneration.
5) To monitor and review the external auditor’s independence and objectivity.
6) To develop and implement policy on the engagement of the external auditor in other non-assurance services.
Advantages of an audit committee
1) Provides an independent point of contact for the external auditor, particularly in the event of
disagreements.
2) Can create a climate of discipline and control.
3) Increased confidence in the credibility and objectivity of financial reports, by increasing the quality of the
financial reporting and enabling the non-executive directors to contribute an independent judgment.
4) Internal auditors can report directly to the committee thereby providing a
greater degree of independence from management.
5) The existence of such a committee should make the executive directors more
aware of their duties and responsibilities.
6) Can act as a deterrent to fraud or illegal acts by executive directors.
Disadvantages of an audit committee
1) Can be difficult to source sufficient non-executive directors with the necessary
competence to be effective.
2) Auditors may not raise issues of judgment where there are formalised reporting
procedures.
3) Costs may increase.
4) Findings are generally not made public, so it is not always clear what they
actually do.
Internal control effectiveness
• Internal control is an essential tool in having good corporate governance and impacts significantly on the
audit approach that might be taken.
• The directors of a company are responsible for putting in place an effective system of internal control. An
effective system of internal control will help management safeguard the assets of a company, prevent and
detect fraud and therefore, safeguard the shareholders’ investment.
• In addition, it helps ensure reliability of reporting and compliance with laws. The use of the word ‘help’
denotes the fact that there are inherent limitations in any system of internal controls and as such there can
be no such thing as absolute assurance.
• The directors need to set up internal control procedures and need to monitor these to ensure that they are
operating effectively.
• The system of internal control will reflect the control environment which depends a lot on the attitude of the
directors towards risk.
• The combined code recommends that the board of directors report on their review of internal controls. This
assessment should cover the changes in risks which the company faces and its ability to respond to these
changes, the scope and quality of management’s monitoring of risk and internal control and the extent and
frequency of reports to the board. It should also assess the significant controls, failings and weaknesses that
might have a material impact on the accounts.
• Auditors should assess the review carried out by the directors. They should assess
whether the company’s summary of the process of review is supported by
documentation prepared by the directors and that it reflects that process.
• This review is not as defined as an audit. Therefore, it is only possible to give
limited assurance. For this reason, the auditors are not expected to assess
whether the directors’ review covers all risks and controls and whether the risks
are satisfactorily addressed by the internal controls.
• In order to avoid any misunderstandings, a paragraph is inserted into the audit
report setting out the scope of the auditor’s role.
• Auditors should bring to the attention of directors any material weaknesses they
find in the system of internal control.
• In order to monitor and assess the system of internal controls as to their
reliability and effective operation, a company may set up an internal audit
department to carry out the internal audit function.
Differences between the external audit and internal audit functions.
1. An internal auditor is an employee of the company. Therefore, under applicable company law, the
internal auditor is precluded from acting as the external auditor of a company.
2. External auditors are required by appropriate laws to belong to a recognised body, which
guarantees their appropriate qualification, adherence to technical standards and overall
competence. The internal auditor on the other hand requires no formal training.
3. Unlike the external auditors, who are appointed at the Annual Meeting by the shareholders of a
company, the internal auditor is hired by the management of the company. In turn this means he
can be dismissed by the directors or other senior managers, subject only to normal employment
rights.
4. The primary objective of the external auditor is laid down by the applicable companies’ acts,
whereas the internal auditor’s objectives are dictated by the management of the company. As a
result, management can place limitations on the scope of the internal auditor’s work. While some of
his work may be similar to that of the external auditor, more of it could relate to areas such as value
for money.
May 2024 Q2a, Dec 2023 Q1, Aug 2023 Q6
Study Unit 3
Auditors Legal, Ethical & Professional Responsibilities –
Part 1
A. PROFESSIONAL AND ETHICAL RESPONSIBILITIES
• ISA 200 sets out the general principles of an audit. The auditor should comply with the
code of ethics for professional accountants issued by the International Federation of
Accountants.
• Accountants require ethics because people rely on them for their expertise in specific
areas. Both the International Federation of Accountants (IFAC) and the Institute of
Certified Public Accountants of Rwanda (ICPAR) have issued a code of ethics of which the
fundamental principles of both associations are very similar.
• Both identify:
o Fundamental principles of ethical behaviour
o Potential threats to those principles
o Possible safeguards to counter those threats.
• If the code of ethics is contravened, members may face disciplinary proceedings which
could result in a fine, censorship, suspension or withdrawal of membership and with it
possibly the right to practice.
• The fundamental principles are as follows:
o Integrity
o Objectivity
o Professional competence and due care.
o Confidentiality
o Professional behaviour.
ETHICAL STANDARDS
1. Integrity, Objectivity and Independence
2. Financial, business, employment and personal relationships
3. Long association with the audit engagement
4. Fees, remuneration and evaluation policies, litigation, gifts and hospitality
5. Non-Assurance Services provided to an Assurance Client
What are the possible threats to independence?
• Self-interest.
• Self-review.
• Management threat.
• Advocacy.
• Familiarity.
• Intimidation.
Possible Safeguards to independence
• Safeguards that may eliminate or reduce threats to an acceptable level fall into two general categories:
1. Safeguards created by the profession, legislation or regulation and
2. Safeguards in the work environment whether within the auditor’s own systems and procedures or within the client company.
The first category includes:
1) Educational, training and experience requirements for entry into the profession.
2) The existence of a clear and robust Code of Ethics
3) Continuing professional development requirements.
4) Corporate governance regulations and Professional standards.
5) Professional or regulatory monitoring and disciplinary procedures.
The second category would include, for example:
Firm-wide safeguards
i. Documented policies and procedures to implement and monitor quality control of
engagements.
ii. Documented policies regarding identification of threats, their evaluation and application of
safeguards.
iii. Policies and procedures to enable identification of interests and relationships between auditor
and client.
iv. Monitoring the fee income received.
v. Timely communication of a firm’s policies and procedures to all staff and appropriate training
thereof.
vi. A suitable disciplinary mechanism to promote compliance with policies.
Possible Engagement specific safeguards
a. Involving an additional professional accountant to review the work done.
b. Consulting independent third parties.
c. Disclosing the nature of services provided and extent of fees charged to those charged with client
governance.
d. Rotating senior audit team personnel.
Possible Safeguards within client systems and procedures
a. Persons other than management ratify auditor appointment.
b. Client has competent employees with experience to make decisions.
c. The client has a corporate governance structure that provides appropriate oversight and communications
regarding the firm’s service.
• International Standard on Quality Control (ISQC 1) sets out the standards and provides guidance regarding a
firm’s responsibilities for its system of quality control for audits.
i. The firm should establish a system of quality control designed to provide it with reasonable assurance that
the firm and its personnel comply with professional standards and regulatory and legal requirements.
ii. The firm’s system of quality control should include policies and procedures addressing elements such as
leadership responsibilities, ethical requirements, acceptance and continuance of client engagements, human
resources, engagement performance and monitoring.
iii. The quality control policies and procedures should be documented and communicated to the firm’s personnel.
B. STATUTORY RESPONSIBILITIES AND RIGHTS
• Statutory responsibilities and rights are laid out under companies and other related
legislation such as Companies Acts.
• We have already seen that company law - depending on the applicable jurisdiction -
produces a requirement that companies’ financial statements are audited.
• Company Law should recommend dealing with a number of other auditor related issues
depending on the applicable jurisdiction, such as:
1. Appointment of auditors
2. Auditors’ remuneration
3. Resignation or removal of auditors
4. Auditors’ duties
5. Auditors’ rights
C. APPOINTMENT OF AUDITORS
• Auditors are appointed by members of a company at the Annual Meeting. The term lasts
from the end of one Annual Meeting until the next Annual Meeting unless of course the
auditor has resigned or has been removed during the year.
• Where the company fails to appoint an auditor at the annual meeting, or the post remains
vacant for a one-month period, the Registrar General shall have the power to have the
company appoint its auditor within thirty (30) days.
Companies Acts – Article 238
Auditor’s remuneration
• The auditor’s remuneration should be fixed at the Annual Meeting and should be
disclosed in the financial statements. It should be disclosed separately from those fees
earned from non-assurance services.
Companies Acts – Article 239
D. RESIGNATION & REMOVAL OF AUDITORS
An auditor who does not wish to be reappointed or wishes to resign
• Where an auditor gives the Board of Directors of a company written notice that he/she does not wish to be reappointed, the Board
shall, if requested to do so by that auditor: distribute to all shareholders and to the Registrar General, at the expense of the
company, a written statement of the auditor’s reasons for his/her wish not to be reappointed; permit the auditor or his/her
representative to explain at a shareholders’ meeting the reasons for his/her wish not to be reappointed.
An auditor may resign prior to the Annual Meeting of the company.
• This shall, after receiving the notification thereof, call on the Board of Directors to a special meeting to receive the auditor’s notice
of resignation. The auditor shall provide a written report which gives to him/her representative the opportunity to give an
explanation why he/she does not wish to be reappointed as auditor. Also during that meeting, the Board of Directors or the
meeting of shareholders shall appoint a new auditor.
• The auditor has the right to require that the directors call a Special Meeting to discuss his resignation and the auditor can attend
and speak at this meeting on any matter that concerns him as the retiring auditor. Directors should send out notice of this meeting
within a 30 day period.
• The auditor also has the right to receive all notices that relate to a general meeting at which their term of office would have
expired.
Companies Acts Articles 244 and 245
Removal
• An auditor of a company shall be automatically reappointed at an annual meeting of the company
unless the company passes a resolution at the annual meeting appointing another person to
replace the auditor; Companies Acts Article 243.
• The directors of a company should give at least 30 days’ notice to all those entitled to receive a
set of accounts if a motion to remove the auditors is to be put to the members at an Annual
Meeting. The auditors also have the right to receive a copy of such notice.
• The motion to remove the auditor can be passed by a simple majority.
• The auditor should have a right to make representations as to why they should retain their office
and they can require that a copy of these representations be sent to all the members.
• The company should notify the registrar on the removal of the auditors and the auditor should
forward the statement of circumstances to the company within a period of at least 14 days of
ceasing to hold that office. A copy of this statement should be forwarded by the company to the
Registrar General.
• The auditor has a right to receive notice of and speak at such an Annual Meeting where their
term of office would have expired.
Communication between auditors
• The new auditor is likely to request authorisation from the company to contact the previous auditor in order
to ascertain if there are any circumstances which should be brought to their attention before accepting the
appointment as auditors.
• The previous auditor will forward copies of previous audited accounts together with sufficient information
relating to lead schedules of all the major areas of the audit. The previous audit files remain in the
ownership of the previous auditor.
E. AUDITORS’ DUTIES & RIGHTS
Auditors’ duties
• We have already covered the fundamental duties as to issuing an auditor’s report on forming an opinion on
the financial statements as well as looking at a number of other areas which were matters of opinion and
matters of fact.
• Compliance with legislation: Whether the financial statements have been prepared in accordance with the
relevant legislation;
• Truth and fairness of accounts: Whether the statement of financial position shows a true and fair view of the
company's affairs at the end of the period and the statement of profit or loss and other comprehensive
income (and statement of cash flows) show a true and fair view of the results for that period;
• Adequate accounting records and returns: Whether adequate accounting records have been kept and returns adequate for the
audit received from branches not visited by the auditor;
• Agreement of accounts to records: Whether the accounts are in agreement with the accounting records and returns;
• Consistency of other information: Whether the information in the directors' report is consistent with the financial statements;
• Directors' benefits: Whether disclosure of directors' benefits has been made in accordance with the Law Governing Companies.
Auditors’ rights
• Auditors have the following rights:
1. Access to all relevant documents and books and any information and explanations that they require from the directors of a
company which they deem necessary in the conduct of the audit.
2. Attendance at any general meeting and to receive all notices and written resolutions which any member of the company is
entitled to receive.
3. To be heard at any general meeting on any matters that concern them as auditors
4. To give written notice requiring that an Annual Meeting be held for the reason of laying the accounts and reports before the
members of a company.
Companies Acts Articles 248 and 249
• Possible Company Law offences could include:
1) Non-filing of annual returns
2) Directors’ loan infringements
3) Non-holding of Special Meetings
4) Failure to keep proper books of accounts
5) No director resident in state
6) Acting as an auditor while not qualified to do so
• It would be considered the auditor’s duty to report any offences outlined above to the Police or the Revenue
Authorities.
• The main offence an auditor should be aware of is money laundering activities. Money laundering is the
process by which criminals attempt to conceal the true origin and ownership of the proceeds of their
criminal activity, allowing them to maintain control over the proceeds and ultimately, providing a legitimate
cover for the source of their income.
• Audit firms are required to report suspicions that a criminal offence has been committed, regardless of
whether the offence has been committed by a client or by a third party. In addition, they need to be alert to
the danger of making disclosures that are likely to tip off a money launderer, as this is a criminal offence.
• There is no legal right not to make a report and the auditor is not
constrained by his professional duty of confidence, although in all
cases any such reporting must be made in good faith. In this case, he
is protected by law from having the client take a civil case against him.
However, if he did not have reasonable grounds on which to make a
report to a third party, he may be sued by his client for breach of
confidentiality.
Dec 2023 Q3, May 2024 Q2b, Q5a
Study Unit 4
Auditors Legal, Ethical & Professional Responsibilities –
Part 2
A. AUDITOR’S RESPONSIBILITY IN RELATION TO FRAUD AND FOR THE ENTITY’S
COMPLIANCE WITH LAWS AND REGULATIONS
Fraud
• An auditor’s main concern in an audit is the risk of a material misstatement in the
financial statements. These material misstatements can arise from fraud or error.
• An error is an unintentional misstatement in the financial statements, whether an
omission of an amount or a disclosure. It can be a mistake in gathering or processing data
for the accounts, an incorrect accounting estimate or a mistake in the application of
accounting principles.
• Fraud is an intentional act by one or more individuals among management, employees or
third parties, involving the use of deception to obtain an unjust or illegal advantage.
• Auditors do not make legal determination of whether fraud has actually occurred; the
auditor is concerned to the extent that fraud has caused a material misstatement in the
financial statements.
Responsibility
• ISA 240, The Auditor’s Responsibility to Consider Fraud in an Audit of Financial Statements,
states quite clearly in paragraph 240.13 that the primary responsibility for the prevention
and detection of fraud rests with the management and those charged with governance
of the entity. It is their responsibility to establish a control environment to assist in
achieving the orderly and efficient conduct of the entity’s operations. It is up to them to
put a strong emphasis on fraud prevention.
• The auditor does not have a specific responsibility to prevent or detect fraud, but he
must consider whether it has caused a material misstatement in the financial
statements.
Types of fraud
• There are two types of intentional misstatement:
1. Fraudulent financial reporting
2. Misappropriation of assets
Fraudulent financial reporting
• This may be accomplished by the following:
1) Manipulation, falsification, or alteration of accounting records or supporting documentation from which the accounts are
prepared
2) Misrepresentation in, or intentional omission from, the accounts of events, transactions or other significant information
3) Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation or disclosure.
Misappropriation of assets
• This involves the theft of a company’s assets. While management are in a position to be able to disguise or conceal
misappropriations in ways that are difficult to detect, misappropriations of small and immaterial amounts are often
perpetrated by employees.
• Misappropriations can be accomplished in a number of ways:
1) Embezzling receipts
2) Stealing physical assets or intellectual property
3) Causing an entity to pay for something they never received
4) Using an entity’s assets for own personal use.
• The misappropriation of assets is often accompanied by false or misleading records or
documents in order to conceal the fact that the assets are missing.
Why is there fraud
• Fraud occurs because:
1) There is an incentive or pressure to commit fraud
2) A perceived opportunity to do so
3) Rationalisation of the act.
4) Individuals may be living beyond their means
5) Management is under pressure to reach targets
6) An individual may believe internal controls can be over-ridden.
• The auditor identifies the risks of fraud, relates the identified risks to what can go wrong
at the assertion level and considers the likely magnitude of a potential misstatement.
Finally, he should respond to those risks.
Reporting
• The auditor should communicate to the appropriate level of management any identified fraud. Where the
fraud involves management or key employees in internal control operations, the auditor should
communicate as soon as possible any such fraud to those charged with governance.
• The auditor may have a statutory duty to report fraudulent behaviour to a regulator outside the entity for
example the police authorities.
Law and Regulation
• Companies are statutorily bound to comply with laws and regulations. Some of the laws and regulations
affecting companies are:
1) Company law
2) Health and safety regulations
3) Employment law
4) Civil law, both tort and contract
5) Environmental law and regulation
What to do when non-compliance is discovered
• When the auditor becomes aware of non-compliance, the auditor should obtain an understanding of the
nature of the act and the circumstances in which it has occurred, and sufficient other information to
evaluate the possible effect on the financial statements.
• The auditor must consider:
a. The potential financial consequences such as fines, penalties and/or litigation.
b. Whether the potential financial consequences require disclosure.
c. Whether these consequences are so serious they call into question the truth and fairness of the accounts.
Reporting of non-compliance
1) As soon as possible, the auditor should communicate with management, or obtain audit evidence that
management are appropriately informed, regarding non-compliance that comes to the auditor’s
attention. If in the auditor’s judgment, the non-compliance is intentional and/or material, the auditor
should communicate without delay.
2) If the auditor suspects senior management, then he should communicate to the next higher level, such as
the audit committee. Failing that, he should seek legal advice.
3) In the case of money laundering it may be appropriate to report the matter directly to the appropriate
authority.
Audit report implications
a. If the auditor concludes that the non-compliance has a material effect on the accounts
and has not been properly reflected, he should express a qualified or adverse opinion.
b. If the auditor has not been able to obtain sufficient evidence to evaluate whether a
material non-compliance has occurred, he should qualify his report or issue a
disclaimer of opinion on the basis of a scope limitation.
Third party reporting
• Although the auditor has a duty of confidentiality, where non-compliance gives rise to a
statutory duty to report, the auditor should do so without undue delay.
B. AUDITOR’S RESPONSIBILITIES DEFINED BY CASE LAW ARISING FROM NEGLIGENCE AND
RELATED EXPOSURE AND CONSEQUENCES
Professional Liability
• Auditors may have professional liability under statute law and in the tort of negligence.
Statute law
• There are occasions when auditors have professional liability under statute law:
a. In insolvency legislation, the auditor could be found to be an officer of the company and thus could be
charged with a criminal offence in connection with the winding up of the company.
b. An auditor could be found to be guilty of insider dealing, which is a criminal offence.
c. Auditors could be found guilty of a criminal offence in respect of money laundering issues as to their
failure to report any known suspicions to the proper authority.
d. Failure to report issues that are required under company law such as those mentioned on the audit report.
Tort of negligence
• Negligence is based on common/customary law. It seeks to provide compensation for loss suffered
by one party due to another’s wrongful neglect.
• To succeed, an injured party must prove:
1) A duty of care existed
2) The duty of care was breached
3) The actual breach caused the loss.
Who would take an action against an Auditor
• If an auditor gave an incorrect audit opinion the following parties might take an action:
1) The company
2) The shareholders
3) The bank
4) Other lenders
5) Other interested third parties
• The key difference between all the above mentioned parties is the nature and duty of care owed to them by
the auditor.
Litigation avoidance
• One way of dealing with litigation is to try and avoid it. How?
a. Have clear client acceptance procedures, screen new clients, use an engagement letter.
b. Perform all audit work in accordance with standards and best practice.
c. Have sensible and effective quality control procedures in place.
d. Issue appropriate disclaimers. Auditors may attempt to limit their liability by issuing disclaimers, although
this may not always be effective in law.
C. PRE-APPOINTMENT PROCEDURES
Advertising
• ISA 200 sets out the ethical principles governing the auditor’s professional responsibilities. One of them is professional behaviour.
A member is expected to comply with relevant laws and regulations and should avoid any action that discredits the profession.
• Auditors are like anyone else in business and in business it is necessary to advertise. But this advertising should be aimed at
informing the public in an objective manner and should be in good taste.
• The code of ethics goes on to say that in promoting themselves and their work, members should be honest and truthful and
should not make any exaggerated claims for the services they are able to offer, the qualifications they possess or the experience
they have gained. In addition, they should not make any disparaging references or unsubstantiated comparisons to the work of
others.
Use of logos
• Persons can only use the designated letters of a profession after their name such as in advertisements when they are members of
the said profession. A firm should hold a practicing/auditing certificate to describe themselves as registered auditors.
Tendering
• Client companies can change auditors. In this regard a firm may be approached to submit a tender for an audit. When approached
to tender, an audit firm must consider whether they want to do the work and they must have regard for the ethical considerations,
such as independence and professional competence. In addition, they need to consider fees and other practical issues.
Fees
• A member may quote whatever fee is deemed to be appropriate. The fact that one may quote a lower fee
than another auditor is not in itself unethical. However, it does raise the risk of a threat to the principles of
professional competence and due care in that the fee quoted may be so low as to make it appear to be
difficult to perform the audit to the expected standards.
• Therefore, it is wise to set out the basis of the calculation of the fee. The following factors should be
considered when setting out a fee:
a. What does the job involve? Is it audit and/or tax or is there some other complicated work involved?
b. Which staff will need to be involved, in terms of numbers and quality? How long will they be required? Is the nature
of the business complex?
c. What charge-out rates are to be applied?
• The practice of undercutting fees has been called lowballing and can be seen in action generally where large
audits are concerned. We have seen that having a lower fee may seem to have a negative impact on an
auditor’s perceived independence but there are other factors to be considered:
1. Auditors operate in a market like any other business where supply and demand very often dictate the price.
2. Fees may be lower due to reasons such as better internal audit functions and simplified group structures within client
companies.
3. Auditing firms have increased productivity, whether through the use of more sophisticated IT or experience gained
through understanding the client’s business.
Practical issues
• It is important that the auditor also considers a number of other issues:
a. Can the audit assignment be fitted into the audit firm’s current work plan?
b. Is suitable audit staff available?
c. Will any specialist skills be required?
d. What are the future plans for the company?
e. Is there any training required for current staff and what will be the cost of that
training?
f. What work does the client actually want - Audit and/or tax?
g. Is this the first time the company has been audited?
h. Whether the client is seeking to change its auditors and if so what is the reason
behind it?
Submitting an audit proposal
• There is no set format. In fact, the client may dictate the format whether it be a written
submission or a presentation to the board of directors.
• Whatever the form of the tender submission, the following matters should be included in the
proposal:
1) The audit fee and the basis for its calculation
2) An assessment of the needs of the client
3) How the firm means to meet the needs of the client
4) Any assumptions made to support the proposal
5) The audit approach to be adopted by the firm
6) A brief outline of the firm as seen by the proposer
7) Details and background of the key audit staff on the proposed engagement.
Evaluating the tender
• Different clients will have different ways of evaluating a tender. Some of the more general points
are listed below. It is important to bear these in mind when preparing a proposal:
1. Fee. This can be the most vital point. Some clients go straight to this figure and don’t even bother with the rest of the
document.
2. Professionalism. Auditors are expected to be professional. Remember, first impressions count and the audit team and the
tender documents are often the first factors.
3. Proposed audit approach. Clients are always looking for the least amount of disruption to their already busy schedules,
so the shortest number of days on-site may be the key to winning a tender.
4. Personal service. Fostering relationships is vital. The client should always feel he is getting value for money.
Acceptance
Before accepting the assignment
1. Make sure there are no ethical issues which would prevent you from accepting this assignment.
2. Make sure that you are professionally qualified to carry out the work requested and that your firm has the resources
available in terms of staff, expertise and time.
3. Check out references for the directors of the client firm especially if they are unknown to the audit firm.
4. Consult previous auditors as a matter of professional courtesy and establish from them whether there is anything that
you ought to know about this vacancy.
After accepting the assignment
1. Make sure the resignation of the previous auditors has been properly carried out and that the new appointment is valid.
A board resolution of the company is required.
2. Submit a letter of engagement to the directors of the client company and ensure it is signed before any audit work is
carried out.
• ISQC 1 states that a firm should establish policies and procedures for the acceptance and continuance of client relationships and
specific engagements, designed to provide it with reasonable assurance that it will only undertake or continue relationships and
engagements where it:
o Has considered the integrity of the client and does not have any information that would lead it to conclude that the client lacks integrity,
o Is competent to perform the engagement and has the capabilities, time and resources to do so and
o Can comply with the ethical requirements.
• Where issues have been identified and the firm decides to accept or continue the relationship or a specific engagement, it should
document how the issues were resolved.
Integrity of client
• Matters to be considered:
a. Identity and business reputation of owners, key management and those charged with governance.
b. Nature of the client’s operations and its business practices.
c. Attitude of the owners, key management and those charged with governance towards matters such as aggressive interpretation of
accounting standards and the internal control environment.
d. Client’s attitude to fees.
e. Indications of inappropriate limitation in the scope of work.
f. Indications that client may be involved in money laundering or other criminal activities.
g. Reasons given for non-reappointment of previous auditors.
• Information can be gathered through communications with previous auditors or other professionals who may have provided
services and through other third parties such as bankers, legal counsel and industry peers.
Competence of the firm
• Matters to be considered:
a. Has the firm got sufficient knowledge of the relevant industry and the relevant regulatory environment?
b. Are there sufficient personnel within the firm having the necessary capabilities and competence and are
experts/specialists available when needed?
c. Are competent individuals available to perform quality control reviews?
d. Will the firm be able to complete the engagement within the reporting deadline?
• Other issues
1) Where a potential conflict of interest is identified, the firm should consider whether it is appropriate to
accept the engagement.
2) Need to consider any significant matters that may have arisen during the current or previous engagements
of whatever description.
Agreeing the terms
• ISA 210, Terms of Audit Engagements, establishes standards and provides guidance on:
1. Agreeing the terms of an engagement with the client and
2. The auditor’s response to a request by a client to change those terms to one that provides a lower level of
assurance.
• It states that the auditor and the client should agree on the terms of the engagement. The agreed
terms would need to be recorded in an audit engagement letter or other suitable form of
contract. The terms should be recorded in writing.
• The objective and scope of an audit and the auditor’s obligations may be established by law, but
the auditor may still find that an audit engagement letter will be informative for their clients.
• The main points to be clarified in the letter of engagement would include:
a. Confirmation of the auditor’s acceptance of the appointment.
b. The auditor is responsible for reporting on the accounts to the shareholders.
c. The directors of the company have a statutory duty to maintain the books of the company and are
responsible for the preparation of the financial statements.
d. The directors are responsible for the prevention and detection of fraud.
e. The fact that because of the test nature and other inherent limitations of an audit, there is the
unavoidable risk that some material misstatements may remain undiscovered.
f. The scope of the audit including reference to appropriate legislation and standards.
g. There should be unrestricted access to whatever books and records the auditor needs in the performance
of his duties.
• Other points to be included:
a. Arrangements regarding the planning and performance of the audit.
b. The expectation of receiving from management written confirmation regarding representations made in connection with
the audit.
c. Request for the client to confirm in writing the terms of the letter.
d. The fee to be charged and the credit terms.
e. The form of any reports or other communication of results of the engagement.
Other issues
a. On recurring audits, the auditor should consider whether circumstances require the terms of the
engagement to be revised and whether there is a need to remind the client of the existing terms of the
engagement.
b. An auditor who, before the completion of the engagement, is requested to change the engagement to
one which provides a lower level of assurance, should consider the appropriateness of doing so. Where the
terms are changed, both parties should agree on the new terms. Note, the auditor should not agree to a
change of engagement where there is no reasonable justification for doing so.
Dec 2023 Q3, May 2024 Q2b
Study Unit 5
Audit Planning and Supervision
AUDIT PLANNING
• ISA 300 Planning an Audit of Financial Statements establishes standards and guidance on the considerations and activities
applicable to planning an audit.
1. Plan the audit so that the engagement will be performed in an effective and efficient manner
2. Perform certain procedures at the beginning of the audit:
a) the continuance of the client relationship,
b) evaluation of compliance with ethical requirements including independence and
c) establish an understanding of the terms of the engagement.
3. Establish the overall audit strategy, setting out the scope, timing and direction of the audit.
4. Develop an audit plan in order to reduce audit risk to an acceptably low level.
5. Update and change the audit strategy and plan as necessary during the course of the audit.
6. Plan the nature, timing and extent of the direction and supervision of the audit team and a review of their work.
7. Document the overall audit strategy and the audit plan, including any significant changes made during the audit engagement.
8. Prior to starting an initial audit, perform procedures regarding the acceptance of the client relationship and the specific audit
engagement, and communicate with the previous auditor in compliance with relevant ethical requirements.
Benefits of audit planning
Adequate planning helps to ensure that:
1) Appropriate attention is devoted to the most important areas,
2) Potential problems are identified and resolved on a timely basis,
3) The audit engagement is properly organised and managed,
4) There is proper assignment of work to engagement members,
5) There is direction and supervision of team members and review of their work,
6) There is proper co-ordination of work done by experts.
• The nature and extent of planning activities will vary according to the size and
complexity of the entity, the auditor’s previous experience with the entity and
changes in circumstances that occur during the audit engagement.
• Establishing the overall strategy involves considering the important factors that will determine the
focus of the audit team’s effort, such as:
1. The determination of appropriate materiality levels,
2. Preliminary identification of areas where there may be higher risks of material misstatement,
3. Preliminary identification of material components and account balances,
4. Evaluation of whether the auditor may plan to obtain evidence regarding the effectiveness of internal
control,
5. The identification of recent significant entity-specific, industry, financial reporting or other relevant
developments.
• ISA 300 lists matters the auditor may consider in establishing the overall audit strategy:
1) The scope of the audit engagement,
2) The reporting objectives,
3) Timing of the audit and communications required
4) The direction of the audit.
A. MATERIALITY (ISA 320)
• Information is material if its omission or misstatement could influence the economic decisions of
users taken on the basis of the financial statements.
• Materiality needs to be considered by an auditor in evaluating the effect of misstatements on the
financial statements and when determining the nature, timing and extent of audit procedures.
• In designing the audit plan, the auditor should set an acceptable materiality level. He should
consider this materiality at both the overall financial statement level and in relation to classes of
transactions, account balances and disclosures.
• Factors to be considered are both quantitative and qualitative. An item might be material due to
its nature, value or impact on users of accounts.
1. Nature: Transactions involving directors generally affect users of accounts.
2. Value: Inventory stocks in a manufacturing company may represent a high percentage of
current assets.
3. Impact: An end of year journal could convert a loss into a profit, thus affecting the users of
accounts.
• The auditor’s assessment of materiality helps the auditor to decide:
o What items and how many to examine
o Whether to use sampling and/or analytical procedures
o What audit procedures can be expected to reduce audit risk to an acceptably low level.
• An auditor should consider materiality and its relationship with audit risk when conducting an
audit. The higher the materiality figure is set, the higher the audit risk. The auditor could
compensate for this by either
o Reducing the risk, where this is possible, and supporting this by carrying out extended or additional tests of
control or
o Reducing detection risk by modifying the nature, timing and extent of planned substantive tests.
Problems with Materiality
• Materiality is a matter of judgement.
• Some matters could fall outside the criteria, although they could affect users of the accounts.
• Percentage guidelines need to be used carefully. On what figure do you base the
percentage? Gross profit, profit before directors’ salaries, assets, costs?
Materiality and the audit process
• Materiality needs to be tailored to the business and the anticipated user. An auditor should plan
materiality based on draft figures and any other recent available financial information. These
should be applied to individual balances at the assertion level. All items greater than the set
materiality figure should be tested, with a sample selected from the remaining items. The actual
errors detected should be extrapolated out for the entire population of transactions. A final
materiality should then be based on the results obtained and the actual financial statements
produced.
• To set a materiality level, an auditor needs to decide what level of misstatement (error) would
distort the view given by a set of financial statements.
• The materiality level must be reviewed constantly throughout the audit process as changes may
be required due to changes in the draft accounts, any external factors that may alter the risk
profile of the entity and any actual misstatements uncovered during the audit testing phase.
• The materiality level is often set as a percentage of profits, as profit is generally the figure that most
interested parties check first. However, there are other figures that are also used.
• A range of those values is as follows:
B. AUDIT RISK AND ITS COMPONENTS
• Auditors should assess the risk of material misstatements arising in the financial statements and
carry out procedures in response to assessed risks.
• Risk can be analysed as follows:
• Overall risk is split into audit risk and business risk. Audit risk is sometimes known as assignment or
engagement risk. It is focused on the financial statements of the business. This is the auditor’s main focus.
• Inherent risk is the susceptibility of an account balance or class of transactions to material misstatement,
irrespective of related internal controls. It may be due to the characteristics of those items such as the fact
they are estimates, complex calculations or that they are important items in the accounts. Auditors use their
professional judgment and their understanding of the client company to assess the inherent risk.
• Control risk is the risk that the client’s controls fail to prevent, detect and/or correct material misstatements.
There will always be an element of control risk due to the inherent limitations of internal controls.
• Detection risk is the risk that the audit procedures applied by the auditor will fail to detect material
misstatements. There are limitations to the audit process and detection risk relates to the inability of
auditors to examine all evidence. As a result, some detection risk always exists. Auditors may fail to detect
misstatements for a number of reasons including selecting inappropriate audit procedures, incorrectly
applying an appropriate procedure or simply misinterpreting the results of testing.
• The auditor’s assessment of inherent and control risk will influence the nature, timing and extent of the
substantive procedures which are required to reduce the detection risk and hence, audit risk.
• Business risk arises in the operations of a business. It is split into three distinct types:
o Financial risk - arising from financial activities or financial consequences such as cash flow issues, overtrading, going
concern, breakdown of accounting systems, credit risk and currency risk.
o Operational risks arise with regard to the operations of the business such as risk of losing a major supplier, physical disasters,
loss of key personnel and poor brand management.
o Compliance risks arise from non-compliance with laws and regulations within which the company operates or environmental
issues.
Relationship between risks
• Initially, it would appear that audit risk and business risk are unrelated, as audit risks are limited only to the
financial statements. However, business risks include all risks facing the business and this includes inherent
risks and control risks, which form part of the audit risk.
• Although audit risk is very financial statement focused, business risk does form part of the inherent risk
associated with the financial statements, because if such risks materialise, then the whole going concern
basis of the business could be affected and this has major implications for the financial statements.
IMPACT OF RISK
• AR = IR × CR × DR (audit risk = inherent risk × control risk × detection risk)
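The audit risk model above and the testing approach described under "Materiality and the audit process" (test every item above materiality, sample the rest, extrapolate the errors found), as an added worked example that is not part of the original notes. The risk percentages, ledger balances, the every-n-th-item sample, the ratio projection and the final comparison against materiality are all assumptions constructed for illustration.

```python
"""Added illustration: audit risk model and materiality-driven testing."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    ref: str
    book_value: int     # amount recorded by the client
    audited_value: int  # amount supported by the auditor's testing


def detection_risk(target_ar: float, inherent: float, control: float) -> float:
    """Rearrange AR = IR * CR * DR to get the detection risk the auditor can accept."""
    for name, value in (("AR", target_ar), ("IR", inherent), ("CR", control)):
        if not 0 < value <= 1:
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    # A result above 1 means IR and CR alone already meet the target;
    # a probability cannot exceed 1, so cap it.
    return min(1.0, target_ar / (inherent * control))


def evaluate_population(population, materiality, interval):
    """Test all items above materiality, sample the rest, extrapolate the errors."""
    if interval < 1:
        raise ValueError("interval must be at least 1")
    key_items = [i for i in population if i.book_value > materiality]
    remainder = [i for i in population if i.book_value <= materiality]
    # Assumption: a simple systematic sample (every `interval`-th item).
    sample = remainder[::interval]

    # Errors in key items are known exactly because every one is tested.
    known_error = sum(i.book_value - i.audited_value for i in key_items)

    # Assumption: ratio projection. The error rate found in the sample is
    # applied to the book value of the whole untested remainder.
    sample_error = sum(i.book_value - i.audited_value for i in sample)
    sample_book = sum(i.book_value for i in sample)
    remainder_book = sum(i.book_value for i in remainder)
    projected = round(sample_error * remainder_book / sample_book) if sample_book else 0

    likely = known_error + projected
    return {
        "key_items": [i.ref for i in key_items],
        "sampled": [i.ref for i in sample],
        "known_error": known_error,
        "projected_error": projected,
        "likely_misstatement": likely,
        "exceeds_materiality": abs(likely) > materiality,
    }


# Constructed receivables ledger (not real data).
LEDGER = [
    Item("INV-001", 120_000, 120_000),
    Item("INV-002", 75_000, 70_000),   # overstated by 5,000
    Item("R-01", 10_000, 10_000),
    Item("R-02", 20_000, 20_000),
    Item("R-03", 8_000, 8_000),
    Item("R-04", 40_000, 36_000),      # overstated by 4,000
    Item("R-05", 12_000, 12_000),
    Item("R-06", 30_000, 30_000),
    Item("R-07", 15_000, 15_000),
    Item("R-08", 25_000, 25_000),
    Item("R-09", 15_000, 15_000),
    Item("R-10", 35_000, 35_000),
]

if __name__ == "__main__":
    # Higher assessed inherent and control risk leaves less room for detection risk.
    print("Acceptable DR:", detection_risk(0.05, 0.8, 0.5))
    for key, value in evaluate_population(LEDGER, 50_000, 3).items():
        print(f"{key}: {value}")
```
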
C. AUDIT STRATEGIES
The risk based audit approach
• Risk is a key issue in any audit and the most common approach to carrying out an audit
incorporates recognition of those risks. This is called the risk-based approach.
• There are other approaches and other techniques, and the risk-based approach is used in
conjunction with these other approaches.
Why is risk-based auditing increasingly used?
i. Growing complexity of the business environment, such as advanced computer
systems and the globalisation of business, increases the risk of fraud or misstatement.
ii. Pressure on auditors to keep fees down but improve the level of service.
• ISA 315 requires that auditors consider the entity’s process for assessing its own business
risks. They must consider the factors that lead to the problems which may cause material
misstatements and what the audit can contribute to the business in pursuing its goals.
• The risk analysis stage is a very important part of the planning of an audit as it allows the auditor
to:
i. Identify the main areas where possible errors might occur,
ii. Plan the work to address any of these possible errors,
iii. Uncover errors as early as possible during the audit process,
iv. Carry out the audit as efficiently as possible,
v. Reduce the risk of an incorrect audit opinion,
vi. Reduce the risk of litigation.
• The risk based approach will affect:
i. How the audits are planned,
ii. The nature of the audit evidence to be gathered by the auditor,
iii. The nature of the procedures that need to be carried out by the auditor,
iv. The amount of evidence that needs to be gathered.
The business risk approach
• The business risk approach was developed because it was believed that in some instances the risk
of misstatement arises mainly from the business risks of the company.
• This business approach tries to mirror the risk management steps that have been taken by the
directors.
• It is also known as the top down approach in that it starts at the objectives of the company and
works down to the financial statements, rather than working up from the financial statements
which has been the historical approach to auditing.
Principal risks include:
i. Economic pressures causing reduced sales and eroding margins,
ii. Demands for extended credit,
iii. Product quality issues re inadequate control over supply chain etc.,
iv. Customer dissatisfaction re order requirements and invoicing errors etc.,
v. Unacceptable service response calls,
vi. Out of date IT systems.
Business risk approach advantages:
i. There is added value given to clients as the approach focuses on the business as a whole rather than just the financial
statements.
ii. Where audit attention is focused on high levels of controls and use of analytical procedures, there is increased audit efficiency.
iii. There is no need to focus on routine processes where technological developments have rendered them less prone to error
than in previous times.
iv. The approach responds to corporate governance issues in recent years.
v. There is a lower engagement risk through a better understanding of the client’s business.
Systems and controls
• This approach is always used in conjunction with other approaches as substantive testing can
never be eliminated completely.
• Management is required to institute a system of controls which is capable of safeguarding the
assets of the shareholders. Auditors assess the controls put in place by directors and ascertain
whether they are effective and can be relied on for the purposes of the audit. They carry out tests
to ensure that the systems operate as they are supposed to. If the controls are ineffective, the
control risk is high and it is important to undertake higher levels of substantive testing.
Cycles and transactions
• An auditor may choose to carry out substantive tests on the transactions of the business in the
relevant period. Cycles testing is closely linked to systems testing, as it is based on the same
systems. However, with the cycles approach, the auditors test the transactions which have
occurred, resulting in the entries in the books, such as sales transactions, purchases, expenses
etc. The auditor substantiates the transactions which appear in the financial statements.
• A sample of transactions is selected and each transaction is tested to ensure that the transaction
is complete and is processed correctly through the complete cycle.
Balance Sheet approach
• An auditor may choose to carry out substantive tests on the year end balances.
• This is the most common approach to substantive testing after controls have been tested.
• The balance sheet shows a snapshot of the financial position. If it is fairly stated and the previous
years’ figures were also fairly stated, then it is reasonable to undertake lower level testing on the
profit and loss transactions e.g. analytical review.
Directional testing
• Directional testing is a method of discovering errors and omissions in the financial statements
through undertaking detailed substantive testing. It can be broken down into two categories, tests
to discover errors and tests to discover omissions.
• Checking entries from the books back to supporting documentation should help to detect errors
causing an overstatement or an understatement. For example, selecting sales transactions from
the sales ledger and tracing them back to sales invoices and price lists to ensure that sales are
priced correctly.
• To discover omissions the auditor must start from outside the accounting records and
trace through to the records in the books. For example, to check the completeness of
purchases, select a number of GRNs and check through to the stock records and the
purchase ledger.
• Directional testing is appropriate when testing the financial statement assertions of
existence, completeness, rights & obligations, and valuation.
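The two directions of testing described above, as an added example that is not part of the original notes: ledger entries traced back to invoices and the price list to find errors, and GRNs traced forward to the stock records and purchase ledger to find omissions. All record layouts, reference numbers and amounts are constructed for illustration.

```python
"""Added illustration: directional testing over constructed records."""


def trace_ledger_to_source(sales_ledger, invoices, price_list):
    """Books -> supporting documents: finds recorded sales that are unsupported or mispriced."""
    exceptions = []
    for entry in sales_ledger:
        invoice = invoices.get(entry["invoice_no"])
        if invoice is None:
            exceptions.append((entry["invoice_no"], "no supporting invoice"))
            continue
        unit_price = price_list.get(invoice["product"])
        if unit_price is None:
            exceptions.append((entry["invoice_no"], "product not on price list"))
            continue
        expected = invoice["qty"] * unit_price
        if entry["amount"] != expected:
            exceptions.append(
                (entry["invoice_no"],
                 f"recorded {entry['amount']}, price list supports {expected}")
            )
    return exceptions


def trace_source_to_ledger(grns, stock_records, purchase_ledger):
    """Outside the books -> records: finds goods received that were never recorded."""
    omissions = []
    for grn in grns:
        missing_from = []
        if grn not in stock_records:
            missing_from.append("stock records")
        if grn not in purchase_ledger:
            missing_from.append("purchase ledger")
        if missing_from:
            omissions.append((grn, missing_from))
    return omissions


# Constructed sample data (not real records).
SALES_LEDGER = [
    {"invoice_no": "S-101", "amount": 5000},
    {"invoice_no": "S-102", "amount": 3300},  # priced above the price list
    {"invoice_no": "S-103", "amount": 1200},  # no invoice on file
]
INVOICES = {
    "S-101": {"product": "A", "qty": 10},
    "S-102": {"product": "B", "qty": 6},
}
PRICE_LIST = {"A": 500, "B": 500}

GRNS = ["GRN-1", "GRN-2", "GRN-3"]
STOCK_RECORDS = {"GRN-1", "GRN-2"}
PURCHASE_LEDGER = {"GRN-1", "GRN-3"}

if __name__ == "__main__":
    print("Errors (ledger to source):")
    for ref, reason in trace_ledger_to_source(SALES_LEDGER, INVOICES, PRICE_LIST):
        print(f"  {ref}: {reason}")
    print("Omissions (source to ledger):")
    for ref, missing in trace_source_to_ledger(GRNS, STOCK_RECORDS, PURCHASE_LEDGER):
        print(f"  {ref}: missing from {', '.join(missing)}")
```
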
Auditing around the computer
• The auditor is primarily interested in verifying that the data are being correctly input and
processed by the computer.
• Audit activity is focused on ensuring that the source documentation is processed
correctly and the auditor would verify this by checking the output documentation.
• What happens within the computer itself is ignored.
• However, there are issues with a lack of a paper trail and it is not practical for large
company audits.
Auditing through the computer system
• The auditor performs tests on the computer and its software to evaluate if they are both effective.
• If the auditor finds that the computerised controls and systems are effective, the auditor will perform
reduced substantive testing.
• This is likely to involve the use of computer assisted auditing techniques (CAATs).
• The use of a computer as an audit tool or the use of CAATs may improve the efficiency and effectiveness of
audit procedures.
• It is particularly of use in tests of numerous details of transactions and balances.
General
• When seeking to identify an appropriate strategy for a particular audit, it is important to remember that the
approaches are linked and in some cases it is wise to use two or more.
• Directional testing with balance sheet approach as they are both substantive testing issues.
• Risk and cycles based approach with low level of large transactions.
• Risk and balance sheet approach where substantial numbers of sales transactions with substantial
receivables.
D. KNOWLEDGE OF THE ENTITY AND ITS ENVIRONMENT
• ISA 315 (Revised) Understanding the entity and its environment and assessing the risks of material
misstatement establishes standards and guidance on obtaining an understanding of the entity and its
environment including its internal control, and on assessing the risks of material misstatement in a financial
statement audit.
Why do we need an understanding of an entity?
1. Helps identify risks of material misstatements.
2. Helps auditor to design and perform relevant audit procedures.
3. Helps auditor in the exercise of judgement where necessary.
How do we obtain understanding?
1. Performing risk assessment procedures such as inquiries of management and others within the entity,
analytical procedures, and observation and inspection.
2. Determining whether changes have occurred that may affect the relevance of information, obtained in
prior periods, in the current audit.
3. Ensuring that members of the engagement team discuss the susceptibility of the entity’s financial
statements to material misstatements.
What do we need to understand?
1. Obtain an understanding of the entity and its environment, including its internal control.
2. Obtain an understanding of relevant industry, regulatory and other external factors including the
applicable financial reporting framework.
3. Obtain an understanding of the nature of the entity, such as its operations, ownership, governance, types
of investments it is making, structure and financing.
4. Obtain an understanding of the entity’s selection and application of accounting policies and consider
whether they are appropriate for its business and consistent with the applicable financial reporting
framework and accounting policies used in the relevant industry.
5. Obtain an understanding of the entity’s objectives and strategies, and the related business risks that may
result in material misstatements of the financial statements.
6. Obtain an understanding of the measurement and review of the entity’s financial performance such as
internal management information (budgets, variance analysis, department reports) and external
information (analyst’s reports and credit rating agency reports).
7. Obtain an understanding of internal control relevant to the audit.
8. Obtain an understanding of the control environment.
9. Obtain an understanding of the entity’s process for identifying business risks relevant
to financial reporting objectives and deciding about actions to address those risks, and
the results thereof.
10. Obtain a sufficient understanding of control activities to assess the risks of material
misstatements and to design further audit procedures responsive to assessed risks.
Examples of specific control activities include authorisation, performance reviews,
information processing, physical controls and segregation of duties.
Risk assessment procedures
1. Observation of activities and operations,
2. Inspection of documents and records,
3. Reading reports prepared by management,
4. Visits to premises and plant facilities,
5. Carrying out walk-through tests.
Controls relevant to the audit
• Ordinarily, controls that are relevant to an audit pertain to the objective of preparing financial statements.
• Controls over the completeness and accuracy of information may also be relevant if the auditor intends to make use of the
information in designing and performing further procedures.
• Controls relating to operations and compliance objectives may be relevant if they pertain to data the auditor evaluates or uses in
applying audit procedures.
Information systems
• The auditor should obtain an understanding of the information systems, including the business processes relevant to financial
reporting and in the following areas:
1. The classes of transactions in the entity’s operations that are significant to the financial statements;
2. The procedures, within both IT and manual systems, by which those transactions are initiated, recorded, processed and
reported in the financial statements;
3. The related accounting records, whether electronic or manual, supporting information, and specific accounts in the financial
statements, in respect of initiating, recording, processing and reporting transactions;
4. How the information systems capture events and conditions, other than classes of transactions, that are significant to the
financial statements;
5. The financial reporting processes used to prepare the entity’s financial statements, including significant accounting estimates
and disclosures.
Assessing the risks of material misstatement
• The auditor should:
1. Identify risks throughout the process,
2. Relate the risk to what can go wrong at the assertion level,
3. Consider whether the risks are of a magnitude that could result in a material misstatement in the financial statements,
4. Consider the likelihood that the risks could result in a material misstatement of the financial statements.
E. RESPONSE TO ASSESSED RISKS OF MATERIAL MISSTATEMENT
• ISA 330 The auditor’s procedures in response to assessed risks establishes standards and provides guidance on determining overall
responses and designing and performing further audit procedures to respond to the assessed risks of material misstatements.
Overall responses may include:
1) Emphasising to the audit team the need to maintain professional scepticism,
2) Assigning more experienced staff or hiring expert help when needed,
3) Providing more supervision,
4) Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed,
5) Making changes to the nature, timing, or extent of audit procedures.
• The assessment of the risk of material misstatement is affected by the auditor’s understanding of the control
environment. An effective control environment may allow an auditor to have more confidence in internal
control and the reliability of audit evidence generated internally within the entity.
• If there are weaknesses in the control environment, the auditor:
a) Conducts more procedures as of the period end rather than an interim date,
b) Seeks more extensive audit evidence from substantive procedures,
c) Modifies the nature of procedures to obtain more persuasive audit evidence,
d) Increases the number of locations to be included in the audit scope.
• The evaluation of the control environment will help the auditor determine whether there should be a
substantive or a combined approach (tests of controls and substantive procedures).
• In designing further audit procedures, the auditor should consider:
1. The significance of the risk,
2. The likelihood that a material misstatement will occur,
3. The characteristics of the class of transactions or account balances,
4. The nature of specific controls and whether they are manual or automated,
5. Whether the auditor expects to obtain evidence to determine if controls are effective in preventing, or detecting and
correcting material misstatements.
• The nature of further audit procedures refers to their:
o Purpose - Tests of controls or substantive procedures;
o Type - Inspection, observation, inquiry, confirmation, recalculation, re-performance, analytical procedures.
General planning matters
• When planning an audit you also need to consider some administrative matters:
o Staffing: Have the staff got the correct level of qualifications and experience? Do they have specialist skills that may be
required? What about the staff’s relationships amongst themselves and with client staff? Are staff available, and what about
travel arrangements?
o Client management: Continuity of staff is often important to client companies. Also, consistency of staff may help audit
efficiency.
o Location of audit: Need to consider the distance for audit staff to travel, the staff’s mobility and the location of the review by
the manager. Multiple locations often require a decision as to which locations should be visited, the allocation of your staff
to these locations and managing the visits to each selected site.
o Deadlines: Key deadlines are stock-counts, date of draft accounts available, main audit visit, audit manager review, partner
review, audit clearance meeting, audit report to be signed and date of the Annual Meeting. It is important to plan the work
so that these deadlines can be achieved.
o Use of IT: Need to consider whether the client has a computerised system and whether the auditor will use CAATs. Will the
auditor use computers to complete the working papers and communicate with the partner?
o Time budgets: These are an important part of planning. Times should be estimated accurately and communicated to the
audit team. The audit team should record variances from the budget for planning purposes for the next audit.
Audit Evidence
• The purpose of ISA 500 is to establish standards and provide guidance on what constitutes audit
evidence in an audit of financial statements, the quantity and quality of audit evidence to be
obtained, and the audit procedures that auditors use for obtaining that audit evidence.
• In order to form an opinion, an auditor must obtain evidence. This evidence should be sufficient,
relevant and reliable. The auditor designs substantive procedures to obtain this evidence about
the financial statement assertions.
• By approving the financial statements, the directors are making representations about the
information therein. These assertions may fall into the following categories:
(a) Assertions about classes of transactions and events for the period under audit:
1. Occurrence—transactions and events that have been recorded have occurred and pertain to the entity.
2. Completeness—all transactions and events that should have been recorded have been recorded.
3. Accuracy—amounts and other data relating to recorded transactions and events have been recorded
appropriately.
4. Cut-off—transactions and events have been recorded in the correct accounting period.
5. Classification—transactions and events have been recorded in the proper accounts.
(b) Assertions about account balances at the period end:
1. Existence—assets and liabilities exist.
2. Completeness—all assets and liabilities that should have been recorded have been recorded.
3. Rights and obligations—the entity holds or controls the rights to assets, and liabilities are the
obligations of the entity.
4. Valuation and allocation —assets and liabilities are included in the financial statements at
appropriate amounts.
(c) Assertions about presentation and disclosure:
1. Occurrence and rights and obligations—disclosed events, transactions, and other matters have
occurred and pertain to the entity.
2. Completeness—all disclosures that should have been included in the financial statements have
been included.
3. Classification and disclosures —financial information is appropriately presented and described,
and disclosures are clearly expressed.
4. Accuracy and valuation—financial and other information are disclosed fairly and at appropriate
amounts.
Procedures used by auditors to obtain evidence
1. Inspection of tangible assets: Inspection confirms existence and valuation and gives evidence
of completion. It does not however confirm rights and obligations.
2. Inspection of documents and records: Confirmation of documentation confirms existence of
an asset or that a transaction has occurred. Confirmation that items are in the books shows
completeness. Also helps testing cut-off. It provides evidence of valuation, measurement,
rights and obligations and presentation and disclosure.
3. Observation: This procedure is of limited use in that it only confirms that a procedure took
place when it was observed.
4. Inquiry and confirmation: Information sought from client or external sources. The strength of
the evidence depends on knowledge and integrity of the source of the information.
5. Recalculation and Re-Performance: Checking calculations of client records.
6. Audit automation tools: Such as computer assisted auditing techniques.
7. Analytical procedures
QUALITIES OF GOOD AUDIT EVIDENCE
a) Sufficient and appropriate
• Sufficiency is the measure of the quantity of the evidence, while the appropriateness is the measure of the quality (reliability &
relevance) of the evidence. This applies to both tests of controls and substantive procedures.
b) Appropriate – relevant
• The relevance of audit evidence should be considered in relation to the overall objective of forming an audit opinion and reporting
on the financial statements. The evidence should allow the auditor to conclude on the following:
o Balance sheet items: Are there suitable completeness, existence, ownership, valuation and disclosure issues?
o Profit and loss items: Are there suitable completeness, occurrence, valuation and disclosure issues?
c) Appropriate – reliable
• Reliability of audit evidence depends on the particular circumstances of each case. However, the following should be considered:
i. Documentary evidence is more reliable than oral evidence,
ii. Evidence from external independent sources is generally more reliable than that within an entity,
iii. Evidence obtained by the auditor by such means as analysis and physical inspection is more reliable than evidence obtained by others.
F. DOCUMENTATION
Audit planning memo
• An audit plan is the formulation of the general strategy for the audit, which sets out the direction
for the audit, describes the expected scope and conduct of the audit and provides guidance for
the development of the audit programme. This plan is in the form of a written document.
Audit programme
• An audit programme is a set of written instructions to the audit team that sets out the audit
procedures the auditor intends to adopt and may include references to other matters such as the
audit objectives, timing, sample size and basis of selection for each area. It also serves as a means
to control and record the proper execution of the work.
Working Papers
• All evidence obtained during an audit should be documented. Working papers are the property of
the auditor. The auditor’s working papers are the evidence of all the work done which supports
his audit opinion. In addition, they provide evidence that the audit was carried out in accordance
with the standards and other regulatory requirements. Furthermore, they help in the planning,
performance, supervision and subsequent review of the audit.
• Working papers should be reviewed by more senior members of staff
before an audit conclusion is reached.
• The review should consider whether:
i. The work has been performed in line with the detailed audit programmes,
ii. The work performed and the results thereof have been adequately documented,
iii. Any significant matters have been resolved or are reflected in the audit opinion,
iv. The objectives of the audit procedures have been achieved,
v. The conclusions expressed are consistent with the results of the work performed
and support the opinion of the auditor.
• For recurring audits, working papers may be split into a permanent audit
file and a current audit file.
• Audit working papers should be retained for a period of at least 7 years.
G. AUDIT SUPERVISION AND REVIEW
• ISQC1 Quality Control for firms that perform audits and reviews of historical financial information, and other
assurance and related services engagements helps audit firms establish quality standards for their own
business, while ISA 220 Quality Control for audits of historical financial information requires firms to
implement quality control procedures over individual audit assignments.
Quality control at audit engagement level
Engagement performance
• ISA 220.21 states that the engagement partner should take responsibility for the direction, supervision and
performance of the audit engagement in compliance with professional standards and regulatory and legal
requirements, and for the auditor’s report that is issued to be appropriate in the circumstances.
• The audit engagement can be directed by informing members of the team of:
i. Their responsibilities such as maintaining an objective state of mind, an appropriate level of professional scepticism and
performing the work in accordance with due care,
ii. The nature of the entity’s business,
iii. Risk related issues,
iv. Problems that may arise,
v. The detailed approach to the performance of the engagement.
Supervision includes:
i. Tracking the progress of the engagement,
ii. Considering the capabilities and competence of members of the team, whether they have sufficient
time, whether they understand their instructions, and whether the work is being carried out in accordance with
the planned approach;
iii. Addressing significant issues as they arise, considering their significance and modifying the planned
approach appropriately;
iv. Identifying matters for consultation by more experienced engagement team members during the
engagement. This is done not just by the partner, but by all members of staff at different levels.
Review
Review responsibilities are determined on the basis that the more experienced members of the audit
engagement review work performed by less experienced persons. The reviewers consider whether:
i. The work has been performed in accordance with professional standards,
ii. Significant matters have been raised for further consultation,
iii. Appropriate consultations have taken place and the consultations have been documented and
implemented,
iv. There is a need to revise the nature, timing and extent of the work performed,
v. The work performed supports the conclusions reached and is appropriately documented,
vi. The evidence obtained is sufficient and appropriate to support the auditor’s report,
vii. The objectives of the audit engagement procedures have been achieved.
• Before the auditor’s report is issued, the engagement partner, through review of the audit documentation
and discussion with the engagement team, should be satisfied that sufficient appropriate audit evidence has
been obtained to support the conclusions reached and for the audit report to be issued.
Quality control review
For audits of financial statements of listed companies, the engagement partner should:
• Appoint a quality control reviewer,
• Discuss significant matters with the reviewer which have arisen,
• Not issue the audit report until completion of the review.
May 2024 Q3bc, Feb 2024 Q3,Q5, Aug 2023 Q1,Q3, April 2023 Q4,Q6
Study Unit 6
Internal Control – Assessing Control Risk & Tests of Control
A. INTERNAL CONTROL
Definition and components
• ISA 315 defines internal control as the process designed and implemented by those charged with
governance to provide reasonable assurance about the achievement of the entity’s objectives.
• Internal control consists of the following components:
1. The control environment,
2. The entity’s risk assessment process,
3. The information system,
4. Control activities,
5. Monitoring of controls.
Responsibilities-Management
• The management team of a company is responsible for achieving an entity’s objectives such as:
1. The reliability of financial reporting,
2. The effectiveness and efficiency of operations and
3. Compliance with applicable laws and regulations.
Responsibilities - Auditors
• Control risk is an element of audit risk. Control risk exists where the client’s controls fail to prevent, detect
and/or correct material misstatements.
• Therefore, auditors need to assess the controls put in place by management and ascertain whether they are
effective and can be relied upon for the purposes of the audit. The auditor’s primary consideration is
whether a specific control prevents, detects or corrects material misstatements. The auditor carries out tests
to ensure that the systems operate as they are supposed to. If the controls are ineffective, the control risk is
high and it is likely that it will be necessary to undertake higher levels of substantive testing.
Gaining an understanding of internal control
• ISA 315 states that the auditor should obtain an understanding of internal controls relevant to the audit.
• In obtaining an understanding of internal control, the auditor must gain an understanding of the:
i. Design of the internal control: it should be capable of preventing, detecting or correcting material misstatements;
ii. Implementation of that control: it should be operating correctly throughout the period in question.
• Risk assessment procedures to obtain audit evidence about the design and implementation of
relevant controls may include:
1. Inquiring of personnel,
2. Observing the application of specific controls,
3. Inspecting documents and reports,
4. Tracing transactions through the information system.
Control environment
• The control environment consists of the governance and management functions and the
attitudes, awareness and actions of management concerning internal control. Auditors may
obtain an understanding of the control environment through the following elements:
1. Communication and enforcement of integrity and ethical values
2. Commitment to competence
3. Participation by those charged with governance
4. Management’s philosophy and operating style
5. Organisational structure
6. Assignment of authority and responsibility
7. Human resources policies and practices
Entity’s risk assessment process
• Auditors should assess whether the entity has a process to identify the business risks relevant to financial
reporting objectives, estimate their significance, assess the likelihood of their occurrence, and
decide on actions to address them. If auditors have identified such risks that the entity’s process did not, they should evaluate the
reasons why the risk assessment process failed to identify them, determine whether there is a significant
deficiency in internal controls in identifying the risks, and discuss this with management.
The Information system, including the relevant business processes, relevant to financial reporting and
communication
• Auditors should also obtain an understanding of the information system, including the related business
processes, relevant to financial reporting, including the following areas:
o The classes of transactions in the entity’s operations that are significant to the financial statements, and the procedures by which
transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the
financial statements.
o How the information system captures events and conditions that are significant to the financial statements.
o The financial reporting process used to prepare the entity’s financial statements.
o Controls surrounding journal entries.
o How the entity communicates financial reporting roles, responsibilities and significant matters to those charged
with governance and to external regulatory authorities.
Control activities relevant to the audit
• Auditors should obtain a sufficient understanding of control activities relevant to the audit in order to assess
the risks of material misstatement at the assertion level, and to design further audit procedures to respond
to those risks. Control activities, such as proper authorisation of transactions and activities, performance
reviews, information processing, physical control over assets and records, and segregation of duties, are
policies and procedures that address risks and help ensure that management directives are carried out.
Monitoring of controls
• In addition, auditors should obtain an understanding of major types of activities that the entity uses to
monitor internal controls relevant to financial reporting and how the entity initiates corrective actions to its
controls. For instance, auditors should obtain an understanding of the sources and reliability of the
information that the entity uses in monitoring the activities. Sources of information include internal auditor
reports and reports from regulators.
Limitations of internal control systems
• Effective internal control systems can only provide reasonable, not absolute, assurance to achieve the
entity’s financial reporting objective due to the inherent limitations of internal control – for example,
management override of internal controls. Therefore, auditors should identify and assess the risks of
material misstatement at the financial statement level and assertion level for classes of transactions, account
balances and disclosures.
• Additionally, controls can be circumvented by the collusion of two or more people or
inappropriate override by management of internal control. Smaller entities often have
fewer employees which may limit the extent to which segregation of duties is
practicable. However, for key areas, even in a very small entity, it can be practicable to
implement some degree of segregation of duties or other form of unsophisticated but
effective controls.
• The potential for override of controls by the owner-manager depends to a great extent
on the control environment and in particular, the owner-manager’s attitudes about the
importance of internal control.
• The costs of control may outweigh their benefits.
• Many controls are designed to deal with routine transactions and as such may fail to
detect non-routine transactions. The existence of these limitations is the reason why the
auditor does not just check the system of internal control. Irrespective of the assessed risk
of material misstatements, the auditor should design and perform substantive tests for
each material class of transaction, account balance and disclosure. An auditor’s
assessment of risk is judgemental and there are inherent limitations to internal control.
Small companies
• Due to the size of small companies, many of the controls that would be relevant may not exist or even be practical. In addition,
their cost may severely outweigh their benefit. This means many small companies rely on the close involvement of the
owner/managers. This can be a good thing. However, it also gives rise to the risk of override of existing controls and the omission
of transactions.
• Lack of operating controls and insufficient records can cause the auditor great difficulty in carrying out an audit.
• Specific controls such as segregation of duties are likely to suffer in small companies. Auditors will be faced with additional
difficulties in the event that a small company is managed by a person other than the owner. It would be important to assess the
controls exercised by the owner over the management of the company.
D. ASSESSING THE RISK OF MATERIAL MISSTATEMENT
• Misstatements can arise through inherent risks and control risks.
• So the auditor is concerned with assessing policies and procedures of the entity which are relevant to the financial statements. The
auditor should:
1. Assess the accounting information system as to its adequacy in producing a set of accounts for the entity,
2. Seek to identify any potential misstatements that could occur,
3. Consider all factors that might affect the risk of misstatements,
4. Design appropriate audit procedures whose nature, timing and extent are responsive to the risks.
• The assessment of controls will have a big impact on risk assessment.
• Where good controls are identified, the auditors should perform work in that area to provide the
necessary audit evidence.
• Where there are weak controls identified the auditor needs to consider:
1. What errors could be possible,
2. Could such errors be material to the accounts,
3. What substantive procedures will enable such errors to be detected and quantified?
Outcomes
• The existence of a satisfactory control environment can be a positive factor when the auditor
assesses the risks of material misstatement and influences the nature, timing, and extent of the
auditor’s further procedures. In particular, it may help reduce the risk of fraud, although a
satisfactory control environment is not an absolute deterrent to fraud.
• Conversely, weaknesses in the control environment may undermine the effectiveness of controls
and therefore become negative factors in the auditor’s assessment of the risks of material
misstatement, in particular in relation to fraud.
• In some extreme cases, the control environment may be so poor as to raise questions as to whether the accounts are capable of
being audited. The control risk may be so high that audit risk cannot be reduced to an acceptable level.
• Where substantive procedures alone do not provide the auditor with sufficient evidence and risks remain, the auditor should
evaluate the design and determine the operational effectiveness of controls. This is particularly important where systems are
highly computerised with little or no manual intervention.
E. TESTS OF CONTROLS
• Tests of controls may include the following:
1. Inspection of documents, for example to see whether transactions have been authorised,
2. Inquiries as to who carried out the controls rather than who is supposed to carry out the control,
3. Re-performance of controls such as reconciling a bank account as distinct from reviewing the bank reconciliation prepared by someone else,
4. Examination of evidence such as minutes of meetings of management team or board of directors,
5. Observation of controls in action.
• When assessing the evidence, the auditors need to consider:
o How the controls were applied,
o The consistency with which they were applied throughout the period,
o By whom they were applied.
• The use of computer assisted auditing techniques (CAATs) may be appropriate particularly where there is a huge amount of data or
complex computer systems in use by the entity.
Assessment of Control Risk
• Poor controls or non-existent controls relevant to the financial statement assertions could lead to a higher
degree of control risk. The auditor will need to consider how to respond to this.
• Furthermore, the auditors may find that the evidence they obtain suggests that controls did not operate as
expected. If the evidence contradicts the original risk assessment the auditors will have to amend the further
audit procedures they had planned to carry out. In particular, if control testing reveals that controls have not
operated effectively throughout the period the auditor may have to extend his substantive testing.
Management Letter Reporting
• At the “gaining an understanding” stage of the audit you could draw up a letter to management
recommending any improvements you consider from your findings, even at this early stage. Perhaps you
have noted weaknesses in the design of a control or the actual absence of a vital control. In addition, what
you have learned here may influence the type of further audit testing you may carry out later on.
• Furthermore, during your test of the operating effectiveness of controls you may uncover significant
weaknesses in internal controls and these should also be communicated in writing to those charged with
governance.
F. ASSESSMENT OF IMPACT ON AUDIT STRATEGY
• An effective internal control system may allow an auditor to have more confidence in the
reliability of audit evidence generated internally within the entity.
• If there are weaknesses in the control environment, the auditor needs to:
o conduct more procedures as of the period end rather than an interim date,
o seek more extensive audit evidence from substantive procedures,
o modify the nature of procedures to obtain more persuasive audit evidence.
• The evaluation of the control environment will help the auditor determine whether there should
be a substantive or a combined approach (tests of controls and substantive procedures).
• In designing further audit procedures, the auditor should consider:
o the significance of the risk,
o the likelihood that a material misstatement will occur,
o the characteristics of the class of transactions or account balances,
o the nature of specific controls and whether they are manual or automated,
o the evidence gathered in determining if controls are effective in preventing, or detecting and correcting
material misstatements.
G. THE RECORDING OF CONTROL SYSTEMS
• There are several techniques for recording the assessment of control risk. One or more may be
used depending on the complexity of the system.
1. Narrative notes: These are written descriptions of the processes and procedures. They are easy to prepare
but can become long-winded and time-consuming.
2. Flowcharts: Diagrams setting out the flow of the process and the procedures. Great visually but can be
difficult to prepare.
3. Questionnaires: ICQ or ICEQ (Internal Control Questionnaire or Internal Control Evaluation Questionnaire)
4. Checklists
• Whatever method is used the data should be retained on the permanent audit file and updated
each year where relevant.
ICQs (Internal control questionnaires)
• They comprise a list of questions designed to determine whether desirable controls are present
within an entity. They are designed to ensure that each of the major transaction cycles is covered.
• Their primary purpose is to evaluate the system rather than describe it. Therefore, a yes/no
answer will suffice.
Advantages of ICQs
• They can ensure that all controls are considered
• Quick to prepare
• Easy to use and control
Disadvantages of ICQs
• Client may be able to overstate controls
• May be a large number of irrelevant controls
• May not include unusual controls
• Can give impression that all controls are of equal weight
ICEQs (Internal control evaluation questionnaires)
• These are used to determine whether there are controls which prevent or detect specified errors or
omissions. These are more concerned with assessing whether specific errors are possible rather than
establishing whether certain desirable controls are present. These questions concentrate on significant
errors or omissions that could occur at each phase of a cycle if controls were weak.
ADVANTAGES AND DISADVANTAGES OF ICQs AND ICEQs
ADVANTAGES
• If drafted thoroughly, they can ensure all controls are considered.
• They are quick to prepare
• They are easy to use and control.
• Because they are drafted in terms of objectives rather than specific controls, ICEQs are easier to apply to a
variety of systems than ICQs.
• Answering ICEQs should enable auditors to identify the key controls which they are most likely to test during
control testing.
• ICEQs can highlight deficiencies where extensive substantive testing will be required.
DISADVANTAGES
• The principal disadvantage is that they can be drafted vaguely, hence misunderstood and important controls
not identified.
• They may contain a large number of irrelevant controls.
• They may not include unusual controls, which are nevertheless effective in particular
circumstances.
• They can give the impression that all controls are of equal weight. In many systems one NO
answer (for example lack of segregation of duties) will cancel out a string of YES answers.
• The client may be able to overstate controls.
H. AUDIT PROGRAMMES
SALES
PURCHASES
Control Objectives
1. Ordering
• All orders are authorised, received and are actually for the entity.
• All orders are to authorised suppliers.
• Orders are at a fair price.
2. Receipts and invoices
• All receipts are for the entity and not for personal use.
• Receipts are only accepted if proper authorised orders exist.
• All receipts are recorded accurately.
• Liabilities are recognised for all receipts.
• All credits due are claimed and received.
3. Accounting
• All invoices are for orders received.
• All invoices are authorised.
• All invoices are recorded in appropriate ledgers and daybooks.
• All credits are recorded in appropriate ledgers and daybooks.
• All entries are in the correct purchase ledger account.
• Cut-off is applied correctly.
Control Activities
1. Ordering
• Segregation of duties
• Evidence of re-order quantities and levels
• Orders prepared from pre-numbered requisitions
• Orders authorised
• Pre-numbered order books and safe custody of such books
• Review orders not received
• Regular monitoring of supplier terms and conditions
2. Receipts and invoices
• Examine goods received. Checking quality and quantity
• Record receipt in goods inwards records
• Match receipts with order details
• Appropriate referencing of invoices
• Examine invoice and check price, quantity and calculations. Match to receipts and order documents
• Record all goods returned and ensure credit is claimed
3. Accounting
• Segregation of duties
• Record all purchases and returns in daybooks and appropriate ledgers
• Review purchase ledger and reconcile accounts to supplier statements
• Payments should be authorised only after all checking procedures complete
• Reconcile creditors control account to a list of purchase ledger accounts
• Cut-off is appropriate
Tests of controls
Ordering
1. Check that all new suppliers are authorised.
2. Check that authorisation by senior staff has been obtained for all new orders and is within limits set.
3. Review order books for orders not completed and enquire of same.
Receipts and invoicing
1. Check invoices are supported by a goods received note and order, are entered in stock records, priced correctly, calculations are checked and are appropriately referenced.
2. Check all returns are matched to a received credit note and this credit note should be traced to the stock records.
3. Check all invoices and credit notes have been entered to the purchase ledger and the appropriate daybooks.
4. Check all credit notes received for relevant supporting documentation.
5. Review numerical sequence of order books, goods received notes and goods returned books and enquire of unmatched numbers or missing numbers.
6. Enquire of supplier invoices not matched with goods received notes or orders.
Processing purchases
1. Check all invoices and credit notes in the daybooks are evidenced as having been checked re prices, calculations, matched to orders and goods received notes and authorised for payment.
2. Check down totals and cross totals in the daybooks.
3. Match totals in the daybooks to the control accounts.
4. Check postings from the daybook to the appropriate purchase ledger accounts.
5. Check a sample of purchase ledger accounts and agree transactions back to the appropriate daybooks. Check the totals of the balances.
6. Review purchase ledger accounts for contras and enquire of same.
7. Review supplier reconciliations and trace balances and reconciling items to the appropriate books.
8. Confirm creditors control account agrees to list of balances of purchase ledger accounts.
9. Review creditors control for unusual transactions.
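Several of the purchases tests above (authorised suppliers and approval limits, orders not completed, matching invoices to goods received notes and orders, and numerical sequence checks) lend themselves to a computer assisted auditing technique. The following is an added example, not part of the original notes; every record, supplier name, approval limit and field name in it is constructed for illustration.

```python
"""Purchases cycle tests of controls run as a CAAT over constructed records."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    no: int
    supplier: str
    qty: int
    unit_price: float
    approver: str

@dataclass(frozen=True)
class GRN:  # goods received note
    no: int
    order_no: int
    qty: int

@dataclass(frozen=True)
class Invoice:
    ref: str
    order_no: int
    grn_no: int
    qty: int
    unit_price: float

# Constructed sample data (hypothetical suppliers, limits and documents).
APPROVED_SUPPLIERS = {"Acme", "Kivu Traders"}
APPROVAL_LIMITS = {"manager": 5000.0, "clerk": 500.0}
ORDERS = [
    Order(101, "Acme", 10, 20.0, "clerk"),
    Order(102, "Kivu Traders", 100, 30.0, "clerk"),   # 3000 exceeds clerk limit
    Order(103, "Unknown Ltd", 5, 10.0, "manager"),    # supplier not on approved list
    Order(105, "Acme", 50, 20.0, "manager"),          # order 104 missing; 105 not received
]
GRNS = [GRN(1, 101, 10), GRN(2, 102, 90), GRN(4, 103, 5)]  # GRN 3 missing
INVOICES = [
    Invoice("INV-A", 101, 1, 10, 20.0),    # agrees to order and GRN
    Invoice("INV-B", 102, 2, 100, 30.0),   # invoiced 100, received 90
    Invoice("INV-C", 103, 4, 5, 12.0),     # price differs from order
    Invoice("INV-D", 105, 9, 50, 20.0),    # quotes a GRN that does not exist
]

def sequence_gaps(numbers):
    """Missing numbers in a pre-numbered document sequence."""
    present = set(numbers)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]

def authorisation_exceptions(orders, approved, limits):
    """Orders to unapproved suppliers or above the approver's limit."""
    out = []
    for o in orders:
        if o.supplier not in approved:
            out.append((o.no, "supplier not authorised"))
        if o.qty * o.unit_price > limits.get(o.approver, 0.0):
            out.append((o.no, "order value exceeds approver limit"))
    return out

def open_orders(orders, grns):
    """Orders with no goods received note, to be enquired into."""
    received = {g.order_no for g in grns}
    return [o.no for o in orders if o.no not in received]

def three_way_match(orders, grns, invoices, tolerance=0.005):
    """Agree each invoice to its order (price) and its GRN (quantity)."""
    by_order = {o.no: o for o in orders}
    by_grn = {g.no: g for g in grns}
    out = []
    for inv in invoices:
        order = by_order.get(inv.order_no)
        grn = by_grn.get(inv.grn_no)
        if order is None:
            out.append((inv.ref, "no matching order"))
        elif abs(order.unit_price - inv.unit_price) > tolerance:
            out.append((inv.ref, "price differs from order"))
        if grn is None:
            out.append((inv.ref, "no matching goods received note"))
        elif grn.order_no != inv.order_no:
            out.append((inv.ref, "GRN belongs to a different order"))
        elif grn.qty != inv.qty:
            out.append((inv.ref, "quantity invoiced differs from quantity received"))
    return out

if __name__ == "__main__":
    print("Order number gaps:", sequence_gaps(o.no for o in ORDERS))
    print("GRN number gaps:", sequence_gaps(g.no for g in GRNS))
    print("Authorisation:", authorisation_exceptions(ORDERS, APPROVED_SUPPLIERS, APPROVAL_LIMITS))
    print("Orders not received:", open_orders(ORDERS, GRNS))
    for exception in three_way_match(ORDERS, GRNS, INVOICES):
        print("Match exception:", exception)
```

Each exception is a prompt for enquiry, not a conclusion: the auditor still follows up the unmatched or missing documents with the client.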
PAYROLL
Control Objectives
1. Setting of wages and salaries
• Employees only paid for work they have done
• Gross pay calculated correctly and properly authorised
2. Recording
• Gross pay, net pay and all deductions are recorded correctly
• Payments are recorded correctly in the bank account
• Full cost is recorded in the nominal ledger
3. Payment
• Employees are paid exactly what they are owed
4. Deductions
• All deductions correctly calculated and appropriately authorised
• Revenue get paid what they are owed
Control Activities
1. Setting of wages and salaries
• Segregation of duties
• Personnel records should be maintained with proper employment letters etc.
• Authorisation of rates of pay, deductions
• Maintain details of holiday entitlement, advance of pay etc.
• Procedures for dealing with queries
2. Recording
• Records maintained of timesheets, clock cards etc.
• Review of hours worked
• Review of wages cost against budgets
• Review by senior staff of data input and calculation work by other staff including checking procedures
• Appropriate analysis codes
• Maintenance and reconciliation of wages bank account
3. Payment
• Custody of cash procedures
• Segregation of duties
• Verification of identity
• Preparation of pay packets, cash, cheque, payslip etc.
• Records of amounts distributed
• Authorisation of cheques and bank transfers
• Dealing with queries
4. Deductions
• Maintenance of separate records for each employee
• Review deductions as between differing periods
• Review control accounts for deductions
Tests of controls
Setting of wages and salaries
1. Check that wages summary is approved for payment.
2. Review details for changes from previous period and check for authorisation for differences.
3. Check letters of employment exist for all new employees and relevant forms are prepared for all leavers.
4. Check calculation of gross pay and agree rate of pay to authorised pay, hours worked etc.
5. Check a sample of names on payroll lists to phone records, floor plans etc.
Recording
1. Reconcile wages to previous week’s payroll, timesheets, changes in pay rates etc., looking for unusual or unexplained variances.
2. Re-perform key calculations and seek evidence of controls checking.
3. Check down totals and cross totals on payroll sheets and trace to the appropriate ledger accounts.
4. Review all payroll control accounts.
5. Enquire as to payroll queries from staff.
Payment
1. If cash payments made, attend such an event and note procedures.
2. Compare pay packets with list of payments to be made.
3. Ensure signatures for all packets collected and enquire about uncollected packets.
4. Review list of cheques/ bank transfer list and agree back to payroll details.
Deductions
1. Check calculations on payroll details and that authorisation does exist.
2. Check down totals on payroll summaries and match to entries in appropriate ledger accounts.
3. Examine third party documentation.
4. Review the deduction control accounts and compare against previous periods.
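The payroll tests above that compare one period with the previous one (authorisation of changes, letters of employment for new employees, forms for leavers, re-performance of gross pay and checking of down totals) can be run over the payroll file itself. The following is an added example, not part of the original notes; the employee ids, rates, personnel records and field names are all constructed for illustration.

```python
"""Payroll tests of controls as a period-on-period comparison (constructed data)."""

# Constructed sample data: hypothetical employee ids, rates and hours.
PREVIOUS_RATES = {"E01": 10.0, "E02": 11.0, "E03": 9.0}
CURRENT_PAYROLL = [
    {"id": "E01", "rate": 10.0, "hours": 40, "gross": 400.0},
    {"id": "E02", "rate": 12.0, "hours": 40, "gross": 480.0},  # authorised rise
    {"id": "E03", "rate": 9.5, "hours": 40, "gross": 380.0},   # rise not authorised
    {"id": "E04", "rate": 10.0, "hours": 40, "gross": 400.0},  # new, letter on file
    {"id": "E05", "rate": 10.0, "hours": 38, "gross": 400.0},  # new, no personnel record
]
PERSONNEL = {
    "E01": {"employment_letter": True, "leaver": True},   # leaver still on payroll
    "E02": {"employment_letter": True, "leaver": False},
    "E03": {"employment_letter": True, "leaver": False},
    "E04": {"employment_letter": True, "leaver": False},
}
AUTHORISED_RATE_CHANGES = {("E02", 12.0)}  # (employee id, new authorised rate)
WAGES_SUMMARY_TOTAL = 2060.0               # total shown on the approved wages summary

def new_starter_exceptions(previous_rates, payroll, personnel):
    """New names on the payroll with no personnel record or employment letter."""
    out = []
    for row in payroll:
        if row["id"] in previous_rates:
            continue
        record = personnel.get(row["id"])
        if record is None:
            out.append((row["id"], "not on personnel records"))
        elif not record["employment_letter"]:
            out.append((row["id"], "no letter of employment"))
    return out

def unauthorised_rate_changes(previous_rates, payroll, authorised):
    """Rate changes since the previous period with no matching authorisation."""
    out = []
    for row in payroll:
        old = previous_rates.get(row["id"])
        changed = old is not None and old != row["rate"]
        if changed and (row["id"], row["rate"]) not in authorised:
            out.append((row["id"], old, row["rate"]))
    return out

def paid_leavers(payroll, personnel):
    """Employees recorded as leavers who are still being paid."""
    return [r["id"] for r in payroll if personnel.get(r["id"], {}).get("leaver", False)]

def gross_pay_differences(payroll):
    """Re-perform gross pay as rate x hours and report (id, recorded, recomputed)."""
    out = []
    for row in payroll:
        expected = round(row["rate"] * row["hours"], 2)
        if abs(expected - row["gross"]) > 0.005:
            out.append((row["id"], row["gross"], expected))
    return out

def cast_difference(payroll, summary_total):
    """Down total of the gross column compared with the wages summary."""
    return round(summary_total - sum(r["gross"] for r in payroll), 2)

if __name__ == "__main__":
    print("New starters:", new_starter_exceptions(PREVIOUS_RATES, CURRENT_PAYROLL, PERSONNEL))
    print("Rate changes:", unauthorised_rate_changes(PREVIOUS_RATES, CURRENT_PAYROLL, AUTHORISED_RATE_CHANGES))
    print("Leavers paid:", paid_leavers(CURRENT_PAYROLL, PERSONNEL))
    print("Gross pay differences:", gross_pay_differences(CURRENT_PAYROLL))
    print("Cast difference:", cast_difference(CURRENT_PAYROLL, WAGES_SUMMARY_TOTAL))
```

In the constructed data the down total agrees to the wages summary even though one gross pay figure is wrong, which is why casting is combined with re-performance of the calculations.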
CASH RECEIPTS AND DISBURSEMENTS
Control Objectives
1. All monies received are recorded, processed to the appropriate ledger accounts and banked where necessary
2. Cash and cheques are safeguarded from loss through theft or otherwise
3. All payments are authorised, properly recorded and made to the correct person
4. Duplicate payments are avoided
• Completeness of income (recording of all cash receipts) is extremely important. If there are inadequate
controls, these may cause limitations in the scope of your audit.
• Segregation of duties is vital when dealing with cash. The receiving, recording, banking and reconciling
functions should ideally be done by separate persons within an entity.
Control Activities
1. Cash at bank and in hand – receipts
• Segregation of duties
• Post opening procedures. Safeguards over security, supervision, listing of items when opened, cheques crossed, remittance stamped.
• Policy over who can receive cash, pre-numbered company receipts books. Ensure safe custody.
• Regular clearance of cash registers and matching to till rolls.
• Reconcile cash collection with sales records.
• Investigation of shortages/surpluses.
• Prompt recording of receipts in daybooks and ledger accounts.
• Daily bankings, matching cash records with bank lodgement receipt slip.
• Authorisation to open bank accounts.
• Set limits on cash floats. Regular review and authorisation.
• Restrictions on payment out of cash receipts.
• Access controls over cash.
• Surprise cash counts.
• Bank reconciliation process. Follow up of un-reconciled transactions.
2. Payments – cash and cheques
• Custody over supply and issue of cheques, especially ones with printed signatures.
• Restrictions on issue of incomplete cheques or signing blank cheques.
• Cheque requisitions with appropriate supporting documentation and approval.
• Authority limits to sign cheques. Keep separate from approval process. No signatures without full documentation.
• Prompt despatch of signed cheques and recording in daybooks and ledgers.
• Authorisation and suitable backup documentation for cash payments.
• Separate cashier listing payments to person recording in daybooks and ledgers.
• Limits on cash disbursements.
Tests of controls
INVENTORY
Control Objectives
1. Recording of stock
• All movements are recorded and authorised
• Record only items that belong to entity
• Records show all inventory that exists and is in stock
• All quantities are recorded correctly
• Proper cut-off procedures apply
2. Safeguarding of stock
• Loss, theft or damage is guarded against
3. Valuation of stock
• Stock is priced correctly
4. Holding of stock
• Levels of stock are reasonable
Control Activities
1. Recording of stock
• Segregation of duties between custody and recording of stock
• Checking receipt and recording of goods received
• Checking appropriate documentation of movement
• Maintenance of stock records. Ledger cards, bin cards etc.
2. Protection of stock
• Access rights to stock
• Controls over environment
• Security over third party stock on-site and stock on third party property
• Stock takes - Procedures, supervision, control, cut-off, recording.
• Reconciliation of book stock to physical.
3. Valuation of stock
• Checking calculations
• Compliance with accounting standards, company law etc.
• Examine condition of stock and provide for slow moving, obsolete or damaged stock
• Authorisation for any write offs and appropriate accounting for such
4. Holding of stock
• Agreed levels, regular review
• Max/min levels and re-order levels
Tests of controls
Recording movement of stock
1. Select a sample of stock movements and trace back to either goods received notes or despatch notes.
2. Confirm all movements were authorised.
3. Select a sample of items from the goods received notes and the despatches and agree to the stock movement records.
4. Check the sequence of records and enquire about potential missing items.
Safeguarding of stock
1. Test check counts carried out and ascertain whether all discrepancies between book stock and actual physical stock levels have been investigated.
2. All variances should be signed off by a senior member of staff.
3. Slow moving, obsolete or damaged stock should be marked as such and should be written down in value. Trace a sample of these items through to the stock valuation reports.
4. Note the security arrangements.
Valuation of stock
1. Tests are generally of a substantive nature rather than testing controls but you should review stock sheets prepared at stock take, taking note of slow moving, obsolete items etc.
Holding of stock
1. Examine stock records to check whether max/min levels are observed and whether reorder levels are applied.
May 2024 Q3a; Feb 2024 Q6; Dec 2023 Q2ab; Aug 2023 Q2; April 2023 Q1a, Q3,Q5