Audit & Assurance for CPSA, SAO

This document contains study notes for Paper 3 - Audit and Assurance for the Certified Public Sector Auditor (CPSA) qualification. It covers key topics related to audit frameworks, ethics and corporate governance, audit planning and risk, audit evidence, forming the audit opinion, and internal auditing. The document provides an overview of relevant international standards for auditing and assurance engagements (ISSAIs), outlines the roles and responsibilities of auditors, and describes techniques and procedures used in conducting financial statement audits and other types of audits in the public sector.

Uploaded by Sayed Rahman

Study Notes-P3-AUDIT AND ASSURANCE, CPSA, SAO

STUDY NOTES

PAPER 3 - AUDIT AND ASSURANCE

CERTIFIED PUBLIC SECTOR AUDITOR (CPSA)

SUPREME AUDIT OFFICE (SAO), AFGHANISTAN


Table of Contents
CHAPTER 1 – AUDIT FRAMEWORKS
Syllabus aim
Learning outcomes and content
1.1 Audit frameworks
1.2 Assurance engagements
1.3 Levels of assurance and the concept of reasonable assurance
1.4 Accountability and stewardship
1.5 External Audit
1.6 Audit of financial statements – roles and responsibilities
1.7 Audit of financial statements – the professional standards framework
1.8 Audit of financial statements – the legal framework
1.9 Fundamental principles of public sector auditing (ISSAI 100)
1.10 Audit of financial statements – the private sector
1.11 Audit of financial statements – the public sector
1.12 Agreeing the terms of an audit engagement

CHAPTER 2 – ETHICS AND CORPORATE GOVERNANCE
Syllabus aim
Learning outcomes and content
2.1 Ethics and corporate governance
2.2 Audit of financial statements – the ethical framework
2.3 Audit of financial statements – the quality control framework
2.4 The governance framework

CHAPTER 3 – AUDIT PLANNING AND AUDIT RISK
Syllabus aim
Learning outcomes and content
3.1 Audit planning and audit risk
3.2 Objectives and general principles of audit planning
3.3 The audit and assurance model underpinning the ISSAI approach to the conduct of audits

CHAPTER 4 – IDENTIFICATION AND ASSESSMENT OF RISK AND THE AUDITOR’S RESPONSE
Syllabus aim
Learning outcomes and content
4.1 Identification and assessment of risk and the auditor’s response
4.2 ISSAI 2315 – Identifying and assessing the risks of material misstatement through understanding the entity and its environment
4.3 Internal controls
4.4 Fraud
4.5 ISSAI 2330 – The auditor’s responses to assessed risks
4.6 Key controls

CHAPTER 5 – AUDIT EVIDENCE
Syllabus aim
Learning outcomes and content
5.1 Audit evidence
5.2 The requirements for audit evidence
5.3 Techniques for gathering audit evidence
5.4 Use of sampling
5.5 Audit testing
5.6 Using the work of internal auditor
5.7 Additional relevant ISSAIs
5.8 Audit documentation

CHAPTER 6 – FORMING AND REPORTING THE AUDIT OPINION
Syllabus aim
Learning outcomes and content
6.1 Forming and reporting the audit opinion
6.2 Finalizing the audit including communication and forming the audit opinion
6.3 The auditor’s report
6.4 Other communications

CHAPTER 7 – INTERNAL AUDITING
Syllabus aim
Learning outcomes and content
7.1 Internal auditing
7.2 Recap
7.3 Internal audit frameworks
7.4 Internal audit and internal controls
7.5 Performance audits
7.6 Contract audits
7.7 Fraud investigations


CHAPTER 1 – AUDIT FRAMEWORKS

Syllabus aim
▪ Identify and explain the scope, regulatory and ethical environment within which
audits are performed.
▪ Explain the risk assessment and planning procedures required by relevant
auditing standards.

Learning outcomes and content


▪ Explain the concepts of audit and assurance:
o Objectives of external audit and other assurance engagements
o Levels of assurance and concept of reasonable assurance
o Accountability and stewardship
o True and fair presentation
o The assurance engagement process

▪ Explain the provisions relating to audits within current public services and
private sector legislation:
o General requirements relating to the provision of internal and external audit
services
o Auditor’s rights and duties
o Auditor’s liability including criminal liability and liability to third parties
o Impact of International Standards of Supreme Audit Institutions Auditing
(ISSAI) on external audit work
o Fundamental principles of public sector auditing
o Public sector audit frameworks
o Companies audit requirements

▪ Explain the scope of internal and external audits:
o Basic views and concepts of internal and external audit work
o Power and authority available to internal and external auditors

▪ Explain the objectives and general principles of audit planning and risk
assessment:
o Agreeing the terms of audit engagements


1.1 Audit frameworks


The need for confidence underpins the process by which audit and assurance
activities have been standardized and professionalized over time, resulting in the
current legal and regulatory frameworks.

1.2 Assurance engagements


1.2.1 What is assurance?
There are many different definitions of ‘assurance’ but they all center on the idea
that good quality information enhances people’s confidence in an
organization. Such assurance, or confidence, is often very important.

For example, heightened confidence encourages people to invest, which
contributes to wider economic development. Conversely, major assurance failures
can have a negative effect on investor confidence and, in turn, on stock markets
and the wider economy. In the public sector, assurance builds confidence in
publicly funded bodies, reinforces the idea that those receiving public money are
accountable, and ultimately assists the whole democratic process.

Exercise 1.1: Consider what factors might affect the level of assurance you could
take from an assurance statement given to you by a third party. You need not
focus on the audit context here.

For example, you might want to consider what factors you would consider when
someone reviewed and reported to you on the quality of work an engineer had
done to your car.

What factors would you consider when deciding whether to trust in such a report?

1.2.2 What is an assurance engagement?


An assurance engagement typically provides improved or additional information
that enhances stakeholders’ confidence in the organization and may also allow
senior management to make better decisions.


The term covers a wide range of activities, which may focus on both financial and
non-financial information. Examples include: information systems evaluations,
data security reviews, risk assessments, and customer satisfaction surveys.

1.2.3 The three parties involved


There are usually three discrete parties involved in an assurance engagement:
▪ The responsible party – normally the owners and management who run the
organization and therefore produce the information which the piece of
assurance work will assess.
▪ The users – normally the shareholders, or the general public in the case of
public sector bodies, who are affected by the activities of the responsible party.
▪ The practitioner – the firm or individual who will conduct the assurance work.

Either the responsible party, or the users, or in some circumstances both, may
engage the practitioner to carry out the assurance engagement.

1.2.4 The nature of the work


The practitioner is responsible for determining the nature, timing and extent of the
work to be carried out, so as to gather sufficient and appropriate evidence. They
also pursue, as far as possible, any issue which leads them to question whether
material changes should be made by the responsible party to the information being
examined or to the assertions arising from that information, and to consider the
effect on the assurance report if no changes are made.

An assurance engagement may focus on a range of aspects, such as:


▪ The fairness of the way that a particular management activity or information
stream is described.
▪ The design of internal processes (e.g. business activities, control procedures).
▪ The effectiveness of processes.
▪ Business outcomes; or
▪ A comprehensive report (e.g. a report that may include elements of all of the
above with an overall view on management’s performance).


1.2.5 External audit


An external audit is a form of assurance engagement.

Audit: Audit is the systematic process of obtaining, and then objectively
evaluating, the accounts or financial records of an organization.

External auditor: The external auditor is a professionally qualified person
working outside the organization in question, who is commissioned to perform an
audit in accordance with the specific laws and rules that are in force in a particular
place at a particular time.

Why is audit needed? Audit is needed because there are stakeholders who need
to know that an organization's accounts are accurate, but who cannot possibly
develop the insights required to provide that knowledge themselves.

In the commercial sector, for example, shareholders want to know that the
financial statements provided to them by management are reliable. Such
knowledge is fundamental to the trust that underpins capital markets and long-
term investment.

In public sector bodies – for example, government departments and educational
establishments – slightly different considerations apply. Funding generally comes
from taxation rather than private capital, so it is the general public rather than the
shareholder that needs to know the funding is being accounted for properly.

However, the external auditor plays a fundamentally similar role, providing an
independent professional opinion on the accuracy of the financial statements.

1.2.6 Internal audit


Internal audit is ‘an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an
organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control
and governance processes’. (Public Sector Internal Audit Standards (2013))

We can see from this definition that internal audit is provided as a service to the
entity itself rather than to external stakeholders. The purpose of internal audit is
to contribute to the improved management of an organization. The Chartered
Institute of Internal Auditors state that:

‘In sum, internal auditors help organizations to succeed. We do this through a
combination of assurance and consulting. The assurance part of our work involves
telling managers and governors how well the systems and processes designed to
keep the organization on track are working. Then, we offer consulting help to
improve those systems and processes where necessary’.
([Link]

Details in chapter 7.

1.3 Levels of assurance and the concept of reasonable assurance


1.3.1 Reasonable assurance
When conducting an audit, the auditors cannot evaluate every relevant piece of
financial information and assess every relevant financial system. As such, they
cannot be expected to provide absolute assurance that the financial statements
are accurate.

However, they are expected to act in a way that provides ‘reasonable assurance’.
The concept of reasonable assurance appears in a number of places within ISSAI
200 which sets out the overall objectives of the independent auditor. Paragraph
38 states that:

‘Audits of financial statements conducted in accordance with the ISSAIs are
reasonable assurance engagements. Reasonable assurance is high, but not
absolute, given the inherent limitations of an audit, the result of which is that most
of the audit evidence obtained by the auditor will be persuasive rather than
conclusive.’

The key points to note here are that reasonable assurance:


▪ is a high level of assurance
▪ is obtained when the auditor has obtained sufficient appropriate audit evidence
to reduce audit risk to an acceptably low level
▪ is not an absolute level of assurance

▪ Reasonable assurance enables a conclusion to be expressed positively. A
positive opinion is where the auditors state that they have found something to
be the case.
▪ For example, the auditors might conclude that financial statements do not
contain material misstatement. This conclusion might be worded: ‘I am of the
opinion that client X’s financial statements are free from material misstatement.’

1.3.2 Limited assurance


Limited assurance is a lower (but still meaningful) level of assurance that the risk
of material misstatement has been reduced to an acceptable level, enabling a
conclusion to be expressed negatively.

A negative opinion is where the auditors state that they have seen nothing to
indicate that something is not the case.

Auditors will be engaged in either a reasonable assurance engagement or a limited
assurance engagement. The level of assurance required will depend on such
factors as the level of assurance sought by the users and/or responsible party
(which would depend on the nature of the aspect being audited) and any legal
requirements that might exist. The type of assurance engagement will determine
the quantity and quality of evidence sought and the type of the audit opinion given.

Limited assurance engagements are not covered at present by the ISSAIs on
financial audit.

1.4 Accountability and stewardship


1.4.1 Stewardship
One of the key functions of an entity’s financial statements is to provide
information to users about the management’s stewardship of that entity and its
resources. This means, essentially, the way that management has run the entity
and deployed its resources in the past (e.g. the transactions entered into, the
decisions taken, and the policies adopted), and how they are planning to do so in
the future.


Stewardship is inherently linked to agency theory. That is, the fact that
management of the entity is acting on behalf of, or as agents for, its owners. In
the case of a public service organization the owners are principally taxpayers, on
whose behalf management runs that organization.

Owners need to oversee management behavior, to ensure that:


▪ It is aligned to their objectives (this includes the idea of regularity in a public
service organization).
▪ Management are devising strategies aimed at making the best use of the
organization's assets; and
▪ No misappropriation of the organization's assets takes place.

The financial statements therefore provide a bridge between owners (the intended
users) and management (the responsible party), helping the former to understand
and assess the latter’s performance, and therefore to make informed decisions
about the organization. By issuing an independent, professional opinion about
those statements, external auditors play a crucial role in helping the intended users
understand the responsible party’s performance.

1.4.2 Accountability
Related to the idea of stewardship is the notion that management are
accountable to the owners for the performance of the entity they control. This
important term has a number of meanings. In a literal sense, it means that
management have to provide an account of, or disclose, their activities to the
owners, in the form of financial statements. It also means that they are responsible
for the entity insofar as they manage it, and that they are held accountable for
successes and failures.

1.5 External Audit


1.5.1 The purpose of external audit
‘The purpose of an audit [of financial statements] is to enhance the degree of
confidence of intended users in the financial statements. This is achieved by the
expression of an opinion by the auditor on whether the financial statements are
prepared, in all material respects, in accordance with an applicable financial
reporting framework. In the case of most general-purpose frameworks, that
opinion is on whether the financial statements are presented fairly, in all material
respects, or give a true and fair view in accordance with the framework’ ISSAI
2200.3 (ISA 200 - Overall objective of the independent auditor, and the conduct
of an audit in accordance with international standards on auditing)

1.5.2 True and fair presentation – practical interpretation


You will see from the purpose of external audit above that auditors often give an
opinion on whether or not financial statements give a true and fair view.

The expression ‘true and fair’ is not strictly defined in the accounting literature.
However, it simply means that the financial statements are free from material
misstatement and faithfully represent the financial performance and position of
the entity. It might be further defined as follows:
▪ ‘True’ suggests that the financial statements are factually correct and have
been prepared according to the applicable reporting framework such as the
International Financial Reporting Standards (IFRS), and they do not contain
any material misstatements that may mislead the users. Misstatements may
result from material errors or omissions of transactions and balances in the
financial statements.

▪ ‘Fair’ implies that the financial statements present the information faithfully
without any element of bias, and that they reflect the economic substance of
transactions rather than just their legal form.

1.6 Audit of financial statements – roles and responsibilities


Exercise 1.2: The following exercise will allow you to assess your own
understanding of who is responsible for what, with regard to a large company.
Considering these perspectives will help us to understand the need for audit.

Requirements: Look at things from the perspective of:


▪ You are the company management
o Role: What is your role? What are your objectives?
o Relationships: Who do you answer to? Who is relying on you? Who do
you rely on? Are there any conflicts in these relationships?
o Risks: What can go wrong? What are the safeguards in place to protect
against these?

▪ You are the external auditor
o Role: What is your role? What are your objectives?
o Relationships: Who do you answer to? Who is relying on you? Who do
you rely on? Are there any conflicts in these relationships?
o Risks: What can go wrong? What are the safeguards in place to protect
against these?

▪ You are a shareholder
o Role: What is your role? What are your objectives?
o Relationships: Who do you answer to? Who is relying on you? Who do
you rely on? Are there any conflicts in these relationships?
o Risks: What can go wrong? What are the safeguards in place to protect
against these?

Don’t worry if you find this difficult – you can return again to this exercise after
you have studied the rest of this chapter and chapter 2.

1.6.1 The auditor’s role and responsibilities


In considering the overall nature of the audit of financial statements we should
return to the definition given earlier:
‘The purpose of an audit [of financial statements] is to enhance the degree of
confidence of intended users in the financial statements. This is achieved by the
expression of an opinion by the auditor on whether the financial statements are
prepared, in all material respects, in accordance with an applicable financial
reporting framework. In the case of most general-purpose frameworks, that
opinion is on whether the financial statements are presented fairly, in all material
respects, or give a true and fair view in accordance with the framework’. (Ibid)

Key to this definition is that the core function of the auditor is to give an opinion
on the financial statements, based on an examination of those statements and the
evidence available to support them. This is quite a narrow and precise remit and
this can lead to what is often referred to as an ‘expectation gap’ between public
expectations of auditors and their actual roles and responsibilities. For example,
for reasons we will explore later, auditors are not expected to:
▪ Correct financial statements that they consider to be misstated
▪ Prevent fraud or error
▪ Detect all cases of fraud or error

The ISSAI goes on to say that ‘The financial statements subject to audit are those
of the entity, prepared by management of the entity with oversight from those
charged with governance’ (ISSAI 2200.4) and, crucially, ‘the audit of the financial
statements does not relieve management or those charged with governance of
their responsibilities’. (Ibid)

The distinction between ‘those charged with governance’ and ‘management’ is an
important one.

Governance: Those charged with governance are ‘the person(s) or
organization(s) (for example, a corporate trustee) with responsibility for
overseeing the strategic direction of the entity and obligations related to the
accountability of the entity’. (ISSAI 1003 - Glossary of terms to the INTOSAI
financial audit guidelines)

Management: Management are the person(s) with executive responsibility for
the conduct of the entity’s operations. (Ibid)

Governance is thus concerned with oversight, whereas management is concerned
with ‘day-to-day’ executive responsibilities, including the preparation of financial
statements. Both have a role to play in preparing the accounts but the key point
here is that it is the responsibility of the audited organization itself to prepare
accurate financial statements and not the auditor.

1.6.2 Auditor independence


ISSAI 2200 states that ‘The auditor shall comply with relevant ethical
requirements, including those pertaining to independence, relating to financial
statement audit engagements’. (ISSAI 2200.14)


The importance of auditor independence cannot be overstated. When an auditor
gives an opinion on a separate entity, it is vital that the auditor is indeed wholly
independent and free from undue influence, allowing them to take an objective
stance and to form their conclusions, and report these, without fear or favor. If
the users of the auditor’s report do not have full confidence in the objectivity and
independence of the auditor, this necessarily limits the confidence, or assurance,
that the users can draw from that report.

1.7 Audit of financial statements – the professional standards framework

1.7.1 International Standards on Auditing (ISAs)
The principal international auditing standards are known as International
Standards on Auditing (ISA). These are external audit standards and are intended
to be mandatory for all auditors of company accounts, so that an audit opinion in
one country can be seen by investors as having been arrived at in the same way
as in another country.

ISAs are issued by the International Auditing and Assurance Standards Board
(IAASB).

The IAASB operates within the International Federation of Accountants (IFAC).
Auditors from IFAC member bodies (including CIPFA) are expected to apply the
ISAs unless national laws or regulations override these requirements.

1.7.2 International Standards of Supreme Audit Institutions (ISSAI)


International Standards of Supreme Audit Institutions (ISSAI) are auditing
standards issued by the International Organization of Supreme Audit Institutions
(INTOSAI).

The main purpose of auditing guidelines is ‘to provide INTOSAI members with a
comprehensive set of guidelines for the audit of financial statements of public
sector entities’. ISSAI 1000.14 (ISSAI 1000 - General Introduction to the INTOSAI
Financial Audit Guidelines)

Each of these auditing guidelines contains:


▪ The full verbatim text of the related ISA, issued by the IAASB;
▪ A supporting Practice Note (PN) which deals with specific considerations
relating to the audit of public sector entities.

Each ISSAI can thus be seen as providing public sector guidance which ‘wraps
around’ an existing ISA.

ISSAIs are the primary standards referred to throughout the Audit and
Assurance chapters. They can be found at: [Link]
guidelines/general-auditing-guidelines/

1.8 Audit of financial statements – the legal framework


1.8.1 The rights of the auditor
These will be determined in law but common rights of a public auditor typically
include:
▪ The right of access to all books and records of the audited organization
▪ The right to obtain information and explanations from all officers of the audited
organization
▪ The right to report on any matter relating to the audited organization, without
its consent

There may also be an entitlement to be notified, to attend and to address any
public meeting of the audited organization, but this may be dependent on the
nature of the audited organization and its arrangements for public accountability.

1.8.2 Criminal and civil liabilities of auditors


The audit of financial statements is normally governed by national legislation and
there are often further legal considerations for auditors:
▪ In some jurisdictions there may be criminal sanctions that apply to auditors
who, for example, knowingly neglect their duties or who knowingly take on
audit work where a serious conflict of interest exists.
▪ In some jurisdictions, auditors may be subject to laws to counter money-
laundering, fraud or other forms of financial malpractice. Such law may create
a legal duty to report suspected malpractice by audit clients to an appropriate
authority.

▪ In some jurisdictions, auditors may be open to a civil liability either through
contract law or negligence.
o Auditors may be sued by the organization they are auditing under the law
of contract, because of the letter of engagement they sign. This is the
contract between the external auditor and the client, that is, the audited
company.
o Auditors may also be sued, if they fail to exercise their duty with reasonable
care and skill, for negligence under the law of tort. They can be sued by
anyone to whom they owe a duty of care.

You should familiarize yourself with any legislation or case law which applies to
auditors within your own jurisdiction.

1.9 Fundamental principles of public sector auditing (ISSAI 100)


ISSAI 100 (Fundamental principles of public sector auditing) relates directly to
public sector audit. The standard aims to provide a conceptual base for public
sector auditing and ensure consistency in the INTOSAI framework.
The principles apply to all public sector audits regardless of their form or context.

1.9.1 Public sector audit frameworks


ISSAI 100 addresses the mandate for public sector audit. This will differ from
country to country as the role of the audit organizations will be determined in the
constitution with the mandate further detailed in legislation. The constitutional and
legal arrangements will determine the duties of the audit institution and ensure its
power and independence.

Public sector audit institutions may perform many types of engagement on any
subject relevant to their constitutional responsibility. These will vary according to
national legislation. Audit institutions will need to develop plans and processes that
respond to their legislative position.

In some countries a court of auditors exists with authority over state accountants
and other public officials. This requires that whoever is charged with public funds
is held accountable.


An example of this is the German federal court of auditors that examines the
financial management of the federal government. The constitution ensures its
independence by not making it subordinate to federal government. The Court
chooses its own areas for investigation and makes recommendations on these.

The state audit institution may carry out audits itself or supervise the work of
private audit firms.

The objectives of a public sector audit will vary according to the type and nature
of the audit; however, according to ISSAI 100, all public sector audits will contribute
to good governance by:
▪ ‘providing the intended users with independent, objective and reliable
information, conclusions or opinions based on sufficient and appropriate
evidence relating to public entities;
▪ enhancing accountability and transparency, encouraging continuous
improvement and sustained confidence in the appropriate use of public funds
and assets and the performance of public administration;
▪ reinforcing the effectiveness of those bodies within the constitutional
arrangement that exercise general monitoring and corrective functions over
government, and those responsible for the management of publicly-funded
activities;
▪ creating incentives for change by providing knowledge, comprehensive analysis
and well-founded recommendations for improvement’. (ISSAI 100.20)

1.9.2 Introduction to principles
ISSAI 100 contains a number of fundamental principles. These are grouped as
general principles and principles that relate to various stages of the audit. The
principles that relate to the conduct of an audit will be covered later in these
materials and you will find that the general principles are expanded on
throughout the materials. You should return to this diagram at the end of the
course and ensure that you can understand all of the principles.


1.9.3 General principles


Ethics and independence: Auditors should comply with the relevant ethical
requirements and be independent.

Ethical principles should be embedded in an auditor’s professional behavior. (ISSAI
100.36)

Professional judgment, due care and skepticism: Auditors should maintain
appropriate professional behavior by applying professional scepticism, professional
judgment and due care throughout the audit.

The auditor’s attitude should be characterized by professional scepticism and
professional judgement. (ISSAI 100.37)

Quality control: Auditors should perform the audit in accordance with
professional standards on quality control. (ISSAI 100.38)


Audit team management and skills: Auditors should possess or have access
to the necessary skills.
The individuals in the audit team should collectively possess the knowledge, skills
and expertise necessary to successfully complete the audit. (ISSAI 100.39)

Audit risk: Auditors should manage the risks of providing a report that is
inappropriate in the circumstances of the audit. (ISSAI 100.40)

Materiality: Auditors should consider materiality throughout the audit process.
A matter can be judged as material if knowledge of it would be likely to influence
the judgements of the user. (ISSAI 100.41)

Documentation: Auditors should prepare audit documentation that is sufficiently
detailed to provide a clear understanding of the work performed, evidence
obtained and conclusions reached. (ISSAI 100.42)

Communication: Auditors should establish effective communication throughout
the audit process. (ISSAI 100.43)

1.9.4 Principles related to the audit process


Planning an audit (ISSAI 100.44-48)
▪ Auditors should ensure that the terms of the audit have been clearly
established.
▪ Auditors should obtain an understanding of the nature of the entity/programme
to be audited.
▪ Auditors should conduct a risk assessment or problem analysis and revise this
as necessary in response to the audit findings.
▪ Auditors should identify and assess the risks of fraud relevant to the audit
objectives.

Auditors should plan their work to ensure that the audit is conducted in an effective
and efficient manner.

Conducting an audit (ISSAI 100.49 & 50)


▪ Auditors should perform audit procedures that provide sufficient appropriate
audit evidence to support the audit report.
▪ Auditors should evaluate the audit evidence and draw conclusions.

Reporting and follow up (ISSAI 100.51)


Auditors should prepare a report based on the conclusions reached.

1.10 Audit of financial statements – the private sector


1.10.1 Company audit requirements
As with public sector audits, company requirements vary from country to country.
In the majority of jurisdictions, companies above a certain size are required to have
an annual audit of the financial statements. In addition to legislative requirements,
a Stock Exchange listing will often require an annual financial audit.

Companies that are traded internationally may require an annual audit; for
example, in the USA federal securities laws require that businesses whose ownership
and debt securities are traded in the public markets have annual audits.

ISSAI 2200 sets out the objectives of financial audit as follows:

In conducting an audit of financial statements, the overall objectives of the auditor
are:
▪ To obtain reasonable assurance about whether the financial statements as a
whole are free from material misstatement, whether due to fraud or error,
thereby enabling the auditor to express an opinion on whether the financial
statements are prepared, in all material respects, in accordance with an
applicable financial reporting framework; and
▪ To report on the financial statements, and communicate the result of the audit,
in accordance with the auditor’s findings. (ISSAI 2200.17)

The country of operation will determine the applicable financial reporting
framework.

1.11 Audit of financial statements – the public sector


1.11.1 Introduction
The arrangements for audit in the public sector are often more complex than those
for the private sector.


This section will briefly compare company and public audit models and consider
some of the wider roles that auditors play in the public services.

1.11.2 Comparison with company audit
There are many features in common between company and public audit. The audit
of financial statements is the key similarity. Auditors will normally have similar
powers of access to the information and explanations required, though the specific
sources of such authority will differ.

The appointment of company auditors is normally autonomous and is controlled
by the members of the company. In some instances, the audit of larger public
bodies in particular is governed by statutory authority, giving the body no power
to appoint its own auditor. Audits are typically carried out by a public official (an
Auditor General or equivalent) who will typically control a public body, staffed with
audit professionals who allow him or her to fulfil their responsibilities as a state
auditor.

As there are no shareholders, the addressees of the auditor’s report may vary. For
example, the audit report of a government ministry may be addressed to the
members of the parliamentary authority which granted the ministry the authority
to spend public funds.

1.11.3 Wider responsibilities


Auditors in the public sector often have wider responsibilities and powers than the
auditors of companies. This is a complex area, due to the variety of arrangements
in different countries and sectors, but INTOSAI standards recognize that a
‘financial audit’ in the public sector is normally somewhat broader than just the
audit of financial statements.

These wider roles can include examining and reporting on:
▪ The regularity of expenditure. This means that expenditure was incurred in
accordance with the legislation authorizing it.
▪ Probity and general arrangements for sound financial management. This is part
of a wider public-interest duty to report on whether public money is subject to
proper stewardship.
▪ Investigations of and reporting on mismanagement of public funds.
▪ Audit of reported performance information.
▪ Performance audit
▪ Certification of grant claims made by public bodies.

1.12 Agreeing the terms of an audit engagement


ISSAI 2210 (ISA 210 - Agreeing the terms of an audit engagement) is the relevant
standard here and it recognizes that the terms of an audit engagement in the
public sector are normally mandated and therefore not subject to requests from,
and agreement with, management. Therefore, the requirements of the standard
are useful in establishing a common, formal understanding of the respective roles
and responsibilities of management and the auditor.

Management must accept their responsibility for preparing the financial
statements, for a system of internal control that enables the preparation of
financial statements that show a true and fair view and for providing the auditor
with appropriate supporting information.

This should be documented and this document is commonly known as an
engagement letter. ISSAI 2210 requires that it contain:
▪ The objective and scope of the audit to be conducted;
▪ The responsibilities of the auditor;
▪ The responsibilities of management;
▪ The applicable financial reporting framework for the preparation of the financial
statements; and
▪ The expected form and content of any reports to be issued by the auditor.


Quiz Q # 1.1: Which of the following would not normally be part of an assurance
engagement?
A. The responsible party, for example, the management of the organization
B. The users, for example, the shareholders
C. The practitioner, for example, the auditor
D. The standards board, for example, INTOSAI

Quiz Q # 1.2: Which of the following is an example of negative assurance?
A. The auditors state that the financial statements are materially misstated
B. The auditor states that they are unable to obtain sufficient appropriate audit
evidence
C. The auditor states that audit procedures are not necessary in a particular area
D. The auditor states that nothing has come to their attention to indicate that the
disclosures are inaccurate

Quiz Q # 1.3: Which of the following IS a common responsibility of the external
auditor?
A. To correct financial statements that they consider to be misstated
B. To detect all misstatements whether due to fraud or error
C. To obtain sufficient appropriate audit evidence to base an opinion on
D. To prepare financial statements that give a true and fair view of the
performance of the organization

Quiz Q # 1.4: Which of the following could sue an external auditor under the law
of tort?
A. The management of the client organization
B. Someone to whom they owe a duty of care
C. The internal auditors of the client organization
D. Any stakeholder

Quiz Q # 1.5: Which of the following are all defined as general principles under
ISSAI 100?
A. Ethics and independence, documentation, communication and materiality
B. Planning the audit, conducting the audit and reporting and follow up.
C. Confidentiality, professional competence and due care, integrity and honesty
D. Ethics and independence, integrity, documentation and materiality.

CHAPTER 2 – ETHICS AND CORPORATE GOVERNANCE

Syllabus aim
▪ Identify and explain the scope, regulatory and ethical environment within which
audits are performed.

Learning outcomes and content


▪ Explain the scope of internal and external audits:
o Concepts of independence and objectivity

▪ Discuss and demonstrate the importance of ethical behavior in audit work and
the requirements of applicable standards:
o Professional ethical and legal principles relating to auditor behavior
o Ethical principles, their associated threats and safeguards and their
relevance in an audit and assurance context
o IFAC Code of Ethics for Professional Accountants
o CIPFA Standard of Professional Practice on Ethics
o Code of Ethics - ISSAI 130

▪ Explain the quality control requirements for an audit:
o Good practice in quality control as presented in quality control standards

▪ Explain corporate governance requirements and their impact on audit work:
o Objectives and enforcement of corporate governance
o Structure and role of an Audit committee
o Contribution of internal and external auditors to corporate governance, in
particular through their relationship with the Audit Committee


2.1 Ethics and corporate governance


The public and other stakeholders have high ethical expectations of auditors. This
is based in part on the nature of assurance engagements and the need for the
users of assurance to have the highest confidence in the independence, objectivity
and diligence of those providing it. It is also based upon the powers of the auditor,
with unfettered access to client information, much of which will be commercially
sensitive or confidential. It may also reflect the seriousness of the consequences
when auditors fail.

You will have studied sources of ethical guidance as part of the Financial
Accounting module. This chapter will revise the principles underpinning
professional ethical behavior, the threats to these principles, and then go on to
consider some of the safeguards which would assist auditors in complying with
them.

Many organizations make significant disclosures with regard to their corporate
governance arrangements and/or the adequacy of internal control arrangements
within their organization. This chapter will consider the nature of these disclosures
and the role of the Audit Committee.

2.2 Audit of financial statements – the ethical framework


2.2.1 Ethical guidance
Before we go on to consider the specific ethical principles you should attempt the
following exercise.

Exercise 2.1: What do you think you should do, as an auditor, if you were ever
concerned that your objectivity might be compromised, or be seen to be
compromised?

For example: If you were offered a gift by an audit client or found out that your
next audit client has just employed a friend of yours?

Requirements: Note your thoughts on the considerations you would need to bear
in mind and a professional course of action.


2.2.2 Fundamental ethical principles


CIPFA’s SoPP (Statement of professional practice) imposes a duty on its members
to ensure that the following principles of ethical behavior are applied in the
discharge of their day to day responsibilities:

1. Integrity: This is about being truthful, straightforward and honest, dealing
fairly with people and situations. Behaving with integrity would prevent one
making misleading or false statements, whether by omission or inclusion of
information, either knowingly or without taking care to establish the validity of
the data.

2. Objectivity: The avoidance of bias, whether for personal self-interest, or
because of pressure from another, and closely allied to independence.

3. Professional competence and due care: This is about acquiring and
maintaining appropriate technical and other relevant skills and competence to
perform our work, doing it thoroughly and correctly, on a timely basis, and
ensuring that users of our output understand its context and limitations.

4. Confidentiality: Information about organizations and people encountered in
the course of accountancy assignments should not be disclosed to anyone who
does not have a legal or professional right to it.

Specific instances in which it would be appropriate to make a disclosure include:
▪ Where an auditor is personally involved in litigation; and
▪ Where an auditor is subject to disciplinary proceedings by their professional
body.

However, an auditor can be required to disclose information to various
regulatory bodies under, for example, legislation relating to money
laundering, serious fraud and tax evasion. An auditor is also permitted to
disclose information which is considered to be in the ‘public interest’.

5. Professional behavior: This is complying with standards and laws, and avoiding
actions that might bring the profession into disrepute.

These principles apply to all CIPFA accountants, which includes CIPFA members
who work as auditors. The principles of objectivity (which is closely allied to
audit independence) and confidentiality (given the free access that auditors
have to sensitive and confidential information) are of particular importance to
auditors.

Exercise 2.2: The head of internal audit (a CIPFA member) in a public sector
organization is about to tender for the contract for the internal audit service.

A new member of her team has been recruited in the normal course, from the
department responsible for devising the tender contract. He is employed as a
support administrator. Although he was not involved with the tender process, his
former colleague and friend is responsible for the tender specification document
and the evaluation process.

Her new employee had sight of some of the requirements and has offered to share
with her information that may be of use when preparing the tender. However, this
information is confidential and should not be seen by any of the tendering parties.

It will be an open tender process for both external and internal providers. Bids
from external providers are being encouraged. The evaluation process has been
designed with this in mind. If the contract is awarded externally, the head of
internal audit will be unsure of her personal position in the organization.

She understands the use of any insider knowledge of the tendering process would
be inappropriate when preparing the tender proposal, but she feels she would
have a better chance of success if she used this confidential information.

Requirements: Describe the ethical principles that the head of internal audit
must have regard to when considering the approach to take when preparing the
tender proposal.

2.2.3 Threats to ethical behavior


The IFAC Code and CIPFA’s SoPP consider a list of possible threats to the principles
that members are likely to encounter. It is advisable that members examine each
situation to identify possible threats.

1. Self-interest: Any situation in which we have, or someone close to us has, a
vested interest in an outcome, over which we have some degree of influence
or control.
For example: Having a financial interest in a client.
It is important to note that this threat is not limited to purely financial interests;
a self-interest threat would exist if your employment status were under
question: it might make us more vulnerable to intimidation.

2. Self-review: When we have to check, audit or approve our own work.
For example: Auditing financial statements you have contributed to.

3. Advocacy: When we promote a position or view to an extent that we become
associated with it and our promotion exceeds the facts in the case.
For example: Acting as an advocate for a client in litigation or dispute with an
entity.

4. Familiarity: Familiarity may arise from long association with individuals
(clients, colleagues or customers). Objective critique of the work of someone
you know well becomes harder because it impacts on your relationship with
them.
For example: Auditing a client for many years.

5. Intimidation: Occurs in any situation where somebody puts pressure on us
(or is perceived to) to achieve a particular outcome.
For example: The consequences of an adverse audit opinion can be very serious
for the future of an organization or at least the careers of certain individuals.
There can thus be an incentive for auditees to put pressure on an auditor to
tone down or omit any concerns they have when giving an audit opinion.

6. Political bias: This relates to the public sector and occurs when accountants
become associated with a political position.
For example: Being lenient as an auditor due to political sympathies with the
local government councilors.


2.2.4 ISSAI 130 – Code of Ethics


INTOSAI have issued a Code of Ethics which is ‘a comprehensive statement of the
values and principles which should guide the daily work of auditors’. It is issued as
ISSAI 130.

INTOSAI recognize that local factors may need to be taken into account, including
national laws/regulations and you should familiarize yourself with any more
specific ethical guidance that applies in your own country or organization.

ISSAI 130 sets out principles which should guide the behavior of individual
auditors. The relevant contents are reproduced below.

Note: ‘political neutrality’ is an ethical consideration that is arguably applicable only
to public sector organizations.

When you read through these principles you will observe that there are many
similarities with those in the CIPFA SoPP and the IFAC code.

FUNDAMENTAL ETHICAL VALUES


9. This Code is based on five fundamental values. These values, and the
respective summarized guiding principles, follow:
a. Integrity – to act honestly, reliably, in good faith and in the public interest;
b. Independence and objectivity – to be free from circumstances or
influences that compromise, or may be seen as compromising, professional
judgement, and to act in an impartial and unbiased manner;
c. Competence – to acquire and maintain knowledge and skills appropriate
for the role, and to act in accordance with applicable standards, and with
due care;
d. Professional behavior – to comply with applicable laws, regulations and
conventions, and to avoid any conduct that may discredit the SAI;
e. Confidentiality and transparency – to appropriately protect information,
balancing this with the need for transparency and accountability.


RISKS AND CONTROLS


10. Risks (often also referred to as ‘threats’ or ‘vulnerabilities’) of
non-compliance with the above values can be influenced by a number of risk factors.
These include, but are not limited to:
a. political influence and external pressure from auditees or other parties;
b. personal interests;
c. inappropriate bias from previous judgements made by the SAI or SAI staff;
d. advocating the interests of auditees or other parties;
e. long or close relationships.

INTEGRITY
25. Requirements at the level of SAI staff
a. The SAI’s leadership shall lead by example.
b. SAI staff shall set a good example by acting honestly, reliably, in good faith
and in the public interest. In the course of their work they shall be
trustworthy. They shall comply with the policies and standards set by the
organization.
c. SAI staff shall take care to exercise responsibilities and use the powers,
information and resources at their disposal solely for the benefit of the public
interest. They shall not use their position to obtain favors or personal
benefits for them or for third parties.
d. SAI staff shall be aware of integrity vulnerabilities and approaches to
mitigate them, and shall act accordingly.

INDEPENDENCE AND OBJECTIVITY


35. Requirements at the level of SAI staff
a. SAI staff shall be free of impairments to independence and objectivity,
whether real or perceived, that result from political bias, participation in
management, self-review, financial or other personal interest, or
relationships with, or undue influence from, others. For this purpose SAI
staff shall:
i. maintain independence from political influence and be free from
political bias;
ii. not be involved in the auditee management’s decision-making;
iii. not audit their own work;

iv. avoid auditing entities in which they have recently been employed,
without appropriate safeguards;
v. avoid circumstances where personal interests could impact decision-
making;
vi. avoid circumstances where relationships with the management or
personnel of the auditee or other entities could impact decision-
making;
vii. refuse gifts, gratuities or preferential treatment that could impair
independence or objectivity.
b. SAI staff shall identify possible threats and situations in which their
independence or objectivity may be impaired.
c. SAI staff shall inform the management about any pre-existing relevant
relationships and situations that may present a threat to independence or
objectivity.

COMPETENCE
51. Requirements at the level of SAI staff
a. SAI staff shall perform their job in accordance with applicable standards and
with due care.
b. SAI staff shall act in accordance with the requirements of the assignment,
carefully, thoroughly and on a timely basis.
c. SAI staff shall maintain and develop their knowledge and skills to keep up
with the developments in their professional environment in order to perform
their job optimally.

PROFESSIONAL BEHAVIOR
60. Requirements at the level of SAI staff
a. SAI staff shall comply with the laws, regulations and conventions of the
society in which they operate, as well as with the guidance for their behavior
established by the SAI.
b. SAI staff shall not engage in conduct that may discredit the SAI.
c. SAI staff shall inform their superiors about any arising conflicts between the
SAI’s and their profession’s ethical requirements.


CONFIDENTIALITY AND TRANSPARENCY


71. Requirements at the level of SAI staff
a. SAI staff shall be aware of the legal obligations and of the SAI’s policies and
guidelines concerning both confidentiality and transparency.
b. SAI staff shall not disclose any information acquired as a result of their work
without proper and specific authority, unless there is a legal or professional
right or duty to do so.
c. SAI staff shall not use confidential information for personal gain or for gain
of third parties.
d. SAI staff shall be alert to the possibility of inadvertent disclosure to third
parties of confidential information.
e. SAI staff shall maintain professional confidentiality during and after
termination of employment.

Exercise 2.3: You are the external auditor for a state-funded hospital, which has
some discretion over its choice of auditor.

As the hospital approaches the year-end, the Director of Finance identifies a
number of accounting adjustments that will ensure the hospital achieves its
statutory financial duties, including to break even. The adjustments include
changing the accounting policy for some items of inventory and capitalizing certain
salaries.
The Director of Finance has now reported to the local strategic health authority
that the hospital will break even for the year.

The adjustments made have now come to light during the audit, and you (in your
role as external auditor) do not accept that the accounting treatments are correct.
As the adjustments are material, if the hospital does not amend its accounts, you
will have to qualify your opinion.

When the issues are discussed with the Director of Finance, he states that “These
are legitimate interpretations of accounting policy and if you do not accept them I
will ensure that we appoint different auditors in future.” He also tells the local
newspaper that “Our auditors are determined to make our financial position look
worse than it is.”


Requirements:
a. Outline the ethical principles, set out by the INTOSAI Code of Ethics, you must
have regard to in considering your position and the possible impact of
complying with the Director of Finance’s demands on your observance of them.
b. What would be the suggested course of action to ensure compliance with the
INTOSAI Code of Ethics?

2.3 Audit of financial statements – the quality control framework


2.3.1 Introduction
For auditors (often large organizations with complex team structures) to conduct
highly effective, professional and ethical audits requires a thorough system of
quality control. There are two main elements of INTOSAI guidance in this regard:
▪ ISSAI 140 (Quality control for SAIs), which relates to general quality control
arrangements within the overall audit function.
▪ ISSAI 2220 (ISA 220 - Quality control for an audit of financial statements),
which relates to the quality control arrangements to be applied on an individual
audit.

The requirements of these standards are summarized below.

2.3.2 ISSAI 140


The Standard requires that the audit organization establish and maintain a system
of quality control that addresses the following six elements.

1. Leadership responsibilities for quality: This is focused on ensuring that a


quality-oriented culture is promoted, and the quality control system should be
led, ultimately by the head of an SAI.

2. Relevant ethical requirements: This focuses on developing internal
processes to maintain compliance with ethical requirements.

3. Acceptance and continuance of client relationships: This focuses on the
policies and procedures for taking on or keeping an audit client, and specifically
whether the auditors are:
▪ competent to act as auditors;

▪ able to comply with ethical requirements, with conflicts of interest being a
key consideration; and
▪ satisfied with the integrity of the actual or potential client.

The ISSAI acknowledges that SAIs may have limited control over who they
audit; in some cases they may be required to conduct an audit by law.

4. Human resources: This focuses on the policies and procedures to secure for
the organization personnel with the required competences, capabilities and
commitment to ethical principles.

5. Engagement performance: This focuses on the general arrangements for
the consistent performance of audits to a high quality, concentrating largely on
arrangements for supervision and review.

6. Monitoring: These are the arrangements for reviewing the quality control
system itself, obtaining assurance that it remains relevant and adequate and is
operating effectively.

2.3.3 ISSAI 2220


Many of the arrangements that are required are similar to those described above
(ISSAI 140 – Quality control for SAIs) but are more specific to an individual
engagement.

1. Direction, supervision and performance: This sets out the responsibility
of the leader of the audit team for the direction of the audit in a manner
compliant with professional, legal and regulatory requirements.

2. Reviews: This sets out the responsibility of the leader of the audit team for
reviews being performed. Clearly much of this work would be delegated to
managers and supervisors but the ultimate responsibility lies with the audit
partner.

3. Consultation: Similarly, the leader of the audit team has responsibilities for
ensuring that appropriate consultation, especially on contentious audit matters,
takes place both within the audit team and with others.

4. Engagement quality review: For certain high-profile audits an ‘engagement
quality control reviewer’ will be appointed who will discuss significant matters
arising during the audit engagement. This is, in effect, peer supervision and
review of the leader of the audit team.

5. Differences of opinion: There should be arrangements for resolving any
significant differences of opinion that arise in or with the audit team in the
course of an audit.

Furthermore, there is a requirement for the auditor to document the issues
identified and conclusions reached in the course of the quality control process, as
it applies to each individual audit.

2.4 The governance framework


2.4.1 Good governance
Introduction: In addition to the traditional financial reporting requirements of
companies, many large companies (especially those listed on stock markets) have
a more complex set of reporting requirements, reflecting wider concerns about the
way in which such influential organizations are managed and controlled.

This culture of increased scrutiny has had an effect on the role of auditors, both
in an advisory capacity (on what is best practice and how to support it) and in an
assurance capacity (reviewing the statements given by the organization and
providing assurance on their reliability). The arrangements recommended by
current governance guidance, in particular the focus on audit committees, have also
had an impact on the work of auditors.

Corporate governance: There are a number of definitions of corporate
governance but the one we will use here is that it is the system by which companies
are directed and controlled.

This definition centers on private companies, and in many countries, it is investors
and other company stakeholders who have taken the lead on corporate
governance. However, many of the fundamental principles can also be applied to
the governance of the public services.

Common considerations: Corporate governance is concerned with the ways in
which large organizations can be controlled effectively at the most senior level
while operating with integrity, transparency and accountability.

There is considerable emphasis on designing the checks and balances necessary
to prevent abuses of executive power.

Organizational accountability is a prominent feature of good governance, and audit
arrangements are critical to public accountability.

Governance guidance: There are a variety of guidance documents which seek
to codify good governance practice. Unlike the audit of financial statements,
there is arguably no single authoritative set of international standards,
though there are often many similarities between the various guidance documents,
reflecting common thinking on good practice.

Some guidance can, however, be mandatory within a particular country and/or a
specific sector of the economy. You should establish which, if any, codes apply to
your own country and sector.

2.4.2 Audit committees


The role of an effective audit committee: Audit committees have been a key
feature of the development of governance best practice. Although their roles can
vary significantly, they are intended to manage the organization's relationship with
external and (where present) internal audit to support improved communication,
assurance and organizational risk management.

Governance codes often stress that:


An objective and professional relationship is needed between those charged with
governance and the auditors. This serves to avoid the pressures put on auditors
in the past to ‘bend the rules’ on contentious matters to satisfy the whims of a
dominant chief executive.

The establishment of an audit committee should be beneficial to the auditors in
helping to improve communication between those charged with governance,
auditors and management.

The membership of an effective audit committee: An audit committee is a
subcommittee of the body charged with governance of a large organization. It is
important that they are able to give a view that is independent and objective. It is
thus seen as important that audit committee members are not executive and do
not have day-to-day management responsibilities. Non-executives who have had
long or close past involvement in running the organization should normally be
avoided for the same reason – the audit committee requires a degree of
detachment from the organization.

It is also important that the committee has sufficient skill to carry out its work.
Finance, accountancy and audit have significant technical aspects. It is seen as
important that at least one member of such a committee should have the technical
knowledge and experience to understand the financial management of the
organization and the work conducted by its auditors in technical detail. Where
governance codes allow for this, a weakness in this area could be addressed by
‘co-opting’ an external expert to advise the committee.

The functions of an audit committee: You should always consult any
governance codes, regulation or audit law that relate to your own country and
sector to determine what functions are appropriate to your own organization's
circumstances, but examples of common audit committee functions are set out
below.
▪ To monitor the integrity of the financial statements of the organization;
▪ To review the internal controls of the organization;
▪ To review the risk management processes of the organization;
▪ To monitor and review the effectiveness of the organization's internal audit
function;
▪ To make recommendations to the board in relation to the appointment and
terms of engagement of the external auditor;
▪ To review and monitor the external auditor’s independence and objectivity and
the effectiveness of the audit process;
▪ To develop and implement policy on the engagement of the external auditor to
supply non-audit services.

Impact on auditors: Such arrangements will clearly have a significant impact on
the work of both external and internal auditors. The audit committee would clearly
be an important and routine reporting line for auditors. In addition to improving
communication, the existence of a committee with specific responsibilities
relating to audit, internal control and often risk management too will send a clear
signal to the rest of the organization about the importance of such matters.

The audit committee, made up of non-executives, should also be an important
guard against threats to auditor independence due to pressure being put upon the
auditor by management, and indeed would normally be the appropriate channel
for an auditor to raise any such concerns.

2.4.3 Governance disclosures


The nature of governance disclosures: Many organizations make significant
disclosures with regards to their corporate governance arrangements and/or the
adequacy of internal control arrangements within their organization.

Such disclosures are often presented as a section within the directors’ annual
report or equivalent.

Common features of these disclosures typically include a statement on the strength
of internal control and adequacy of supporting arrangements. The nature of
internal control and its importance will be addressed in Chapter 4.

Auditor’s responsibilities with regard to governance disclosures –
internal audit: The findings of internal audit, communicated through the audit
committee, would clearly be a key consideration when preparing such a statement,
though it is important that internal audit maintain their operational independence
and as such internal audit should not prepare the governance disclosures.

Auditors’ responsibilities with regard to governance disclosures –
external audit: The auditors of an organization's financial statements are also
normally required to report, on an exception basis, on its governance disclosures.
This is an important distinction. Rather than providing positive assurance that the
disclosures are accurate, the auditor provides negative assurance, effectively
stating that they are not aware of any reason to think that the disclosures are
not accurate.

Exercise 2.4: External auditors help ensure accountability of management to their
external stakeholders. Internal auditors help ensure the accountability of different
parts of the management structure to the organization as a whole.

Auditors should have personal qualities and professional skills of the highest
standard. An essential element of this is adherence by auditors to a code of ethical
behavior.
Requirements:
a. Briefly describe the purpose of an external audit and the role of external
auditors.
b. Explain why external auditors must maintain and be seen to maintain their
independence from audit clients.

Exercise 2.5: You are a trainee accountant. As part of your rotational training
you are currently mid-way through a six-month placement with the internal audit
department of a municipality. The internal audit team is relatively small and
consequently you report directly to the Head of Internal Audit. You have recently
completed an audit and have uncovered what you regard as a number of material
operational deficiencies in the accounts receivable system. Although you have
issued a written report detailing your concerns to the Head of Internal Audit, you
are anxious that these matters have apparently been ignored in the final report to
the Audit Committee.

Requirements:
a. The INTOSAI Code of Ethics lists ‘professional secrecy’ as a fundamental ethical
principle. Explain this principle and explain circumstances in which an auditor
may have authority to disclose confidential client-related information to third
parties without the client’s knowledge or consent.
b. You have been advised by a colleague not to take your concerns on the lack of
reporting of issues in the accounts receivable system any further; that the best
course of action in the circumstances is to do nothing.
i. Explain why it would be inappropriate to follow this advice.
ii. As doing nothing is not an acceptable way forward, describe some possible
steps you could take that would be more appropriate in the circumstances
described.

Exercise 2.6
Requirements:
a. Identify some of the possible additional functions that auditors can fulfil in the
public sector.
b. Explain the recommended composition of an audit committee and the reasoning
which underlies these recommendations.
c. Explain the ethical need for ‘political neutrality’ by auditors working with
public service organizations.

Quiz Q # 2.1: Which of the following is NOT an ethical principle as set out in the
CIPFA SoPP on Ethics?
A. Integrity
B. Independence
C. Objectivity
D. Confidentiality

Quiz Q # 2.2: Which of the following is NOT an element of ISSAI 140?
A. Relevant ethical requirements
B. Engagement quality review
C. Acceptance and continuance of client relationships
D. Engagement performance

Quiz Q # 2.3: Which of the following is NOT a common responsibility of the audit
committee?
A. To develop and implement a system of internal control
B. To monitor risk management processes
C. To make recommendations regarding the appointment of the external auditors
D. To develop and implement policies relating to external audit delivering
non-audit services

Quiz Q # 2.4: A SAI has a policy prohibiting audit team leaders from auditing the
same client for more than five years or returning to that audit client for a further
five years.
Which threat is this most likely to address?
A. Intimidation
B. Self-review
C. Familiarity
D. Management

Quiz Q # 2.5: Exaggerating one’s professional experience would contravene
which of the following ethical principles?
A. Confidentiality
B. Independence
C. Objectivity
D. Integrity

CHAPTER 3 – AUDIT PLANNING AND AUDIT RISK

Syllabus aim
▪ Identify and explain the scope, regulatory and ethical environment within which
audits are performed.
▪ Explain the risk assessment and planning procedures required by relevant
auditing standards.
▪ Discuss the requirements of audit programmes, including the design of audit
tests, in order to obtain sufficient appropriate audit evidence.

Learning outcomes and content


▪ Explain the scope of internal and external audits:
o Materiality

▪ Explain the objectives and general principles of audit planning and risk
assessment:
o Audit strategy and audit planning
o Purpose of interim and final audits
o Impact of interim audit work on the final audit
o Documenting the audit plan

▪ Explain the audit assurance model underpinning the ISSAI approach to the
conduct of audits:
o Definition of audit risk
o Importance of professional scepticism
o Role of professional judgement

▪ Identify audit risks and discuss their implications:
o Setting of planning and performance materiality

▪ Explain the role of audit in an IT environment in relation to selecting and
evaluating audit evidence:
o Risks of auditing in an IT environment

3.1 Audit planning and audit risk


We have already seen (in Chapter 1) that an auditor is required to express an
opinion on whether the financial statements are presented fairly, and in
accordance with the applicable financial reporting framework. In doing so the
auditor is only able to provide reasonable assurance. Reasonable assurance is
obtained when the auditor has obtained sufficient appropriate audit evidence to
reduce audit risk (that is, the risk that the auditor expresses an inappropriate
opinion when the financial statements are materially misstated) to an acceptably
low level.

An integral part of this process is the planning of the audit. This chapter will
consider the development of the overall audit strategy for the engagement and
the audit plan.

It will then consider audit risk and its component elements.

3.2 Objectives and general principles of audit planning


3.2.1 The audit strategy and the audit plan
ISSAI 2300 (ISA 300 - Planning an audit of financial statements) relates to audit
planning.
For an audit to be carried out efficiently and effectively in a manner that is
compliant with all legal, ethical and professional requirements, it needs to be
carefully planned.

The complexity of the plan will typically depend on the size and complexity of the
audit client itself.

The ISSAI identifies the following as likely benefits of effective audit planning:
▪ ‘Helping the auditor to devote appropriate attention to important areas of the
audit.
▪ Helping the auditor identify and resolve potential problems on a timely basis.
▪ Helping the auditor properly organize and manage the audit engagement so
that it is performed in an effective and efficient manner.
▪ Assisting in the selection of engagement team members with appropriate levels
of capabilities and competence to respond to anticipated risks, and the proper
assignment of work to them.
▪ Facilitating the direction and supervision of engagement team members and
the review of their work.
▪ Assisting, where applicable, in coordination of work done by auditors of
components and experts’. (ISSAI 2300.2)

The ISSAI also notes that ‘planning is not a discrete phase of an audit, but rather
a continual and iterative process that often begins shortly after (or in connection
with) the completion of the previous audit and continues until the completion of
the current audit engagement’. (ISSAI 2300.A2)

The circumstances surrounding the audit may change significantly, and the
auditor’s approach (and thus the plan) needs to evolve depending on, among other
things, the auditor’s risk assessment (which may change as the audit progresses)
and the implications of the audit evidence that is uncovered. The ISSAI emphasises
the importance of discussions within the whole team in forming and developing
the audit plan.

The auditor is required to maintain both an audit strategy and an audit plan. (ISSAI
2300.7-9)

Audit strategy: The audit strategy sets the scope, timing and direction of the
audit, and in turn guides the development of the audit plan.

It is likely to include:
▪ The overall characteristics of the engagement that define its scope.
▪ The reporting objectives of the engagement.
▪ The factors that are significant in directing the engagement team’s efforts.
▪ The results of previously gained knowledge, whether gained through
preliminary engagement activities or on other, similar engagements.
▪ The nature, timing and extent of resources necessary to perform the
engagement. (ISSAI 2300.8)

Audit plan: Having developed the audit strategy, the auditor then needs to
formulate a plan that describes more specifically how the audit will be conducted,
along with procedures for obtaining audit evidence.

It is likely to include:
▪ The nature, timing and extent of planned risk assessment procedures.
▪ The nature, timing and extent of planned further audit procedures (for
example, to verify closing balances).
▪ Other planned audit procedures that are required to be carried out to comply
with ISSAIs and any other relevant regulatory requirements. (ISSAI 2300.9)

Deriving an audit plan from the audit strategy: It should be obvious from
the paragraphs above that the audit strategy drives the nature and content of the
audit plan.

Examples of how the strategy might influence the detail of the plan are as follows:
▪ The strategy might identify that the audit used to be subcontracted, but has
just been brought back in-house. As a result, more initial planning work than
normal might be required.
▪ The strategy might identify that the nature of the client’s business means that
its senior management is overseas for a certain period of the year. As a result,
the reporting timetable for the audit might be amended.
▪ The strategy might identify that a particular type of testing proved to be very
challenging in the previous year. As a result, more experienced audit staff might
be brought in to carry out the testing this year.
▪ The strategy might identify that the support services for a government body
(procurement, estates management etc.) have been moved to a shared service
center run by another government body. As a result, the auditors might be able
to place reliance on the work carried out by another audit team, and thereby
reduce the testing that they carry out themselves.
▪ The strategy might identify a significant increase in political focus on the
activities of a public sector body, due to a slight change in role. As a result, the
auditors might reduce the level of materiality.

Exercise 3.1: In your own words, distinguish between ‘audit strategy’ and ‘audit
plan’ and state THREE things you might expect to see in each document.

3.2.2 Interim and final audits


In fulfilling the statutory obligation to audit financial statements, the auditor needs
to take a risk-based approach to the audit work (ISSAI 2200.7; ISA 200 - Overall
objective of the independent auditor, and the conduct of an audit in accordance
with international standards on auditing). This may involve two different types of
audit testing that will be discussed in more detail in Chapter 4:
▪ Controls testing – which tests whether or not controls that govern the
production of financial statement balances are operating effectively.
▪ Substantive testing – which tests the integrity of a particular financial
statement balance, either by directly vouching the balance or through analytical
procedures.

Note: More precise definitions of these terms will be given in Chapter 4; for now it
is enough for you to have a broad understanding of what the terms mean.

Clearly an audit cannot be concluded until after the end of the accounting period
to which the financial statements relate. Auditors will therefore always need to
carry out some work after the year end. However, it is common practice for the
audit to be conducted in two separate stages, the interim audit and the final audit.

Interim audit: The interim audit is usually carried out before the end of the
relevant accounting period.

During the interim audit the auditor may:
▪ Record and evaluate the controls that are in place over the recording of financial
statement balances. The purpose of this evaluation is to determine whether the
controls, if operated as intended, can be relied upon to produce fairly presented
financial statement balances.
▪ Test that the controls are operating as intended (provided the controls are
evaluated as sufficient to be capable of producing reliable financial statement
balances). The purpose of this testing is to determine whether the controls
have been operating as intended during the period, and can therefore be relied
upon in practice as well as in theory.
▪ Carry out analytical procedures on interim financial statements that have been
produced for management or control purposes. Analytical procedures should
have already been carried out at the audit planning stage, as part of the overall
risk assessment (this will be covered in later chapters). However, they can also
be used at this point, to identify key trends and balances that need to be
investigated further at the final audit.

Final audit: As already stated, the final audit cannot take place until after the
year end.

At the final audit, the auditor may:
▪ Extend the controls testing that has already been carried out at the interim
audit to cover the period between the date of the interim audit and the year-
end. The purpose of this testing is to ensure that the controls operated as
intended throughout the period.
▪ Carry out substantive testing. Where the results of controls testing are
satisfactory, the amount of substantive testing can be reduced.

Impact of interim audit work on the final audit: The initial audit plan will
outline the extent and timing of the procedures to be carried out at both the interim
and the final audit stages.

However, the results of work carried out at the interim audit stage will often
influence the work needed at the final audit stage. Specifically:
▪ The evaluation and testing of controls at the interim stage may affect the extent
of additional controls testing required at the final stage.
▪ The evaluation and testing of internal controls at the interim stage may affect
the amount of substantive testing that needs to be carried out at the final stage.
▪ The preliminary analytical procedures carried out at the interim stage may draw
attention to key trends that will influence the nature and extent of substantive
testing at the final stage.

Exercise 3.2: Consider the following audit activities:
a. Testing 20 paid purchase invoices to check whether they had been authorized
for payment in line with normal control procedures of the audited body.
b. Considering the reasonableness of this year’s trade payables figure by
comparing it to last year’s figure.
c. Agreeing 10% of the total year-end trade receivables balance to supporting
documentation such as sales order, dispatch note and sales invoice.
d. Physically inspecting some of the assets included in the year-end property,
plant and equipment balance.
e. Examining the records of new employees joining during the first nine months
of the financial year to ensure that appropriate authorizations (commencement
of employment, rate of pay etc.) had been obtained in line with normal control
procedures of the audited body.

For each activity identify whether it would initially take place at the interim audit
or the final audit.

3.2.3 Documentation of the audit plan


Audit documentation is defined as: ‘the record of audit procedures performed,
relevant audit evidence obtained, and conclusions the auditor reached’. (ISSAI
2230.6)

More specifically, ISSAI 2300 requires that the documentation should include
(ISSAI 2300.12):
▪ The overall audit strategy.
▪ The audit plan.
▪ Any significant changes made during the audit engagement to the overall audit
strategy or the audit plan and the reasons for such changes (perhaps the result
of interim audit work on work done at the final audit as previously discussed).

3.3 The audit and assurance model underpinning the ISSAI approach to the conduct of audits
3.3.1 Reasonable assurance
In Chapter 1 you learnt that auditors can only be expected to provide reasonable
assurance.

ISSAI 2200 requires an auditor ‘to obtain reasonable assurance about whether the
financial statements are free from material misstatement, whether due to fraud or
error’.

You should recall that ISSAI 2200 states that ‘reasonable assurance is a high level
of assurance... However, reasonable assurance is not an absolute level of
assurance, because there are inherent limitations of an audit which result in most
of the audit evidence on which the auditor draws conclusions and bases the
auditor’s opinion being persuasive rather than conclusive’. (ISSAI 2200.5)

Exercise 3.3: There are inherent limitations of an audit which result in most of
the audit evidence on which the auditor draws conclusions and bases the auditor’s
opinion being persuasive rather than conclusive.

Make notes on what you think such limitations might include.

You should review the solution to this exercise before continuing.

3.3.2 Materiality
Closely linked to the concept of ‘reasonable assurance’ is that of ‘materiality’. Given
that auditors cannot give absolute assurance, it is reasonable that auditors should
focus their efforts on matters that are of the greatest concern to those who depend
on the accuracy of the financial statements.

ISSAI 2320 (ISA 320 - Materiality in planning and performing an audit) states that
‘misstatements, including omissions, are considered to be material if, individually
or in the aggregate, they could reasonably be expected to influence the economic
decisions of users taken on the basis of the financial statements’. (ISSAI 2320.2)

Materiality is thus crucial to the:
▪ planning of audit work;
▪ conduct of the audit; and
▪ formation and communication of the audit opinion.

It should also be noted that auditors do not have a responsibility to identify
misstatements that are not material.

Materiality might seem to be simply a matter of value – a £5 petty cash claim
seems trivial but a £5 million capital project does not – but ISSAI 1320 states that
‘Judgments about materiality are made in light of surrounding circumstances, and
are affected by the size or nature of misstatement, or a combination of both’
(Ibid).

Size: This is a monetary amount established by auditors at the start of the audit.
This is usually determined with regard to the size of the account e.g. 1% of total
assets, 2% of turnover, though ISSAIs make no formulaic requirements in this
regard.

For example: Clearly users will be far more concerned that a dilapidated hospital
wing was overvalued by £5 million than to find out that an expense claim for £20
was miscoded in the accounts.

Nature: Certain items in the accounts may be material by their high profile or the
particular disclosures required in respect of them. Fraud and irregular expenditure
are very sensitive topics in the public sector and errors falling into these categories
may be more material than other errors of greater monetary value. Special
reporting requirements may also fall into this category e.g. higher paid employees.

For example: It is quite common for auditors of hospitals to carry out an audit of
small sums of money/jewelry deposited for safekeeping by patients. This is despite
the fact that the cash value of the deposits is typically very small in relation to the
multi-million-pound budgets of the hospital concerned. The reason for this is that,
given the vulnerable nature of patients, public trust in the probity of the hospital
could be seriously undermined by any fraud or theft. Any losses could thus be
material by their nature.

Context: Referring back to the quote above from ISSAI 2320, ‘judgments about
materiality are made in light of surrounding circumstances’. In the public services,
such surrounding circumstances might include the regulatory framework, statutory
duties or targets. This might, in effect, make some errors or omissions material by
context. They could, for example, take a public body from just meeting a
statutory break-even target to just failing to do so.

3.3.3 Setting performance materiality in planning


ISSAI 2320 requires the auditor to determine materiality and ‘performance
materiality’. (ISSAI 2320.11)

The ISSAI avoids being prescriptive and emphasizes auditor judgement so there
is no standard formula for determining materiality but the ISSAI does require
materiality to be determined for the whole financial statements.

Auditors may also have to determine materiality for any given element of the
accounts which might reasonably be expected to affect the decisions of the users
of the accounts. For example, the auditor of an organization with known cash-flow
and liquidity problems might choose to determine materiality for the cash balance
in the accounts differently than for the accounts as a whole.

Performance materiality is defined as the ‘amount or amounts set by the auditor
at less than materiality for the financial statements as a whole to reduce to an
appropriately low level the probability that the aggregate of uncorrected and
undetected misstatements exceeds materiality for the financial statements as a
whole’. (ISSAI 2320.9)

This is a rather unwieldy definition but it simply means that several misstatements,
each below a materiality threshold, could add up to one that is above such a
threshold. The auditor must thus plan such that they are likely, when performing
the audit, to identify such multiple, smaller misstatements by setting ‘performance
materiality’ somewhat lower.

The ISSAI also requires the auditor to review and, if necessary, revise materiality
and performance materiality in the light of information gained in the course of the
audit. (ISSAI 2320.12 & 13)

3.3.4 Auditor scepticism and judgement


Scepticism: ISSAI 2200 requires auditors to adopt an attitude of scepticism,
which it defines as ‘an attitude that includes a questioning mind, being alert to
conditions which may indicate possible misstatement due to error or fraud, and a
critical assessment of audit evidence’. (ISSAI 2200.13)

In practical terms, auditors need to be alert to:

▪ Evidence that contradicts other evidence obtained.
▪ Conditions that may indicate the possibility of fraud.
▪ The need for audit procedures additional to those strictly required by the
ISSAIs.

If there is any doubt, the auditor should always investigate further and establish
whether additions to audit procedures are necessary to resolve the matter.

Judgement: The ISSAI also emphasizes that auditors need to continually apply
professional judgement in their work. This is particularly necessary when making
decisions about:
▪ Materiality and audit risk.
▪ The nature, timing and extent of audit procedures to be carried out.
▪ Whether sufficient audit evidence has been obtained.
▪ The reasonableness of actions taken by the audited body.

3.3.5 Audit Risk:


Audit risk is ‘the risk that the auditor expresses an inappropriate audit opinion
when the financial statements are materially misstated’. (ISSAI 1003)

It is the responsibility of the auditor to manage this risk and bring it to an
acceptably low level by obtaining sufficient, appropriate audit evidence.

Audit risk cannot be wholly eliminated. If this were possible then the auditor could
offer absolute assurance but, as we have seen, auditors can only offer reasonable
assurance, which entails a low but non-zero residual audit risk.

Audit risk ‘is a function of the risks of material misstatement and detection risk’.
(Ibid)

Audit Risk = (Risk of material misstatement) × Detection Risk

The ‘risk of material misstatement’ is the risk that the financial statements are
materially misstated prior to audit and can be further analyzed into ‘Inherent Risk’
and ‘Control Risk’, so we can say that:

Audit Risk = (Inherent Risk × Control Risk) × Detection Risk


or more simply:
Audit Risk = Inherent Risk × Control Risk × Detection Risk
or
AR = IR × CR × DR

From this we can see that audit risk has three components and can only be
identified once inherent, control and detection risks are known. We will consider
each of these components in turn.

Inherent Risk: ‘The susceptibility of an assertion (This term is explained later in
this chapter) about a class of transaction, account balance or disclosure to a
misstatement that could be material... before consideration of any related
controls’. (ISSAI 1003)

For example, significant risks may be presented by:


▪ Complex transactions, particularly when there is a large volume of these.
▪ Accounting estimates where estimation is inherently judgmental or complex.
▪ External circumstances, for example a technological change that would render
stock obsolete, affecting its valuation.

Role of Management: Management should identify inherent risks to their
organization and develop plans to manage these risks where appropriate.

Role of Audit: The auditor should assess inherent risk. The higher the level of
inherent risk, the greater the risk of a material misstatement and the consequent
risk of an inappropriate audit opinion.

Control Risk: ‘The risk that a misstatement that could occur in an assertion about
a class of transaction, account balance or disclosure and that could be material...
will not be prevented, or detected and corrected, on a timely basis by the entity’s
internal control’. (Ibid)

Control risk could be affected by factors such as:

▪ The quality and quantity of management/staff: if inadequately skilled staff, or
insufficient numbers of staff, are employed, basic controls such as segregation
of duties may not operate within an organization.
▪ The nature of control activities, frequency of their operation and the
segregation of duties in the course of their operation.

Role of Management: Management is responsible for establishing systematic
control mechanisms to ensure risks are managed effectively by a reliable internal
control framework.

Role of Audit: The auditor cannot affect the strength of management control (at
least not in the short term) but must assess its strength. The higher the level of
control risk, the greater the risk of a material misstatement and the consequent
risk of an inappropriate audit opinion.

Detection Risk: ‘The risk that the procedures performed by the auditor to reduce
audit risk to an acceptably low level will not detect a misstatement that exists and
that could be material, either individually or when aggregated with other
misstatements’. (Ibid)

This could be as a result of:


▪ Ineffective planning of audit procedures.
▪ Failure to target audit procedures to high-risk areas.
▪ Lack of skilled audit staff/insufficient resources.

Role of Management: While management manages inherent and control risk,
detection risk is managed by the auditor.

Role of Audit: Auditors first assess the levels of inherent and control risk, and
must then decide on an audit strategy that will reduce detection risk to a level
such that the consequent audit risk is acceptably low.

All other things being equal, the more audit testing the auditor conducts the lower
detection risk will be and, as a consequence, the lower audit risk will be.

Returning to the formula: AR = IR × CR × DR

IR and CR are a ‘given’ – the auditor can assess them but not directly affect them.

In order to reduce AR to an acceptably low level, the auditor must thus focus on
reducing DR.

All other things being equal, the more audit testing the auditor conducts the lower
DR will be.

This tends to have a significant impact on the extent and nature of the audit testing
carried out and often has a consequent impact on the approach taken to audit
sampling.

Exercise 3.4: This exercise will help you to consolidate your understanding of the
relationship between Audit Risk (AR) and its three component factors.

You are an audit manager, responsible for the audit of a public body. In a recent
meeting the Audit Partner has stated what level of audit risk is acceptable. You
and your team have then determined what the levels of inherent risk and control
risk are within the company and, as a consequence, have been able to determine
an acceptable level of detection risk.

Make a note of the implications of each of the following:


a. The Audit Partner declares a change in policy – the tolerable level of audit risk
has been lowered.
b. Political instability is having a serious effect on your client. This leads you to
conclude that inherent risk is somewhat higher than your initial assessment.
c. The client’s internal audit comments that their new Director of Finance has seen
through a programme of reform in the last year that has greatly improved
routine financial administration. This leads you to conclude that control risk is
somewhat lower than your initial assessment.

Exercise 3.5: You work for a private sector audit firm that has just been
appointed as external auditors to [Link], a limited company.

You have done some initial fact-finding, the results of which are shown below.


Requirements: Identify
a. Inherent Risks: The risks of a material misstatement before consideration of
any related controls.
b. Control Risks: The risks that a material misstatement will not be prevented,
or detected and corrected, on a timely basis by the entity’s internal control.

[Link] is a relatively new company, founded 18 months ago by an e-business
entrepreneur who owns 51% of share capital and is the Managing Director of the
firm. The balance of share capital is owned by a number of private investors and
venture capital funds.

[Link] is based around a gap that Buoy believes exists in the market: for the
urgent dispatch of new mobile phones to professional customers who have lost
their own. These are ordered either online or by phone to a customer service
center. Orders are then passed electronically to one of eight distribution centers
in major cities.

The firm has a well-advertised commitment to deliver its phones (by motorcycle
courier) within 90 minutes in these cities or three hours elsewhere. If the company
fails to meet this target, no charge is made for delivery.

Customers are required to take out a 24-month contract with one of the major
suppliers of mobile phone services. [Link] collects this credit income monthly
and pays for the service supplied. They receive a 5 per cent commission on the
contract, but if the customer fails to make payments [Link] has to meet the
outstanding liability.

So far, growth has been prodigious. Reported profits have been high but analysts
in the business press have commented on the risks of ‘overtrading’ – where cash
flow lags behind rapid business growth. This is supported by management
accounts to date which show high levels of both accounts receivable (through
credit sales) and accounts payable. Considerable capital investment has been
made in the IT systems and communications systems which are key to the
business model.


You have met the Chief Executive in his very impressive office in the headquarters
building. He strikes you as being very ambitious, with a real enthusiasm for driving
sales through good customer service and motivating his sales and distribution
managers through a generous performance related bonus scheme. He has
commented to you that:

‘While I understand the need for you to do your job, you have to understand that
I don’t want my business being bogged down. 97% of our phones are delivered
on time. I’m very proud of that and I don’t want my sales and delivery people
having their hands tied with red tape. I know my managers and trust them; I don’t
see the need to waste my money on an internal audit service.’

You have not yet been able to visit one of the eight distribution centers but have
met the Distribution Manager. He explains that the need to supply phones at short
notice means a substantial inventory must be held at all times. He confirms that
the majority (85 per cent) of sales are made by credit card, but as this is a premium
service often used in an emergency, couriers will accept payment in cash or
cheque, to be returned to the local store manager for banking.

You have been unable to meet up with the Finance Director, who is normally based
at the headquarters offices but is currently on holiday. He referred you to his
Finance Manager. She and her staff are based in a windowless room at the back
of an outlying distribution facility.
The Finance Manager is a newly qualified accountant, the only other in the
company being the Finance Director. She is responsible for all finance activities
including periodic production of budget reports, investment plans etc., as well as
the day-to-day exchequer functions such as paying creditors, payroll and debtor
control.

She seems enthusiastic and conscientious but rather fed up. She feels that Finance
is given a very low priority, being seen as a ‘necessary evil’ while energies are
devoted towards sales, marketing and customer focus. She has joked that her staff
get fed up slaving away to process ‘eye-opening’ payroll and expenses sheets for
the ‘in crowd’ at headquarters. She speaks to the Finance Director most days but
has only met him twice.


She has commented that her staff pay and morale are both low, the office is
understaffed and staff turnover is correspondingly high. You have asked her about
formal financial procedures but she has said she simply hasn’t had time to compile
any yet.

3.3.6 IT and the audit risk model


The widespread use of IT systems throughout most organizations means that
auditors will need to consider IT systems as part of their work. This applies when
considering inherent risk, control risk and detection risk.

Exercise 3.6: Identify what you think are the main inherent and control risks
associated with computerization.
Make a list of any of which you may be aware based on your own experience and
knowledge of using or auditing IT systems.

It may help to compare to manual and paper-based systems. Bear in mind that in
some cases IT may carry fewer or different risks.

Exercise 3.7
Requirements: You are the audit manager responsible for planning the audit of
a hospital for the year ended 31 March 20X4. Assume today’s date is 15 March
20X4. As part of the audit planning you discover the following issues. Explain the
impact of these items on the audit planning for the year ended 31 March 20X4,
and describe an appropriate audit response.
1. On 1 August 20X3, the manager responsible for authorizing expense claims
from staff at one department in the hospital was taken ill and was off work for
three months. During this period, the chief financial officer of the hospital
reviewed the overall expense claims from relevant staff for reasonableness
rather than authorizing each claim.
2. On 1 February 20X4, the trust received a letter from a solicitor acting for the
relatives of an elderly patient who had died at the hospital. This death took
place in December 20X3. The letter alleges negligence on the part of the
hospital and indicates an intention to seek financial compensation through the
courts. No date for legal proceedings has yet been set.
3. During the year, the hospital introduced a new procurement system for the
purchase of non-medical services such as catering and cleaning.

Exercise 3.8
Requirements:
a. Define the following terms, briefly stating factors which might affect each:
▪ Inherent risk
▪ Control risk
▪ Detection risk
b. Describe the factors that may indicate that:
▪ Audit risk is normal
▪ Audit risk is higher than normal
c. For the following organizations, identify possible factors which would require
consideration by an auditor in assessing inherent risk:
i. An ice cream manufacturer.
Small manufacturing base in a UK city; makes all his own ice cream and
owns three vans for delivery and sale in the street.
ii. A trader in heavy construction equipment.
High quality but expensive equipment; supplied from another country;
customers mainly municipalities and construction companies.
iii. Manufacturer and seller of fashionable knitwear.
Selling through its own outlets throughout the UK, and by mail order
overseas.

Exercise 3.9: This question covers some of the material in this chapter whilst also
helping you revise some of Chapters 1 and 2.

Requirements:
a. Define and explain the concept of ‘reasonable’ assurance.
b. Define ‘materiality’ and explain, with supporting examples, the two main factors
that would affect judgments regarding materiality.
c. Describe the role that auditor judgement plays in determining audit materiality.
d. The INTOSAI Code of Ethics identifies ‘Competence’ as a key ethical principle.
Explain this principle.
e. State three benefits of effective audit planning.


Quiz Q # 3.1: Which of the following is NOT a valid consequence of carrying out
an interim audit?
A. The overall amount of audit testing required may be reduced.
B. In the final audit, testing can be better focused on key risk areas.
C. Changes may be made to internal controls that will reduce the level of control
risk by the time of the final audit.
D. Where the results of interim controls testing are satisfactory, the amount of
substantive testing in the final audit can be reduced.

Quiz Q # 3.2: Which of the following correctly describes control risk?


A. The risk of material misstatement before consideration of any controls.
B. The risk that internal controls do not prevent or detect and correct material
misstatements.
C. The risk that the auditor fails to identify that a control is not working correctly
to prevent or detect and correct material misstatements.
D. The risk that controls fail to eliminate inherent risk.

Quiz Q # 3.3: Which of the following factors would be most likely to result in
an increased detection risk?
A. Use of experienced audit staff in high risk areas.
B. Focusing audit procedures on low risk areas.
C. Review of all audit work by the audit partner.
D. Effective audit planning.

Quiz Q # 3.4: Which of the following is NOT an inherent limitation of audit as set
out in ISSAI 2200?
A. The nature of financial reporting.
B. The nature of audit procedures.
C. The need for the audit to be conducted within a reasonable period of time.
D. The need for the auditors to make a profit on the audit.

Quiz Q # 3.5: Which of the following would you expect to find in an audit strategy?
A. The programme of work for the interim and final audits.
B. The audit staff that will be involved in the assignment.
C. The dates on which the interim and final audits are due to start and finish.
D. Problems arising from the previous year.

CHAPTER 4 – IDENTIFICATION AND ASSESSMENT OF RISK AND THE AUDITOR’S RESPONSE

Syllabus aim
▪ Explain the risk assessment and planning procedures required by relevant
auditing standards.
▪ Discuss the requirements of audit programmes, including the design of audit
tests, in order to obtain sufficient appropriate audit evidence.
▪ Discuss the use of audit evidence and apply audit evidence to form an audit
opinion.

Learning outcomes and content


▪ Identify the information required for the risk assessment process:
o Understanding the organization and its control environment
o Fraud risks and the related internal controls established
o Evaluation of the design and implementation of internal controls
o Preliminary analytical procedures
o Matters arising from audit team meeting proceedings
o Using the work of internal auditors

▪ Identify audit risks and discuss their implications:


o Identification of risk at the financial statement level
o Identification of risk at the assertion level
o Determination of potential misstatements in respect of each assertion
o Nature of significant risk and required audit responses

▪ Identify and discuss an overall audit response to address assessed risks at both
the financial statement and the assertion level:
o Use of experienced staff
o Enhanced supervision
o Changes in nature, timing and extent of audit tests
o Considerations regarding the control environment
o Focus on potential misstatements or key control weaknesses
o Role of controls testing
o Role of substantive testing
o Use of a combined testing approach


▪ Identify internal controls, design appropriate audit tests and identify the
requirements for audit working papers:
o Evaluation of control weaknesses
o Internal control procedures for key transactions and processes

▪ Identify and discuss the issues that an auditor would consider when assessing
control weaknesses or whether unadjusted misstatements are material,
individually or in aggregate:
o The nature of control weaknesses


4.1 Identification and assessment of risk and the auditor’s response


In this chapter, we will begin by considering the ways in which auditors identify
and assess risk. The requirements of ISSAI 2315 (ISA 315 - Identifying and
assessing the risks of material misstatement through understanding the entity and
its environment) will be considered in detail.

We will then examine the auditor’s responses to risk identification and assessment,
in particular the requirements of ISSAI 2330 (ISA 230 - The auditor’s response to
assessed risks).

4.2 ISSAI 2315 – Identifying and assessing the risks of material misstatement through understanding the entity and its environment

4.2.1 Introduction to ISSAI 2315
As its name suggests, ISSAI 2315 sets out the auditor’s responsibility to identify
and assess the risks of material misstatement in the financial statements, through
understanding the organization and its environment, including the organization's
internal control and risk assessment processes.

The main requirements of ISSAI 2315 are summarized below:


▪ ‘The auditor shall perform risk assessment procedures to provide a basis for
the identification and assessment of risks of material misstatement at the
financial statement and assertion levels’.
▪ The auditor is required to obtain an understanding of the entity and its
environment, including the entity’s internal control.
▪ The auditor shall identify and assess the risks of material misstatement. This is
to provide a basis for designing and performing further audit procedures.

We shall now go on to look at these requirements in turn.

4.2.2 Risk assessment procedures - overview


ISSAI 2315.6 states that audit procedures shall include the following:

Inquiries of management and others within the audited body: This can
help in understanding the environment within which the financial statements are
prepared, management’s own assessment of organizational risk and internal
control and key issues or changes that are affecting the organization. There is
clearly a need for professional scepticism when considering such representations.
‘Others’ includes internal audit where the organization has an internal audit
function.

Observation and inspection: This might involve simply observing the way in
which the organization's main activities operate, examining documents such as
business plans, strategies, management reports and other records. These might
be used to confirm management representations obtained through inquiries
(above).

Analytical procedures: These can be defined as ‘evaluations of financial
information through analysis of plausible relationships among both financial and
non-financial data’.

Analytical procedures are a technique commonly used in different ways
at different stages of an audit. Their mandatory use in risk assessment will be
considered in more detail below.

4.2.3 Risk assessment procedures – using the work of internal auditors


ISSAI 2315 states:
‘If an entity has an internal audit function, inquiries of the appropriate individuals
within the function may provide information that is useful to the auditor in
obtaining an understanding of the entity and its environment, and in identifying
risks at the financial statement and assertion levels. In performing its work, the
internal audit function is likely to have obtained insight into the entity’s operations
and business risks, and may have findings based on its work, such as identified
control deficiencies or risks, that may provide valuable input into the auditor’s
understanding of the entity, the auditor’s risk assessment or other aspects of the
audit. The auditor’s inquiries are therefore made whether or not the auditor
expects to use the work of the internal audit function’. (ISSAI 2315.A9)

Note: The use of internal audit’s work by external audit is covered by ISSAI 2610
and will be considered in chapter 5.


4.2.4 Risk assessment procedures – analytical procedures


The use of analytical procedures is a complex and wide-ranging area of audit
expertise in itself. The effective design of analytical procedures is dependent on a
sound understanding of the way in which a client’s business operates (which in
itself will vary significantly between sectors and individual clients) and thus the
relationships that might normally be expected between various data sets.
A full treatment is thus beyond the scope of these materials; what follows is a brief
introduction to some of the main types of analysis that might be carried out and
the contribution they could make to the auditor’s risk assessment process.

The role of analytical procedures in the risk assessment process: The
main role for analytical procedures at this stage of an audit is broadly to use
aggregated data from different sources (i.e. not individual transactions) to
identify issues that are suggestive of a risk of material misstatement. ISSAI 2315
identifies more specifically that analytical procedures can serve to:
▪ ‘Identify aspects of the entity of which the auditor was unaware’ (ISSAI
2315.A7); and
▪ ‘Assist the auditor in identifying risks of material misstatement, especially risks
of material misstatement due to fraud’. (ISSAI 2315.A8)

Types of analytical procedures at the planning stage of an audit may include the
following, though this is by no means an exhaustive list:

Profiling: For example, listing monthly levels of transactions and/or balances, and
seeking explanations for differences between them, for example gross payroll
totals. Many organizations (particularly in the public sector) experience an upsurge
in expenditure towards the year end. Where this has been the case in the past, a
fall in spending in March might indicate that the budget is in danger of being
exceeded and management is deliberately delaying payment.

Ratio analysis: i.e. calculating accounting or other ratios and focusing on
unexpected movements. For example, the ratio of salaries to staff numbers. Where
average wage costs per member of staff have been stable in the past, a rise or fall
in the calculated value for the current year may be the result of a change in the
pay system (which the auditor needs to assess) or it may indicate errors such as
misclassification of non-salary staff costs.

Trend analysis over time: An example of this process would be the comparison
of annual totals of activity and using them to predict this year’s level. If income for
a particular service has been rising steadily for a number of years and then starts
to fall, this could indicate the presence of alternatives in the marketplace which
will impair the organization’s ability to achieve its financial targets and put pressure
on other income-generating activities.

Comparison of actual with budget: For some services, for example, internal
re-charges, the total amount to be re-charged is predetermined and thus there
should be no difference at all between the budget and the outturn figures. Any
deviation will indicate a likelihood of error.

Comparison of one entity with another: i.e. comparing one organization or
department with another, either in terms of financial ratios/statistics or, more
generally, through performance indicators. Significant differences between two
organizations may be the result of structural or demographic factors but by careful
choice of comparable organizations some indications of risk areas may be
obtained.
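
The profiling, ratio analysis and comparison of actual with budget described above can be run over aggregated figures as follows. This is an added example, not part of the original study notes: every figure is constructed, and the tolerance thresholds are assumptions that an auditor would set by judgement.

```python
from statistics import mean

# Constructed sample figures (not from the study notes). All are aggregated
# totals, because planning-stage analytical procedures do not examine
# individual transactions.
PRIOR_MARCH_SHARES = [0.14, 0.15, 0.13]  # March spend / annual spend, last 3 years
CURRENT_MONTHLY_SPEND = [80, 82, 79, 81, 83, 80, 82, 84, 81, 83, 85, 60]  # Apr..Mar, thousands
PRIOR_COST_PER_HEAD = [30.1, 30.4, 30.2]  # salaries / staff numbers, thousands
CURRENT_COST_PER_HEAD = 33.9
RECHARGES = {"IT support": (120.0, 120.0), "Estates": (75.0, 71.5)}  # (budget, outturn)


def profile_year_end(prior_shares, monthly_spend, tolerance=0.03):
    """Profiling: compare the final month's share of annual spend with history.

    Returns (current_share, expected_share, flagged). The tolerance is an
    assumed threshold, not a figure from any standard.
    """
    current_share = monthly_spend[-1] / sum(monthly_spend)
    expected_share = mean(prior_shares)
    flagged = abs(current_share - expected_share) > tolerance
    return round(current_share, 4), round(expected_share, 4), flagged


def ratio_movement(prior_values, current_value, threshold_pct=5.0):
    """Ratio analysis: percentage movement of a ratio against its stable past.

    Returns (change_pct, flagged); a rise and a fall are both unexpected.
    """
    baseline = mean(prior_values)
    change_pct = (current_value - baseline) / baseline * 100
    return round(change_pct, 1), abs(change_pct) > threshold_pct


def budget_deviations(recharges, tolerance=0.005):
    """Actual versus budget for predetermined internal re-charges.

    The total is fixed in advance, so any difference beyond rounding is
    returned as an exception: {service: outturn - budget}.
    """
    return {
        name: round(outturn - budget, 2)
        for name, (budget, outturn) in recharges.items()
        if abs(outturn - budget) > tolerance
    }


def planning_flags():
    """Run the three procedures and list the matters to follow up at planning."""
    flags = []

    share, expected, flagged = profile_year_end(PRIOR_MARCH_SHARES, CURRENT_MONTHLY_SPEND)
    if flagged:
        direction = "fall" if share < expected else "rise"
        flags.append(
            f"Profiling: year-end month is {share:.2%} of annual spend against "
            f"{expected:.2%} historically ({direction}); ask whether payments "
            "are being delayed to stay within budget."
        )

    change_pct, flagged = ratio_movement(PRIOR_COST_PER_HEAD, CURRENT_COST_PER_HEAD)
    if flagged:
        flags.append(
            f"Ratio analysis: salary cost per head moved {change_pct:+.1f}%; "
            "check for a pay system change or misclassified non-salary costs."
        )

    for name, difference in budget_deviations(RECHARGES).items():
        flags.append(
            f"Budget comparison: re-charge '{name}' differs from budget by "
            f"{difference:+.2f}; a predetermined total should not deviate."
        )
    return flags


if __name__ == "__main__":
    for flag in planning_flags():
        print(flag)
```

Each flag is a prompt for inquiry rather than a conclusion: the same movement can have an innocent explanation, which is why the thresholds are left to auditor judgement.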

We will consider some examples of the types of information an auditor might
examine and the risks they might help to identify, as a basis for planning an audit
response:

Exercise 4.1: You are a member of a team auditing Bricket, which is an
organization owned jointly by three municipalities, which undertakes maintenance,
repair and minor construction works for these municipalities and some
independent providers of social housing.

You are conducting analytical procedures in the course of the risk assessment
process for this year’s audit of financial statements.


Bearing in mind the purposes of such procedures, set out above, present your
thoughts on the possible interpretations of each of the following analyses. Also
bear in mind the possible implications for the accuracy of the financial statements.
1. Last year the gross profit margin (turnover less the cost of sales) was 20%.
Budgetary reports for the first eight months of this financial year show a gross
profit margin of only 12%.
2. Last year the average time taken to settle accounts payable was 15 days. In
the year to date it has climbed to an average of 28 days.
3. In the last two years there was a noticeable increase in sales in the last two
months of the financial year. Bricket has the same financial year end date as
almost all of their clients.
4. Staff costs, which have been fairly stable in recent years, showed a one-off
10% increase in month four of the current financial year.
5. Bricket management accounts show that Work In Progress typically makes up
around 21% of the company’s net asset value. A recent industry survey shows
that in private building companies of similar size, the average is around 13%.
6. From your audit of similar organizations you know that Bricket’s spending on
sales and marketing is higher than usual – 2.4% of expenditure rather than the
1.1% which is more typical of the sector.

4.2.5 Understanding the entity and its environment


ISSAI 2315 requires auditors to obtain an understanding of the following:
▪ Relevant industry, regulatory and other external factors including the applicable
financial reporting framework
▪ The nature of the entity
▪ The entity’s selection and application of accounting policies
▪ The entity’s objectives and strategies
▪ The measurement and review of financial performance

Exercise 4.2: Auditors should not accept a client in the first place unless they
already understand its ‘industry, regulatory and other external factors including
the applicable financial reporting framework’.

But what steps could you take to actively maintain such expertise?


Exercise 4.3: What could you do to develop the understanding of a specific client
in the following areas?
▪ The nature of the entity
▪ The entity’s selection and application of accounting policies
▪ The entity’s objectives and strategies
▪ The measurement and review of financial performance

What sources of information might you use?

4.2.6 Understanding the entity’s internal control


ISSAI 1315 states ‘the auditor shall obtain an understanding of internal control
relevant to the audit’ (ISSAI 2315.12). The ISSAI acknowledges that the relevant
controls are likely to be those related to financial reporting though it stresses that
not all financial controls will be relevant to the audit and it is a matter of auditor
judgement to determine the relevance of any given control.

The ISSAI then goes on to set out the five components of internal control, as
follows:

1. The control environment: This is the overall environment and culture within
which internal control operates. It would include considerations such as the
‘tone’ set and the leadership demonstrated by those in management and
governance roles and the importance placed on internal control. It can be
thought of both as being part of internal control itself and as being the
organizational environment in which routine procedural controls can operate
effectively.

2. The entity’s risk assessment process: These are the arrangements to
identify risks to the organization (though the ISSAI focuses only on those risks
relevant to reporting objectives) and assess those risks in terms of their
likelihood and impact. The ISSAI also highlights the organizational
arrangements for deciding what to do to address such risks.

3. The information system, including the related business processes,
relevant to financial reporting, and communication: Auditors should also
obtain an understanding of the information system, including the related
business processes, relevant to financial reporting, including the following
areas:
▪ The classes of transactions that are significant to the financial statements.
▪ The procedures by which transactions are initiated, recorded, processed,
corrected as necessary, transferred to the general ledger and reported in
the financial statements.
▪ How events and conditions that are significant to the financial statements
are captured by the information systems.
▪ The financial reporting process used to prepare the entity’s financial
statements.
▪ Controls surrounding journal entries.

4. Control activities relevant to the audit: ‘The auditor shall obtain an
understanding of control activities relevant to the audit, being those the auditor
judges it necessary to understand in order to assess the risks of material
misstatement at the assertion level and design further audit procedures
responsive to assessed risks’. (ISSAI 2315.20)

5. Monitoring of controls: This is simply the monitoring, by those in governance
or management roles, of the effectiveness of internal control and the remedial
action taken where this is required.

The ISSAI also states that the auditor must obtain an understanding of the
responsibilities and activities of internal audit, to determine whether the internal
audit service is likely to be relevant to the audit. Internal audit should not,
however, be regarded as a component of internal control but rather as an
independent appraisal of internal control.

We will consider the potential relevance of internal audit to an audit of financial
statements in chapter 5.

4.2.7 The risk of material misstatement


Once an auditor has obtained an understanding of the entity and its environment,
including the entity’s internal control, then the auditor must identify and assess
the risks of material misstatement. This is to provide a basis for designing and
performing further audit procedures.

ISSAI 2315 requires the auditor to ‘perform risk assessment procedures to provide
a basis for the identification and assessment of risks of material misstatement
at the financial statement and assertion levels’ (ISSAI 2315.5).

We shall look at each of these levels in turn.

Financial statement level risks: These are pervasive risks that are not confined
to specific aspects or elements of the accounts. For example, if management are
not competent or internal controls seem to be routinely bypassed the effects are
likely to be widespread and may pose a risk to the accuracy of the financial
statements as a whole.

Financial statement assertions: When preparing and presenting a set of
financial statements, the audited body is (explicitly or implicitly) making a series
of assertions about those financial statements. For example, it would be asserted
that the accounts present a complete record of all balances and transactions, have
been recorded accurately, apply to the correct accounting period and so on.

Risks at the assertion level are the risks that one of these assertions is materially
untrue. So, for example, this might include the risk that not all sales have been
recorded, they are not recorded accurately and do not apply to the correct
accounting period.

ISSAI 2315 identifies three categories of assertion, those relating to:


▪ classes of transactions;
▪ account balances at the period end; and
▪ presentation and disclosure.

Auditors are required to obtain sufficient, appropriate audit evidence over every
relevant assertion for every material item in the financial statements.


Assertions about classes of transactions and events for the period

| Assertion | Description |
| --- | --- |
| Occurrence | Transactions and events that have been recorded have occurred and pertain to the entity. |
| Completeness | All transactions and events that should have been recorded have been recorded. |
| Accuracy | Amounts and other data relating to recorded transactions and events have been recorded appropriately. |
| Cutoff | Transactions and events have been recorded in the correct accounting period. |
| Classification | Transactions and events have been recorded in the proper accounts. |

Assertions about account balances at the period end

| Assertion | Description |
| --- | --- |
| Existence | Assets, liabilities, and equity interests exist. |
| Rights and obligations | The entity holds or controls the rights to assets, and liabilities are the obligation of the entity. |
| Completeness | All assets, liabilities and equity interests that should have been recorded have been recorded. |
| Valuation and allocation | Assets, liabilities and equity interests are included in the financial statements at appropriate amounts and any resulting valuation or allocation adjustments are appropriately recorded. |

Assertions about presentation and disclosure

| Assertion | Description |
| --- | --- |
| Occurrence and rights and obligations | Disclosed events, transactions and other matters have occurred and pertain to the entity. |
| Completeness | All disclosures that should have been included in the financial statements have been included. |
| Classification and understandability | Financial information is appropriately presented and described, and disclosures are clearly expressed. |
| Accuracy and valuation | Financial and other information are disclosed fairly and at appropriate amounts. |


As stated above, risks at the assertion level are the risks that one of these
assertions is materially untrue and so auditors must consider the circumstances
under which this could occur.

Exercise 4.4: Focusing on the assertions which relate to classes of
transactions/events and those which relate to account balances at the period end,
consider some of the possible circumstances in which the financial statement
assertions fail to be true. Complete the table on the following pages.

For example, what are the circumstances, whether due to fraud or error, where
assets, liabilities or equity interests are recorded in the financial statements but do
not actually exist?
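
| Assertion | Transactions/events | Balances | Due to fraud | Due to error |
| --- | --- | --- | --- | --- |
| Classification | Yes | | | |
| Completeness | Yes | Yes | | |
| Existence | | Yes | | |
| Occurrence | Yes | | | |
| Cutoff | Yes | | | |
| Rights and obligations | | Yes | | |
| Accuracy | Yes | | | |
| Valuation and allocation | | Yes | | |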

Regularity: ISSAIs recognize that in public bodies, a broader range of assertions
may be appropriate, given the broader nature of public sector audit. Arguably the
key additional consideration can be treated as being an additional ‘regularity’
assertion.

The regularity assertion applies to transactions and events and is concerned with
the requirement that financial transactions are in accordance with the legislation
authorizing them, regulations issued by a body with the power to do so under
governing legislation and Parliamentary or other appropriate authority.


4.2.8 Audit team meetings


ISSAIs stress the requirement for discussion within the audit team when
considering the risks of material misstatement overall or as a result of fraud.

Such a meeting should allow a better and more complete understanding of the
entity to be built up overall and for knowledge to be shared. It also allows an
inclusive ‘brainstorming’ approach to risk identification, possibly identifying risks
that individual auditors might not identify when working alone.

Senior members of the audit team may well have the best overall understanding
of an organization's business, sector and strategy but more junior members may
be more familiar with how the organization works at an operational level, including
financial management processes. Both perspectives are important to a thorough
risk identification process.

4.2.9 ISSAI 2570


ISSAI 2570 (ISA 570 – Going concern) requires that when the auditor is carrying
out their risk assessment procedures (in accordance with ISSAI 2315) they must
‘consider whether there are events or conditions that may cast significant doubt
on the entity’s ability to continue as a going concern’. (ISSAI 2570.10)

4.3 Internal controls


4.3.1 Introduction
A key and recurring theme in risk assessment is that of internal control. Internal
control is also an important concept for some later chapters so you should feel
confident in this subject matter before progressing.

4.3.2 What are internal controls?


Internal control can be defined as:
‘The whole system of financial and other controls, including the organizational
structure, methods, procedures and internal audit, established by management
within its corporate goals, to assist in conducting the business of the audited entity
in a regular economic, efficient and effective manner; ensuring adherence to
management policies; safeguarding assets and resources; securing the accuracy
and completeness of accounting records; and producing timely and reliable
financial and management information’. (ISSAI 1003)

In order to reduce the risk that organizational objectives are not met, management
must have a system for controlling the activities of the organization, and ensuring
that adequate records are kept.

What constitutes an adequate system will depend on the circumstances. For
example, in terms of record-keeping, this can range from a simple cash book with
a file of paid invoices kept by a small trader, to the sophisticated organizational
systems maintained by multinational corporations.

Exercise 4.5: In the course of your work you should already have come across a
number of routine controls, such as those over your employer’s expenditure, the
security of your employer’s assets and the behavior of staff in the workplace.

Make a note of at least five internal controls you can identify in your workplace.

4.3.3 Types of internal control


ISSAI 2315 identifies five different categories of control activities (ISSAI
2315.A96):
1. Authorization: All transactions should require authorization or approval by an
appropriate responsible individual. The limits for these authorizations should be
specified.

2. Performance reviews: ‘These control activities include reviews and analyses
of actual performance versus budgets, forecasts, and prior period performance;
relating different sets of data – operating or financial – to one another, together
with analyses of the relationships and investigative and corrective actions;
comparing internal data with external sources of information; and review of
functional or activity performance’. (Paragraph 9, Appendix 1, ISSAI 2315)

3. Information processing: These can be grouped into two categories (Ibid):

a. Application controls – these apply to the processing of individual applications.

Examples of application controls include:
o checking the arithmetical accuracy of records;
o maintaining and reviewing accounts and trial balances;
o automated controls such as edit checks of input data and numerical
sequence checks; and
o manual follow-up of exception reports.

b. General IT controls – policies and procedures that relate to many
applications and support the effective functioning of application controls by
helping to ensure the continued proper operation of information systems.

Examples of general IT controls are:
o program change controls;
o controls that restrict access to programs or data;
o controls over the implementation of new releases of packaged software
applications; and
o controls over system software that restrict access to or monitor the use of
system utilities that could change financial data or records without leaving
an audit trail.

4. Physical controls: ‘Controls that encompass:
o The physical security of assets, including adequate safeguards such as
secured facilities over access to assets and records.
o The authorization for access to computer programs and data files.
o The periodic counting and comparison with amounts shown on control
records (for example, comparing the results of cash, security and inventory
counts with accounting records)’. (Ibid)

5. Segregation of duties: ‘Assigning different people the responsibilities of
authorizing transactions, recording transactions, and maintaining custody of
assets.

Segregation of duties is intended to reduce the opportunities to allow any
person to be in a position to both perpetrate and conceal errors or fraud in the
normal course of the person’s duties’. (Ibid)
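
The authorization, segregation of duties and numerical sequence controls listed above can all be tested over a transaction file, producing the kind of exception report that is then followed up manually. The following Python is an added example, not part of the original notes or of ISSAI 2315; the voucher fields, staff names, approval limits and sample ledger are constructed assumptions.

```python
"""Exception report over a constructed payment-voucher ledger (illustrative data only)."""
from collections import Counter
from dataclasses import dataclass

# Constructed authorization limits per approver (assumed values, not from the notes).
APPROVAL_LIMITS = {"amina": 50_000, "farid": 5_000}


@dataclass(frozen=True)
class Voucher:
    number: int          # pre-numbered voucher sequence
    amount: int          # in the entity's reporting currency
    authorized_by: str   # who approved the payment ("" if nobody did)
    recorded_by: str     # who posted it to the accounting records
    custodian: str       # who released the cash or asset


# Constructed sample data: 1003 is missing and 1005 appears twice.
LEDGER = [
    Voucher(1001, 1_200, "farid", "zahra", "omid"),
    Voucher(1002, 7_500, "farid", "zahra", "omid"),    # above farid's limit
    Voucher(1004, 3_000, "amina", "amina", "omid"),    # authorizer also recorded
    Voucher(1005, 900, "", "zahra", "omid"),           # no authorization at all
    Voucher(1005, 900, "amina", "zahra", "zahra"),     # recorder also holds custody
    Voucher(1006, 40_000, "amina", "zahra", "omid"),
]


def authorization_exceptions(ledger, limits):
    """Authorization: every voucher needs an approver acting within a specified limit."""
    findings = []
    for v in ledger:
        if v.authorized_by not in limits:
            findings.append((v.number, "UNAUTHORIZED"))
        elif v.amount > limits[v.authorized_by]:
            findings.append((v.number, "OVER_LIMIT"))
    return findings


def segregation_exceptions(ledger):
    """Segregation of duties: authorizing, recording and custody held by different people."""
    findings = []
    for v in ledger:
        roles = {"authorize": v.authorized_by, "record": v.recorded_by,
                 "custody": v.custodian}
        holders = Counter(person for person in roles.values() if person)
        for person, count in holders.items():
            if count > 1:
                held = "+".join(r for r, p in roles.items() if p == person)
                findings.append((v.number, f"SOD:{person}:{held}"))
    return findings


def sequence_exceptions(ledger):
    """Numerical sequence check: report duplicated and missing voucher numbers."""
    counts = Counter(v.number for v in ledger)
    if not counts:
        return []
    findings = [(n, "DUPLICATE") for n, c in counts.items() if c > 1]
    expected = range(min(counts), max(counts) + 1)
    findings += [(n, "MISSING") for n in expected if n not in counts]
    return findings


def exception_report(ledger, limits):
    """Combine the three checks into one sorted report for manual follow-up."""
    return sorted(
        authorization_exceptions(ledger, limits)
        + segregation_exceptions(ledger)
        + sequence_exceptions(ledger)
    )


if __name__ == "__main__":
    for number, finding in exception_report(LEDGER, APPROVAL_LIMITS):
        print(f"voucher {number}: {finding}")
```

A gap in the sequence is only a prompt for enquiry: the missing voucher may have been cancelled legitimately, which is why the report feeds manual follow-up rather than a conclusion.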


4.3.4 Another classification of controls


Another method of classifying internal controls is by their design:

Preventative controls: These controls are designed to limit the possibility of an
undesirable outcome being realized.

The more important it is that an undesirable outcome should not arise, the more
important it becomes to implement appropriate preventative controls.

The majority of controls implemented in organizations tend to belong to this
category.

Segregation of duties is an example of a preventative control: for example, the
person who authorizes payment of an invoice is separate from the person who
ordered the goods, preventing one person securing goods for their own benefit.

Detective controls: These controls are designed to identify occasions of
undesirable outcomes having been realized.

Their effect is, by definition, after the event and so they are only appropriate when
it is possible to accept the loss or damage incurred or where corrective measures
are both readily available and reliable.

Examples of detective controls include inventory checks (which detect whether
inventory has been removed without authorization), reconciliation (which can
detect unauthorized transactions) and post implementation reviews (which detect
lessons to be learnt from projects for application in future projects).

Directive controls: These controls are designed to ensure that a particular
outcome is achieved and that appropriate guidance is provided in order to do so.

They are particularly important when it is critical that an undesirable event is
avoided, typically associated with health and safety or with security.

Examples of directive controls include a requirement that protective clothing be
worn during the performance of dangerous duties or that staff be trained with
required skills before being allowed to work unsupervised.


Corrective controls: These controls are designed to correct undesirable
outcomes that have been realized.

They can provide a route of recourse to achieve some recovery against loss or
damage.

An example of this would be contract terms which allow for recovery of
overpayments.

Exercise 4.6: Name one preventative, one detective, one directive and one
corrective control used in driving a car in compliance with the speed limit.

4.3.5 Responsibility for internal control


It is the audited body which is responsible for the effectiveness of the internal
control system.

It is not the responsibility of auditors, either internal or external, to ensure that
adequate controls are in place, although they both have a part to play in reviewing
systems of internal control and making recommendations for improvements to
management where appropriate.

4.4 Fraud
4.4.1 Introduction
We now know that ISSAI 2315 requires auditors to identify and assess the risks of
material misstatement at the financial statement and assertion levels.

Furthermore, ISSAI 2240 (ISA 240 - The Auditor’s Responsibilities Relating to
Fraud in an Audit of Financial Statements) states that ‘misstatements in the
financial statements can arise from either fraud or error’. (ISSAI 2240.2)

It thus follows that auditors need to identify and assess the risk of both fraud and
error at both the financial statement level and the assertion level.

In this section we will:
▪ Consider fraud risks and the auditor’s responsibilities with regard to fraud.
▪ Consider the risks of fraud and error that might be relevant to the audit of
financial statements.
▪ Consider the internal controls that might serve to mitigate such risks and which,
as a consequence, the auditors would wish to understand as part of their risk
assessment processes.

4.4.2 Fraud risks and the auditor’s responsibilities relating to fraud


Fraud: ISSAI 2240 defines fraud as: ‘an intentional act by one or more
individuals among management, those charged with governance, employees or
third parties, involving the use of deception to obtain an unjust or illegal
advantage’ (ISSAI 2240.11) [emphasis added].

ISSAI 2240 identifies two major categories of fraud which concern the auditor:
1. Fraudulent financial reporting: Fraudulent financial reporting ‘involves
intentional misstatements including omissions of amounts or disclosures in
financial statements to deceive financial statement users’. (ISSAI 2240.A2)

ISSAI 2240 states that such frauds can occur through:
o Manipulation, falsification or alteration of accounting records or supporting
documentation.
o Misrepresentation or deliberate omission of items in the financial
statements.
o Intentional misapplication of accounting standards or policies.

The key things to note with this type of fraud are that by definition it is an
internal fraud (i.e. committed by someone within the organization) and that
intent is required. Accidental misreporting or genuine error in the preparation
of the financial statements are not fraudulent.

This type of fraud can be a serious concern for external audit. Fraudulent
misreporting can misrepresent the entire message conveyed by a set of
financial statements. It is likely to be carefully concealed and such concealment
is likely to involve the senior management of a company.

Given that fraudulent reporting is likely to be supported or carried out by senior
management, and may be endemic in the senior management culture,
improved corporate governance is seen as a key defence against this form of
fraud.

2. Misappropriation of assets: Misappropriation of assets ‘involves the theft of
an entity’s assets and is often perpetrated by employees in relatively small and
immaterial amounts’. (ISSAI 2240.A5)

This is probably the most widespread and well-known type of fraud and
includes, for example, the theft of cash or other assets. It can range from small
scale fraud such as falsifying travel expenses to large scale organised crime.

ISSAI 2240 states that such frauds can occur through:
o Embezzling receipts e.g. diverting income to own bank account.
o Stealing physical assets or intellectual property.
o Deliberately causing payment to be made for goods or services not received.
o Taking an entity’s assets for personal use.

Key points regarding fraud


▪ Must involve the use of deception i.e. deliberate intent.
▪ Fraud is never accidental.
▪ Most commonly refers to various forms of theft or misappropriation.
▪ Fraud is often complex in nature with multiple actions or transactions to both
commit and conceal a fraud.
▪ This often means that those with technical knowledge and experience are best
placed to commit and conceal fraud.
▪ It also highlights the need for multiple forms of internal control including
accounting/process controls and ‘softer’ personnel and supervision controls.

Internal and external fraud: ISSAI 2240 separates fraud into the
misappropriation of assets and fraudulent misreporting. Another possible way of
classifying frauds and thus identifying the full range of possible fraud risks is the
distinction between:
▪ Internal fraud – perpetrated against an organization, by individual(s) within
that organization
▪ External fraud – perpetrated against an organization, by individual(s) outside
that organization.

Exercise 4.7: Identify some frauds that could be classified as ‘internal’ frauds or
‘external’ frauds.

You may find it helpful to consider frauds that have affected or could affect your
own organization.

Responsibilities of management: The primary responsibility for the prevention
and detection of fraud and misconduct always lies with management/those
charged with governance.

Specific management responsibilities are to:
▪ Take steps to provide reasonable assurance that activities are conducted
honestly and assets are secured.
▪ Make arrangements to deter and detect dishonest conduct.
▪ Ensure that (to the best of their knowledge) financial information is reliable.

Responsibilities of auditors of financial statements: The concept of
materiality is fundamental to external audit and it applies in respect of fraud.

In conducting an audit of financial statements, the overall objectives of the auditor
are to obtain reasonable assurance about whether the financial statements as a
whole are free from material misstatement, whether due to fraud or error.

This is reflected in ISSAI 2320 which takes a similar approach to the external
auditor’s responsibilities in respect of fraud as it does to error – it is treated as one
more reason the financial statements may not be materially true and fair. However,
it is important to remember that a fraud could be judged to be material by nature
rather than due to its monetary size.

There is no duty, in statute or professional standards, on the part of auditors to
prevent fraud or to detect all fraud. The so-called ‘expectation gap’ refers to
confusion about the role of the auditor; the general public tends to think that
finding fraud is a key duty of auditors though this is not borne out by the law or
by ISSAI.


The auditor thus:
▪ Is not expected to detect all fraud.
▪ Should plan testing around detecting material fraud.
▪ Needs to consider items that could be material by their nature.
▪ Should have a ‘reasonable expectation’ of finding any material fraud that may
be present.

Remember that:
▪ The auditor can only give reasonable assurance, not a 100% guarantee.
▪ Fraud is covert by nature, and is therefore hard to detect.

The responsibilities of internal audit in relation to fraud will be addressed in
Chapter 7.

Fraud risk factors and safeguarding against fraud: As outlined above,
safeguarding against fraud is a management responsibility; however, management
may well seek audit advice and assurance in meeting their responsibilities.

Exercise 4.8: Why does fraud happen? Why do some individuals decide to
attempt or commit fraud?

Requirements:
a. Try to think of some of the circumstances and causes, both personal and
organizational, that could lead to an increased risk of fraud.
b. What indicators of fraud should auditors look out for? What are possible ‘red
flags’ that might indicate a higher risk?
c. What can organizations do to combat the risk of fraud?

4.5 ISSAI 2330 – The auditor’s responses to assessed risks


4.5.1 Introduction
ISSAI 2330 focuses on the means by which auditors can respond to the risks they
have identified when conducting the procedures set out in ISSAI 2315. It requires
the auditor to design and perform audit procedures to address the identified risks
at both the financial statement and the assertion levels (ISSAI 2330.5 & 6).


The two key procedures that auditors carry out are substantive procedures and
tests of control.

4.5.2 Substantive procedures

A substantive procedure is one which is ‘designed to detect material misstatements
at the assertion level’. (ISSAI 1003)

Substantive procedures thus provide direct evidence that the information in the
financial statements is complete, accurately stated, etc.

The auditor can use a range of methods, and we will return to look at these in
more detail later in the course, in Chapter 5. However, they can be classified into
two categories (Ibid):
▪ Tests of details (of classes of transactions, account balances, and disclosures)
and
▪ Substantive analytical procedures.

Tests of details: These involve testing a number of transactions from the audited
organization's accounting and other records. As these transactions will be collated
through the organization's financial accounting processes and accounts
preparation process, they provide evidence to support the auditor’s opinion
regarding the financial statements. For larger organizations in particular, this can
be quite a repetitive and labor-intensive process.

Analytical procedures: Analytical procedures are ‘evaluations of financial
information through analysis of plausible relationships among both financial and
non-financial data’. (Ibid)

4.5.3 Tests of controls

Tests of controls are audit procedures ‘designed to evaluate the operating
effectiveness of controls in preventing, or detecting and correcting, material
misstatements at the assertion level’. (Ibid)

Tests of controls assess the consistent application of internal controls.


Not all controls will be of interest to the auditor of financial statements, but only
those which play a role in ‘preventing, or detecting and correcting, material
misstatements’.

This entails a focus on key controls i.e. those which:
▪ have an effect on the financial statements; and
▪ where such effects would potentially be material.

This would tend to mean less of a focus on trivial administrative procedures and
more focus on a smaller set of controls that are vital in reducing the risk of serious,
significant error or fraud.

4.5.4 The relationship between tests of control and substantive procedures

It is very important to note that:
▪ tests of controls only provide indirect probabilistic evidence with regard to the
absence of misstatements in the financial statements; whereas
▪ substantive procedures provide direct evidence.

If the controls surrounding, for example, the recording of sales income are very
strong, it is far less likely that sales income will be materially misstated in the
financial statements as it is very likely that any error would have been prevented,
or detected and corrected, by the organization's management. But this is only
indirect evidence about the likelihood of misstatement, and not direct evidence
that the specific balance presented in the accounts is actually free of material
misstatement.

Tests of controls and the audit risk formula: Indeed, one way of thinking
about tests of control is that they allow a more thorough understanding of control
risk within the audit risk formula:

AR = IR × CR × DR

Where an auditor conducts tests of control and these show that internal control is
strong (hopefully supporting the understanding of internal control gained during
the risk identification processes required by ISSAI 2315), this would allow the
auditor to say with confidence that control risk is low.

Given that the auditor will have already determined an acceptable (low) level of
audit risk, a lower assessed control risk would allow the auditor to justifiably accept
a higher detection risk. This means that the extent of other audit procedures could
be reduced.

Implications for audit work: This could also mean that, where a financial
accounting system is being used to process a very large number of routine
transactions, the auditor need not always conduct a huge number of tests of detail.

The auditor could:
▪ conduct tests of control;
▪ place some reliance on the strength of internal control where those tests of
control indicate that internal control is strong (audit evidence shows that CR is
low); and
▪ reduce the extent of substantive procedures.

For the major financial information systems of larger organizations, where initial
indications are that internal control is probably quite strong, this is normally a
much more effective use of audit resources than simply conducting a huge volume
of tests of detail.

A further benefit is that, in some circumstances, the auditor can rely on the results
of tests of control conducted in previous audits, though the auditor must (ISSAI
2330.14 & 15):
▪ consider the general risks associated with doing so, in the organizational and
wider internal control environment;
▪ consider whether there have been any changes which would affect the
relevance of past assessments; and
▪ if there have not been such changes, test the controls at least once in every
third audit and test some controls each audit.

However, taking reliance from internal control needs to be done with considerable
care. ISSAI 2330 states that ‘in designing and performing tests of controls, the
auditor shall obtain more persuasive audit evidence the greater the reliance the
auditor places on the effectiveness of a control’. (ISSAI 2330.9)

Material items: It is also very important to note that ‘irrespective of the assessed
risks of material misstatement, the auditor shall design and perform substantive
procedures for each material class of transactions, account balance, and
disclosure’. (ISSAI 2330.18)

As tests of control can only provide indirect evidence that the financial statements
are correctly stated, substantive procedures are essential for every material
aspect of the financial statements no matter how low the risk of misstatement.

4.5.5 Practical matters raised by ISSAI 2330


Auditors are permitted to use evidence from previous audits about the operating
effectiveness of specific controls, so long as they have observed that the controls
are still operating properly. (ISSAI 2330.14)

ISSAI 2330 makes some practical points about the timing of audit work. It notes
that controls testing and substantive procedures may be performed at an interim
date or at the period end.

However, ‘the higher the risk of material misstatement, the more likely it is that
the auditor may decide it is more effective to perform substantive procedures
nearer to… the period end… or to perform audit procedures unannounced or at
unpredictable times’. (ISSAI 2330.A11)

Nevertheless, audit procedures performed before the period end may help the
auditor to identify and resolve significant matters at an early stage.

4.5.6 The auditor’s overall approach


The auditor’s overall approach when deciding which procedures to use should
ultimately be determined by an assessment of risk at the assertion level.

The approach is thus likely to vary from one part of the financial statements to the
next and from one assertion to another.


ISSAI 2330 states that the auditor may determine that:
▪ ‘Only by performing tests of controls may the auditor achieve an effective
response to the assessed risk of material misstatement for a particular
assertion’. (ISSAI 2330.A4(a))
▪ ‘Performing only substantive procedures is appropriate for particular assertions
and, therefore, the auditor excludes the effect of controls from the relevant risk
assessment’. (ISSAI 2330.A4(b))

This may be because the auditor’s risk assessment procedures have not identified
any effective controls relevant to the assertion, or because testing controls would
be inefficient and therefore the auditor does not intend to rely on the operating
effectiveness of controls in determining the nature, timing and extent of
substantive procedures (Ibid).

Practical examples might be arrangements for paying Directors’ expenses, when
initial enquiries suggest that few if any controls are in place, or the payment of a
large monthly grant, where there will be a small number of material transactions.
In this latter case there will be only 12 transactions and thus no economies of scale
will apply – a fully substantive approach would be more appropriate.

▪ A combined approach using both tests of controls and substantive procedures
is an effective approach (ISSAI 2330.A4(c)).

This probably applies in the majority of cases, where there are benefits to be
gained from a balanced approach which uses tests of control to assess control risk
more fully and uses this as a basis for determining a consequent level of further
substantive testing.

Material items: ‘However… irrespective of the approach selected, the auditor
designs and performs substantive procedures for each material class of
transactions, account balance, and disclosure’. (ISSAI 2330.A4)

In other words, where the item being tested is material:


▪ there are circumstances in which it would be acceptable to use no tests of
control; but
▪ there are no circumstances in which it would be acceptable to use no
substantive procedures.

Exercise 4.9: ISSAI 2330 sets out key procedures that auditors may use when
designing a programme of work in response to assessed risks. Explain which
procedures you would use in the following situations, and your reasons in each
case.
a. Your audit client is a small charity incorporated as a limited company. Both its
income (from grants and donations) and expenditure (mostly on providing
advisory workshops) are fairly irregular. The voluntary Treasurer manages all
financial arrangements alone. Transactions are recorded on an old cash book,
and no IT is used other than for presenting the annual accounts neatly.
b. Your audit client is a medium sized public body. Budgetary authority is
delegated to managers and assistant managers in four production departments,
with the authority to order supplies (through a paper-based requisition process)
often being delegated further. There is an accounting and finance team who
process and record transactions. They use a popular ‘off the shelf’ business
accounting application.
c. Your audit client is a small public agency which develops mobile applications
(apps) that allow public service managers to easily benchmark performance
and learn from best practice at other organizations. There is intensive use of IT
as the apps are distributed, operated, sold and paid for online, with such
transactions being recorded automatically through an integrated sales and
ledger IT system, which is also managed wholly online.

4.5.7 Additional ISSAI 2330 requirements to address the risk of material misstatement

When considering the overall approach, the auditor should consider the way in
which work is carried out, to help address the risk of material misstatement. For
example, ISSAI 2330 says that audit approaches could include:
▪ ‘Emphasizing to the audit team the need to maintain professional scepticism.
▪ Assigning more experienced staff or those with special skills or using experts.
▪ Providing more supervision.
▪ Incorporating additional elements of unpredictability in the selection of further
audit procedures to be performed.
▪ Making general changes to the nature, timing, or extent of audit procedures,
for example: performing substantive procedures at the period end instead of at
an interim date; or modifying the nature of audit procedures to obtain more
persuasive audit evidence’. (ISSAI 2330.A1)

Remember that an effective control environment may allow the auditor to have
more confidence in internal control, and in the reliability of evidence generated
within the entity. This might, for example, allow the auditor to conduct some
procedures during interim audit rather than at period end. However, deficiencies
in the control environment will have the opposite effect – perhaps forcing the
auditor to do more work at period end, carrying out more substantive procedures,
or visiting more locations.

Each of these steps could help to improve the quality of audit, reducing detection
risk and thus overall audit risk. The suggestion of adding in elements of
unpredictability is interesting, as it implies that over-familiarity with the routine of
audit, on the part of the audited organization or the auditors themselves, might
serve to increase detection risk.

4.6 Key controls


4.6.1 Key controls
As we have seen, the auditor is required to obtain an understanding of internal
controls relevant to the audit. Not all controls related to financial reporting are
relevant to the audit and it is likely that the auditor will focus on key controls which
are likely to significantly reduce the risk of material misstatement.

In order to be able to evaluate which controls are likely to be effective in reducing
the risk of material misstatement, it is important to understand which controls are
likely to be relevant to the achievement of each financial statement assertion. We
could thus think of the assertions in another way; they can be thought of as a set
of control objectives.
In other words, when a manager is designing controls over a financial reporting
system they can start by taking each of the assertions as a control objective and
design a control which will meet one or more of these objectives. Similarly, an
auditor could take each of the assertions and consider how effective the controls
designed by management are likely to be in achieving the control objective.


Exercise 4.10: In the table overleaf, you have been given some of the many
reasons why the various financial statement assertions might not be achieved,
drawn from the suggested answer to Exercise 4.4.

Try to design controls on the following pages which would serve to mitigate the
risk that each financial statement assertion would be untrue.
Or, put another way, take the ‘financial statement assertions’ to be control
objectives and design controls that would serve to meet these objectives.
| Assertion | Due to fraud | Due to error | Possible key internal control(s) |
|---|---|---|---|
| Classification | Transactions miscoded to cover up theft or misappropriation. | Incorrect coding input accidentally. | |
| Completeness | Transactions have been deliberately excluded from the income statement e.g. to boost profit. ‘Window dressing’ to make the balance sheet look better than it really is e.g. off-balance sheet finance. | Invoices have been mislaid and amounts are therefore not included in the financial statements. | |
| Existence | Items have been included in the balance sheet that do not exist e.g. inventory items that have been stolen. | Accidental double counting of balance sheet items e.g. accounts payable. | |
| Occurrence | False supplier invoices have been raised in order for the fraudster to collect the payments made. | Invoices relating to another entity have been received and paid in error. | |
| Cutoff | Purchase invoices received have been held back at the year end. | Accruals at the year-end have not been calculated correctly. | |
| Rights and obligations | Leased assets have been deliberately omitted from the balance sheet. | The entity has failed to register ownership e.g. when purchasing a motor vehicle. | |
| Accuracy | Sales invoice amounts have been miscast so that the total amount is inflated, in the hope that the customer will not notice. | A programming error has resulted in VAT being miscalculated. | |
| Valuation and allocation | The value of assets has been overstated. Expenditure items have been capitalized. | The depreciation charge for the year has been miscalculated. | |

4.6.2 Assessing control weaknesses


Note: How auditors can test controls will be considered in Chapter 5.

Controls may be weak because they are:


▪ Inherently weak (e.g. they are poorly designed or inappropriate to the risk they
are designed to mitigate); or they are
▪ Well-designed in principle but not being implemented effectively and
consistently. This would normally be identified through tests of control.

Where an auditor intends to place reliance on internal controls they are hopefully
sound at least in principle, so the first of these should not apply.

ISSAI 2330 deals with the second scenario:


‘If deviations from controls upon which the auditor intends to rely are detected,
the auditor shall make specific inquiries to understand these matters and their
potential consequences, and shall determine whether:
a. The tests of controls that have been performed provide an appropriate basis
for reliance on the controls;
b. Additional tests of controls are necessary; or
c. The potential risks of misstatement need to be addressed using substantive
procedures’. (ISSAI 1330.17)

So, if further assurance about the strength of internal controls cannot be gained
through more or better testing of controls, the auditor needs to think about the
risk of misstatement and their response to that risk.

As was explained in Chapter 3, if assurance cannot be drawn that control risk is
low, then detection risk must be lowered in order to maintain an acceptably low
level of audit risk. This is normally achieved through the use of enhanced
substantive procedures.

There are also requirements, set out in ISSAI 2265 (ISA 265 - Communicating
deficiencies in internal control to those charged with governance and
management), for auditors to report deficiencies in internal control encountered
in the course of the audit. These requirements are considered in chapter 6.

Exercise 4.11: Return to the ‘[Link]’ exercise (Exercise 3.5) and its solution in
Chapter 3.

In that exercise you were trying to identify inherent and control risks relating to a
fictional audit client.

Go back to this exercise and try to consider what some of the key risks would be
at the level both of the financial statements as a whole and at the financial
assertion level.

Exercise 4.12
Requirements:
a. Controls can be classified by the intended impact on outcomes in any particular
system or activity. Define and describe the four classifications of controls
identified by this approach and provide a relevant example of each type of
control.
b. Internal controls may be compromised by human error. In addition, controls
may be deliberately abused or impaired in an attempt to commit a fraud.
Identify and describe some of the personal and/or organizational factors which
may lead to an increased risk of fraud.
c. Describe the organization-wide controls an organization can put in place to
combat the risk or minimize the impact of fraud.

Exercise 4.13
Requirements:
ISSAI 1315 describes four financial statement assertions which apply to ‘account
balances at the period end’. Identify and describe each of these assertions. You
should illustrate your answer with a brief explanation of how each assertion would
apply to the ‘cash and cash equivalents’ balance presented in a set of financial
statements.


Quiz Q # 4.1: At a leisure center the finance department maintains control
accounts for receivables whilst the cashiers collect balances from customers. This
control is an example of which type of control?
A. Authorization
B. Segregation of duties
C. Physical
D. Information processing

Quiz Q # 4.2: The leisure center clearly displays signs instructing customers to
request a receipt. This control is an example of which type of control?
A. Preventative
B. Detective
C. Directive
D. Corrective

Quiz Q # 4.3: Which of the following statements is TRUE?


A. Tests of control provide indirect evidence about the absence of misstatements
in financial statements.
B. Tests of control provide direct evidence about the absence of misstatements in
financial statements.
C. Substantive procedures provide indirect evidence about the absence of
misstatements in financial statements.
D. Both tests of control and substantive procedures provide direct evidence about
the absence of misstatements in financial statements.

Quiz Q # 4.4: Which of the following are ALL identified by ISSAI 1315 as
assertions about classes of transactions and events for the period?
A. Classification and understandability; completeness; existence; accuracy
B. Occurrence; completeness; accuracy; classification
C. Existence; rights and obligations; completeness; classification
D. Occurrence; completeness; cut-off; valuation and allocation


Quiz Q # 4.5: According to ISSAI 1315, what are the five components of internal
control?
A. The control environment; the entity’s risk assessment process; the information
system; financial procedures; internal audit.
B. The control environment; the entity’s risk assessment process; the information
system; financial procedures; monitoring of controls.
C. The control environment; the entity’s risk assessment process; the information
system; control activities relevant to the audit; internal audit.
D. The control environment; the entity’s risk assessment process; the information
system; control activities relevant to the audit; monitoring of controls.


CHAPTER 5 – AUDIT EVIDENCE

Syllabus aim
▪ Discuss the requirements of audit programmes, including the design of audit
tests, in order to obtain sufficient appropriate audit evidence.
▪ Discuss the use of audit evidence and apply audit evidence to form an audit
opinion.

Learning outcomes and content


▪ Identify internal controls, design appropriate audit tests and identify the
requirements for audit working papers:
o Tests of internal controls
o Substantive analytical procedures
o Substantive tests of details
o Use of audit sampling
o Using the work of internal auditors

▪ Explain the role of audit in an IT environment in relation to selecting and
evaluating audit evidence
o Specialist software for sample selection and testing

▪ Discuss the sufficiency and appropriateness of audit evidence obtained:
o Relevance and reliability
o Importance of obtaining written representations
o Approach to corroborating or conflicting evidence
o Response to insufficient evidence


5.1 Audit evidence


Audit is about forming an opinion. This must be a professional opinion, based on
the weight of evidence. It is not enough to say that the manager seems like a
competent professional who will carry out their role correctly. Instead, auditors
must collect evidence to support an opinion that they may ultimately be required
to defend. Evidence is therefore a fundamental part of auditing.

5.2 The requirements for audit evidence


5.2.1 The requirements for audit evidence
ISSAI 2500 (ISA 500 - Audit evidence) states: ‘The auditor shall design and
perform audit procedures that are appropriate in the circumstances for the purpose
of obtaining sufficient appropriate audit evidence’. (ISSAI 2500.6)

5.2.2 Sufficient evidence


Sufficiency relates to the quantitative features of the evidence. Auditors must
ask themselves whether they have enough evidence to form an audit opinion.

In order to assess sufficiency auditors should consider:


▪ The persuasiveness of the evidence – e.g. if a till operator is asked if they issue
receipts and (s)he says no, it is very convincing, but if (s)he says yes, we may
wish to carry out further tests;
▪ The risks involved – the greater the risk of material misstatements, the more
evidence is required; and
▪ The importance or materiality of the matter in question – if it is a critical matter,
the auditors should look for multiple corroborating sources rather than rely on
only one source.

5.2.3 Appropriate evidence


Auditors also need to consider the qualitative aspects of evidence, and
specifically its relevance and reliability. They should ask themselves whether they
have the right type of evidence, and whether that evidence is of good quality.

Relevance: Evidence must be relevant to the audit objective(s).


For example, testing every item on a client’s non-current asset register provides
no assurance that the register is complete (i.e. that all relevant items have been
included in it).

Reliability: How reliable is the evidence? As a general rule, when ranking audit
evidence:
▪ The most reliable evidence is that directly generated by the auditor.
▪ The next most reliable evidence is that obtained from independent third parties.
▪ The least reliable evidence is that generated by the client.

Evidence that is produced in the presence of a strong control environment is likely
to be more reliable than that produced in a weak control environment.
Similarly, less complex audit procedures are usually considered more reliable than
complex ones, as there is less to go wrong.
Documentary evidence is generally considered to be more reliable than oral
evidence.

Exercise 5.1: Consider the reasons why documentary evidence is generally
considered to be more reliable than oral evidence.

5.2.4 ISSAI 2580 (Written representations)


However, there may be occasions where auditors have to rely on oral evidence.
ISSAI 2580 (ISA 580 – Written representation) sets out the procedures that
auditors should follow to obtain written confirmation of such evidence.

The key principle to keep in mind in respect of written representations is that
‘although written representations provide necessary audit evidence, they do not
provide sufficient appropriate audit evidence on their own about any of the matters
with which they deal’. (ISSAI 2580.4)

In other words, written representations support audit evidence but they are not
sufficient appropriate audit evidence, so obtaining written representations alone
for material areas of financial statements is not acceptable.


Exercise 5.2
Part 1: Rank the following in order of reliability:
a. The Head of Stores tells the auditor that the value of obsolete inventory to be
written off is £200 000.
b. The auditor examines the actual inventory identified as obsolete, confirms it is
out of date to the inventory records and calculates the value from original
invoices at £190 000.
c. An independent team of professional valuers have valued the out-of-date
inventory at £210 000.

Part 2: Assess the following for sufficiency on which to form an opinion: is more
evidence needed?
a. A sample of 30 petty cash transactions out of a total of 1 000 has been tested
and no errors found.
b. Monetary materiality for the audit is set at £400 000. Total income is
£20 000 000 and all government grants (total £18,000,000) have been audited
and found to be both regular and accurately recorded.
c. In accordance with your audit plan, you have written to 50 debtors asking them
to confirm the amount they owe your organization. 42 have replied and they
all confirm the amounts you quoted.

Part 3: Which of these is the most relevant to your audit of the effectiveness of
the organization’s procurement and bulk buying?
a. An analysis of staff sickness in the procurement administration team.
b. An analysis of average discount rates obtained from suppliers in the last 12
months.
c. A list of authorized signatories for supply requests.

5.2.5 Approach to inconsistent audit evidence


ISSAI 2500 requires the auditor to obtain sufficient appropriate audit evidence to
be able to draw reasonable conclusions on which to base the auditor’s opinion.
(ISSAI 2500.4)
The auditor performing the audit will obtain evidence from a range of sources and
for a range of purposes.

ISSAI 1500 states that if ‘audit evidence obtained from one source is inconsistent
with that obtained from another… the auditor shall determine what modifications
or additions to audit procedures are necessary to resolve the matter, and shall
consider the effect of the matter, if any, on other aspects of the audit’. (ISSAI
2500.11)

In practical terms, this is likely to mean conducting further procedures to
understand both:
1. The evidence that is to be relied upon.
Clearly if one of two inconsistent results is corroborated by additional evidence
then that result becomes more persuasive.

You should also recall that different sources of audit evidence are seen as
differing in their inherent reliability, for example, information generated
independently of an audit client is seen as more reliable.

2. The wider implications of any inconsistency.
An unreliable source of evidence might indicate a range of issues, from internal
control issues in a key financial system to, in the case of representations from
management, the possibility that the auditor has been deliberately misled.

5.2.6 Response to insufficient audit evidence


It is clear that, if an auditor concludes that they do have sufficient appropriate
audit evidence, no further audit testing is required in that area. However, what if
an auditor concludes that they do not have sufficient appropriate audit evidence?

ISSAI 2330 states that ‘if the auditor has not obtained sufficient appropriate audit
evidence as to a material financial statement assertion, the auditor shall attempt
to obtain further audit evidence. If the auditor is unable to obtain sufficient
appropriate audit evidence, the auditor shall express a qualified opinion or disclaim
an opinion on the financial statements’. (ISSAI 2330.27)

In other words, if an auditor has not obtained sufficient appropriate audit evidence
then they should attempt to obtain more appropriate evidence. If they are unable
to obtain sufficient appropriate audit evidence, then this will impact upon their
opinion. The audit opinion is considered in more detail in Chapter 6.

5.3 Techniques for gathering audit evidence


5.3.1 ISSAI 2500 (Audit evidence)
ISSAI 2500 identifies the following seven techniques for gathering evidence:
1. Inspection
2. Observation
3. Inquiry
4. External confirmation
5. Recalculation
6. Reperformance
7. Analytical procedures

The first five can be used as either substantive procedures or tests of controls,
whilst reperformance is normally only a test of control and analytical procedures
can only be substantive.

1. Inspection: ‘Inspection involves examining records, or documents, whether
internal or external, in paper form, electronic form, or other media, or a physical
examination of an asset’. (ISSAI 2500.A14)
‘An example of inspection used as a test of controls is inspection of records for
evidence of authorization’. (Ibid)

An example of inspection used as a substantive test would be to inspect land
registry records to confirm ownership of a building (Note: this would not provide
assurance over other assertions such as existence).

2. Observation: ‘Observation consists of looking at a process or procedure being
performed by others’. (ISSAI 2500.A17)

An example of observation as a test of control would be to observe an inventory
count.
Observation is mainly used as a test of control, but it could also provide
substantive evidence. For example, if the auditor inspects inventory but also
observes the condition of individual items (e.g. damaged, dusty), this could
give some assurance as to whether their valuation in the financial statements
is likely to be accurate.

It is important to remember that the evidence provided through observation is
‘limited to the point in time at which the observation takes place, and by the
fact that the act of being observed may affect how the process or procedure is
performed’. (Ibid)

3. Inquiry: ‘Inquiry consists of seeking information of knowledgeable persons,
both financial and non-financial, within the entity or outside the entity…
Inquiries may range from formal written inquiries to informal oral inquiries’.
(ISSAI 2500.A22)

In certain circumstances, the auditor may require management to confirm
responses to oral inquiries in writing. This is covered by ISSAI 2580 (see 5.2.4).

4. External confirmation: ‘An external confirmation represents audit evidence
obtained by the auditor as a direct written response to the auditor from a third
party (the confirming party), in paper form, or by electronic or other medium’.
(ISSAI 2500.A18)

External confirmation procedures are commonly used to confirm or request
information such as account balances e.g. investments held by a municipal
authority. They may also be used to confirm transactions between an entity
and other parties.

ISSAI 2505 (ISA 505 - External confirmations) sets out the requirements in
respect of external confirmations. It sets out the two types of request that can
be made, being:
a. ‘Positive confirmation request – a request that the confirming party respond
directly to the auditor indicating whether the confirming party agrees or
disagrees with the information in the request, or providing the requested
information’. (ISSAI 2505.6) and
b. ‘Negative confirmation request – a request that the confirming party respond
directly to the auditor only if the confirming party disagrees with the
information provided in the request’. (Ibid)


As with all audit evidence, the auditor must evaluate whether the results of the
external confirmation procedures provide sufficient appropriate audit evidence,
or whether further audit evidence is needed.

ISSAI 2505 states that ‘negative confirmations provide less persuasive audit
evidence than positive confirmations’. (ISSAI 2505.15)

Similarly, in the case of non-response ‘the auditor shall perform alternative
audit procedures to obtain relevant and reliable audit evidence’. (ISSAI
2505.12)

If the auditor determines that, in order to obtain sufficient appropriate audit
evidence, a response to a positive confirmation request is needed, alternative
audit procedures will not provide the audit evidence that the auditor requires.

5. Recalculation: ‘Recalculation consists of checking the mathematical accuracy
of documents or records’. (ISSAI 2500.A19)

An example of recalculation as a test of controls would be the auditor checking
the mathematical accuracy of the weekly bank reconciliation carried out by the
client.

An example of recalculation as a substantive test would be a basic arithmetic
check of the financial statements or a recalculation of the way that depreciation
had been worked out for a sample of equipment.

6. Reperformance: ‘Reperformance involves the auditor’s independent
execution of procedures or controls that were originally performed as part of
the entity’s internal control’. (ISSAI 2500.A20)

An example of reperformance is the auditor repeating the inventory count
previously carried out by the client.

Another example of reperformance is the auditor using test data to test the
controls within a computerized system. This is done by the auditor producing
data which is processed by the client’s computer system. As the aim is to test
the operation of controls, the dummy data will contain a number of errors, to
determine whether the client’s application controls can identify particular errors.

Test data consists of data submitted by the auditor for processing by the client’s
computer system. The principal objective is to test the operation of application
controls. For this reason, the auditor will arrange for dummy data to be
processed that includes many error conditions, to ensure that the client’s
application controls can identify particular problems.

Examples of this include: supplier account codes that do not exist, excessively
high transaction values and a transaction date of 30 February.

Data without errors may also be included to determine whether ‘correct’
transactions are processed properly.

The data produced can then either be run on the actual system (known as live
processing) or alternatively on a copy of the program that you wish to test
(dead processing).

The risk with the former is that dummy data may get onto the system and be
incorporated with real data e.g. if you have entered an unrealistically large
payment to test controls, should the controls fail then the payment may be
made as part of the payment run. The disadvantage of the dead processing
method is that the auditor must make sure that the version of the program
being tested is identical to the current (live) version being used.

7. Analytical procedures: ‘Analytical procedures consist of evaluations of
financial information through analysis of plausible relationships among both
financial and non-financial data. Analytical procedures also encompass such
investigation as is necessary of identified fluctuations or relationships that are
inconsistent with other relevant information or that differ from expected values
by a significant amount’. (ISSAI 2500.A21)

Conducting analytical procedures as a substantive procedure will be covered in
more detail later in this chapter.
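
The test data technique described under reperformance above, shown as an added example that is not part of the original study notes: a constructed test pack containing the three error conditions the notes list is run against a simulated copy of a payment system (dead processing), after confirming that the copy matches the live program. The control rules, supplier codes, payment limit, function names and the seeded weakness in the date check are all assumptions made for the illustration.

```python
"""Added example: auditor test data run against a copy of a payment system.
Every name, code and value below is constructed for illustration."""
import hashlib

# --- Hypothetical client application controls (the system under test) ---
VALID_SUPPLIERS = {"S1001", "S1002", "S1003"}   # constructed supplier master file
PAYMENT_LIMIT = 50_000                          # assumed maximum payment value


def client_process(txn):
    """Simulate the client's input controls. Returns (accepted, reason).

    Seeded deficiency for the demonstration: the date edit check only tests
    month <= 12 and day <= 31, so impossible dates are accepted.
    """
    if txn["supplier"] not in VALID_SUPPLIERS:
        return False, "unknown supplier code"
    if txn["amount"] <= 0 or txn["amount"] > PAYMENT_LIMIT:
        return False, "amount outside permitted range"
    _year, month, day = txn["date"]
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return False, "invalid date"
    return True, "posted"


# --- Auditor's test pack: each case states the outcome expected if the
# --- application controls operate as designed.
TEST_PACK = [
    {"id": "T1", "supplier": "S1001", "amount": 1_200,
     "date": (2023, 3, 15), "expect_accept": True},    # valid transaction
    {"id": "T2", "supplier": "S9999", "amount": 1_200,
     "date": (2023, 3, 15), "expect_accept": False},   # supplier does not exist
    {"id": "T3", "supplier": "S1002", "amount": 9_999_999,
     "date": (2023, 3, 15), "expect_accept": False},   # excessively high value
    {"id": "T4", "supplier": "S1003", "amount": 800,
     "date": (2023, 2, 30), "expect_accept": False},   # 30 February
]


def same_version(tested_copy: bytes, live_program: bytes) -> bool:
    """Dead processing: confirm the tested copy is identical to the live program."""
    return (hashlib.sha256(tested_copy).hexdigest()
            == hashlib.sha256(live_program).hexdigest())


def run_test_pack(process, pack):
    """Run every case and return the exceptions (actual differs from expected)."""
    exceptions = []
    for case in pack:
        accepted, reason = process(case)
        if accepted != case["expect_accept"]:
            exceptions.append({
                "id": case["id"],
                "expected": "accept" if case["expect_accept"] else "reject",
                "actual": "accept" if accepted else "reject",
                "system_message": reason,
            })
    return exceptions


if __name__ == "__main__":
    live = b"payments-module build (constructed bytes)"
    copy = b"payments-module build (constructed bytes)"
    if not same_version(copy, live):
        raise SystemExit("Copy differs from live program: results cannot be relied on")
    for exc in run_test_pack(client_process, TEST_PACK):
        print(f"Control exception {exc['id']}: expected {exc['expected']}, "
              f"system chose to {exc['actual']} ({exc['system_message']})")
```

Only case T4 is reported as an exception, which tells the auditor that the supplier and value checks operated but the date validation cannot be relied upon.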


5.4 Use of sampling


5.4.1 What is sampling and why do auditors use it?
In this section we will look at the use of sampling in audit. We will define sampling,
relate sampling to the audit risk model and go on to look at techniques for
sampling.

Sampling: ‘The application of audit procedures to less than 100% of items
within a population of audit relevance such that all sampling units have a
chance of selection in order to provide the auditor with a reasonable basis on
which to draw conclusions about the entire population’ ISSAI 2530.5 (ISA
530 – Audit sampling) [emphasis added].

This means that auditors do not have to look at all transactions to reach a
judgment on the population as a whole.

The population means the complete set of data i.e. all balances (receivables,
inventory, payables etc.) or all transactions (payments to suppliers, expense
payments etc.).

The individual items – for example, each payment to a supplier or each item of
inventory – are referred to as sampling units.

All sampling units should have a chance of selection, although not necessarily an
equal chance of selection.

Why do auditors use sampling? In a large organization it would be very time
consuming to test every payment to a supplier or every item of stock. We take a
sample to save time and cost.

5.4.2 Sampling and audit risk


Audit risk: You should recall that audit risk is ‘the risk that the auditor expresses
an inappropriate audit opinion when the financial statements are materially
misstated’. (ISSAI 1003)

Sampling carries its own risks and this impacts on audit risk.


The audit risk model may be expressed in the following formula:

Audit risk = Inherent risk × Control risk × Detection risk

Detection risk: You should also recall that detection risk is ‘the risk that the
procedures performed by the auditor to reduce audit risk to an acceptably low
level will not detect a misstatement that exists and that could be material, either
individually or when aggregated with other misstatements’. (Ibid)

Detection risk can be sub-divided into sampling and non-sampling risk.

Sampling Risk: Sampling risk is ‘the risk that the auditor’s conclusions based on
a sample may be different from the conclusion if the entire population were
subjected to the same audit procedure’. (Ibid)

Sampling risk can lead to two types of erroneous conclusions:

1. The auditor might conclude that controls are more effective than they are in
reality, or that no material misstatement exists when in fact it does. This type
of error is a primary concern, as it is more likely to lead to an incorrect audit
opinion.
2. The auditor might conclude that controls are less effective than they are in
reality, or that a material misstatement exists when in fact it does not. This is
a slightly less serious concern, although it will lead the auditor to conduct more
work in order to assess whether these initial conclusions are correct.

Non-sampling Risk: This is the risk that ‘the auditor reaches an erroneous
conclusion for any reason not related to sampling risk’. (ISSAI 2530.A1)

‘Examples of non-sampling risk include use of inappropriate audit procedures, or
misinterpretation of audit evidence and failure to recognize a misstatement or
deviation’. (Ibid)

5.4.3 Types of sample


Now you understand what sampling is, and why auditors use it, we will go on to
look at some of the different types of sample that can be selected.
There are several ways of classifying audit samples.

Representative v Selective: One way is to divide them into representative
samples or selective samples.

A representative sample is designed to have the same characteristics as the
population as a whole and should therefore allow us to draw conclusions about
the population as a whole.
Selective samples focus on large or material items from a population e.g. all
invoices over a certain value. This type of sampling is designed to detect a few
large errors. Using selective sampling may prevent an auditor from drawing
conclusions about the population as a whole, but it may detect errors that are
material in their own right.

Remember:
If a material misstatement exists in financial statements, it must be the result of
▪ a large number of small errors/frauds; or
▪ a few large errors/frauds; or
▪ a combination of the two.

Representative sampling is designed to find the former. Selective sampling is
designed to find the latter. If auditors suspect that both types of errors may be
present, they may need both types of samples.

Statistical v Judgmental: Another way of classifying audit samples is between
statistical samples and judgmental samples.

Statistical sampling is an approach to sampling that has the following
characteristics (ISSAI 2530.5):
i. Random selection of the sample items; and
ii. The use of probability theory to evaluate sample results, including
measurement of sampling risk.

A sampling approach that does not have characteristics (i) and (ii) is considered
non-statistical sampling or judgmental sampling.


The most common non-statistical samples selected by auditors are tests of high-
value items, unusual items or high-risk items. Non-statistical samples are therefore
more likely to be subjective rather than random.

Exercise 5.3: Identify the advantages and disadvantages of statistical sampling
and non-statistical sampling.

Making the decision: The decision on whether to take a representative or
selective, statistical or non-statistical sample will be determined on a cost-benefit
basis. The auditor needs to consider:
▪ the time it will take to select and draw the sample – this should not be
disproportionally large in relation to the time required to examine it; and
▪ the assurance to be gained - if selective sampling can give auditors assurance
about a high proportion of the population by value, then a small non-statistical
sample of the remaining population may be sufficient.

5.4.4 Sample selection


Once auditors have decided on the type of sample, ISSAI 2530 identifies five main
ways of selecting the sampling units.
1. Random
2. Systematic
3. Monetary Unit Sampling
4. Haphazard
5. Block

1. Random sampling: The method of selection is exactly what it sounds like –
random – but it is still intended to produce a representative sample.

Auditors might use random number tables or computer-generated numbers to
choose which items to select from the population e.g. the xth, yth and zth order
forms, where x, y and z are three random numbers.

For this method to work efficiently there must be a quick way of identifying the
selected items e.g. sequential document numbers.


2. Systematic sampling: In systematic sampling the number of sampling units
in the population is divided by the sample size to give a sampling interval, for
example 50, and having determined a starting point within the first 50, every
50th sampling unit thereafter is selected. The starting point may be chosen at
random.

As with random sampling this method requires a quick way of finding the items
selected.

It is worth noting that the results of this method may not be valid if there is
some pattern in the population e.g. if every 20th item is the one the supervisor
checks as part of their control procedures.

3. Monetary unit sampling: This involves identifying each monetary unit in a
population as a sampling unit. For example, if the total on the receivables ledger
is £1 000 000 then the population will be made up of 1 000 000 sampling units
of £1. The auditor will then select a monetary unit upon which to base the
sample selection, and will examine each balance on the ledger containing that
monetary unit.

4. Haphazard sampling: The auditor selects the sample without following a
structured technique in an attempt to ensure that all items in the population
have a chance of selection.

Note: Haphazard selection is different from genuine random sampling.

5. Block sampling: This involves selecting a block of adjacent transactions or
items from the population, e.g. all invoices issued in one month. This does not
provide a sample that is representative of the population as a whole, but it may
be suitable in certain circumstances. For example, it is common for auditors to
use block selection when testing cutoff.

This method of sampling can be more convenient, especially for client staff who
have to chase up the paperwork.
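The random, systematic and monetary unit selection methods described above, as an added Python example that is not part of the original notes. The ledger is constructed sample data, the function names are hypothetical, and monetary unit selection is assumed to pick pounds at a fixed interval from a random start, which is one common way of choosing the monetary units.

```python
import random
from bisect import bisect_left
from itertools import accumulate

# Constructed receivables ledger: (customer id, balance in whole pounds).
LEDGER = [
    ("C001", 12_000), ("C002", 450), ("C003", 98_000), ("C004", 3_300),
    ("C005", 7_250), ("C006", 150_000), ("C007", 900), ("C008", 28_100),
]


def random_sample(units, sample_size, rng):
    """Random selection: every sampling unit has an equal chance of selection."""
    return rng.sample(units, sample_size)


def systematic_sample(units, sample_size, rng):
    """Every k-th unit after a random starting point within the first interval."""
    if not 0 < sample_size <= len(units):
        raise ValueError("sample size must be between 1 and the population size")
    interval = len(units) // sample_size
    start = rng.randrange(interval)
    return [units[start + i * interval] for i in range(sample_size)]


def monetary_unit_sample(ledger, sample_size, rng):
    """Treat each pound as a sampling unit and return the balances containing
    the selected pounds, together with the sampling interval in pounds.

    Assumption: pounds are picked at a fixed interval from a random start.
    Zero and credit balances contain no positive monetary units, so they can
    never be selected here and need separate testing.
    """
    positive = [(cid, bal) for cid, bal in ledger if bal > 0]
    total = sum(bal for _, bal in positive)
    if not 0 < sample_size <= total:
        raise ValueError("sample size must be between 1 and the ledger total")
    interval = total // sample_size
    start = rng.randrange(1, interval + 1)        # a pound numbered 1..interval
    running = list(accumulate(bal for _, bal in positive))
    selected = []
    for i in range(sample_size):
        pound = start + i * interval
        # First balance whose running total reaches the selected pound.
        hit = positive[bisect_left(running, pound)]
        if hit not in selected:                   # a large balance can be hit twice
            selected.append(hit)
    return selected, interval


if __name__ == "__main__":
    rng = random.Random(2024)  # fixed seed so the selection can be re-performed
    print("random:    ", random_sample(LEDGER, 3, rng))
    print("systematic:", systematic_sample(LEDGER, 4, rng))
    balances, interval = monetary_unit_sample(LEDGER, 6, rng)
    print(f"MUS (interval {interval}):", balances)
```

Any balance at least as large as the sampling interval is certain to be selected under monetary unit selection, which is why the method weights the sample towards high-value items.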


5.4.5 Interpretation of results


In order to successfully extrapolate and interpret their results, the auditor needs
to:
1. Determine in advance what will constitute an error. If this is not determined in
advance, there is a risk that the auditor will not identify an error that occurs.

For tests of control, a failure to exercise the control is described as a deviation,
while for tests of detail, an error is known as a misstatement.

2. Determine the nature and cause of any deviations and misstatements.


In the rare case where the deviation or misstatement is considered to be an
anomaly (demonstrably not representative of misstatements or deviations in
the population), the auditor must perform additional audit procedures to obtain
a high degree of certainty that this is indeed the case.

3. Extrapolate the results to the total population:


Tests of control – no explicit projection of deviations is necessary, since the
sample deviation rate is also the projected deviation rate for the population as
a whole. So, if errors arose in 4 items out of 80, the deviation rate projected is
4/80 = 5%.

Substantive tests – calculate the projected misstatement, e.g. if we have a 1%
error rate in our sample (ignoring anomalies), the auditor may project a
misstatement level of 1% plus anomalous misstatement (if any is found) as the
auditor’s best estimate of misstatement in the population.

4. Evaluate the results


To do this the auditor must first have decided upon the level of:
- tolerable rate of deviation (for tests of control) – the maximum rate of
deviation from prescribed internal control procedures that the auditor would
accept in the population; or
- tolerable misstatement (for substantive tests of detail) – the maximum
misstatement that the auditor would accept in the population expressed as
a monetary amount.


5. Finally, the auditor needs to consider the impact on other audit work or the
audit opinion.

Broadly speaking, the auditor will need to decide if the level of error is material.
The auditor may need to: do more work; make recommendations to management;
require an adjustment to the final accounts; or qualify their opinion.

5.4.6 The role of IT in audit sampling


Computer-assisted audit techniques (CAATs) are the ‘applications of auditing
procedures using the computer as an audit tool’ (ISSAI 1003) and a number of
these can be used in sample selection and testing.

Data retrieval: Data retrieval involves using software to extract or manipulate
data. This is usually followed by a more detailed examination of either the data
extracted or the results of the manipulation.

Data retrieval is often used for:


▪ Sampling – this could be representative sampling using random numbers or
statistical techniques e.g. monetary unit sampling is often carried out using IT
rather than manually; or selective sampling e.g. all items over a given size.
▪ Stratifying data – this could be used for taking a stratified sample or for
producing a listing such as aged trade receivables.
▪ Data matching – this is a common fraud detection technique where data from
two different systems are compared e.g. the National Fraud Initiative compared
different sets of data, such as payroll or benefit records, against other records
held by the same or another organization to highlight potentially fraudulent
claims and payments.
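Data matching as described in the last bullet, shown as an added Python example that is not part of the original notes. The three extracts are constructed sample data, and the field and function names are hypothetical. The matches are leads for follow-up, not conclusions.

```python
from datetime import date

# Constructed extracts from three separate systems.
HR_LEAVERS = [
    {"employee_id": "E102", "leaving_date": date(2023, 6, 30)},
    {"employee_id": "E207", "leaving_date": date(2023, 9, 15)},
]
PAYROLL_PAYMENTS = [
    {"employee_id": "E101", "pay_date": date(2023, 7, 28), "net_pay": 2100.00,
     "bank_account": "12-34-56 00012345"},
    {"employee_id": " e102", "pay_date": date(2023, 6, 28), "net_pay": 1950.00,
     "bank_account": "20-00-01 55500011"},
    {"employee_id": "E102", "pay_date": date(2023, 7, 28), "net_pay": 1950.00,
     "bank_account": "20-00-01 55500011"},
    {"employee_id": "E207", "pay_date": date(2023, 10, 27), "net_pay": 2400.00,
     "bank_account": "30-11-22 77788899"},
    {"employee_id": "E305", "pay_date": date(2023, 10, 27), "net_pay": 1800.00,
     "bank_account": "40-40-40 11122233"},
]
SUPPLIER_MASTER = [
    {"supplier_id": "S900", "bank_account": "404040 11122233"},
    {"supplier_id": "S901", "bank_account": "99-99-99 00000001"},
]


def norm_id(value):
    """Systems often differ in case and padding; compare on a normalised key."""
    return value.strip().upper()


def norm_account(value):
    """Drop separators so '40-40-40 111' and '404040 111' compare equal."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def payments_after_leaving(payments, leavers):
    """Payroll payments dated after the HR leaving date for the same employee."""
    left = {norm_id(r["employee_id"]): r["leaving_date"] for r in leavers}
    hits = []
    for p in payments:
        emp = norm_id(p["employee_id"])
        if emp in left and p["pay_date"] > left[emp]:
            hits.append((emp, p["pay_date"], p["net_pay"]))
    return hits


def shared_bank_accounts(payments, suppliers):
    """Employee/supplier pairs that are paid into the same bank account."""
    by_account = {}
    for s in suppliers:
        key = norm_account(s["bank_account"])
        by_account.setdefault(key, set()).add(s["supplier_id"])
    hits = set()
    for p in payments:
        for supplier_id in by_account.get(norm_account(p["bank_account"]), ()):
            hits.add((norm_id(p["employee_id"]), supplier_id))
    return sorted(hits)


if __name__ == "__main__":
    # The input extracts are only read, never modified.
    for emp, paid_on, amount in payments_after_leaving(PAYROLL_PAYMENTS, HR_LEAVERS):
        print(f"{emp} paid {amount:.2f} on {paid_on} after leaving date")
    for emp, supplier in shared_bank_accounts(PAYROLL_PAYMENTS, SUPPLIER_MASTER):
        print(f"{emp} shares a bank account with supplier {supplier}")
```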

Advantages of data retrieval:


▪ It is a non-destructive form of testing i.e. it uses data without changing it.
▪ The output from such a CAAT is audit evidence; if a test discovers faulty data,
you have proved that a weakness has affected the data in the system.
▪ It potentially represents long-term processing; data in the system may have
been there for the whole accounting period under review, and potentially for
much longer (e.g. payroll master file).


The disadvantages include:


▪ It may require specialised audit software and the expertise to use it.
▪ Scope for testing is determined by the data held in the system – this can be a
serious limitation: for example, an auditor will need to carry out additional audit
procedures to gain assurance over the completeness assertion.
▪ Cyclical data files, for example financial ledgers, need to be retained for
interrogation after they have expired.
▪ It does not test every possible condition – only those that have occurred in the
period represented by the file being interrogated.

Embedded audit modules: Embedded audit modules (also known as resident
audit software) require the auditor’s own program code to be embedded into the
software.

There are two types of embedded audit module:


▪ modules ‘switched on’ or activated by the auditors at selected times depending
on the system and flow of data; and
▪ modules activated each time the application program is used.

When in use, an embedded audit module examines transactions as soon as they
have been processed by the system to see if they conform to the selection
criteria, for example, all payments over a given value, and a report is sent to
the auditor.

Advantages of embedded audit modules:


▪ It enables a real time audit check of transactions.
▪ It reduces the intervention an auditor needs to make to obtain useful audit
information from the live system.

Disadvantages of embedded audit modules:


▪ Generally, embedded software can only be inserted at the system’s
development stage, so it may not be possible to use such techniques for
established IT systems.
▪ Software development may be expensive.
▪ In order for it to be effective all items reported need to be followed up with
minimum delay and this can be very disruptive to the audit plan.
▪ There is a danger that the client's systems are disrupted by the audit program.

5.5 Audit testing


5.5.1 Recap
Assertions: As you learnt in chapter 4, ISSAI 2315 identifies three categories of
assertion:
▪ Classes of transactions and events
o Occurrence
o Completeness
o Accuracy
o Cut-off
o Classification

▪ Account balances at the period end


o Existence
o Rights and obligations
o Completeness
o Valuation and allocation

▪ Presentation and disclosure


o Occurrence and rights and obligations
o Completeness
o Classification and understandability
o Accuracy and valuation

In public bodies we should also consider the additional assertion over transactions
and events of regularity.

Audit tests: Auditors are required to obtain sufficient appropriate audit evidence
over these assertions. Audit procedures for obtaining audit evidence are called
tests, and audit tests must therefore relate to one or more assertion.

There are two types of tests:


1. Tests of control: A test of control is ‘an audit procedure designed to evaluate
the operating effectiveness of controls in preventing, or detecting and
correcting, material misstatements at the assertion level’. (ISSAI 2330.4)

2. Substantive tests of detail: A substantive procedure is ‘an audit procedure
designed to detect material misstatements at the assertion level’. (Ibid)

Tests of detail are tests of ‘classes of transactions, account balances and
disclosures’. (Ibid)

Substantive analytical procedures: Analytical procedures can be defined
as ‘evaluations of financial information through analysis of plausible
relationships among both financial and non-financial data’. (ISSAI 2330.4)

5.5.2 Designing audit tests


In this section, we will look at designing tests of control and substantive
procedures. A competent auditor needs to be able to develop a testing programme
that is relevant and proportionate to the control environment being tested, and
the size of the organization.

This is also a useful exam skill, as the examiner may ask you to suggest tests in
order to demonstrate your understanding of this syllabus area.

Designing tests of control: The critical element in designing tests of internal
control procedures is to establish the outcome desired, the risks to that outcome
being achieved (or not), and identifying what is being done to manage that risk.

Tests of control are used by external audit to gain some assurance that
transactions are well managed and are likely to be accurate. No direct evidence is
gained regarding the outputs as the controls could be sound and error still occur.

Tests of control are used by internal audit more as an end in themselves – to seek
assurance about the system of internal control. Internal auditors are concerned
with assessing the controls themselves in order to assist management in meeting
their objectives.

When you are asked to design tests of control you should follow these basic rules:
▪ Remember that it is the control that you are testing – the aim is to discover
whether the control has operated, not whether the output is correct.


▪ Be specific about what the auditors would actually do – it may help to use the
wording from ISSAI 1500 e.g. ‘inspect’, ‘observe’, or ‘reperform’. Words such
as ‘check’ or ‘test’ are too vague.
▪ Do not phrase your tests as questions – this almost inevitably makes them too
vague.

Exercise 5.4: You are auditing a purchase ledger/creditors system and have
identified the following controls:
1. Prior to payment, purchase invoices are checked for accuracy and authorized
by an appropriate officer
2. Regular reconciliations are performed between the creditors system and the
general ledger and any discrepancies are investigated
3. Prior to payment, invoices are matched to purchase orders and goods received
notes
4. Automated controls within the system which identify and reject duplicate
invoices on input
5. Creditors system is closed at the year-end with arrangements in place for
accrual of invoices received after 31 March but relating to goods and services
received in the previous financial year. These arrangements are documented in
the procedures manual.

Requirements: Design an appropriate audit test for each of these controls.

Designing substantive tests of detail: Substantive tests of detail are primarily
used by external audit to test outputs and account balances. External auditors are
required to give an opinion on a specific set of accounts, and therefore require
direct evidence that balances and transactions are materially accurate.

Substantive tests of detail are sometimes used by internal audit, as errors in the
end result can confirm concerns about the control environment.

When you are asked to design substantive tests of detail in an examination, you
should follow these basic rules:
▪ Remember that it is the output that you are testing – what matters is the end
result, not necessarily how it was arrived at.


▪ Be specific about what the auditors would actually do – it may help to use the
wording from ISSAI 1500 e.g. ‘inspect’, ‘observe’, or ‘recalculate’. State what
you are testing and the source of any documentation you are checking.
▪ Do not phrase your tests as questions – as above this almost inevitably makes
them too vague.

Exercise 5.5: You are auditing the trade payables balance in the financial
statements. For each of the following assertions design an appropriate substantive
procedure:
1. Existence
2. Rights and obligations
3. Completeness
4. Valuation and allocation

Designing substantive analytical procedures: Unlike tests of control or
substantive tests of detail, it is hard to be prescriptive about the rules for designing
substantive analytical procedures as it depends on the data sets.

The key is to be specific about the two pieces of independent information you are
comparing and what you might expect to see. You should examine the
relationships between different pieces of information and use this analysis to
predict what the figure in the accounts or system will be. You should also seek
appropriate explanations when the actual figure is not what is expected.

5.5.3 Substantive analytical procedures


When can they be used? Analytical procedures may be used as a substantive
test.

Substantive analytical procedures are generally applicable to large volumes of
transactions that tend to be predictable over time. The application of analytical
procedures is based on the expectation that relationships among the data exist,
and will continue to exist unless other known conditions are present. Some
assurance can be taken where analysis of data gives the expected trends or
relationships over time.

The auditor is most likely to use analytical procedures where:
▪ the client is well-established;
▪ activities are well-known and stable;
▪ predictive information is readily available; and
▪ accounting and internal control systems are effective.

ISSAI requirements: ISSAI 2520 (ISA 520 - Analytical procedures) states that
where analytical procedures ‘identify fluctuations or relationships that are
inconsistent with other relevant information or that differ from expected values by
a significant amount, the auditor shall investigate such differences by:
a. Inquiring of management and obtaining appropriate audit evidence relevant to
management’s responses; and
b. Performing other audit procedures as necessary in the circumstances’. (ISSAI
2520.7)

Reasonableness tests: The most common substantive analytical procedures are
reasonableness tests.
These tests provide an independent check on the total value of a population, and
are most useful for income and expenditure accounts. Such ‘proofs in total’ may
reduce the need for further substantive procedures (i.e. tests of detail).

The steps are as follows:


1. Calculate the expected value of a population. Base data must be independent
of the population being tested (or otherwise confirmed to be materially correct).
2. Compare with the recorded value.
3. Check whether the difference is significant.

Reasonableness tests: A simple example of this is as follows, where property
plant and equipment are depreciated on a three-year straight line basis:
1. Determine acceptable variance, e.g. 5% or £1,000.
2. Calculate the expected value of depreciation:
o Take the cost brought forward, add any additions, and subtract any
disposals in-year.
o Divide this value by three to give the expected value.
3. Compare this expected value to the value disclosed in the financial statements.
4. The difference should not be above the acceptable variance.


Another example might relate to income generated in the year through the sale of
tickets:
1. Determine the acceptable variance, e.g. 3% of total.
2. Obtain data from the ticket office on the number of tickets sold each month,
by type, and the price of each ticket.
3. Multiply the number of tickets sold by the price of the ticket, to give an income
amount for each month. Add all the monthly totals together to produce the
expected total value of sales for the year.
4. Compare this expected value of ticket sales to the value disclosed in the
financial statements.
5. Investigate any variance above the acceptable level.

Exercise 5.6: Now that you understand how substantive analytical procedures
can be used as a substantive procedure, can you give some further examples?

Exercise 5.7: You are auditing a local charity.

Requirements:
What audit testing might be performed in each of these cases?
Remember the different techniques available if you are trying to establish:
▪ The strength of controls in a system (test of controls) and
▪ The accuracy of a figure/balance in a set of accounts (substantive procedures).

Case 1: You have been asked to check that all the non-current assets (mostly
vehicles) on the statement of financial position:
▪ actually exist; and
▪ have been valued accurately, including depreciation charges.

Case 2: You have been asked to check that the integrated ledger/creditors
system:
▪ is only accessible to appropriate people; and
▪ will flag up exceptionally large cheque payments.

Case 3: You have been asked to check that, with regard to the trade receivables
(debtors) balance in the accounts:
▪ the balance is made up of real debtors (i.e. there is a real debt due);

▪ each debtor on the list provided by the client is correctly valued; and
▪ the balance takes account of the level of doubtful debts.

Case 4: You have been asked to check that donation income from long-term
corporate donors who pay a fixed amount to become members of their ‘Donor
Plus’ scheme has been fully and accurately recorded.

Case 5: You have been asked to check that the monthly reconciliation of income
to bankings has been correctly performed.

Case 6: You have been asked to check that the year-end accounting adjustments,
put through by the charity accountant have proper supporting evidence.

5.6 Using the work of internal auditors

5.6.1 Introduction
The relevant ISSAI here is ISSAI 2610 (ISA 610 - Using the work of internal
auditors).

ISSAI 2610 makes it clear that the ‘external auditor has sole responsibility for the
audit opinion expressed, and that responsibility is not reduced by the external
auditor’s use of the work of the internal audit function on the engagement’. (ISSAI
2610.4)

ISSAI 2610 sets out the requirements which must be met to enable external audit
to place reliance on the work of internal audit.
5.6.2 Determining whether and to what extent to use the work of the
internal auditors
Firstly, external audit must determine ‘whether the work of the internal auditors is
likely to be adequate for the purposes of the audit’ (ISSAI 2610.8). In order to do
this ISSAI 2610.9 sets out four criteria which must be evaluated:
1. The objectivity of the internal audit function
This will include considering matters such as: the status of the internal audit
function within the organization, reporting lines, freedom from any operating
responsibility, any restrictions on activity and management action on
recommendations made.

2. The technical competence of the internal auditors
This can be assessed by reviewing the qualifications and experience of the audit
team and on-going training arrangements.

3. Whether the work of the internal auditors is likely to be carried out
with due professional care
To assess this the planning, documenting, supervision and review of internal
audit work should be considered. This could include consideration of internal
audit manuals, work programmes and working papers.

4. Whether there is likely to be effective communication between the
internal auditors and the external auditor
Communication will be most effective where internal audit are free to
communicate openly with external audit. This may include regular meetings
between internal and external audit, access to internal audit reports and being
kept informed of any significant matters affecting the work of either the
external or internal auditors.

If the result of this overall review is that the work of internal auditors is likely to
be adequate for the purposes of the audit, then further work is required before
external audit can place reliance on a specific piece of internal audit work.

5.6.3 Using specific work of the internal auditors


Secondly when external audit is considering placing reliance on specific work
performed by the internal auditors, they must evaluate whether:
a. ‘The work was performed by internal auditors having adequate technical
training and proficiency;
b. The work was properly reviewed, supervised and documented;
c. Adequate audit evidence has been obtained to enable the internal auditors to
draw reasonable conclusions;
d. Conclusions reached are appropriate in the circumstances and any reports
prepared by the internal auditors are consistent with the results of the work
performed; and
e. Any exceptions or unusual matters disclosed by the internal auditors are
properly resolved’. (ISSAI 2610.12)


Only if the results of this evaluation are satisfactory can the external auditor place
reliance on the specific piece of work carried out by internal audit.

Exercise 5.8: What are the benefits of external audit being able to place reliance on
the work of internal audit?

Try to think in terms of the benefits to both the auditors and the client.

Exercise 5.9: For each of the following scenarios, explain what (if any) impact
this would have on the external auditor’s ability to place reliance on the work of
internal audit. Your answer should include reference to the requirements of ISSAI
1610.

Note: Each of the scenarios should be considered independently.

Determining whether and to what extent to use the work of internal
auditors
1. During a conversation with the Chief Executive he reveals to you (the external
audit manager) that internal audit were not permitted to examine the new
payroll system that was introduced during the year as ‘Our staff are far too
busy doing proper work to spend time answering their questions – I honestly
don’t understand why we have internal auditors and I have told my managers
to ignore any recommendations as they are much better placed to know what
needs to be done than internal audit!’.
2. You are the new external audit manager to a local hospital and you set up a
meeting with the Head of Internal Audit. In this meeting he confides in you that
due to recent budget cuts both the former internal audit managers were made
redundant and two further experienced members of staff have taken early
retirement. As a result of this, there is now only one other qualified member of
internal audit and the remainder of the team are trainees. There are no plans
to replace any of the members of staff who have left at this time.
3. The Head of Internal Audit at your client has recently been replaced and you
have a meeting with their replacement where she informs you that ‘I know that
you held regular meetings with my predecessor but to be quite frank I have
never found such meetings to be very useful and I am far too busy to spare
the time for tea and biscuits! I will of course contact you should anything
significant arise.’

Using specific work of the internal auditors


1. You have obtained a copy of the internal audit file for a recent audit of the non-
current assets system. The work was carried out by a junior member of the
internal audit function. Whilst reviewing the file you find no evidence that it has
been reviewed by anyone within internal audit.
2. You are hoping to place reliance on a recent piece of internal audit work on the
payroll system. Whilst reviewing the file you note that their testing identified
that nine out of 10 leavers tested had not been removed from the payroll
system. The overall opinion given in the payroll system report was ‘substantial
assurance’ meaning that ‘there is a sound system of internal control designed
to achieve the system objectives and provide reasonable assurance that the
processes covered are reliable’ and no recommendations were made.
3. You are reviewing internal audit’s work on the trade payables system. You note
that of the 50 invoices selected for testing only 30 were actually obtained. No
additional sampling was done. The auditors found no errors within the 30 tested
and gave the overall opinion of ‘substantive assurance’.


5.7 Additional relevant ISSAIs


5.7.1 Introduction
In addition to the ISSAI requirements already outlined in this chapter there are a
number of other ISSAI that are relevant when obtaining audit evidence.

5.7.2 ISSAI 2540 (Auditing accounting estimates, including fair value accounting estimates, and related disclosures)
Many balances or transactions in a set of financial statements will be accounting
estimates as the matter being presented to the users of the financial statements
is inherently judgmental. Examples include: an estimate of how much money an
organization might be able to recover from an investment in a failed bank; or the
likely amount of a fine by a regulator when a case is still on-going.

Just as accountants can only present an estimate about the future based on the
best current information available (such as expert advice, statistical analysis and
precedents in similar circumstances), an auditor can only test whether the estimate
is reasonable and defensible in the circumstances. The ISSAI which addresses this
is ISSAI 2540 (ISA 540 - Auditing accounting estimates, including fair value
accounting estimates, and related disclosures).

The ISSAI firstly requires the auditor to assess the risk of material misstatement
due to estimation uncertainty and then determine an appropriate audit response
to such risks.

In the following exercise we will consider what responses might be appropriate to
address such inherent uncertainty:

Exercise 5.10: Imagine you are auditing an organization which has a large
number of credit accounts receivable. Some of them are likely to default on
payment, while others may only make partial payment. No-one knows for certain
who will default in the future or the total value of any future defaults. Accordingly,
the organization makes an estimate.

Suggest methods by which you could test the reasonableness of such an estimate.

5.7.3 ISSAI 2560 (Subsequent events)


Financial statements may be affected by certain events that occur after the date
of the financial statements. In the language of the ISSAI, these are ‘subsequent
events’.

Subsequent events can require adjustment or disclosure within the financial
statements, to ensure that the statements do not mislead the user.

ISSAI 2560 states that ‘the auditor shall perform audit procedures designed to
obtain sufficient appropriate audit evidence that all events occurring between the
date of the financial statements and the date of the auditor’s report that require
adjustment of, or disclosure in, the financial statements have been identified’.
These procedures will include:
▪ review of any procedure at the organization to identify subsequent events that
may affect the financial statements;
▪ the auditors making enquiries with management and those charged with
governance on whether any events had occurred between the end of the
financial accounting period and the audit date;
▪ reading of minutes of meetings after the end of the financial accounting period
to identify any significant events; and
▪ reviewing the latest management accounting reports if any have been produced
since the end of the financial accounting period.

5.7.4 ISSAI 2570 (Going concern)


It is usual for financial statements to be prepared on a going concern basis. This
means that the organization is considered to be able to continue in business for
the foreseeable future.

As with all audit evidence, auditors are required to obtain sufficient appropriate
audit evidence regarding the appropriateness of management’s use of the going
concern assumption in preparing the financial statements and consider the
implications of this evidence for the auditor’s report.

5.8 Audit documentation


5.8.1 The purpose of audit documentation
The quality of audit documentation is almost as important as the quality of the
evidence that is documented. At all stages of the audit, judgements and
assumptions are being made, decisions are being taken as to what work is (and is
not) required, and evidence is being evaluated. Proper documentation of this
process is vital to clarify what is being done and why.

Additionally, audit work must be documented at all stages of the audit so that the
reviewer can follow the logical flow from strategic audit planning through to
assignment completion and reporting. This provides assurance that conclusions
are soundly based.

Audit documentation should:


▪ help control the audit;
▪ facilitate quality review;
▪ prove findings;
▪ provide evidence in the case of a dispute;
▪ improve efficiency by standardisation; and
▪ meet the professional requirements of ISSAI 2230.

ISSAI 2230 (Audit documentation)


ISSAI 2230 states that ‘the auditor shall prepare audit documentation that is
sufficient to enable an experienced auditor, having no previous connection with
the audit, to understand:
a. The nature, timing and extent of the audit procedures performed…
b. The results of the audit procedures performed, and the audit evidence
obtained; and
c. Significant matters arising during the audit, the conclusions reached thereon,
and significant professional judgments made in reaching those conclusions’.
(ISSAI 2230.8)

These requirements are interpreted differently in different organizations. Some
organizations will maintain only enough information for a qualified auditor to
re-perform the tests, whilst other organizations keep everything that is physically
able to be photocopied or scanned.

Exercise 5.11
Requirements:
a. A government department leases office accommodation. It pays rent and
discloses the sums paid in its financial statements.
i. Define the applicable financial statement assertions with regard to this class
of transaction; and
ii. Design a substantive test for each of those assertions.

b. For the trade payables figure in the statement of financial position of a major
government department:
i. Define the applicable financial statement assertions with regard to this
account balance; and
ii. Design a substantive test for each of those assertions.

Exercise 5.12
Requirements:
For the audit of a payroll system identify:
i. Six possible control objectives.
ii. One possible control to address each identified control objective.
iii. One possible test for each identified control.

Exercise 5.13: You are supervising the audit of the Ordnance Survey (OS), which
is the National Mapping Authority. Your team is currently reviewing the OS’s
purchases system in preparation for interim audit, and you have just received a
written summary of the OS’s systems, as follows:

‘On receipt of an invoice by the head office accounts team, the invoice is matched
to and filed with the relevant Goods Received Note (GRN), using the purchase
order number marked on the invoice. The purchases ledger clerk enters invoices
onto the system in batches. A batch control sheet is used, which details the number
of invoices and the total value to be entered. Each invoice is stamped as "recorded"
once the details have been entered onto the system. The purchase ledger manager
inspects the file of invoices monthly to ensure that all invoices have been recorded.

Suppliers are required to submit monthly supplier statements, which are reconciled
to the supplier’s ledger account by the purchases ledger manager. The purchase
ledger is reconciled to the purchase ledger control account on a monthly basis.
The list of payments is sent to the accountant by the purchase ledger manager,
who agrees the details of each payment to the relevant invoice and signs each
invoice to authorize payment. If any individual payment is for more than £10 000
or total payments are for more than £100 000, a second signatory is required.
Payments are made by the cashier's office by bank transfer on a weekly basis.
Invoices are stamped as "paid", and returned to the purchases ledger team who
record the payment and file the invoices (separately from invoices not yet paid).
The purchase ledger manager checks GRNs on a monthly basis to ensure that
invoices have been received and paid on a timely basis.’

Requirements:
a. Describe five techniques that can be used for substantive tests of detail, and
provide a practical example for each one.
b. Identify five internal controls that the OS operates in its purchases system as
described above, and for each control describe an audit test that you could
perform to establish if the control is operating effectively.

Exercise 5.14: You are conducting the audit of a depot which acquires and stores
small-scale capital items for the Ministry of Defense. From your discussions with
the management accountant, you establish that:

A capital expenditure budget is prepared annually. Local staff can authorize capital
expenditure up to £10 000, as long as it is within their budget. Managers’ approval
is required for amounts above the £10 000 threshold. Capital expenditure proposal
forms are required to be completed but this is not always done, particularly when
items are required in an emergency, and there is no formal policy in respect of
obtaining quotes for major items of expenditure. There is a property, plant and
equipment register which is reconciled to the nominal ledger on a monthly basis.
No other checking procedures involving the non-current asset register are
undertaken.

Requirements:
a. Identify three substantive audit procedures that you might carry out on these
assets, and explain the reason for each procedure.
b. Identify five tests of internal control that you might carry out on the system

Quiz Q # 5.1: In order to assess the sufficiency of audit evidence the auditor
should consider:
i. Persuasiveness
ii. Risk
iii. Materiality
iv. Relevance

A. (ii) and (iii)
B. (i) and (iii)
C. (i), (ii) and (iii)
D. All of them

Quiz Q # 5.2: Which of the following is the least reliable form of evidence?
A. The auditor reperforms the bank reconciliation
B. The auditor observes the bank reconciliation procedure
C. The bank statement
D. The bank reconciliation performed by the client

Quiz Q # 5.3: Which of the following is NOT a technique that could be used to
test controls?
A. Analytical procedures
B. Observation
C. Inquiry
D. Inspection

Quiz Q # 5.4: Which method of audit sampling involves the auditor selecting the
sample without following a structured technique in an attempt to ensure that all
items in the population have a chance of selection?
A. Random
B. Haphazard
C. Systematic
D. Block

Quiz Q # 5.5: Which of the following statements relating to external
confirmations is TRUE?
A. Positive confirmation requests are requests that the confirming party responds
only if they agree with the information in the request.
B. Negative confirmation requests are requests that the confirming party responds
only if they disagree with the information in the request.
C. Positive confirmations provide less persuasive audit evidence than negative
confirmations.
D. Both forms of confirmation provide equally persuasive audit evidence.

CHAPTER 6 – FORMING AND REPORTING THE AUDIT OPINION

Syllabus aim
▪ Discuss the use of audit evidence and apply audit evidence to form an audit
opinion.
▪ Discuss the preparation of working papers to document audit finalization
procedures performed.

Learning outcomes and content


▪ Identify and discuss the issues that an auditor would consider when assessing
control weaknesses or whether unadjusted misstatements are material,
individually or in aggregate:
o The size and nature of misstatements
o Communications with management and those charged with governance
o Protocols relating to the correction of errors or addressing control
weaknesses

▪ Identify audit finalization procedures:
o Final analytical procedures
o Subsequent events review
o Going concern review

▪ Identify the requirements for the audit close-down process and discuss audit
reporting
o Overall review of audit evidence
o Communication within the audit function
o Audit opinion on the financial statements
o Reporting to stakeholders on identified weaknesses in internal controls

6.1 Forming and reporting the audit opinion


As we have seen in earlier chapters, the purpose of the extensive audit procedures
described is to allow the auditor to give an opinion on the truth and fairness of a
set of financial statements, based upon sufficient, appropriate evidence.

In this chapter we will look at the procedures the auditor would undertake when
forming their audit opinion and the ways in which auditors report the results of
their work.

6.2 Finalizing the audit including communication and forming the audit opinion

6.2.1 Analytical procedures
You should recall that:
▪ Analytical procedures are mandatory when carrying out risk assessment
procedures (Chapter 4).
▪ Analytical procedures are applicable, but not mandatory, as a substantive
test (Chapter 5).

ISSAI 2520 (ISA 520 - Analytical procedures) states that further analytical
procedures are mandatory near the end of the audit.

This may sound like a repetition of the analytical procedures carried out at earlier
stages of the audit, but it should be borne in mind that the further analytical
procedures required by ISSAI 2520 near the end of an audit are more ‘top-down’
and look more at the overall soundness and coherence of the financial statements.

6.2.2 Review of subsequent events


ISSAI 2560 refers specifically to events that occur after the period being audited,
but before formal issue of the auditor’s opinion or the publication of the financial
statements. The impact on the audit work was referred to in Chapter 5. Here, we
consider the impact on the reporting.

The auditor’s response can depend on the timing of the event coming to the
attention of the auditor:

Between the date of the financial statements and the auditor’s report:
The auditor must consider the implications of such events and the way in which
the audited body (if necessary) amends its financial statements, when forming the
audit opinion.
After the auditor’s report but before the financial statements are issued:
The range of possible actions in different circumstances is particularly complex and
may depend on the law but can include the following:
▪ Issuing a new audit opinion.
▪ Modifying the audit opinion.
▪ ‘Dual dating’ with a further opinion on the financial statements being restricted
to any late amendments.
▪ The auditor taking steps to prevent assurance being taken from their audit
opinion.

After the financial statements have been issued:
▪ If management issue revised statements then the auditor can issue a new audit
opinion.
▪ If the auditor is not satisfied that the organization is taking steps to inform
those who have received the financial statements and/or making any required
amendments known to them, then the auditor should take steps to prevent
assurance being taken from their audit opinion.

6.2.3 Going concern review


In Chapter 5 we determined that the audit must always be undertaken as if the
entity is a going concern, unless there is reason to think otherwise. ISSAI 2570
(ISA 570 – Going concern) provides the procedures required to determine whether
the organization meets the assumption criteria of a going concern.

ISSAI 2570 also includes procedures for reporting where there is significant
material uncertainty about the ability of the organization to continue as a going
concern.

The auditor is required to:
▪ Add an emphasis of matter paragraph to the audit report, per ISSAI 2706 (ISA
706 – Emphasis of matter paragraphs and other matter paragraphs in the
independent auditor’s report), if this uncertainty is adequately presented and
disclosed.
▪ Give a qualified or adverse opinion, per ISSAI 2705 (ISA 705 – Modifications to
the opinion in the independent auditor’s report), if such an uncertainty is not
adequately presented and disclosed.

Similarly, an adverse opinion should be given when the financial statements are
presented on a going concern basis and, in the auditor’s opinion, it is not
appropriate to do so.

6.2.4 Evaluating misstatements


At the outset of an audit the auditor will have determined audit materiality. You
should recall from Chapter 3 that:
▪ ‘Misstatements, including omissions, are considered to be material if,
individually or in the aggregate, they could reasonably be expected to influence
the economic decisions of users taken on the basis of the financial statements’.
ISSAI 2200.6 (ISA 200 – Overall objectives of the independent auditor and the
conduct of an audit in accordance with international standards on auditing)
▪ A misstatement can be judged to be material due to its size or nature; and
▪ Misstatements can occur as a result of either fraud or error.

As the auditor obtains sufficient appropriate audit evidence it is likely that they will
come across some misstatements, though many of these may be trivial. The
treatment of such misstatements is largely addressed by ISSAI 2450 (ISA 450 -
Evaluation of misstatements identified during the audit).

The ISSAI states that such misstatements should firstly be accumulated (ISSAI
145.5).

This is important because, as we saw in Chapter 3 when considering ‘performance
materiality’, misstatements that are not individually material might become so
when aggregated; each misstatement cannot be considered in isolation.

6.2.5 Communication and correction of misstatements (management)


The ISSAI also requires, where this is allowed by law, the auditor to:
▪ ‘Communicate on a timely basis all misstatements accumulated during the audit
with the appropriate level of management’ (ISSAI 2450.8); and
▪ ‘Request management to correct those misstatements’. (Ibid)

It is clearly preferable to allow the audited body an opportunity to correct its
financial statements than for the statements to be published, complete with easily
corrected errors and a qualified audit opinion attached.

However, it is important to note that:
▪ It is not the responsibility of the auditor to correct the financial statements
themselves.
▪ Nor can they compel the audited body to correct their own financial statements.
The auditor’s authority is to report on the financial statements, not to compel
their correction.
▪ There may be circumstances where management may be unable to correct
misstatements, perhaps due to a lack of adequate accurate accounting
information, even when they are quite willing to do so.

Where management agree to correct misstatements, ‘the auditor shall perform
additional audit procedures to determine whether misstatements remain’. (ISSAI
2450.7)
Where management refuse to correct some or all misstatements, the auditor is
required to:
▪ ‘Obtain an understanding of management’s reasons for not making the
corrections’. (ISSAI 2450.9)
▪ ‘Take that understanding into account when evaluating whether the financial
statements as a whole are free from material misstatement’. (Ibid)
▪ ‘Request a written representation from management… whether they believe
the effects of uncorrected misstatements are immaterial, individually and in
aggregate, to the financial statements as a whole’. (ISSAI 2450.14)

If management respond with a written representation, this can be included in the
final reporting. This effectively gives management an opportunity to present their
reasons for presenting the financial statements the way they have. For example,
they may have interpreted accounting standards or their own accounting policies
in a different way.

The auditor may choose to accept the views of management but the opinion they
are obliged to give is of course their own opinion, based on audit evidence and
their own professional judgement. Audit objectivity and independence are clearly
of crucial importance when such matters of judgement are contested by
management.

6.2.6 Communication and correction of uncorrected misstatements (those charged with governance)
ISSAI 2450 goes on to prescribe the steps that should be taken when considering
uncorrected misstatements. The auditor is required to:
▪ ‘Reassess materiality determined… to confirm whether it remains appropriate
in the context of the entity’s actual financial results’. (ISSAI 1450.10) and
▪ ‘Determine whether uncorrected misstatements are material, individually or in
aggregate’. (ISSAI 1450.11)

The auditor is then required to undertake a communication process with those
charged with governance, similar to that detailed above relating to management.
The auditor is required:
▪ Where permitted to do so in law, to ‘communicate... the effect that they,
individually or in aggregate, may have on the opinion in the auditor’s report’.
(ISSAI 1450.12)
▪ To ‘request that uncorrected misstatements be corrected’. (Ibid)
▪ Where appropriate to ‘request a written representation from… those charged
with governance whether they believe the effects of uncorrected misstatements
are immaterial, individually and in aggregate, to the financial statements as a
whole’.

Any written representation received from management can be included in final
reporting to effectively allow those charged with governance to consider whether
they are content to allow misstatements that have not been corrected by
management to remain uncorrected, with the knowledge that any uncorrected
misstatements considered material by the auditor are very likely to result in a
modified audit opinion.

6.2.7 Approach to inconsistent evidence


ISSAI 2500 (ISA 500 - Audit evidence) requires the auditor to obtain sufficient
appropriate audit evidence to be able to draw reasonable conclusions on which to
base the auditor’s opinion. (ISSAI 2500.4)

The auditor performing the audit will obtain evidence from a range of sources and
for a range of purposes. They will analyze the various types of evidence for
consistency and use the evidence to form an opinion.

ISSAI 2500 states that if ‘audit evidence obtained from one source is inconsistent
with that obtained from another… the auditor shall determine what modifications
or additions to audit procedures are necessary to resolve the matter, and shall
consider the effect of the matter, if any, on other aspects of the audit’. (ISSAI
2500.11)

In practical terms, this is likely to mean conducting further procedures to
understand both:
1. The evidence that is to be relied upon: Clearly if one of two inconsistent
results is corroborated by additional evidence then that result becomes more
persuasive. You should also recall from Chapter 5 that different sources of audit
evidence are seen as differing in their inherent reliability, for example,
information generated independently of an audit client is seen as more reliable
than information generated by the client.

2. The wider implications of any inconsistency: An unreliable source of
evidence might indicate a range of issues, from internal control issues in a key
financial system to, in the case of representations from management, the
possibility that the auditor has been deliberately misled.

ISSAI 2230 (ISA 230 - Audit Documentation) also requires that ‘If the auditor has
identified information that contradicts or is inconsistent with the auditor’s final
conclusion regarding a significant matter, the auditor should document how the
auditor addressed the contradiction or inconsistency in forming the final
conclusion’. (ISSAI 2230.18)

6.2.8 Overall review of audit evidence


Part of the close-down process for completing the audit will include a supervisory
review of the audit evidence. This forms part of the quality control process referred
to in ISSAI 2220 (ISA 220 – Quality control for an audit of financial statements).

A supervisory review will be performed by a senior member of the audit team. The
review consists of consideration whether, for example:
▪ The work has been performed in accordance with professional standards and
applicable legal and regulatory requirements.
▪ Significant matters have been raised for further consideration.
▪ Appropriate consultations have taken place and the resulting conclusions have
been documented and implemented.
▪ There is a need to revise the nature, timing and extent of work performed.
▪ The work performed supports the conclusions reached and is appropriately
documented.
▪ The evidence obtained is sufficient and appropriate to support the auditor’s
report; and
▪ The objectives of the engagement procedures have been achieved.

6.2.9 Overall review of audit evidence


A formal audit report should only be given to the client when the senior member
of the audit team has completed their review and is satisfied that sufficient
appropriate evidence has been obtained to support the opinion.

It is important that auditors review their work to see what they can learn to help
improve audit procedures in the future. This, the final part of the review process,
is sometimes known as debriefing. It is an opportunity to support good practice
and professional development by:
▪ Identifying what went well, what went less well and lessons learned.
▪ Identifying experiences, knowledge or audit practices which would be of value
to future audits.
▪ Identifying development needs for individuals and the audit function as a
whole.

6.2.10 Forming the audit opinion


ISSAI 2700 (ISA 700 - Forming an opinion and reporting on financial statements)
requires the auditor to form and communicate a clear opinion on the financial
statements, based on the audit evidence obtained.

Specifically, when considering the financial statements, the ISSAI (ISSAI
2700.10-12) requires the auditor to consider whether:
▪ The financial statements are prepared, in all material respects, in accordance
with the applicable financial reporting framework.
▪ The financial statements are free from material misstatement, whether due to
fraud or error.
▪ Sufficient appropriate audit evidence has been obtained.
▪ Uncorrected misstatements are material, individually or in aggregate.

If the first three conditions have been met and any uncorrected misstatements are
judged to not be material then this enables an unmodified audit opinion to be
given.

6.3 The auditor’s report


6.3.1 Form and content of the auditor’s report
The auditor’s report on the financial statements must provide a clear expression
of opinion and this is based on the conclusions drawn from the audit evidence
gathered.

The form and content of the auditor’s report is set out by ISSAI 2700.

ISSAI 2700 specifies that the auditor’s report must contain the following (ISSAI
1700.21-42):
▪ Title
▪ Addressee (who the report is addressed to)
▪ Introductory paragraph (largely concerned with the scope of the audit – the
entity and statements audited etc.)
▪ Management’s responsibilities for the financial statements
▪ Auditor’s responsibility
▪ Auditor’s opinion
▪ Other reporting responsibilities
▪ Signature of the auditor
▪ Date of the auditor’s report
▪ Auditor’s address

Note: the actual format of the opinion is likely to be affected by national law and
regulation on financial reporting.

Arguably the most important section is the auditor’s opinion on the financial
statements and we will now look in some detail at the different forms this may
take.

6.3.2 Forms of the audit opinion


The two essential forms of an auditor’s opinion are either:
▪ Unmodified or
▪ Modified

6.3.3 Unmodified audit opinion


An unmodified opinion is effectively a ‘clean’ audit opinion and is given when the
requirements set out in 6.2.9 have been met.

Presentation: The auditor’s opinion is presented as ‘the financial statements
give a true and fair view’.

6.3.4 Modified audit opinions


ISSAI 2705 (ISA 705 - Modifications to the opinion in the independent auditor’s
report) describes the ways in which an audit opinion may be modified.

A modified opinion means that the auditor cannot affirm that the accounts are true
and fair. This can be on one of two bases:
▪ The auditor concludes that, based on the audit evidence obtained, the
financial statements as a whole are not free from material misstatement; or
▪ The auditor is unable to obtain sufficient appropriate audit evidence to
conclude that the financial statements as a whole are free from material
misstatement.

All financial statements will contain errors and omissions. Whether or not an
unmodified opinion may be given will depend on the auditor’s assessment of the
severity, or materiality, of those errors and omissions.

The auditor will come to a conclusion as to whether the errors and omissions they
have found are:
▪ Material or
▪ Material and pervasive

Material: As we have seen already, ‘misstatements, including omissions, are
considered to be material if, individually or in the aggregate, they could reasonably
be expected to influence the economic decisions of users taken on the basis of the
financial statements’. (ISSAI 2320.2)

Pervasive: Pervasive effects on the financial statements are those that, in the
auditor’s judgment:
▪ Are not confined to specific elements, accounts or items of the financial
statements; or
▪ Are confined to specific elements, accounts or items of the financial statements,
but represent or could represent a substantial proportion of the financial
statements; or
▪ In relation to disclosures, are fundamental to users’ understanding of the
financial statements.

Categories of modified opinion: Modified audit opinions can be categorised in
one of four ways:
▪ Qualified – on the basis of misstatement
▪ Qualified – on the basis of an inability to obtain sufficient appropriate audit
evidence
▪ Adverse
▪ Disclaimer

Qualified Opinion – misstatement: This is given when the auditor concludes
that the financial statements are materially misstated.
They might conclude that the level of monetary error in a balance was material or
that the body had failed to apply an accounting standard correctly, resulting in a
misstatement.
The auditors should describe their concerns and also attempt to quantify the
impact the error or omission has had on the accounts if it is practical to do so.

Their opinion would be phrased as ‘Except for the effects of the matter(s)
described in the Basis for Qualified Opinion paragraph, the financial
statements give a true and fair view’. (This indicative wording is abridged
from the illustrative modified auditor’s reports attached as an Appendix to ISSAI
2705)

Qualified opinion – Inability to obtain sufficient appropriate audit
evidence: This is given where the auditor is unable to obtain sufficient appropriate
audit evidence on which to base the opinion, but the auditor concludes that the
possible effects on the financial statements of undetected misstatements, if any,
could be material but not pervasive.

If the audited body has no evidence to support a disclosure in the financial
statements and there are no alternative audit procedures which could be used to
substantiate it, then the auditor is unable to express an unmodified opinion.

The auditor is not saying that the amount is materially misstated but is saying
that they cannot express an opinion as to whether or not it is.

The auditor would explain the circumstances of the limitation on the scope of their
audit in the basis of their opinion.

As with misstatement, the auditor should describe their concerns and also attempt
to quantify the impact the error or omission has had on the accounts, if it is
practical to do so, though clearly a lack of audit evidence may mean that it is not.

The opinion would be phrased as ‘Except for the effects of the matter(s)
described in the Basis for Qualified Opinion paragraph, the financial
statements give a true and fair view’. (Ibid)

Adverse opinion: An adverse auditor’s opinion is given when the auditor
concludes that misstatements, individually or in the aggregate, ‘are both material
and pervasive to the financial statements’. (Ibid)

Once again the auditor is required to explain their concerns and to attempt to
quantify, if possible, the effect it has had on the accounts.

An adverse opinion would be phrased ‘Because of the significance of the
matter(s) discussed in the Basis for Adverse Opinion paragraph, the
financial statements do not give a true and fair view’. (Ibid)

Disclaimer opinion: The auditor shall disclaim an opinion when unable to obtain
sufficient appropriate audit evidence on which to base the opinion and concludes
that the possible effects on the financial statements of undetected misstatements,
if any, could be both material and pervasive.

A disclaimer opinion would be phrased ‘Because of the significance of the
matter(s) described in the Basis for Disclaimer of Opinion paragraph, we
have not been able to obtain sufficient appropriate audit evidence to
provide a basis for an audit opinion. Accordingly, we do not express an
opinion on the financial statements’. (Ibid)

The options available to the auditor when giving a modified audit opinion are
summarized below:

| | Financial statements are materially misstated | Inability to obtain sufficient, appropriate audit evidence |
|---|---|---|
| Material but not pervasive | Qualified opinion | Qualified opinion |
| Material and pervasive | Adverse opinion | Disclaimer |

6.3.5 Emphasis of matter


Occasionally auditors will identify an aspect of the financial statements which is
adequately measured and disclosed but which they feel is so fundamental to a
proper understanding of the financial statements that users should have their
attention drawn to it.

In these circumstances ISSAI 2706 requires the auditor to include an emphasis of
matter paragraph in their report.

This does not qualify the auditor’s opinion in this respect and an emphasis of
matter paragraph would specifically refer to the fact that the auditor’s opinion is
not qualified. An example of a situation that might give rise to an emphasis of
matter could include an uncertainty relating to the future outcome of exceptional
litigation or regulatory action.

Exercise 6.1: What type of opinion do you think an auditor would give on a set
of financial statements in the following circumstances? For the purposes of this
exercise, assume that in each case the audit is being conducted within an ISSAI
framework:

1. A municipality providing social housing has failed to apply accounting standards
correctly in that it has made provisions for cost overruns in respect of a building
scheme which will commence in the next financial year.
2. As a result of a fire which destroyed much of the paper records a Government
Agency has been unable to provide evidence to support their end of year
financial statements.
3. A public hospital has failed to include certain year end accruals in its Income
and Expenditure statement resulting in an overstatement of their surplus of £35
000. The audit plan shows that monetary materiality was set at £500 000 at
the planning stage.
4. A municipality has made severance payments to ex-employees in excess of the
amounts authorized under the statutory redundancy scheme. The auditors are
aware of at least £45 000 which has been overpaid but there may be more.
The total expenditure of the municipality is £200m per annum.
5. A college has failed to apply a recently issued financial reporting standard.
Furthermore, it has not kept sufficient records to support any figures that would
be required to comply with the standard.

Note that these are public sector examples, so the regularity of the financial
statements is an important consideration.

6.4 Other communications


Deficiencies in internal control: ISSAI 2265 (ISA 265 - Communicating
deficiencies in internal control to those charged with governance and
management) requires the auditor to communicate:
▪ With those charged with governance regarding any ‘significant deficiencies’ in
internal control along with an explanation of the possible effects of such
deficiencies (ISSAI 2265.9 & 11); and
▪ With management regarding both ‘significant deficiencies’ and any ‘other
deficiencies’ in internal controls, where the auditor feels that they are of
sufficient importance to warrant management’s attention (ISSAI 2265.10).

In some ways this may seem very close to the role of internal audit which was
introduced in Chapter 1 and which you will study in greater depth in Chapter 7. It
is important to remember that, unlike an internal auditor, an auditor of financial
statements:
▪ has a responsibility to give an opinion on financial statements;
▪ only examines internal control in the pursuit of that goal; and
▪ thus only examines internal controls that are considered relevant to the audit.

Highlighting weaknesses in internal control can thus be seen as a fortuitous
‘by-product’ of an audit of financial statements; it is certainly not a purpose or
objective of such an audit.

It is also notable that ISSAI 2265 does not require the auditor to recommend
improvements in internal control, whereas internal auditors are normally expected
to contribute to enhanced organizational performance by making
recommendations.

Exercise 6.2: This question covers some of the material in this chapter whilst also
helping you revise some of Chapter 3.

Requirement:
a. Define materiality and describe, using examples, two ways in which external
auditors will consider their judgement of materiality.
b. Explain the meaning of the term ‘pervasive’.
c. Describe the circumstances in which an unmodified audit opinion is given.
d. Describe the four circumstances in which modified audit opinions are issued
and state the presentation of each type of modified opinion.

Exercise 6.3: This is a fairly challenging question which covers some of the
material in this chapter whilst also helping you revise a number of earlier chapters.

You are the audit manager responsible for the audit of a municipality authority in
a large city. Much of the audit will relate to car parking, which is a significant
source of cash income. The audit team leader has asked you to brief the audit team
carefully on the risks that might be associated with such an audit. She is
particularly concerned about the associated fraud risks.
The audit team leader feels that analytical procedures at the planning stage of the
audit will be critical to evaluating such risks and that your staff need to be fully
aware of the implications if fraud were suspected or identified in the course of the
audit. You decide to prepare notes ahead of your next team meeting.

Requirements:
a. Identify and explain inherent risks that are associated with cash-handling, other
than money laundering.
b. Explain the role that analytical procedures play in an audit risk-assessment
process.
c. Detail an example analytical procedure that could be used to assess the risk
that fraud may be a high risk within the parking department. You should explain
how the results of the analytical procedure could be interpreted.
d. Describe the implications for the audit opinion if the effect of any identified
fraud were:
i. Material
ii. Material and pervasive
e. Explain the responsibilities of an auditor of financial statements, with regards
to detecting any fraud present at an audit client.


Quiz Q # 6.1: On reviewing audit evidence obtained an auditor discovers errors
and omissions which they consider could reasonably be expected to influence the
economic decisions of users taken on the basis of the financial statements and
which are confined to specific elements, accounts or items of the financial
statements.

Which of the following statements best describes these errors and omissions?
A. Neither material nor pervasive
B. Material but not pervasive
C. Pervasive but not material
D. Material and pervasive

Quiz Q # 6.2: Which of the following is NOT a correct auditor response to
management’s refusal to correct misstatements?
A. The auditor should obtain an understanding of management’s reasons for not
making the corrections.
B. Request a written representation from management as to whether they believe
the misstatements to be immaterial to the financial statements as a whole.
C. Request that a note informing users of the potential misstatement is inserted
into the financial statements.
D. Evaluate whether the financial statements as a whole are free from material
misstatement.

Quiz Q # 6.3: Which of the following statements about the use of analytical
procedures in external audit is TRUE?
A. Analytical procedures must be used as part of risk assessment procedures, as
a substantive procedure and near the end of the audit.
B. Analytical procedures must be used as part of risk assessment, but their use as
a substantive procedure and near the end of the audit is optional.
C. Analytical procedures must be used as part of risk assessment and as a
substantive procedure but their use near the end of the audit is optional.
D. Analytical procedures must be used as part of risk assessment and near the
end of the audit, but their use as a substantive procedure is optional.


Quiz Q # 6.4: The client has requested that the external auditors do not confirm
accounts receivable (a material balance) with customers because of concerns
about increasing conflicts with customers over amounts owed. The auditors used
alternative audit procedures and were satisfied that they were not materially
misstated. No other issues were identified. The audit opinion is most likely to be:
A. Qualified due to an inability to obtain sufficient appropriate audit evidence
B. Disclaimer
C. Adverse
D. Unmodified

Quiz Q # 6.5: Which of the following statements about financial statements
misstatements is TRUE?
A. The auditors cannot provide an audit opinion unless all misstatements are
corrected.
B. It is the responsibility of the auditors to ensure that the financial statements
are free from misstatement.
C. Once management have corrected any misstatements, the auditor’s work is
complete.
D. The auditors cannot compel management to correct the financial statements.


CHAPTER 7 – INTERNAL AUDITING

Syllabus aim
▪ Identify and explain the scope, regulatory and ethical environment within which
audits are performed.
▪ Explain the role of internal audit and describe the performance of internal audit
tasks.

Learning outcomes and content


▪ Explain the provisions relating to audits within current public services and
private sector legislation
o General requirements relating to the provision of internal and external audit
services

▪ Explain the scope of internal and external audits:
o Basic tenets and concepts of internal and external audit work
o Power and authority available to internal and external auditors

▪ Explain the corporate governance requirements and their impact on audit work:
o Contribution of internal and external auditors to corporate governance, in
particular through their relationship with the Audit Committee.

▪ Explain the scope and contribution of internal audit work to an organization:
o Scope of internal audit activity within the public services and the private
sector
o Role of internal audit as a contributor to the management of an organization
o Organization of internal audit function; outsourcing options
o The impact of regulatory and professional frameworks, including on the
conduct of internal audit
o Application of ethical principles to internal audit work
o Public Sector Internal Audit Standards
o Independence and objectivity
o Internal audit planning and Internal audit reports

▪ Demonstrate internal audit techniques used in the review of internal control
and explain the contribution of specialist internal audit engagements:
o Internal audit of internal control
o Contract audit
o Fraud investigation
o Performance audit


7.1 Internal auditing


The previous chapters have focused on the work of auditors of financial
statements. This chapter will consider the work of internal auditors, beginning with
the frameworks that internal auditors must comply with. We will then go on to
consider in detail the work of internal audit.

7.2 Recap
7.2.1 Key points
Internal audit was introduced in earlier chapters. To recap on some of the key
points from these chapters:
▪ Internal audit is defined by the Chartered Institute of Internal Auditors (IIA) as
‘an independent, objective assurance and consulting activity designed to add
value and improve an organization’s operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control and
governance processes’ (Public Sector Internal Audit Standards (2013)).
Although the Institute’s name changed when it was granted a Royal Charter in
2010, it continues to use the acronym IIA.
▪ Internal audit contributes to the improved management of an organization
through both:
o assurance – advising on how well internal systems and processes are
working; and
o consultancy – advising on how to improve such systems and processes
where necessary.

7.3 Internal audit frameworks


7.3.1 Law, regulation and the requirement for internal audit
Internal audit is typically either a statutory or regulatory requirement for public or
not-for-profit sectors. It is often a condition of grant funding in some other sectors,
making it a de facto requirement. You should familiarize yourself with the legal
and regulatory framework in your own country.


7.3.2 Standards in internal audit


ISSAIs: It would be untrue to think that ISSAIs have no application to internal
auditors. Although there is normally no requirement to do so, many of the ISSAIs
can be directly translated into an internal audit context.
▪ For instance, if internal auditors are conducting a sample as part of their
investigation then they might benefit from considering the requirements of
ISSAI 2530 (ISA 530 - Audit sampling).
▪ However, other ISSAIs will have little or no application to the day-to-day work
of internal auditors, for example ISSAI 2700 (ISA 700 - The auditor’s report on
financial statements). Internal auditors do not provide such reports and so
much of this standard is irrelevant to them.

Institute of Internal Auditors: The IIA is a membership-based professional
body for internal audit practitioners across all sectors. They issue their own
International Standards for the Professional Practice of Internal Auditing, which
are binding on their own membership.

CIPFA Statement of Professional Practice (SOPP) on Auditing: This SOPP,
approved by the CIPFA Council in 2002, sets out the professional responsibilities
and obligations of individual members who are responsible for carrying out either
internal or external audits, wherever they may work.

CIPFA members in either internal or external audit positions are required to comply
with the SOPP and failure to do so may be regarded as grounds for disciplinary
action.

Public Sector Internal Audit Standards (PSIAS): The PSIAS were issued by
CIPFA on 1 April 2013 and are applicable to all internal audit service providers,
whether in-house, shared services or outsourced, in the majority of the public
sector in the UK.

These standards were devised from the IIA standards but aligned to consider the
circumstances of internal audit in the public sector. These standards were
developed for the UK and as such are only applicable there; however, it is possible
to use these standards to underpin the work of internal audit in the public sector
elsewhere.

Specific standards: Some organizations or sectors may apply their own
standards and these may be required by law or regulation. For example, there
might be standards specific to government ministries in one country, though these
are often based on generic standards such as those issued by the IIA. You should
familiarize yourself with any such standards that apply to your own organization.

7.3.3 Ethics, independence and objectivity


Many of the underlying principles of good practice are the same as for the audit
of financial statements. It should be noted that the Code of Ethics issued by
INTOSAI (ISSAI 30) which you studied earlier, in Chapter 2, does not directly apply
to internal audit; it is specifically intended to apply to external auditors.
The sources of ethical guidance would stem from:
▪ Membership, by the individual internal auditor, of a professional body.
For example, CIPFA members would be bound by the CIPFA Statements of
Professional Practice (SOPP) relating to Auditing (2002) and Ethics (2011). The
IIA is not an IFAC member but its own members would be bound by its own
Code of Ethics.
▪ Operating within a particular sector of the public services, governed
by sector-specific guidance. For example, the PSIAS includes a Code of
Ethics in Section 4, which provides guidance to internal auditors regarding their
conduct.

Many of the underlying principles are much the same. Internal auditors should act
diligently, professionally and with integrity at all times. An internal auditor should
protect his or her actual and perceived objectivity and independence as an auditor,
taking steps to avoid or remove any actual or perceived conflicts of interest.

Exercise 7.1: Do you think it would be easier or harder for internal auditors to
protect their independence and objectivity than external audit?

Make a note of your overall conclusion and the reasons why you reached it.

You should read the suggested answer in the solutions pack before continuing.

The issues you are likely to have identified in Exercise 7.1 are recognized and
addressed by the CIPFA SOPP on Audit:

‘Where internal audit is part of the audited body and so not carried out by an
external agency, members acting as internal auditors should display an
independent and objective attitude of mind, as they cannot be financially and
operationally independent of the audited body. However, organizational
arrangements should ensure that independence of internal auditors is not
compromised. Internal auditors should be independent from the activities they
audit’. (CIPFA SOPP on Auditing 2002, Paragraph 15)

The focus on displaying an ‘independent and objective frame of mind’ stresses
again the importance to all auditors of audit scepticism.

As individuals, internal auditors must have an impartial, unbiased attitude and
avoid any conflict of interest.

The requirement for internal auditors to be independent from the activities they
audit tends to imply two common principles:
▪ Internal audit should not assume or carry out any executive functions within
the audited body; and
▪ Given the likely scope for internal recruitment, no-one should audit a function
they had an executive role in for a given period.

It is also best practice for internal audit to have:
▪ The same unrestricted access to the records, assets and personnel as external
auditors.
▪ The ability to determine their own priorities, in consultation with management.
▪ Personnel with an objective attitude of mind.

The focus on organizational arrangements is also important. Whether it is achieved
through the support of an empowering and independent audit committee or
through management arrangements, it is vital that internal audit has its
independence and objectivity protected and its powers of investigation and review
fully supported.

7.3.4 Internal audit and corporate governance


You may wish to refer back to Chapter 2 to review its content relating to corporate
governance in general and the audit committee in particular. The relationship
between internal audit and the audit committee is a crucial one for the internal
audit service itself and for the good governance of the organization in general.
Typical features of this relationship would be as follows:
▪ The audit committee would play a critical role in determining the role and scope
of the internal audit service, empowering it to carry out these functions and
protecting its independence within the organization.
▪ Internal audit would normally present an annual audit plan for approval by the
committee. Internal audit would then report to the committee periodically on
progress against the plan.
▪ As noted in Chapter 2, audit committees typically monitor internal control. The
work of internal audit will clearly be of vital importance to the committee in
doing so. Internal audit will report their audit findings, usually on a summarized
basis, to the committee.
▪ As we also noted in Chapter 2, many organizations make governance
disclosures which include a statement on the strength and effectiveness of
internal control. Again, the findings of internal audit, communicated through
the audit committee, would clearly be a key consideration when preparing such
a statement.

7.3.5 The planning framework


Before reading this section, you may wish to review Chapters 3 and 4, with
particular focus on the way in which external auditors assess risk and plan an audit
of financial statements. When comparing the way in which external and internal
auditors plan, it is important to consider their very different aims:
▪ An external auditor plans to be able to conduct a single, annual audit to ISSAI
standards, gathering sufficient appropriate audit evidence to allow an opinion
on the truth and fairness of the organization’s financial statements.
▪ The internal auditor plans to be able to conduct several audit assignments that
allow them to maximize the assurance they can offer to the organization on its
internal control and other functions, make recommendations for improvement
and form an annual assurance opinion to report to the board (or other
appropriate committee) as part of the governance framework.

To an extent then, external audit planning is output-driven and internal audit is
input-driven.

In other words, the external auditor must achieve a single goal and plan and
deploy resources to do so professionally and effectively.

The internal auditor typically has a given budget or fee and, within that resource
constraint, seeks to maximize the benefit that the internal audit service can provide
in a way that is consistent with the goals of the organization.

Internal audit planning is thus typically based on prioritization and a risk-based
plan. This risk-based plan would then provide a basis for three further types of
internal audit plans:
▪ A long-term or strategic plan (3-5 years): This would set out the long-term
role of internal audit in supporting good governance, risk management and
internal control in the organization. It would often set out a risk-based approach
to cyclical audits. For example, critical areas could be audited annually while
lower-risk systems could be audited on a rolling three-year cycle.
▪ The annual plan: Setting out the audit engagements to be conducted in the
coming year – often the financial year of the organization. This would typically
include both staff plans and resource budgets.
▪ The plans for individual audits: Containing the audit aims, procedures
planned, timings and the staff allocated to that engagement.

7.3.6 Internal audit reporting


In Chapter 6 we considered the way in which auditors of financial statements
report their findings. The arrangements for internal auditors’ reporting are, again,
less clearly prescribed than those for external auditors and are largely at the
discretion of the audit client, though this section sets out some of the key
considerations.

When undertaking audit engagements and producing reports, it is key that the
internal auditor remembers that internal audit is a management support tool and
its purpose is to help the organization to accomplish its objectives through a
systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control and governance processes.

To whom should internal auditors report? This is an important consideration
as:
▪ The choice of reporting line or lines may have a significant impact on the
independent status of audit.
▪ It may also have an impact on the seriousness with which audit findings are
taken and the authority with which they are supported within the organization.
▪ There may be significant variations in expertise with regards to finance, audit
and specific functions or services within the organization.
▪ There may also be significant variations in terms of the time and attention that
various parties can be expected to give to internal audit, given their other
duties.

Exercise 7.2: With these considerations, consider the pros and cons of reporting
to each of the following:
▪ The operational manager whose service has been audited
▪ The Chief Executive
▪ The Finance Director
▪ An audit committee

How should internal audit report? Internal auditors normally issue a written
report. Its contents are a matter to be agreed between auditor and audit client but
they typically include:
▪ An introduction and background, setting out the aims and scope of the audit
▪ The audit approach adopted and detailed findings
▪ Overall conclusions and an opinion or assurance rating
▪ Recommendations in the form of an action plan where comments or responses
from the client can be recorded

The audit report is clearly the key output of an internal audit service and its
greatest single opportunity to add value to a client. Its content and presentation
should be very carefully considered, particularly when making recommendations.
Effective recommendations should be constructive, proportionate and practical.
Auditors should bear in mind that internal control comes at a cost and any
recommendation must offer a clear net benefit to the audit client, rather than
being ‘controls for the sake of controls’.

It is also regarded as best practice to discuss findings and proposed
recommendations with service managers at the end of fieldwork or at least before
a final report is issued.

This allows the auditor to:
▪ Reduce the risk of error in the audit report.
▪ Tap into the expertise of service managers, who may be able to propose
possible improvements that might not be apparent to the auditor.
▪ Identify and, if possible, address any concerns the service managers might have
regarding any draft conclusions or recommendations, before they are finalized
and reported formally.

However, although it is best practice to work constructively and cooperatively with
service managers, the auditor must maintain their independence at all times. If
necessary, they must insist on reporting findings and making recommendations
even if they are likely to be unwelcome.

7.3.7 Organization of the internal audit function


Internal audit services can be delivered in a number of ways using different service
models.

An internal function of the organization


▪ Staffed by their own employees.
▪ The internal audit team may be part of the finance team, the central services
team or some other corporate service.
▪ Usually forms part of the back-office with only internal clients who work for the
same organization.

Outsourced, for example, to a private profit-making firm


▪ This is where all functions of the internal audit team are delivered by a
commercial provider of internal audit services, often an accountancy firm.
Internal Audit would be provided under a service contract with the audit staff
being employed by the provider.

A consortium arrangement or a similar ‘shared services’ arrangement


▪ This is popular where a number of smaller organizations are each unable to
support a viable, effective internal audit service on their own.
▪ There are various models, but most operate with a ‘host’ public sector
organization as the employer, with services being provided to the partners
under service level agreements for an agreed daily rate or annual contribution.
▪ All the employees are paid by the host organization and governed by their
employment terms and conditions.

There are also examples of some combination of the above, for example having a
core team of ‘generalist’ audit professionals employed by the organization (or ‘host’
organization in a shared service) but hiring external specialists for a period when
these are required. This is sometimes referred to as ‘right-sourcing’.

Exercise 7.3: Identify the advantages and disadvantages that each option might
bring for the client organization.

7.4 Internal audit and internal controls


7.4.1 Comparison with the work of external auditors
Perhaps the most prominent role for internal audit is the audit of internal control.
The fundamental techniques for evaluating internal control, identified in Chapter
5, are largely applicable here.

There are, however, key differences between the work of internal auditors and
external auditors.
▪ Firstly, the reasons why external auditors and internal auditors would review
internal control are quite different.

The external auditor has a duty to give an opinion on the financial statements.
In most cases they have no obligation to review internal control and do so
simply as a means to an end as it is often an efficient and effective means of
forming an opinion on the financial statements. For the internal auditor, on the
other hand, the review of internal control is an end in itself as they will normally
have been appointed for the purpose of providing assurance to the client
regarding, among other things, the strength of internal control.

▪ Secondly, the scope of internal audit will normally be much broader.

This is linked to the first point; the external auditor will normally only be
interested in an organization’s internal control to the extent to which it has a
bearing on the material accuracy of the financial statements. The internal
auditor, as a service to the organization itself, would potentially be interested
in all of its control activities, including but not limited to those which might have
a material impact on the financial statements of the organization.

Many of this wider class of control activities would have little or no direct impact
on the financial statements but still be of considerable interest to management.

One example would be the controls over the accuracy and completeness of a
key marketing database, which may be critical to the competitive strategy of
the organization but have no direct impact on financial administration.

Other control activities might have an impact on the financial statements that
is small enough to be considered immaterial by the external audit but which
would still be of considerable concern to the management of the organization,
who wish to see the organization run as well as possible.

For example, weak controls that might leave the organization vulnerable to
petty expense frauds might never be examined in detail by external audit (the
effects of control failure are likely to be immaterial) but in all likelihood the
organization’s management would want to be aware of such a threat.

7.4.2 Control objectives and audit testing


In Chapter 5 we considered the design and evaluation of internal controls that
would be of greatest concern to the external auditor, due to their potential impact
on the financial statements. We will now consider a wider range of control
objectives and controls that would be of interest to the management of the
organization and thus their internal auditors, even if they would not necessarily
have a material impact on the financial statements.

A suggested, though not necessarily exhaustive, list of wider control objectives is
shown on the following pages.

▪ The first eight objectives (up to ‘regularity’) are critical to the material accuracy
of financial data and financial statements.
Such objectives would thus be of interest to the audited organization, the
internal auditor and the auditor of financial statements. Indeed you should note
the similarity to the financial statement assertions set out in ISSAI 2315.
▪ The remaining objectives have limited bearing on the material accuracy of the
financial statements.
They would thus be of limited direct interest to auditors of financial statements,
though a general impression of poor control would of course affect their overall
risk assessment.

They would be of more interest to the audited organization and the internal
auditor, who have an interest in general sound administration which is not
limited to the production of materially accurate financial statements.

| Control objective | Description |
|---|---|
| Completeness | All transactions, events, assets, liabilities and equity interests that should have been recorded have been recorded |
| Accuracy/valuation | Recorded transactions, events, assets, liabilities and equity interests have been recorded appropriately and at the correct value |
| Classification/allocation | Transactions, events, assets, liabilities and equity interests are classified and allocated correctly |
| Cut-off | Transactions and events have been recorded in the correct accounting period |
| Existence | Assets, liabilities and equity interests exist |
| Rights and obligations | The entity holds or controls the rights to assets, and liabilities are the obligation of the entity |
| Validity | Only valid payments are made e.g. no payments to ‘false’ creditors/employees |
| Regularity | Transactions are “intra vires” – within legal powers and spent in accordance with intended purpose. Applicable in public services. |
| Substantiation | All transactions can be substantiated by reference to the records of the organization |
| Timeliness | Prompt recording and processing of data |
| Security | The assets (physical or intangible e.g. electronic data) of the organization are secure |
| Propriety | Transactions are right and proper as well as reasonable. Conform to ethical/appropriate standards. Particularly important in public services |
| Authority | Internal rules/regulations and policies are followed |
| Value for Money | Resources are obtained or applied in ways that secure economy, efficiency and effectiveness |

In the exam you could be asked, from the perspective of internal audit, to:
▪ Define control objectives with specific reference to a given activity of the
organization.
   o Control objectives are an important benchmark by which the auditor can
     appraise and evaluate the design of a control.
▪ Suggest controls which would help in achieving such objectives.
   o Internal audit would typically make recommendations for improvements in
     internal control.
▪ Suggest tests of control which could be applied.
   o Internal auditors conduct tests of control to test the consistent operation of
     management’s intended controls.

The following exercises will help you practice such techniques and approaches.

Exercise 7.4
a. In the table below, develop detailed systems control objectives for a system for
paying and recording salaries of employees at a public hospital. You should aim
to have at least one detailed objective for each of the general objectives
discussed above.

b. Next, for each control objective, design an internal control that would ensure
the objective is achieved. Controls can be either manual controls or
computer-based controls.

Note: Some controls may help to achieve more than one objective.

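| | Detail objective | Control |
|---|---|---|
| Completeness | | |
| Accuracy/valuation | | |
| Classification/allocation | | |
| Cut-off | | |
| Existence | | |
| Rights and obligations | | |
| Validity | | |
| Regularity | | |
| Substantiation | | |
| Timeliness | | |
| Security | | |
| Propriety | | |
| Authority | | |
| Value for money | | |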

Exercise 7.5: Before you start Exercise 7.5 you should review the suggested
answer for Exercise 7.4.

In the table overleaf, you have been presented with five detailed objectives, each
with a suggested control, drawn from the suggested answer.

You are required, for each of these, to propose a relevant test of control and a
relevant substantive procedure.

You should refer back to Chapter 5 if you are unsure of these terms or how to
design such tests. Bear in mind that:

▪ Tests of control test only the operation of a control procedure. They are not
concerned with testing the ‘end result’. You should thus focus on testing the
control described.
▪ Substantive procedures only test the ‘end result’. They are not concerned
with testing the operation of related controls. You may find it helpful to consider
how the auditor could gain direct evidence of the achievement of a control
objective.

| Control objective | Control |
|---|---|
| All salary payments and adjustments are recorded (Completeness) | Reconciliations between the number of payments recorded on the ledger and the bank payment system |
| Substantive procedure: | Test of control: |
| All liabilities recorded at the year-end apply to the hospital and no other organization (Rights and obligations) | A sample of the liabilities is reviewed by the payroll manager to confirm they relate to the hospital |
| Substantive procedure: | Test of control: |
| The hospital can provide evidential support for all salary and other payments over the last 6 years (Substantiation) | Data from the payroll system is backed up to a remote server |
| Substantive procedure: | Test of control: |
| Payments are only made for work which is consistent with the legal authority of the hospital (Regularity) | All non-salary payments are reported to the Chief Executive on a quarterly basis |
| Substantive procedure: | Test of control: |
| Salary costs are kept to the reasonable minimum (Value for Money) | Chief accountant monitors budgeted vs actual staff costs for each clinical department |
| Substantive procedure: | Test of control: |

7.5 Performance audits


7.5.1 Introduction
Performance audits, sometimes referred to as value for money (VFM) reviews, are
concerned with the audit of economy, efficiency and effectiveness. Performance
audits can be undertaken by internal audit in both the public and private sector
and also by external audit in the public sector.

7.5.2 Economy
Acquiring resources of appropriate quality and quantity at the lowest cost.

Economy is sometimes described as being the measure of inputs. These inputs
may be in the form of goods (e.g. printing materials, medicines, computers or
vehicles) or services (e.g. staff time).

Note that already issues of quality are introduced into our definitions. If one light
bulb costs twice as much as another but lasts three times as long it is still more
economical in the long run even though the unit price is higher.

The quantity of inputs you acquire is also an issue. It is not just the purchase price
of an item that makes up its cost. Bulk buying may bring you a discount but if that
is eaten up by the costs of storing all the extra materials you have purchased it
may not be more economical. For example, the biggest cost of EU agricultural
intervention buying is not the cost of the butter or beef or milk – it is the cost of
storing it. This is why it is sometimes ‘better’ to simply dump the excess of
intervention stocks.

7.5.3 Efficiency
‘Maximizing the useful output from the resources used, or minimising the level of
work in producing a given level of output’.

This can also be thought of as the relationship between the level of inputs to and
the level of outputs from a system or process.

There are two ways of looking at efficiency:

▪ Maximizing the outputs from a given level of inputs – e.g. with finite staffing,
accommodation, IT facilities etc. a local authority would seek to process as
many planning applications as possible in as short a time as possible.
▪ Minimizing the inputs needed to produce a given level of outputs – e.g. if you
have 10,000 m² of office space to clean you want to do it using the least amount
of cleaners’ time, equipment and cleaning materials.

7.5.4 Effectiveness
The extent to which objectives are achieved.

Effectiveness is about what is achieved as a result of the process. It is about the
relationship between the outputs and the outcomes of the system.

7.5.5 Equity
In addition to these three ‘E’s, a fourth ‘E’, equity, is applied in some places:

The extent to which services are available to and reach all people that are intended
to

Exercise 7.6: Whether conducted by state external auditors or by internal
auditors, performance audits are seen as being more relevant to and important in
the public sector.
Why do you think this is the case?

7.6 Contract audits


7.6.1 Common characteristics of contracts subject to audit
In legal terms, quite informal arrangements may constitute a contract. A legal
contract will arise from many ordinary work activities such as ordering sundry
purchases, contracts of employment, letting properties to tenants, and similar
activities.

Auditors encounter such contracts during routine audit work but they are not all
the subject of a separate, specialist contract audit.

However, there are common characteristics that are likely to bring certain
contracts to the attention of auditors:
▪ There is a legal contract document: Such a formal document is drawn up,
usually by the audit client, and signed on behalf of the contractor who will do
the work or provide the service.
▪ Contract is material to the organization’s operations: It is common for
organizations’ standing orders or financial regulations to specify the level of
expenditure at which formal contracts are required. Contracts of a low value or
infrequent nature, such as sundry purchases, are unlikely to be reviewed as
part of an individual contract audit as described in this section.
▪ Contracts involving capital expenditure: The typical example would be capital
works contracts for building of roads, a new hospital or a leisure centre. These
types of contracts frequently take place over a period of time, usually with a
specified start date, duration and possibly dates for interim payments or stages
of completion.
▪ Contracts involving revenue expenditure of a material and ongoing nature:
Such contracts might include front-line services such as refuse collection or
payment of housing benefit, or support services such as internal audit or estates
management.

Contract audit, therefore, is concerned with high-value, long-term, legally
enforceable, written contracts that are usually of a complex nature.

7.6.2 The stages of a contract audit


In the past, internal auditors tended to focus on checking interim and final
payments before they were paid to the contractor. This was seen as unsatisfactory
as it tended to address failings in a major contract after they had already occurred
and it could be seen as compromising audit independence as it arguably made
internal audit part of the internal control framework.
More recently it has been recognised that internal auditors can add value at the
various stages of contract arrangements.

There are five main stages in the contract lifecycle:


Stage 1 Pre-tendering: This is where the client will:
▪ define the requirement need/make-or-buy;
▪ develop the specification;
▪ produce the business case.


The audit testing at this stage would examine the processes for carrying out these
activities, how it was done, by whom, whether they had the appropriate skills, and
whether the specification was likely to generate appropriate tenders.

Stage 2 Tendering: This is where the client will undertake:
▪ market management;
▪ the procurement process.

The audit testing at this stage would primarily look at compliance with the Public
Sector Procurement Rules (if auditing a public body), and compliance with the
organization’s own procurement policy or strategy. The auditor may also look at
use of existing procurement frameworks and whether appropriate contract award
criteria have been used. The specification of the contract awarded is a key risk. If
the specification does not contain enough detail of what, how and when, then
there is a high risk that the desired outcomes will not be achieved. The way in
which the contract performance will be managed and monitored is also a critical
part of the specification.

Stage 3 Mobilization: This is the transition stage where the client will get ready
for the contract management delivery.

The audit testing at this stage would focus on the risks around handover, health
and safety processes and training of the contractor to ensure service delivery is of
the required standard. The auditor may also look at the plans for contract
management and monitoring once the contract commences.

Stage 4 Contract management: This is the stage where the client undertakes
the regular service performance management activities specified in the contract.

At this stage of a contract, the auditor would be examining the evidence of contract
monitoring meetings and default notices to provide assurance that progress is
being made, targets are being reached and milestones are met. Auditors should
also be concerned with the actions being taken against a contractor if the
performance specification is not being met.

Stage 5 Post-contract management: This is the stage where the contract is
at completion and the client will be concerned with:
▪ claims and dispute resolution;
▪ payments management;
▪ service delivery review;
▪ exit strategy.

The auditor may examine the processes and controls around ensuring that
documentation is complete and that any guarantees or warranties are in place and
enforceable. Cost completion statements may be examined, but should not be the
key focus for the internal auditor. The focus of a post-contract audit review is likely
to be on whether the objectives of the contract have been met, and whether any
lessons learned have been documented and transferred to the appropriate officers
involved in future contracts.

7.7 Fraud investigations


7.7.1 Internal audit and fraud
Before considering fraud investigations we should first consider the general
responsibilities of internal auditors with regards to fraud.

The IIA state that ‘internal auditors must have sufficient knowledge to evaluate
the risk of fraud and the manner in which it is managed by the organization, but
are not expected to have the expertise of a person whose primary responsibility is
detecting and investigating fraud’ (IIA International Standards for the Professional
Practice of Internal Auditing 1210.A2, January 2013).

This differs from common perceptions. The specific responsibilities of internal
auditors will be laid down by the client organization, though the overall
responsibility for managing fraud risk lies with the client management.

However, it is common for internal audit to assist management in their
responsibilities in the following ways:
▪ Always having regard to the possibility of malpractice.
▪ Seeking to identify internal control weaknesses that may hinder the prevention
or detection of fraud.

▪ Investigating fraud where empowered to do so.

7.7.2 Fraud investigations


Fraud investigations are audit investigations of the utmost sensitivity. They may
lead to criminal proceedings and/or disciplinary activities and the professional duty
of care is at its highest.

The auditor's methods, procedures and professional judgements may come under
very close scrutiny if a case is brought to court.

It is a specialist area and not one that all internal audit services undertake. The
scope and role of internal audit is determined by the audit client and so the client
decides whether to involve internal audit in fraud investigations; some might prefer
to pass suspicions onto the police immediately.

Concerns about a suspected fraud could be brought to the attention of the internal
auditor by various means:
▪ Identified in routine internal audit work
▪ A tip-off given to internal audit: This could be internal (e.g. an employee) or
external (e.g. a member of the public).
▪ Passed on by external audit: E.g. if a concern was identified which did not
appear to be material to financial statements.

The nature and purpose of fraud investigations: When investigating an
allegation, internal audit's objectives are to:
▪ Collect sufficient evidence to prove or disprove suspicion – objectivity and a
focus on evidence are both critical.
▪ Provide evidence admissible for a disciplinary hearing and/or criminal
proceedings.
▪ Minimise possible losses to the organization, where a fraud is suspected to be
on-going.

Audit professionalism is likely to come under close scrutiny so any fraud
investigation requires experienced staff, led by management, with specialist
knowledge and past experience of such work. As with any audit work, careful
planning and high standards in recording and review are required.

Given the nature of the matters under investigation, professional and ethical
standards become of absolutely critical importance and the need for audit
scepticism becomes heightened further – as fraud is deliberately deceptive, great
care needs to be taken not to rush to seemingly obvious conclusions.

Likely investigatory actions:

▪ If it's a ‘tip-off’ the auditor must sceptically consider the reliability of the source,
whether they have any actual evidence and in turn the reliability of such
evidence.

The informant should be asked if they are willing to go 'on the record' and
appear in court if it goes that far.

▪ Internal audit could investigate the prior history of an employee under suspicion
and the area in which they work.

They would consider whether there had been any prior allegations, concerns
or unusual behaviors and whether control weaknesses or irregularities have been
found by past internal audit reviews of the service. They could also consider
other areas of the suspect’s work, the other systems or assets they have access
to and the areas where they have worked in the past.

▪ Carry out a spot cash count if cash fraud is suspected.

This should be supervised with ideally two auditors and two staff being present
as witnesses.

▪ Carry out a ‘guise’ audit - appearing as a customer where cash/receipting fraud
is suspected.

The aim is simply to observe whether the suspect follows proper
cash/receipting procedures or does anything suspicious, such as not giving a
receipt, not putting cash in the till straight away or charging the wrong amount.

The auditor needs to:


o Beware of alerting the suspect. That means trying not to look or act too
obviously like an auditor!
o Beware of ‘entrapment’. The auditor should never do anything that could be
seen to encourage or tempt someone into committing a crime they would
not otherwise have committed. The auditor should just act as a normal
member of the public 'off the street' would behave.

▪ Internal audit would normally seek to ascertain the full extent of the fraud and its
financial value.

This will be important for a number of reasons, such as correcting accounting
records, emphasizing the true costs of poor internal control and providing
evidence for disciplinary/criminal proceedings. If financial records are
poor/unreliable, some form of estimation might be needed.
▪ Internal audit might recommend that management suspend a suspect,
although they should have no power to do so themselves.
▪ Consider with management whether police should be involved, prior to
interviewing.

If there is compelling evidence or auditors have concerns about their skills to
conduct a sensitive, complex enquiry they may prefer to pass the matter
straight to the police at this stage.

Interviewing in suspected fraud cases: Evidence to date may be suggestive
of guilt but an interview allows the suspect to explain their actions, which may be
misunderstood, entirely innocent or just down to a genuine error which is, of
course, not fraudulent.

There will be legal requirements for evidence to be admissible and you should
familiarise yourself with the requirements that apply in your own country.

The presence of a second auditor is essential to record the interview and act as a
witness. The presence of a ‘friend’ of the suspect is strongly encouraged, again to
act as a witness and possibly to advise the suspect.

Concluding suspected fraud cases: At the end of any fraud investigation the
auditor should:
▪ Make recommendations to the client about improvements to internal control,
to help prevent reoccurrences.
▪ Advise the client to correct their accounting records as far as is possible.
▪ Liaise with the external auditor about any effects on present and past financial
statements. The external auditor would also want to know how prevalent fraud
was as this will, to an extent, inform their audit risk assessment.

Exercise 7.7: You are an internal auditor with a large public hospital. You are
currently engaged in reviewing the audit papers of an inexperienced colleague who
has recently undertaken an audit of petty cash. The petty cash system under audit
is managed by the nursing staff of a convalescent home which houses elderly post-
operative hospital patients. The home itself is a converted dwelling located in a
housing estate some distance from the main hospital site.

Requirements:
a. Discuss the applicability of International Standards of Supreme Audit
Institutions (ISSAI) to the audit conducted by your colleague.
b. Describe FIVE control objectives relevant to a petty cash system, which you
would expect the auditor to have identified.
c. Describe FIVE suitable controls which you would expect the auditor to have
identified with respect to the petty cash system.
d. Describe your responsibilities generally as an internal auditor regarding
fraudulent practices and in planning audit work with a view to detecting fraud.

Exercise 7.8: This exercise covers some of the material in this chapter whilst also
helping you to revise some of Chapter 5.

Requirements:
a. Describe the components of Value for Money (VFM).
b. Suggest the conditions that are necessary to ensure the internal audit function
is effectively independent from the organization it audits.
c. ISSAI 1610 (Using the work of internal auditors) sets out the circumstances
under which external auditors may rely upon the work of internal auditors.

Describe suitable factors which external auditors will take into consideration when
judging their level of reliance on internal audit reports, and briefly explain how
such reliance is likely to benefit the client organization.

Quiz Q # 7.1: Which of the following is NOT considered best practice?
A. A head of internal audit with an executive role.
B. The same unrestricted access to the records, assets and personnel as external
auditors.
C. The ability to determine their own priorities, in consultation with management.
D. Personnel with an objective attitude of mind.

Quiz Q # 7.2: Which of the following is the correct definition of ‘economy’?
A. Ensuring that the output from any activity is achieving the desired result.
B. Maximizing the useful output from the resources input.
C. Acquiring resources of appropriate quality and quantity at the lowest cost.
D. Minimizing the level of inputs needed to produce a given level of output.

Quiz Q # 7.3: Which of the following is NOT an internal audit objective when
investigating a suspected fraud?
A. To collect sufficient evidence to prove or disprove the suspicion of fraud.
B. To provide evidence admissible for a disciplinary hearing and/or criminal
proceedings.
C. To implement appropriate control measures to ensure that similar frauds do
not occur in the future.
D. To minimize possible losses to the organization, where a fraud is suspected to
be on-going.

Quiz Q # 7.4: Which of the following internal audit control objectives is also
critical to external audit’s opinion on the material accuracy of financial data and
financial statements?
A. Existence
B. Timeliness
C. Security
D. Authority

Quiz Q # 7.5: Maintaining independence and objectivity is vital to effective
reporting of internal audit findings. With this objective in mind, place the following
four options for internal audit reporting in order of preference from most to least
preferred.
W. The operational manager whose service has been audited;
X. The Chief Executive of the organization;
Y. The Finance Director of the organization;
Z. The audit committee.

A. W, X, Y, Z
B. Z, Y, X, W
C. Z, X, Y, W
D. X, Z, W, Y
