Full Tute[1] PDF - Audit and Assurance by Sachith Tillekeratne

Summary

This document is a handout on audit and assurance, covering topics such as introduction to assurance, rules and regulations, corporate governance, and ethics and acceptance. It's aimed at students in a financial accounting or auditing course, and discusses key concepts in the field.

Full Transcript


Subject: F8 – Audit and Assurance
Lecturer: Sachith Tillekeratne
Handout Number:
Lesson: Audit Framework and Regulation
Handout Code:
Achievers ® No. 39, Bauddhaloka Mw, Col-04 Tel: 011 759 0001 | 077 789 5900

INDEX
01. Introduction to Assurance
02. Rules and Regulation
03. Corporate Governance (Second most Q)
04. Ethics and Acceptance (most Q)

“All our dreams can come true, if we have the courage to pursue them.” -Walt Disney

Introduction to Assurance

What is Assurance?
An engagement in which a practitioner obtains sufficient appropriate evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria.
▪ Practitioner – auditor
▪ Intended users – shareholders
▪ Responsible party – management
▪ Subject matter – financial statements
▪ Criteria – accounting standards

What is Audit?
An audit is defined as the independent examination of, and expression of opinion on, the financial statements of an entity by a duly appointed auditor in pursuit of that appointment.
▪ Independence is essential and underlies the value of auditing.
▪ Opinion really means that one auditor could look at a set of financial statements and disagree with the opinion of another auditor.

Elements of an Assurance Engagement
The following are the five elements of an assurance engagement.

(1) A three-party relationship involving a:
▪ Practitioner – The practitioner (an auditor) is responsible for determining the nature, timing and extent of procedures and is required to pursue anything that leads the practitioner to question whether the subject matter information should be changed in some material respect.
▪ Responsible party – The person responsible for the information and assertions.
▪ Intended users – The person(s) for whom the practitioner prepares the assurance report. (Shareholders, government, suppliers etc.)
The responsible party can be one of the intended users.

(2) Appropriate subject matter
▪ Financial performance
▪ Non-financial performance, for example the key indicators of efficiency and effectiveness.
▪ Systems and processes, for example, an entity’s internal control or IT system.
▪ Behavior, for example, corporate governance, compliance with regulation
For AA, financial statements are considered as the subject matter.

(3) Suitable criteria
Criteria are the benchmarks used to evaluate or measure the subject matter:
▪ Standards – IASs and IFRSs
▪ Guidance
▪ Laws and regulations

(4) Sufficient appropriate evidence
▪ Sufficiency – the quantity of evidence
▪ Appropriateness
   1. Reliability – is the source of evidence trustworthy
   2. Relevance – is the evidence relevant to the assertion (e.g.: valuation, existence) which is under audit

(5) A written assurance report in the form appropriate to a reasonable assurance engagement or a limited assurance engagement

Reasonable assurance engagement
▪ Opinion – In our opinion, the financial statements give a true and fair view in accordance with IFRS
▪ Wording – gives a positively worded assurance opinion
▪ Level of assurance – gives a high level of assurance
▪ Procedures – performs very thorough procedures to obtain sufficient appropriate evidence including test of controls and substantive procedures

Limited assurance engagement
▪ Opinion – Nothing has come to our attention that causes us to believe that financial statements are not prepared in accordance with IFRS
▪ Wording – gives a negatively worded assurance conclusion
▪ Level of assurance – gives a moderate or lower-level assurance than that of an audit
▪ Procedures – performs significantly fewer procedures, mainly inquiries and analytical procedures

External Audit Engagements
This is an example of a reasonable assurance engagement.
ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing, states the purpose of an external audit engagement is to ‘enhance the degree of confidence of intended users in the financial statements’.
In accordance with ISA 200, the objectives of an auditor are to:
▪ Obtain reasonable assurance about whether the financial statements as a whole are free from material misstatements, whether due to fraud or error.
▪ Express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework.
▪ Report on the financial statements and communicate as required by ISAs, in accordance with the auditor’s findings.

Need for External Audit
Shareholders provide the finance for a company and may or may not be involved in the day to day running of the company and the directors might have incentives to manipulate the financial statements to show a different level of performance. Hence the need for an independent review of the financial statements to ensure they give a true and fair view.

Benefits of an Audit
▪ Higher quality information which is more reliable, improving the reputation of the market.
▪ Independent scrutiny and verification may be valuable to management.
▪ Reduces the risk of management bias and fraud and error by acting as a deterrent. An audit may also detect bias, fraud and error.
▪ Enhances the credibility of the financial statements, e.g. for tax authorities or lenders.
▪ Deficiencies in the internal control system may be highlighted by the auditor

Limitations of an Audit
▪ Financial statements include subjective estimates and other judgmental matters.
▪ Internal controls may be relied on which have their own inherent limitations.
▪ Representations from management may have to be relied upon as the only source of evidence in some areas.
▪ Evidence is often persuasive not conclusive.
▪ Do not test all transactions and balances. Auditors test on a sample basis

Review Engagements
A review engagement is an example of a limited assurance engagement.
A company which is not legally required to have an audit may choose to have a review of its financial statements instead. The review will still provide some assurance to users but is likely to cost less and be less disruptive than an audit.

Rules and Regulation

The Need for Regulation
Due to high profile scandals (Enron & Arthur Andersen), there was a need to regain trust in the audit profession, hence three initiatives were introduced as follows:
1. Harmonization – This ensures that users of audit services are confident in the nature of audits being conducted around the world.
2. Audit Quality – This ensures the expectations of users are met.
3. Ethical Code – This will improve the perception of auditors as independent, unbiased service providers.
In order to achieve the above the practitioners have to follow:
▪ National corporate law
▪ Auditing Standards (ISAs)
▪ Code of Ethics

Eligibility of an Auditor
To be eligible to act as auditor, a person must be:
▪ A member of a Recognized Supervisory Body (RSB), e.g. ACCA, and allowed by the rules of that body to be an auditor, or
▪ Someone directly authorized by the state
An auditor can be appointed by the Shareholders of a company, Directors or by the Secretary of State.
An auditor can be removed if there are doubts about their continuing abilities to carry out their duties effectively and usually can be done by a simple majority of the company.

Auditor’s Rights – During Appointment
▪ Access to the company’s books and records at any reasonable time.
▪ To receive information and explanations necessary for the audit.
▪ To receive notice of and attend any general meeting of members of the company.
▪ To be heard at such meetings on matters of concern to the auditor.
▪ To receive copies of any written resolutions of the company

Auditor’s Rights – On Resignation
▪ To request a General Meeting of the company to explain the circumstances of the resignation.
▪ To require the company to circulate the notice of circumstances relating to the resignation.

International Regulation
▪ IFAC – This is the global organization for the accountancy profession. IFAC proposes international regulation of the accountancy profession by ensuring minimum requirements for accountancy qualifications, post-qualification experience, and guidance on accounting and assurance for accountants around the world.
▪ ISAs – These are professional guidance that the auditor must follow to ensure each audit is performed consistently and to a required standard of quality.

The Role of Professional Bodies
▪ Rigorous qualifications to acquire the knowledge and skills needed to provide a competent service
▪ Support to members to demonstrate high professional and ethical values
▪ Technical expertise to governments on accounting and business matters. This input may help shape the introduction of new laws and regulations affecting the profession

Corporate Governance

Corporate governance may be defined as "the system by which companies are directed and controlled".
The objectives of corporate governance are:
▪ To ensure that the company’s assets are used efficiently and productively and in the best interests of its shareholders and other stakeholders
▪ To eliminate or mitigate conflicts of interest, particularly those between management and shareholders

Principles of Corporate Governance
The Organisation for Economic Co-operation and Development (OECD) promotes six Principles of a corporate governance framework:
▪ It should promote transparent and fair markets and support effective supervision and enforcement.
▪ It should protect shareholders' rights and ensure all are fairly treated (i.e. including minority shareholders)
▪ It should provide for stock markets to contribute to good corporate governance (e.g. by prohibiting insider trading)
▪ It should recognize the rights of all stakeholders, not just shareholders.
▪ It should ensure timely and accurate disclosure of all material matters, including financial position, performance, ownership and governance.
▪ It should ensure the strategic guidance of the entity, effective monitoring of management by the board and the board’s accountability to the entity and their shareholders.

S.M.A.R.T.S.
1. S – Supervision & Enforcement (Promote transparent and fair markets, effective supervision)
2. M – Minority Protection (Protect shareholders' rights, fair treatment of all, including minorities)
3. A – Anti-Insider Trading (Stock markets should contribute to good corporate governance)
4. R – Recognize Stakeholders (Acknowledge rights of all stakeholders, not just shareholders)
5. T – Timely Disclosure (Ensure accurate and timely disclosure of financial and governance matters)
6. S – Strategic Guidance & Accountability (Board should guide strategy, monitor management, and remain accountable)

The UK Corporate Governance Code
The Principles of the Code emphasize the value of good corporate governance to the long-term success of the company.
The main principles of the code are:
▪ Board Leadership and Company Purpose
▪ Division of Responsibilities
▪ Composition, Succession and Evaluation
▪ Audit, Risk and Internal Control
▪ Remuneration

Board Leadership and Company Purpose
▪ Every company should be headed by an effective board which is collectively responsible for the long-term success of the company
▪ All directors must act with integrity, lead by example and promote the desired culture

Division of Responsibilities
▪ There should be a clear division between the running of the board and the executive responsibility for the running of the company’s business. No one individual should dominate decision making.
This means that the roles of CEO and chair should not be performed by one person as that concentrates too much power in that person (responsible to run the board – chairman, responsible to run the operations – CEO)
▪ The chair is responsible for leadership of the board and should be independent on appointment (e.g. not an employee within the last 5 years)
▪ At least half the board should be non-executive directors (NEDs) who are considered independent (e.g. no close family ties with executive directors, no significant shareholdings, etc.)
▪ NEDs should provide constructive challenge and strategic guidance and hold management to account.

Composition, Succession and Evaluation (Nomination committee – Majority NEDs)
▪ Appointments to the board should be subject to a formal, rigorous and transparent procedure led by a nomination committee. A majority of the committee should be independent NEDs
▪ The board and its committees should have a combination of skills, experience and knowledge
▪ The length of service of the board as a whole should be considered and membership regularly refreshed. The post of chair should not be held beyond nine years.
▪ The board should undertake a formal and rigorous annual evaluation of its own performance and that of its committees and individual directors
▪ All directors should be submitted for re-election annually

Audit, Risk and Internal Control
▪ The board should establish formal and transparent policies and procedures to ensure the independence and effectiveness of internal and external audit and the integrity of financial statements
▪ The board should present a fair, balanced and understandable assessment of the company’s position and prospects.
▪ The financial statements should state whether the board considered the appropriateness of the going concern basis of accounting and identify any material uncertainties for at least 12 months from the date of approval of the financial statements
▪ The board should establish procedures to manage risk, oversee internal controls and determine the nature and extent of the principal risks the company is willing to take to achieve its long-term strategic objectives
▪ The board should establish an audit committee of independent NEDs (minimum 2 with one person having financial accounting experience)

Remuneration (all NEDs)
▪ In essence, remuneration should be sufficient to attract, retain and motivate directors of sufficient quality, but avoid paying more than is necessary.
▪ A significant proportion of executive directors’ remuneration may be structured to link rewards to corporate and individual performance. In other words, profit related pay is encouraged. Directors should not receive high pay irrespective of company performance
▪ There should be a formal and transparent procedure for developing policy on executive remuneration and for fixing the remuneration packages of individual directors. No director should be involved in deciding his or her own remuneration. This means that a remuneration committee (NEDs) should be formed to fix directors’ remuneration.

The Audit Committee (all NEDs)
The audit committee should be composed of independent NEDs:
▪ A minimum of three members (or two for smaller companies);
▪ The chair of the board should not be a member;
▪ At least one member must have recent and relevant financial experience;
▪ The committee as a whole must have competence in the relevant business sector

The Main Roles and Responsibilities of the Audit Committee
▪ Monitoring and reviewing the effectiveness of internal audit.
Companies don’t have to have an internal audit department, but the need for one must be reviewed annually
▪ Monitoring the integrity of the financial statements and reviewing significant financial reporting judgements
▪ Review the internal financial controls and risk management systems (unless there is a separate risk committee or the board does this)
▪ Making recommendations to the board about the appointment, reappointment and removal of the external auditors and agreeing the terms of engagement. (Note that the external auditors are appointed by members in general meeting, but the board puts forward the nomination.)
▪ Annually assessing the independence, objectivity and effectiveness of the external auditors including confirming that there are no self-interest or familiarity issues and that partners and staff are rotated properly
▪ Acting as a forum to link directors and auditors. Auditors will typically write to the audit committee about any problems they may be having on the audit or obtaining all the information they require. If the auditors are worried in some way about the financial statements, they will raise those concerns with the audit committee
▪ Developing and implementing policy on the engagement of the external auditor to supply non-audit services: skills, ensuring any threats to independence and objectivity are reduced

Ethics and Acceptance

▪ First paragraph – scenario which gives rise to the ethical threat
▪ Second paragraph – What is the ethical threat and why is it a threat
▪ Safeguard – what is the safeguard and why

What is Ethics?
Ethics could be defined as the moral principles that govern a person’s behavior or the conducting of an activity. The ACCA Code of Ethics and Conduct ('the Code') sets out certain fundamental principles about how its members should behave.
It also recognizes how its members could be subject to certain threats which would compromise their behavior and suggests ways in which members can safeguard themselves against the operation of those threats.
The conceptual framework approach to professional ethics recognizes that there are:
▪ Fundamental principles to be followed
▪ These are subject to threats
▪ Threats must be addressed

Note
As opposed to the conceptual framework, countries such as the USA follow a rules-based approach. This approach clearly mentions what is right and what is wrong.

Fundamental Principles
▪ Integrity – A professional accountant must be straightforward and honest in all professional and business relationships.
▪ Objectivity – A professional accountant must not allow bias, conflicts of interest or undue influence of others to compromise professional or business judgement.
▪ Professional Competence and Due Care – A professional accountant must attain and maintain professional knowledge and skill at the level required to ensure that a client or employer receives competent professional services based on current developments in practice, legislation and techniques.
▪ Confidentiality – A professional accountant must respect the confidentiality of information acquired as a result of professional and business relationships. They should not disclose any such information to third parties without proper and specific authority unless there is a legal or professional right or duty to disclose. Such confidential information should not be used for the personal advantage of members or third parties.
▪ A professional accountant must comply with relevant laws and regulations and avoid any conduct that might discredit

Threats to the Fundamental Principles
▪ Self Review – This is where non audit work is provided to an audit client and is then subject to audit; the auditor will be unlikely to admit to errors in their own work or may not identify the errors in their own work.
▪ Advocacy – Promoting the position of a client or representing them in some way could mean the audit firm is seen to be "taking sides" with the client.
▪ Self Interest – Where the auditor has a financial or other interest that will inappropriately influence their judgement or behaviour, a self interest threat will arise.
▪ Familiarity – When the auditor becomes too sympathetic or too trusting of a client and loses professional skepticism or where the relationship between the auditor and the client goes beyond professional boundaries.
▪ Intimidation – Actual or perceived pressures from the client, or attempts to exercise undue influence over the assurance provider, create an intimidation threat.

Note - Management Threat
Assuming management responsibilities for an audit client may also create threats to independence. An audit firm must not assume management responsibilities as part of an assurance engagement or for an audit client. (e.g.: setting policies and strategic direction, hiring or dismissing employees, authorizing transactions etc.)

Where such threats exist, the auditor must:
▪ Eliminate the circumstance that creates the threat(s); or
▪ Apply safeguards, where available, to reduce the threats to an acceptable level; or
▪ Decline or end the specific professional activity

Self-Interest Threats
▪ Fee dependency
▪ Gifts and hospitality
▪ Owning shares/financial interest
▪ Loans and guarantees from the client to the auditor
▪ Overdue fees
▪ Contingent fees
▪ Business relationships
▪ Actual or threatened litigation
▪ Potential employment with an audit client

Self-Review Threats
Apart from the above examples, self-review threat can also arise if a member of the audit team:
▪ Recently served as a director/officer of the client
▪ Is seconded ('lent') to the client for a temporary assignment

Advocacy Threats
Advocacy is where the assurance or audit firm promotes a point of view or opinion to the extent the subsequent objectivity is compromised.
As always, the audit firm should weigh up the risks to its objectivity, integrity and independence and should withdraw from performing further work if those risks are too high.
Examples for advocacy
1. Representing the client in a court or in any dispute whether the matter is material to the financial statements
2. Negotiating on the client’s behalf for finance
3. Providing tax services to an audit client

Familiarity Threats
Familiarity threats arise because of the close relationship between members of the audit team and the client. The close relationship can arise by friendship, family or through business connections. There is no general definition of what’s meant by close relationships, but if you were an auditor and your brother was the Finance Director of a client firm then there probably is a close relationship.

Intimidation Threat
An intimidation threat exists if the auditor is intimidated by management or its directors to the point that they are deterred from acting objectively.
Examples
1. Fee dependency
2. Family and personal relationships
3. Employment with an audit client

Safeguards
The ACCA Code of Ethics (2019) defines safeguards as "actions, individually or in combination, taken by the professional accountant that effectively eliminate threats to compliance with the fundamental principles or reduce them to an acceptable level".
Safeguards vary depending on the facts and circumstances. Examples of actions that might be safeguards to address threats include:
1. Assigning additional time and qualified personnel (e.g. for a self-interest threat).
2. Having an appropriate reviewer (not a member of the team) review the work performed (for a self-review threat).
3. Using different partners/engagement teams with separate reporting lines for the provision of non-assurance services to an audit client (for self-review, advocacy or familiarity threats).
4. Involving another firm to (re-)perform part of the engagement (for most threats).
5. Disclosing to clients any referral fees/commission arrangements for recommending services/products (for a self-interest threat).
6. Separating teams when dealing with matters of a confidential nature (for a self-interest threat)

The Supply of Other Services
The issue of whether the auditor should provide audit clients with other services, such as taxation and management consultancy, is a controversial one as there are both pros and cons.
For example, auditors will know a great deal about the operations of their clients and this can make the performance of other work much more efficient.
The provision of many non-assurance services will create a self-review threat. Another danger, of course, is that the auditors come to rely too heavily on the fees earned from the other work and are therefore reluctant to risk losing a client if they express a modified audit opinion, which is a self-interest threat.

Confidentiality
External auditors are in a unique position of having a legal right of access to all information about their clients. The client must be able to trust the auditor not to disclose anything about its business to third parties as it could be detrimental to its operations.
Disclosure of confidential information should only be made if:
▪ Disclosure is required by law
   ▪ Production of documents or other provision of evidence in the course of legal proceedings
   ▪ Disclosure to the appropriate public authorities of infringements of the law that come to light
▪ Disclosure is permitted by law and is authorized by the client or the employer
▪ There is a professional duty or right to disclose, when not prohibited by law
   ▪ To comply with the quality review of ACCA or another Body, to respond to an inquiry or investigation by ACCA or a regulatory body, to protect the professional interests of a professional accountant in legal proceedings and to comply with technical and ethical requirements

Conflicts of Interest
A conflict of interest arises when the same audit firm is appointed for two companies that interact with each other, for example, companies which compete in the same market.
Where conflicts of interest exist, the firm’s work should be arranged to avoid the interest of one being adversely affected by those of another and to prevent a breach of confidentiality. In order to ensure this, the firm must disclose the nature of the conflict to the relevant parties and obtain consent to act.
Safeguards
1. Separate engagement teams who are provided with clear guidance on maintaining confidentiality
2. Sign confidentiality agreements by the engagement team members
3. Physical separation of confidential information including separate practice areas
4. Specific training and communication

Accepting/Continuing an Audit Engagement
The matters to consider before accepting a new engagement or client are:

Professional clearance
The prospective (potential) audit firm must:
▪ Ask the client for permission to contact the existing auditor (if refuses decline the engagement)
▪ If permission is given contact the outgoing auditor asking for all information relevant to the decision whether or not to accept appointment (disagreements with managements etc.)
▪ If a reply is not received, the prospective auditor should try and contact via telephone and if a reply is still not received, should proceed with care
▪ The existing auditor must ask the client for permission to respond to the prospective auditor. If the client refuses permission, it should be notified to the prospective auditor and the engagement will be declined.
▪ If a reply is received, consider the outgoing firm’s response and assess whether they should accept the appointment or not.

Other matters to consider:
▪ Independence and objectivity
▪ Management integrity
▪ Money laundering (client due diligence)
▪ Resources
▪ Risks
▪ Fees
▪ Professional competence
▪ Reputation of the client
▪ Preconditions for an audit (tested)

In accordance with ISA 210 Agreeing the Terms of Audit Engagements, the management should acknowledge and understand its responsibility for:
▪ Preparation of the financial statements in accordance with the applicable financial reporting framework and internal controls necessary for the financial statements to give a true and fair view.
▪ Providing the auditor with access to all relevant information and explanations.

Continuance
Once the engagement is complete, the audit firm must revisit the acceptance considerations again to ensure it is appropriate to continue for the following year. If any significant issues have arisen during the year, such as disagreements with management or doubts over management integrity, the firm may consider resigning.

Engagement Letters
The engagement letter specifies the nature of the contract between the firm and client. The letter will be sent before the audit commences. The purpose of it is to:
▪ Minimize the risk of any misunderstanding between the practitioner and client
▪ Confirm acceptance of the engagement
▪ Set out the terms and conditions of the engagement.
The engagement letter should be reviewed every year to ensure that it is up to date and there is no need to reissue the letter unless there are changes such as:
▪ Changes to statutory duties due to new legislation
▪ Changes to professional duties, for example, due to new or updated ISAs
▪ Recent changes in senior management
▪ A significant change in ownership

Contents of the Engagement Letter
▪ The objective and scope of the audit of the financial statements
▪ The responsibilities of the auditor
▪ The responsibilities of management
▪ Identification of the applicable financial reporting framework for the preparation of the financial statements
▪ Reference to the expected form and content of any reports to be issued by the auditor
▪ Reference to professional standards, regulations and legislation applicable to the audit
▪ Limitations of an audit
▪ Expectation that management will provide written representations
▪ Basis on which the fees are calculated
▪ Agreement of management to notify the auditor of subsequent events after the auditor's report is signed
▪ Agreement of management to provide draft financial statements in time to allow the audit to be completed by the deadline
▪ Form (and timing) of any other communication during the audit

Subject: F8 – Audit and Assurance
Lecturer: Sachith Tillekeratne
Lesson: Planning and Risk Assessment

INDEX
05. Risk
06. Planning

Risk

Audit Risk
Audit risk is a technical term related to the process of auditing. It should be noted that audit risk cannot be reduced to zero, as an audit cannot provide absolute assurance but reasonable assurance.
This is because an audit has ‘inherent limitations’, for example:
▪ Part of the nature of financial reporting is that financial statements should include accounting estimates which necessarily involve judgement
▪ Audit procedures are designed to gather audit evidence, not to detect intentional misstatement that has been deliberately concealed.
▪ As an audit needs to be conducted within a reasonable period of time and at a reasonable cost, it is not possible to examine everything exhaustively

Audit risk is considered throughout the audit, in particular:
▪ In understanding the entity – what are the risks? (ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment)
▪ In planning the audit – how are risks to be reduced to an acceptably low level? (ISA 330 The Auditor’s Responses to Assessed Risks)

Definition – Audit Risk
The risk that the auditor gives an inappropriate opinion on the financial statements (i.e. the audit opinion is that the financial statements show a true and fair view when, in fact, they contain a material misstatement)

Audit risk is a function of two risks:
[Diagram: Audit Risk splits into Risk of MM (material misstatements) and Detection Risk; Risk of MM splits into Inherent Risk and Control Risk]

▪ Risk of MM – This is the risk that the financial statements are materially misstated prior to the audit
▪ Misstatement – A difference between the reported amount, classification, presentation or disclosure of a financial statement item and the amount, classification, presentation or disclosure that is required for the item to be in accordance with the applicable financial reporting framework.
▪ Inherent risk – the susceptibility of an assertion about the class of transaction, account balance or disclosure to misstatement that could be material, before consideration of any related controls.
▪ Control risk – the risk that a misstatement that could occur and that could be material, will not be prevented or detected and corrected on a timely basis by the entity’s controls.
▪ Detection risk – the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material. If it is a first-time audit there will be detection risk – should assign more experienced senior auditors.

Therefore, for an inappropriate opinion to have been expressed:
1. The error has to occur
2. The client's procedures have not picked it up and corrected it
3. The material error reaches the published financial statements
4. The auditor must have failed to detect it

The Audit Risk Model
AR = IR x CR x DR
▪ AR – Audit Risk
▪ IR – Inherent risk
▪ CR – Control risk
▪ IR x CR – Risk of material misstatements
▪ DR – Detection Risk (Sample Risk and Non-Sample Risk)

If both inherent risk and control risks are high, then the only way you will get the audit risk low is to be very sure that your detection risk is low. This means you would have to do an enormous amount of audit work.
If, however, the inherent risk and control risks are low themselves, in other words that there is only a small chance the error occurs in the first place and the client systems and staff are very good, then you can achieve a relatively low audit risk even with a relatively high detection risk. In other words, the auditor doesn’t have to do so much work.
The auditor assesses inherent and control risk - but cannot change them - they are 'givens' specific to each audit. The auditor must respond to the assessed risks by varying the nature, timing and extent of work which is actually performed to reduce detection risk to an acceptably low level.

Sampling Risk
This risk arises when audit procedures are applied to samples rather than entire populations.
The auditor may conclude, based on a sample, that controls are more effective than they actually are or that there is no material misstatement when, in fact, there is.

Non-Sampling Risk
This risk arises from reasons other than sample size. For example, if audit staff were insufficiently experienced, there is a higher risk that they might use inappropriate audit procedures, misinterpret evidence or fail to recognize an error. Non-sampling risk must be minimized through adequate planning, assigning sufficiently skilled staff and the direction, supervision and review of their work.

Inherent Risk
This is the risk that there is a misstatement that could be material, if there were no related internal controls which could identify and trap that misstatement. Inherent risks can be increased by complex transactions which are difficult to understand, inexperienced staff, cash-based systems (because cash is usually more difficult to record than bank transfers) etc.

Control Risk
This is the risk that the material misstatement, having occurred, will not be prevented or detected and corrected by the internal control system. The main factors which affect control risk are the control environment (essentially the status that the internal control system has in the organization), the design of the internal control system itself, and finally how well and consistently the internal control system operates.

Detection Risk
This is the failure of the auditor to detect the material misstatement in the financial statements.
This will be increased if the auditor was relatively inexperienced, if it was a new client, if there was a lot of time and fee pressure, if planning was poor so the entity was poorly understood, and if the auditor was straying into an industry where they had little previous experience or expertise.

Note - Professional Scepticism
An attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatements due to fraud or error and a critical assessment of audit evidence.

Materiality
'Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.' [ISA 320 Materiality in Planning and Performing an Audit]
ISA 320 recognizes the need to establish a financial threshold and the following benchmarks can be used,
- ½ – 1% revenue
- 5 – 10% profit before tax
- 1 – 2% total assets
✓ The lower the materiality threshold, the more misstatements there will be to catch
✓ When the audit company is doing the audit for the first time, it is not familiar with the client, therefore it selects a materiality level closer to the lower threshold
✓ When they are becoming familiar, they slowly increase the threshold closer to the upper threshold

Material by Nature
- Misstatements that affect compliance with regulatory requirements
- Misstatements that affect compliance with debt covenants (debt conditions)
- Misstatements that, when adjusted, would turn a reported profit into a loss for the year
- Misstatements that, when adjusted, would turn a reported net-asset position into a net-liability position
- Transactions with directors, e.g. salary and benefits, personal use of assets, etc.
- Disclosures in the financial statements relating to possible future legal claims or going concern issues

Performance Materiality (below the materiality level)
The amount set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. [ISA 320]
(A smaller limit set by the auditor, below the overall materiality, to make sure that any mistakes, whether undetected or uncorrected, in aggregate do not exceed the total materiality level.)
If the materiality level is set at $750,000, the performance materiality level would be set at $500,000.
The company’s RM misstatement - $150,000, WIP misstatement - $200,000, FG misstatement - $200,000
Even though this is lower than the materiality level set, since the aggregation of these is higher than $500,000, auditors can say inventory is not providing a true and fair view.

Understanding the Entity and its Environment

Nature of the Entity
We have to understand the nature of the entity. For example, we simply have to understand what it does: is it in the financial sector, the retail sector, the manufacturing sector?

Particular Regulations
Banks, insurance companies, and many other operations in the financial sector are subject to regulation and sometimes the auditor has to ensure that these regulations have been adhered to.

Accounting Policies
We need to understand what the entity’s accounting policies are; different entities have different ways of valuing inventories perhaps. If you are a building company you will have specific accounting policies with regard to taking profits from long-term contracts.

Nature of business risks
Most business risks will eventually have financial consequences and therefore an effect on the financial statements.

Internal Controls
The auditor has to gain an understanding of the entity’s internal controls.
Whether they exist and to what extent they are expected to operate.

The Control Environment
This refers to the context in which the internal controls operate. The effectiveness of the control environment has a significant bearing on audit procedures.

Financial Performance
Obtaining an understanding of the entity’s performance measures assists the auditor in considering whether they put pressure on management to act in any way that increases the risks of material misstatements.

Sources of Information
- Past experience of audit firm – prior year file, prior year team
- Analytical procedures – ratios, trends
- Client – discussion, observation, web sites
- External – Internet, trade press (media), Companies House

Risk Assessment Procedures

Enquiries
With management, appropriate individuals within the internal audit function (if there is one) and others within the client’s entity (about external and internal changes the company has experienced)

Analytical Procedures
ISA 520 – “Evaluations of financial information through analysis of plausible (reasonable) relationships among both financial and non-financial data and investigation of identified fluctuations, inconsistent relationships or amounts that differ from expected values by a significant amount”
Analytical procedures are used in order to,
- Identify aspects of the entity of which the auditor was unaware.
- Assist in assessing the risks of material misstatement.
- Help identify unusual transactions or events, and amounts, ratios, and trends that might have audit implications.
- Help identify risks of material misstatement due to fraud
Analytical procedures include
- Comparable information for prior periods.
- Anticipated results of the entity, such as budgets or forecasts, or expectations of the auditor, such as an estimation of depreciation.
- Similar industry information
Analytical procedures are used as,
- Preliminary analytical procedures
- Substantive analytical procedures
- Final analytical procedures

Observation
E.g.: Inventory count

Inspection
E.g.: Key strategic documents, procedural manuals

Business Risk
Business risk is the exposure a company or organization has to factor(s) that will lower its profits or lead it to fail. Anything that threatens a company's ability to achieve its financial goals is considered a business risk.

Audit Risk Identification and Explanation

Identification of Risk: Customers are struggling to pay debts.
Audit Risk Explanation: Receivables may be overstated if irrecoverable debts are not written off.
Business Risk: Irrecoverable debts may arise reducing the profits of the company.

Identification of Risk: The client operates in a fast-paced industry.
Audit Risk Explanation: Inventory may be overstated if the inventory is obsolete and NRV is lower than cost.
Business Risk: Inventory may have to be written off reducing the profits of the company.

Identification of Risk: Revenue is falling due to recession. The cash flow forecast shows negative cash flows for the next 12 months.
Audit Risk Explanation: This means the company is unable to continue for the foreseeable future and going concern disclosures may be required. There is a risk that adequate disclosure is not made.
Business Risk: The falling revenue will result in reduced profits and possible going concern issues.
Auditor Responses to Risks
✓ First Paragraph – scenario
✓ Second paragraph – Accounting standard related, why is it AR
✓ Third paragraph – Understated or overstated
✓ Response – What auditors should do, not the company (Receivables, inventory and payable have aged list)

Planning

ISA 300 - Planning an Audit of Financial Statements
In accordance with ISA 300, ‘The objective of the auditor is to plan the audit so that it will be performed in an effective manner’

Benefits of Planning
✓ Devote appropriate attention to the important areas of the audit
✓ Identify and resolve potential problems on a timely basis
✓ Select team members with appropriate capabilities and competencies
✓ Direct and supervise the team and review their work
✓ Effectively coordinate the work of others, such as experts and internal audit

Audit Timing
The first thing that has to happen is a planning visit, or if not a visit at least a telephone call. There would certainly be a visit before the first audit of a new client commenced. Contact is necessary because, at the very least, you have to agree with the client when the audit staff will visit. Also at this planning stage, enquiry should be made about what changes may have taken place at the client’s since the previous audit.
The next stage is what’s known as the interim audit. The interim audit would typically happen perhaps in July or August of the year to 31 December. The auditor will carry out tests of controls, to ensure that the system of internal control as they understand it and as specified by the client is actually working in practice.
There will usually be some audit procedures that have to be carried out at the reporting date. For example, where the value of inventory included in the financial statements will be based on physical quantities, the auditor will plan to attend the physical count.
After the year-end, the auditors will return and carry out a final audit.
At this point the client should have prepared the financial statements and the auditor will be concentrating on obtaining sufficient appropriate audit evidence to express a conclusion on the financial statements.

Planning Process

Preliminary engagement activities
✓ Performing procedures regarding the acceptance and continuance of the client relationship and audit engagement.
✓ Evaluating compliance with ethical requirements.
✓ Ensuring there are no misunderstandings with the client as to the terms of the engagement.

Planning activities
✓ Developing audit strategy and audit plan

Audit Strategy (high-level, overall approach to how an audit will be conducted. It outlines the scope, direction, and focus of the audit.)

Audit Plan (detailed, step-by-step guide that describes how the audit strategy will be implemented)
- What audit procedures are to be carried out
- Who should do them
- How much work should be done (sample sizes, etc.)
- When the work should be done (interim vs. final)

Interim and Final Audit

Timing
Interim Audit: Completed partway through a client’s accounting year (before the year ending). Early enough to give warnings of specific problems that need to be addressed in the final audit and late enough to do sufficient work to ease the pressure on the final audit.
Final Audit: Takes place after the year end at a time agreed with the client which enables them to file the financial statements by the required timeline.

Purpose
Interim Audit: Allows the auditor to spread out their procedures and enables more effective planning for the final stage of the audit. Useful when there is an increased detection risk due to a timed reporting deadline.
Final Audit: To obtain sufficient appropriate evidence to enable the auditor's report to be issued.

Work Performed
Interim Audit:
- Documenting systems
- Evaluating controls
- Attending inventory counts
- Testing of transactions such as sales, purchases, payroll for the year to date
- Testing of specific and complete material transactions (e.g.: purchasing new NCA)
Final Audit:
- Audit of statement of financial position balances which will only be known at the year end
- Obtaining evidence that the controls tested at the interim audit have continued to operate during the period since the interim audit took place
- Completion activities such as going concern and the subsequent event review and communication of misstatements to management and those charged with governance

Importance of an Interim Audit
- If the controls tested at the interim stage provided evidence that control risk is low, fewer substantive procedures can be performed.
- If the interim audit identified areas of increased risks, for example controls were found not to be completely working effectively, increased substantive procedures will be performed at the audit.
- The auditor’s report can be signed closer to the year-end resulting in more timely reporting to shareholders.

Fraud and Error (repeated questioned area)
Fraud is the deliberate falsifying of records or misappropriation of company assets. Fraud can be,
- Fraudulent financial reporting. For example, overstating profits to attract investors and lenders.
- Misappropriation of assets. For example, the theft of cash, inventory or non-current assets.
Error is the innocent misstatement of amounts. Errors can be,
- A mistake in gathering and processing data from which financial statements are prepared.
- An incorrect accounting estimate arising from oversight or a misinterpretation of facts.
- A mistake in the application of accounting principles relating to measurement, recognition, classification, presentation or disclosure
It is management’s responsibility to prevent and detect fraud – not the auditors.
Auditors are not expected to find every fraud, but they are expected (with reasonable assurance) to find material misstatements, whether innocent or fraudulent [ISA 240]
At the planning stage the susceptibility of an entity to fraud should be discussed with the engagement team members.
Fraud must be communicated to those charged with governance if it results in material misstatement or if management is implicated.
It is important, even for what appears to be a small fraud, to investigate how long it has been going on for, how much is involved and who is behind the fraud.

Note - Internal Auditors
Typical functions of the internal auditors that can be performed include
- Testing the effectiveness of the internal controls in preventing and detecting fraud and error and providing recommendations for improvements of the controls
- Performing fraud investigations to identify how it was committed, identifying the extent of the fraud, providing recommendations on how to prevent fraud happening
- Performing surprise asset counts to identify misappropriation

External Auditor's responsibilities in respect of Fraud

1. Assess the risk of material misstatement due to fraud
- Obtain reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error
- Apply professional skepticism
- Consider the potential for management override of controls
To achieve the above the auditors should,
- Enquire of management about their processes for identifying and responding to the risk of fraud
- Enquire of management, internal auditors and those charged with governance if they are aware of any actual or suspected fraudulent activity
- Consider relationships identified during analytical procedures
- Consider any incentives to commit fraud such as profit related bonuses or applications for finance

2. Responding to the Assessed Risks
- Review journal entries made to identify manipulation of figures recorded or unauthorized journal adjustments
- Review management estimates for evidence of bias
- Review transactions outside the normal course of business, or transactions which appear unusual, and assess whether they are indicative of fraudulent financial reporting
- Obtain written representation from management and those charged with governance that they have disclosed all relevant information relating to fraud risk

Reporting of Fraud and Error
- If the auditor identifies any fraud or suspected fraud it should be communicated to those charged with governance or the management
- The auditor must also consider whether they have a responsibility to report the occurrence of a suspicion to a party outside the entity
- If the fraud has a material impact on the financial statements the audit opinion will be modified

Laws and Regulations (IAS 37 provision, contingent liabilities and contingent assets)

Responsibility of Management
It is the responsibility of management, with the oversight of those charged with governance, to ensure that the entity's operations are conducted in accordance with relevant laws and regulations [ISA 250]

Responsibilities of the Auditor
The auditor is responsible to perform audit procedures to help identify non-compliance with laws and regulations that may have a material impact on the financial statements

Audit Procedures to identify instances of Non-Compliance
- Obtaining a general understanding of the legal and regulatory framework applicable to the entity and the industry, and of how the entity is complying with that framework
- Inquiring of management and those charged with governance as to whether the entity is in compliance with such laws and regulations
- Inspecting correspondence with relevant licensing or regulatory authority
- Remaining alert to the possibility that other audit procedures applied may bring instances of non-compliance to the auditor’s attention
- Obtaining written representation from the directors that they have disclosed to the auditors all possible non-compliance, together with actual or contingent consequences which may arise from such non-compliance

Audit Procedures when Non-Compliance is identified
- Inquire of management the penalties to be imposed
- Inspect correspondence with the regulatory authority to identify the consequences
- Inspect board minutes for management discussions on actions to be taken regarding the non-compliance
- Inquire of the company’s legal department as to the possible impact of the non-compliance

Reporting Non-Compliance
- The auditor must report non-compliance to management and those charged with governance
- If the non-compliance has a material effect on the financial statements, a qualified or adverse opinion should be issued
- The auditor should also consider whether they have any legal or ethical responsibility to report non-compliance to third parties

Quality Management
ISA 220 Quality Management for an Audit of Financial Statements requires the firm to design, implement and operate a system of quality management that provides reasonable assurance that the firm,
- Conducts engagements in accordance with professional standards and applicable legal and regulatory requirements and
- Issues reports that are appropriate in the circumstances

Engagement Resources
The engagement partner must ensure sufficient and appropriate resources are assigned or made available to the engagement team.

Human Resources
The engagement team, auditor’s external experts and internal auditors who provide direct assistance must be competent and capable to perform the audit. Competency and capability include practical experience, understanding of professional standards, expertise in specialized areas of accounting and auditing, expertise in IT or automated tools and techniques, willingness to exercise skepticism, understanding of the firm’s policies and procedures.
Technological Resources
This includes technology to conduct meetings, communication and automated tools and techniques. The auditor must be careful not to place too much reliance on those resources.

Intellectual Resources
These include audit methodologies, implementation tools, auditing guides and templates

Engagement Performance
This comprises direction, supervision and review of the engagement

Direction
- Contribute to the management and achievement of quality of the engagement
- Maintain a questioning mind and exercise professional skepticism
- Fulfill ethical requirements
- Perform audit procedures and for more experienced team members to direct, supervise and review the work of less experienced team members
- Address threats to the achievement of quality (e.g.: budget or resource constraint)

Supervision
- Tracking the progress of the audit to ensure the objective of the work is achieved and adequate ongoing resources are assigned
- Addressing issues arising and modifying the planned approach accordingly
- Identifying matters for consultation. Consultation may be required where the firm lacks appropriate internal expertise
- Creating an environment where engagement team members can raise concerns without any fears.

Review
- The work has been performed in accordance with professional standards, policies and procedures
- Appropriate consultation has taken place
- The work performed supports the conclusions reached
- The evidence obtained is sufficient and appropriate to support the auditor’s report

Note
An EQR is an example of a pre-issuance ('hot') review - i.e. it is carried out before the auditor’s report is signed.
Any reviews carried out after the auditor’s report is signed are known as post-issuance ('cold') reviews.
They will not affect the audit for the year being reviewed, but they will help maintain or improve quality standards in the future.
An audit firm may choose to carry out reviews ('hot' or 'cold') where an EQCR is not required.
✓ EQCR (Engagement Quality Control Review) is compulsory for listed and high-risk clients
✓ An engagement quality reviewer is a partner, other individual in the firm or an external individual appointed by the firm who was not part of the external audit.

Monitoring & Remediation
A monitoring & remediation process must be established to provide relevant, reliable and timely information about the design, implementation and operation of the system of quality management and take appropriate actions to respond to identified deficiencies such that deficiencies are remediated on a timely basis. In order to achieve this the firm must
- Establish quality objectives
- Identify and assess quality risks
- Design and implement responses to address quality risks

Audit Documentation
ISA 230 Audit Documentation requires auditors to prepare and retain written documentation that,
- Provides evidence of the auditor’s basis for their report.
- Provides evidence that the audit was planned and performed in accordance with ISAs and applicable legal and regulatory requirements
In addition, audit documentation fulfils the following very important purposes,
To enable senior staff to review the work of junior staff. The review process is essential in carrying out a competent audit: the work of junior staff is reviewed by their supervisor, the supervisor’s work is reviewed by the manager, and finally the partner, who will sign the auditor’s report, will review everyone else’s work. Review is not possible without recording the work carried out and evidence obtained.
To help the audit team in future years. An immensely useful planning exercise at the start of the audit is to examine last year’s file. Were there problems? Were there any errors?
How did last year’s audit team go about gathering evidence?
To encourage a methodical, high-quality approach. The audit documentation contains information documenting the client’s accounting system, the tests that have to be performed (e.g. select 20 invoices at random and ensure that they are authorized). As each part of the audit is completed the audit program is signed off by the person who carried it out. Outstanding matters are easy to see.

Form and content of Audit Documentation
- Title
- Date prepared
- Person who prepared the paper and their signature
- References to other schedules
- Purpose of the audit tests being performed
- Precise details of work performed, such as invoices examined, assets inspected, calculations reperformed.
- Conclusion from the work performed
- Reviewers’ signatures and date of review

Note
Documentation is retained in an audit file, which should be completed in a timely fashion after the date of the auditor's report (normally not more than 60 days after) and retained for the period required by national regulatory requirements (this is normally five years from the date of the auditor's report)

Subject F8 – Audit and Assurance
Lecturer Sachith Tillekeratne
Handout Number 03
Lesson Internal Control

INDEX
07. Systems and Controls
08. Internal Audit

“Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time.” - Thomas A. Edison

Systems and Controls
One of the first things that the auditor has to do in a new audit is to record the client’s accounting system and internal control processes. This will provide a basis for evaluating the design of internal controls.
Note - Where it’s a repeat audit, the auditor must ensure that their records of the client system are updated and remain accurate

If Control Risk is,
HIGH
LOW

Limitations of Internal Controls
- Human error
- Ineffective controls
- Collusion of staff in circumventing controls
- The abuse of power by those with ultimate controlling responsibility
- Use of management judgment on the nature and extent of controls it chooses to implement

Components of an Internal Control System
In accordance with ISA 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment, the auditor is required to understand the entity’s internal controls
- Control Environment
- Risk Assessment Process
- Control Activities
- Information System
- Monitoring

Control Environment –
Control Activities –

Note – Enquiries, Observation, Tracing transactions and Inspection can be used to obtain evidence regarding the design and implementation of controls

Documenting Client Systems
One of the first things that the auditor has to do in a new audit is to record the client’s accounting system and internal control processes. This will provide a basis for evaluating the design of internal controls.
Where it’s a repeat audit, the auditor must ensure that their records of the client system are updated and remain accurate
Narrative Notes: A written description of the system
Flowcharts: A diagrammatical representation of the system
Organisational Charts: A diagram showing reporting lines, roles, responsibilities
Questionnaires: A prepared list of questions in relation to the controls

There are two main patterns of questionnaire,
1. Internal Control Questionnaire (ICQ)
In ICQs, when you get the answer “yes” to a question, it is a good sign. An example of a question could be, “Are suppliers’ invoices cancelled when they are paid?” The answer “Yes” is good, the answer “No” is bad because it means that those invoices could be inadvertently paid a second time.
2. Internal Control Evaluation Questionnaire (ICEQ)
The client is asked to describe the controls they have in place for a given control objective. E.g.: How does the company ensure that only hours worked are recorded on timesheets?

Advantages and Disadvantages of Documentation Methods

Testing of the System
The auditor needs to gather evidence on the effectiveness of the controls during the period and the typical methods of testing controls are,
Observation –
Inspection –
Computer assisted audit techniques

Communicating Control Deficiencies
If the auditors find that the internal control system is inadequate, or is not operating efficiently, then they will send what is known as a management letter or letter of weakness to the board of the company (or the audit committee).
A weakness (deficiency) exists when,
- A control is designed, implemented, or operated in such a way that it is unable to prevent (or detect and correct) misstatements on a timely basis; or
- Such a control is missing
ISA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management requires the auditor to communicate any deficiencies to the management and those charged with governance.

Systems
- Sales System
- Purchase System
- Payroll System
- Inventory System
- Cash System

Sales System
Objectives of the System (Stage / Objective)
- Ordering
- Dispatch
- Invoicing
- Recording
- Cash Received

Purchase System (Stage / Objective)
- Ordering
- Goods Received
- Invoice Received
- Recording
- Cash Payments

Payroll System (Stage / Objective)
- Clock cards (timesheets) submitted
- Payroll calculation
- Standing data amendments
- Recording
- Payments to employees and tax authorities

Inventory System
Objectives of an Inventory System
- Inventory levels meet the needs of production (raw materials and components) and customer demand (finished goods).
- Inventory levels are not excessive, preventing obsolescence and unnecessary storage costs.
- Inventory is safeguarded from theft, loss or damage.
- Inventory received and dispatched is recorded on a timely basis.
- All inventory is recorded.
- Inventory should be recorded at the appropriate value.
- Only inventory owned by the company is recorded

Cash System
Objectives of the Cash System
- Petty cash levels are kept to a minimum, preventing theft.
- Payments can only be made for legitimate business expenditure.
- Cash can only be withdrawn for business purposes.
- Cash is safeguarded to prevent theft.
- Receipts are banked on a timely basis to prevent theft.
- Cash movements are recorded on a timely basis

Exam Approach

Internal Audit
Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.

The Need for an Internal Audit Department
- Scale and diversity of activities
- Complexity of operations
- Number of employees
- Cost/Benefit considerations
- Senior Management requirements
- History of fraud

The Difference between Internal and External Auditors

Key Activities of the Internal Audit Function
- Assessing whether the company is demonstrating best practice in corporate governance.
- Evaluating the company's risk identification and management processes.
- Testing the effectiveness of internal controls.
- Assessing the reliability of financial and operating information.
- Assessing the economy, efficiency and effectiveness of operating activities (value for money).
- Assessing compliance with laws and regulations.
- Providing recommendations on the prevention and detection of fraud.

Note
In addition to the above, the internal audit will carry out fraud investigations, IT systems reviews, asset verifications, assisting the external auditors, mystery shopper visits etc.

Outsourcing Internal Audit
Outsourcing is where the company uses an external company to perform its internal audit service instead of employing its own staff.
Advantages and Disadvantages of Outsourcing Internal Audit

Advantages
1. Professional firms follow an ethical code of conduct and should therefore be independent of the client
2. Professional firms should have qualified, competent staff and specialist skills
3. Employment costs of permanent staff are avoided
4. The risk of staff turnover is passed to the outsourcing firm
5. Management time in administering an in-house department will be reduced

Disadvantages
1. Professional firms lack the intimate knowledge and understanding of the organisation that employees have
2. Fees charged by professional firms may be high
3. Lack of control over the quality of service
4. An ethical threat may arise if the services are provided by the external auditor
5. Pressure on independence of the outsourced firm since management might threaten not to renew the contract

Internal Audit Assignments
Value for money -
Operational audits -
Audit of IT systems -
Financial audit -

Reporting
The format of an internal audit report does not have a formal reporting structure, since these reports will generally be for internal use only. A typical report will include,
- Terms of reference – the requirements of the assignment.
- Executive summary – the key risks and recommendations that are described more fully in the body of the report.
- Body of the report – a detailed description of the work performed and the results of that work.
- Appendix – containing any additional information that doesn't belong in the body of the report but which is relevant to the assignment.

Subject F8 – Audit and Assurance
Lecturer Sachith Tillekeratne
Handout Number 04
Lesson Evidence and Audit Reporting

INDEX Q 18 (20 marks)
09. Evidence (theory)
10. Procedures (15 marks)
11. Completion and Review (theory)
12. Reporting (5 marks)

“If you don’t go after what you want, you’ll never have it.
If you don’t ask, the answer is always no. If you don’t step forward, you’re always in the same place.” - Nora Roberts

Evidence

Audit Evidence

In accordance with ISA 500 Audit Evidence, the objective of the auditor, in terms of gathering evidence, is, “to design and perform audit procedures in such a way to enable the auditor to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor's opinion”

01. Sufficiency – The auditor needs to gather “enough” evidence to form a conclusion. This is a matter of professional judgement. When deciding on this the auditor must consider the risk of material misstatements, the materiality of the item, the reliability of the evidence obtained (less reliance, more evidence) etc.

02. Appropriateness – Appropriateness of evidence can be broken down into reliability and relevance.

Reliability
✓ The auditor should always obtain evidence from the most trustworthy and dependable source possible. E.g.
- Evidence obtained from an independent external source is more reliable than client generated evidence
- Evidence obtained directly by the auditor is more reliable than evidence obtained indirectly
- Written evidence is more reliable than oral evidence
- Original documents are more reliable than photocopies

Relevance
✓ This means the evidence relates to the financial statement assertions being tested. E.g.: select a sample of items from inventory and trace them to physical inventory to confirm the existence

Financial Statement Assertions

The auditor will perform a range of tests on the significant classes of transactions and account balances. These tests focus on the financial statement assertions.

- Occurrence – The transactions and events recorded and disclosed have occurred and pertain (relate) to the entity.
- Completeness – All transactions and events and all related disclosures that should have been included have been included.
- Accuracy – Amounts and other data have been recorded appropriately and related disclosures have been appropriately measured and described.
- Cut-off – Transactions and events have been recorded in the correct accounting period.
- Classification – Transactions and events have been recorded in the proper accounts.
- Presentation – Transactions and events are appropriately aggregated or disaggregated. (NCA should be disaggregated, Inventory aggregated)
- Existence – Assets, liabilities and equity interests exist.
- Rights and obligations – The entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
- Accuracy, valuation and allocation – Assets, liabilities and equity interests have been included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments have been appropriately recorded.

Sources of Audit Evidence

Test of Control

Tests of control are designed to evaluate the operating effectiveness of controls in preventing or detecting and correcting material misstatement. In order to rely on the controls, the auditor needs to,
- Ascertain (find out) how the system operates
- Document the system in audit working papers
- Test the operation of the system
- Assess the design and operating effectiveness of the control system
- Determine the impact on the audit approach for specific classes of transactions, account balances and disclosures

Substantive Procedures (detailed tests and procedures performed by auditors to detect material misstatements in a company’s financial statements)
- Tests of detail - to verify individual transactions and balances (e.g.: examining invoices, contracts, or bank statements to confirm individual transactions or balances)
- Substantive analytical procedures - involve analyzing relationships between information to identify unusual fluctuations which may indicate possible misstatement

Types of Audit Procedure
- Inspection of records, documents or physical assets.
- Observation of processes and procedures, e.g. inventory counts.
- External confirmation obtained in the form of a direct written response to the auditor from a third party.
- Recalculation to confirm the numerical accuracy of documents or records.
- Reperformance by the auditor of procedures or controls.
- Analytical procedures.
- Enquiry of knowledgeable parties

Relying on the Work of Others

There are two classes of expert (i.e. expertise in a field other than accounting or auditing),
- Management’s expert – assists management in preparing the financial statements
- Auditor’s expert – assists the auditor in obtaining sufficient appropriate audit evidence. May be internal or external to the audit firm

If the work of management’s expert is to be used as audit evidence (ISA 500), the auditor must evaluate,
- The expert’s competence, capabilities and objectivity
- The appropriateness of their work to the relevant assertion(s)
- Whether it is sufficiently reliable for audit purposes (i.e. accurate and complete and sufficiently precise and detailed)

Relying on the Work of an Auditor's Expert

If the auditor lacks the required technical knowledge to gather sufficient appropriate evidence to form an opinion, they may have to rely on the work of an audit expert (ISA 620). In order to do so the auditor must evaluate whether the expert has the necessary competence, capability and objectivity for the purpose of the audit

Note

Agreeing the work
Once the auditor has considered the above matters, they must then obtain written agreement from the expert of the following,
- The nature, scope and objectives of the expert’s work.
- The roles and responsibilities of the auditor and the expert.
- The nature, timing and extent of communication between the two parties.
- The need for the expert to observe confidentiality

Evaluating the work
Once the expert's work is complete the auditor must scrutinize it and evaluate whether it is appropriate for audit purposes.
- The reasonableness of the findings and consistency with other evidence.
- The significant assumptions made.
- The use and accuracy of source data

Reference to the Work of an Expert

The use of an auditor’s expert is not mentioned in an unmodified auditor's opinion unless required by law or regulation. Reference to the work of an expert may be included in a modified opinion if it is relevant to the understanding of the modification.

(In the audit report, they will not mention that they got help from an expert, because the responsibility for the audit is on the audit firm. However, if it’s required by law they will mention it. And if they modify the report due to expert opinion, they need to mention that.)

Relying on Internal Audit (ISA 610)

Before relying on the work of internal audit, the external auditor must assess the effectiveness of the internal audit function and assess whether the work produced by the internal auditor is adequate for the purpose of the audit
- The extent to which the internal audit function's organizational status and relevant policies and procedures support the objectivity of the internal auditors.
- The competence of the internal audit function.
- Whether the internal audit function applies a systematic and disciplined approach.
- Whether any constraints are placed on the internal function by management or those charged with governance
- Whether the internal auditors are members of a professional body which requires compliance with ethical requirements
- Whether the resources of the internal audit function are appropriate and adequate for the size of the organization and nature of its operations

Evaluating the Internal Audit Work
- The work was properly planned, performed, supervised, reviewed and documented
- Sufficient appropriate evidence has been obtained
- The conclusions reached are appropriate in the circumstances
- The reports prepared are consistent with the work performed

Note
To evaluate the work adequately, the external auditor must reperform some of the procedures that the internal auditor has performed to ensure they reach the same conclusion.
Note that the auditor is not required to rely on the work of internal audit. In some jurisdictions, the external auditor may be prohibited or restricted from using the work of the internal auditor by law.

Using the Internal Audit to provide Direct Assistance

ISA 610 provides guidance that aims to reduce the risk that the external auditor overuses the internal auditor,
- Direct assistance cannot be provided where laws and regulations prohibit such assistance, e.g. in the UK
- The competence and objectivity of the internal auditor.
Where threats to objectivity are present, the significance of them and whether they can be managed to an acceptable level must be considered
- The external auditor must not assign work to the internal auditor which involves significant judgment, a high risk of material misstatement or with which the internal auditor has been involved
- The planned work must be communicated with those charged with governance

Where it is agreed that the internal auditor can provide direct assistance,
- Management must agree in writing that the internal auditor can provide such assistance and that they will not intervene in that work
- The internal auditors must provide written confirmation that they will keep the external auditor's information confidential.
- The external auditor will provide direction, supervision and review of the internal auditor's work
- During the direction, supervision and review of the work, the external auditor should remain alert to the risk that the internal auditor is not objective or competent

The auditor should document,
- The evaluation of the internal auditor's objectivity and competence.
- The basis for the decision regarding the nature and extent of the work performed by the internal auditor.
- The name of the reviewer and the extent of the review of the internal auditor's work.
- The written agreement of management mentioned above.
- The working papers produced by the internal auditor

Use of Service Organizations

ISA 402 Audit Considerations Relating to an Entity Using a Service Organization provides guidance to auditors.
- The auditor needs to obtain an understanding of the service organization to identify and assess risks of material misstatement and design audit procedures to respond to those risks
- The auditor needs to understand the nature of services, materiality of the transactions and the relationship between the service organization and the entity
- The auditor should also understand the reputation of the organization, extent of controls, experience of errors and omissions, degree of monitoring by the user

Sources of information about the Service Organization
- Obtaining a type 1 or type 2 report from the service organization’s auditor
  Type 1 report – This provides a description of the design of the controls and includes a report by the service auditor providing an opinion on the description of the system and the suitability of the controls.
  Type 2 report – This is a report on the description, design and operating effectiveness of controls at the service organizations and includes a report by the service auditor providing an opinion on the description of the system, the suitability of the controls, the effectiveness of the controls and a description of the tests of controls performed by the auditor.
- Contacting the service organization through the client.
- Visiting the service organization.
- Using another auditor to perform tests of controls

Note
The use of a service organization auditor is not mentioned in the auditor's report unless required by law or regulation. Reference to the work of a service organization auditor may be included in a report containing a modified opinion if it is relevant to the understanding of the modification.
This does not diminish the auditor’s responsibility for the opinion

Benefits
- Independence - since the service organization is external to the client, the audit evidence derived from it is regarded as being more reliable than evidence generated internally by the client.
- Competence - Since the service organization is a specialist, it may be more competent in executing its role than the client's internal department, resulting in fewer errors

Drawbacks
- The auditor has a legal right to access the client's records and to receive answers and explanations that they consider necessary for the audit. However, they do not have such rights over records and information held by a third party such as a service organization.

Selecting items for Testing

The auditor has t
