THE INSTITUTE OF CERTIFIED PUBLIC

ACCOUNTANTS OF PAKISTAN (ICPAP)

Stage Specialization Course Code SP-602 (Solution)

Examination Winter-2012 Course Name Advanced Auditing and Assurance
Time Allowed 03 Hours Maximum Marks 100

NOTES:
1) All questions are to be attempted.
2) Answers are expected to the precise, to the point and well written.
3) Neatness and style will be taken into account in marking the papers.

Question No 1:-

a) Outline the steps for performing the systems audit of ‘preparation of

dividend warrant’ introduced by an organization as part of the programs
for the computerization of company’s secretarial functions.

Regarding the Systems Audit of the Computer Application “Preparation of

Dividend Warrants” the Systems Development Methodology adopted in the
Computer Department would have to be verified for the following reasons:
1. Are the best practices being followed for the development of the
program and whether the Librarian is having records for the various
versions of the program? For example, we need to verify the version
number of the Dividend Warrant preparation program. The purpose of
verifying the version number is to ensure that in a live environment only
the correct latest version of the program is used. Also verifying the
procedures for Change Management will assure us those changes to
programs is made only under the specific authorization of the user
endorsed by appropriate authority within the Computer Department.
2. Verifying the procedures becomes all the more important if Dividend
Warrant processing is given to third parties.
3. The control practices followed by the third party Service Provider should
be verified. Having verified the Management Controls. Environmental
Control and Organizational Controls, the further steps to be followed for
performing the Systems Audit of dividend preparation applications
would be the following.

The steps are involved are:

1. Verify Input Controls
The input will consist of the details of the various shareholders. The
Mater Data would contain the name, address, nominee, or joint
account holding details, as also income-tax status. Before the Dividend
Warrant application program could be run in live environment the
 steps that would be taken would be to ensure all master records have
been corrected, up to and including Share Transfers as approved by
the last Share Transfer Meeting, and also all correspondence received
regarding change of address, income-tax status etc.

2. Providing Parameters
The program needs to be provided with certain parameter details like
percentage of dividend being declared, income-tax to be deducted for
the various types of Shareholders, e.g. Corporate Body, Non-Resident
individuals, individuals.

3. Checking Exemption from Tax Deducted at Source (From 15-H)

In the case of individuals not being liable to tax, whether Form 15-H
has been provided and whether the same has been entered in the
computer correctly. For this purpose, the computer listing of all of the
cases where Form 15-H is purportedly have been provided should be
printed out and this list should be physically verified with a hard
copy of the 15-H forms. This would ensure two things:
- The individuals, who would have had to pay tax, would have tax
deducted.
- Only those who have provided Form 15-H would be enjoying the
privilege of not having the tax deducted.

Verifying the above would ensure the correctness of input regarding:

a) Shareholding:
b) Names and addresses: and
c) Tax status.

The application program/preparation of Dividend Warrants should be

tested for these purposes.
The Systems Auditor should request for the appropriate computer
program to be loaded on a separate computer. He should prepare an
exhaustive Test Pack. The Test Pack will consist of a comprehensive
data so that the logic of the program is extensively checked.
The program would now need to be tested. The computer, which has
got a copy of the program loaded, would need to be utilized for
loading this Test Data. The loading of Test data is done by creating a
file of shareholders as envisaged in the Test Pack. After loading of the
Test Pack, the necessary commands for commencing the processing
should be given (this procedure can easily be picked up by discussing
with the regular users of the Computer). Once the program commences
processing, it would be processing one record at a time, as each of the
records (detail of the shareholders) would need to be verified for its
correctness and completeness. It the first record in the Test Data is
 processed, the computer should come out with an error message to say
“No Shareholding”.
- For the second record, the message should say “minor but no
guardian”.
- The Shareholder has no valid income-tax status.
- The shareholding is negative.
- Control totals do not tally – Control total.

Note: The contents of the error messages would also require to be fed
into the program so that appropriate message as programmed would
be picked up.
If for any reason, the results are not in line with the results as expected
if the program were to function properly, we need to perform the
following steps.
1. Ensure the Test Data has been entered into the Machine correctly.
(This can be done by taking out a print out of the test pack and
compare it with what was envisaged to be fed into the computer).
2. Note down the type of malfunctioning of the computer Program,
for example, if record number 1 is processed without giving an error
message, the program is not testing for nil balance of the shareholder,
i.e. the Master file contains details of Shareholders who have ceased to
be shareholders as they have sold out all their holdings.

At the end of the testing of the program and after evaluating the
results, the Systems Auditor is able to conclude as to what types of
“bugs” are in the program. Bugs, as we know are mistakes in the
program.
The auditor should discuss this with the User Department and then
discuss it with the developers of the program. Till such time as the
program bugs are removed, that version of the program cannot be
used, as it is not bug free. The Systems Auditor is required to prepare
and submit a report based on his findings.

b) “Internal control refers to the design and utilization of all the means
whereby management is enabled most effectively to safeguard the
company’s assets, administrate the current operations and plan for the
future.” In the light of this statement, state the main components and
objectives of an internal control structure in an organization.

Internal control is an important tool of management to achieve organizational

objectives effectively. It does not restrict itself to the accounting functions
only, but extends to the administrative and other function also. With the
effective utilization of internal control structure prevailing in the
organisation, management can most effectively safeguard the company’s
assets, administrate the current operations and plan for the future.
Internal control structure has three major components viz.
 1. Control environment: The collective effect of various on establishing
and enhancing, the effectiveness of specific policies and procedures.
2. Accounting systems: The methods and records established to identify,
assemble, analyse, classify, record, and report an entity’s transactions
and to maintain accountability for the related assets and liabilities.
3. Control Procedures: Policies and procedures that the management has
established to provide reasonable assurance that specific entity
objectives will be achieved.

The following are the main objectives of internal control structure:

1. To ensure the orderly and efficient conduct of business,
2. To ensure that transactions are executed in accordance with
management’s general or specific authorization,
3. To ensure that transactions are promptly and correctly recorded,
in the appropriate accounts and in the accounting period in which
executed, so as to permit preparation of financial information
within a frame work of recognized accounting policies,
4. To ensure that access to assets is permitted only in accordance
with management’s authorization and recorded assets are
compared with the existing assets at reasonable intervals and
appropriate action is taken with regard to any differences,
5. To ensure accountability for assets,
6. To ensure that the policies laid down are adhered to,
7. To ensure a confidence of reliability to the users of information,
8. To ensure timely corrective actions through feedback information,
9. To detect errors and frauds.

(10+10 =20 Marks)

Question No 2:-
a) Write a note on Organisational need for management audit.
b) Distinguish between management audit, financial audit and internal audit.

(10+10 =20 Marks)

Answer:-
a) Organisational Need for management audit
In connection with the control of overall performance, management audits
are becoming increasingly significant. Just as most companies make it a point
to have their accounts audited at least once a year, some of the more
progressive companies have recognised the importance of management
audit. These audits are substantially different from those performed by
Chartered Accountants and are not concerned with the verification of
financial data. They are performed either for the top management or the
stockholders, or for owners. Management audit provides a device for
surveying the management of the enterprises critically and objectively from
 the broadest possible point of view. They start where the balance sheet audit
ends and are concerned with the examination of the organization and the
operations of the enterprise from every aspect. At time, such an audit is
undertaken by the management itself and sometimes outside aid is called
upon.

The growing number of professional managers, the continuing separation of

ownership form management and the wider distribution of stockholders will
sooner or later make a certified management audit mandatory as in the case
of an audit by a Chartered Accountant. A prerequisite to this development is
that generally recognized principles of making the certification have achieved
professional status with necessary professional training and proper
accredition.
Management Audit can be perceived as effective as management services of
consultancy firms because the auditor will become an active adviser by
offering solutions for management problems and help in the lookout for a
successful organizational existence and growth.
b) Distinction between Management Audit, Financial Audit and Internal
Audit

Management Audit Financial Audit Internal Audit

Nature & Purpose

Management audit is The auditors review Internal audit is basically
concerned with finding the financial concerned with ensuring
out the efficacy of the statements of a control of various
control system in company to express an operations and effective
operation. It reviews opinion as to whether control measures.
whether the policies lay they reflect a true and Internal audit is
down and decisions fair view of its state of complementary to
taken were in affairs and working statutory audit.
organization’s interest period. The main
and were effective. The purpose of an
purpose of independent financial
management audit is to audit is to determine
assess whether the whether the financial
integrated management statements represent
systems, which are fairly the actual
required to fulfill the financial position and
contractual and legal working results of an
obligations for the organisation.
company to its
customers and
community, are being
effectively implemented
and the true and fair
presentation of the
results of such and
examination is attained.

Scope
The management audit The auditor’s Normally covers audit of
concentrates upon the certificate depends on routine financial
main sources of verification of the transactions to ensure
decision-making in a Profit and Loss that no irregularities
firm, which can achieve Account and Ledger would occur within the
effective and impressive Accounts with organization in any area
results for profitability. reference to original where finance is involved
It covers mainly documentary and to judge the efficacy
management areas. evidence. of systems of internal
control.

Features
Audit of management Looking into the Covers mainly financial
policies and their correctness of financial transaction, through can
adequacies to meet data and records along be extended to
corporate objectives. with correctness of the management areas in the
Audit of procedures, accounting procedures absence of management
organization and followed. Seeing that audit.
methods to confirm established accounting
proper implementation systems and
of policies and rules. procedures have been
complied with.

Management audit Seeing that financial a) Routine check of

covers the entire gamut statements have been financial
of activities whether prepared following the transactions
operations, general or established procedures b) Ensuring efficiency
control activities for and that the same of performance
which only the top display a true and fair c) Preventing
management is view of the business irregularity
responsible for. transactions as also of d) Continuous audit
the position of the for internal
concern as on a reporting, through
particular date. can be conducted by
outside agencies
e) Requirement under
CARO
f) Ensuring internal
control measures
are followed and are
effective.
Areas
Organisation, methods, All cash transactions- Sales, purchase, receipts,
procedure, controls, receipts and payments, payments, stores and
techniques, systems and wages and salaries, stock, production and
functional areas such as purchase and sales, performance efficiencies,
purchase, production, stocks and work-in- including physical
sales, personnel and progress, physical performance
inventory management. verification of assets (quantitative and
(current and fixed). qualitative) and physical
verification of assets.

Qualifications of
Auditor
The statue does not lay The qualifications It is performed by the
down any qualification required for employees of the
for a management appointment of company, drawn from
auditor, but he must be statutory auditor have internal audit
a senior person with been specified under department. There is no
enough experience Ordinance 1984 of the statutory qualification.
since management Companies Act, 254. Auditor should be a man
audit covers all the of experience and
functional areas of intelligence, with a
management. The logical mind and
qualifications of a analytical approach. His
management auditor exposure has to be in
are difficult to be areas of
prescribed. Ideally, a accounts/finance. It is a
candidate with multi- continuing audit which
disciplinary approach is goes on the year round,
best suited for the job. It at specified and regular
could also be a team of intervals.
persons specializing in
different disciplines.

Periodicity
There is no such Statutory financial It is a continuous process.
defined period. It audit is conducted
purely depends on the every year.
management. Normally
it is held once in 2-3
years.

Reporting
The management audit The financial auditor The internal audit report
report is meant for top has to make a report to is meant for top
management. The the members of the management. A copy of
report is submitted to company i.e. share- the report department
managing director or holders. concerned.
executive director
through at times the
report is submitted to
an audit committee of
the board of directors.
Question No 3:-
You are the manager in charge on the audit of Hexa Garments Limited (HGL).
The company is listed on the Karachi Stock Exchange and has nine directors.
It is engaged in the manufacture and sale of fancy garments through its own
retail outlets. You are considering the following matters in respect of the audit
for the year ended December 31, 2009:
a) The diluted earnings per share of Rs. 36.60 has been calculated without taking
into account the share options held by three directors. To justify the above
calculations, these directors have confirmed in writing that they do not intend
to exercise the share option. Had the share options been considered, the
diluted earnings per share would have been Rs. 35.60. The review of
subsequent events revealed that four of the remaining directors had exercised
their share options following the balance sheet date.
The share options are available upto December 31, 2010.
b) According to the draft financial statements the total assets of the company are
valued at Rs. 375 million. These include value of ten retail outlets amounting
to Rs. 175 million. The valuation is based on historical cost less accumulated
depreciation. During the year ended December 31, 2009, the management
had decided to revalue all the retail outlets. The value appointed by the
management has not been able to complete the assignment to date. However,
he has submitted two interim reports as described below:

Interim Report

First Second

Date of report 31/12/09 20/02/10

Number of shops revalue 3 4

Book value as on 31/12/2009 (Rs. in 40 60

million

Revalued amount (Rs. in million 70 100

c) During the year HGL has developed two new brands “Deebal” and “Kalachi”
and has launched an aggressive marketing campaign for their promotion. The
company has recognized the cost incurred on the campaign amounting to Rs.
10 million as an intangible asset. It is being written off over the estimated
useful life of the brands i.e. four years.

Required:
Discuss the matters that may be of significance to you as an auditor, in respect
of the above issues. Also explain their implications on the audit report.

(6+8+6=20 Marks)
Answer:-
a) Matters significant to the Auditor
i. According to IAS-33, for the purpose of calculating diluted earnings
per share, an entity shall assume the exercise of dilutive options of the
entity. The IAS does not allow any exception to this rule.
ii. Whether the share options given to the directors have been properly
disclosed in the financial statements.
iii. The exercise of share options after the close of year needs disclosure as
a non-adjusting event.
Implications on the audit report
i. If the directors do not agree to amend the diluted earnings per share,
the audit report should be modified in this respect on the ground of
disagreement.
ii. If proper disclosure relating to exercise of share option has not been
made, the audit report should be modified due to non-disclosure of
material information.
b) Matters significant to the Auditor
i. According to IAS-16 Property, Plant and equipment, if an item of
property, plant and equipment is revalued, the entire class of
property, plant and equipment to which that asset belongs shall be
revalued.
ii. The increase due to revaluation of 7 of the 10 retail shops amounts to
Rs. 70 million, which represents 18.67% of total assets and is therefore
material to the statement of financial position. A disclosure will be
required.
iii. The auditor should ask the management either to defer the
revaluation to a period when all information related to all the shops is
available from the valuer or revalue all the shops by requesting the
valuer to submit his final report prior to audit completion.
Implication on the Audit Report:
If the management refuses to disclose the information about the outcome of
valuation exercise, the audit report should be modified on the ground of
disagreement with qualified” opinion.
c) Matters significance to the Auditor
i. According to IAS-38, internally generated brands shall not be
recognized as intangible assets. Hence, the capitalization of internally
generated brands is a contravention to the requirement of IAS-38.
ii. The intangible asset is material as it represents 2.7% of total assets.
Implications on the Auditor’s Report
If the financial statements are not revised in accordance with IAS, the audit
report should be qualified on the ground of disagreement with qualified
opinion due to material misstatement.
Questions No 4:-
a) Select the best answer for each of the following items and give
reason for your choice.
As part of their audit, CPAs obtain a representation letter from their
client. Which of the following is not a valid purpose of such a letter?
1) To increase the efficiency of the audit by eliminating the need
for other audit procedures.
2) To remind the client’s management of its primary responsibility
for the financial statements.
3) To document in the audit working papers the client’s
responses to certain verbal inquires made by the auditors
during the engagement.
4) To provide evidence in those areas dependent upon
management’s future intentions.

b) “Understanding the relationship between risk and control is important in

information systems audit.” (12+8=20 Marks)
Understanding Risks Controls
Understanding the relationship between risk and control is important in I.S.
the auditor must be able to identify different types of risks and the controls
used vis-à-vis those required to mitigate these risks.
Risks that threaten the I.S. cannot be eliminated. They can be mitigated by
appropriate security. This security is to be implemented within the
framework of controls envisaged by the management. I.S. auditor has to
evaluate their adequacy and appropriateness to mitigate risk. Weaknesses
that exist are to be reported by the I.S. Auditor to understand the process and
procedure of reviewing and evaluating controls.
Threats can be outcome of poor control or no control. A threat is some action
or event that can lead to a loss (a risk). “The potential that a given threat will
exploit the vulnerabilities of an asset or group of assets to cause loss or
damage to them” is considered as risk. The result of threat analysis is
vulnerabilities. The risk of a threat exploiting a vulnerability leads to impact
i.e., result of loss of any sort on account of risk. Exposure is the potential loss
on account of the actualizing of the risk. Risk assessment identifies the
elements of risk and combines them to give the overall view of the risk.
For example fire is a threat to a computer center. This is an inherent
vulnerability which cannot be entirely eliminated but can be mitigated by e.g.
prohibiting smoking, encasing all electrical wiring, having fire proof walls or
fire proof cabinet for storing all the software and data, installing smoke
detection system or fire extinguishers. These measures shall mitigate the risk
of fire. Further, the company may obtain insurance for loss of assets/profits.
This is called as risk transfer. The remaining risk termed residual risk has to
be accepted by the management.
 The loss due to fire is termed exposure. The impact of fire is the loss to the
company due to disruption of business, loss of customers, loss of assets etc.
while assessing risk the I.S. Auditor has to consider the various types of
threats, vulnerabilities, risk exposure and the probability of their occurrence.

A common method used to quantify risk is as follows: calculate the impact

against probability of each treat. e.g. if the loss on account of fire is Rs. 5 lakhs
and the probability of its occurrence is 0.2% then the potential risk exposure
would be: 5,00,000  2/100 = Rs. 1,000.

If the expected loss is Rs. 20, 00,000 and the probability of occurrence is 2%
then the exposure would be: 20, 00,000  2/100 = Rs. 40,000
Control assessment: After the risks have been identified, existing controls can
be evaluated or new controls can be designed to ensure that the risk is
maintained at the acceptable level.
At the time of evaluation is should be considered whether controls are
preventive or detective, manual or programmed and formal.

Question No 5:-
You are the manager in-charge on the annual audit of Decimal World Limited
(DWL) for the year ended December 31, 2009. DWL is a leading manufacturer
of electrical appliances. 35% of its shares are held by Binary Pakistan Limited
(BPL). However, with the help of some consenting shareholders, BPL has
been able to nominate 5 out of 8 directors on the Board.
During the planning phase of the audit you became aware of the following
matters:
a) A foreign investor has made a public offer to purchase 51% shares of DWL at
a price of Rs. 13 per share. The share price has ranged between Rs. 12 to Rs. 14
per share during the past six months.
b) The company’s statement of financial position includes a deferred tax asset of
Rs. 30 million on account of unutilized tax losses which have accumulated
during the loss making period 1999-2004. The management is of the view that
future taxable profits would be sufficient to utilize the available tax losses.
c) DWL has established an e-commerce division to sell its products through
internet. This new division is administered centrally by the head office. This
step has been quite successful as the online sales have risen to 20% of the total
sales during the year.

Required:
Identify and explain the audit risks which the auditor should consider
while planning the audit of DWL. Also highlight the key areas on which
the auditor should place emphasis upon, to address the above risks.
(6+7+7=20 Marks)
Answer:-
a) Audit risk: Pressure to maintain the earnings
 i. The management of DWL is under pressure to maintain the earnings
of the company in order to keep the share price of the company over
Rs. 12.5 so that the offer of foreign investor will not attract the small
investors.
ii. The areas requiring the auditors attention are as follows:
 Revenues are recorded correctly as to amount and period.
 Inventories are properly valued and recorded in the correct
period.
 All expenses and provisions are recorded correctly as to amount
and period.
b) Audit risk: Recoverability of deferred tax assets
i. Under IAS-12, deferred tax assets can only be recognized when it is
probable that taxable profits will be available against which the
deductible temporary differences can be utilized. The company will
therefore need to show that future profits will be generated for the
unutilized tax losses to be offset against. If this is not possible, the
deferred tax asset should be limited to the amount of profits that can
be measured with reasonable certainty.
ii. The main areas which require auditors attention are as follows:
 The income tax provisions related to carry forward of tax
losses and their adjustment against future profits.
 Amount of future profits and reasonableness of such forecast.
c) Audit risk: Issues relating to e-commerce sales
i. Risk of non-compliance with taxation, legal and other regulatory
issues
ii. Risk of technological failure resulting in business interruption
iii. Loss of transaction integrity
iv. Risk of frauds by customers and employees
v. Risk of application of improper accounting policies in respect of
capitalization of costs such as website development, translation of
foreign currencies, allowances for returns, revenue recognition. etc.
vi. The main areas which require auditors attention are as follows:
 The effect of e-commerce model on the existing accounting
policies
 The adequacy of internal controls in place.
 Process alignment. It refers to the way various IT systems are
integrated with one another and thus operate, in effect, as one
system.
 Key security issues and how the management intends to
address them
 Legal issues and opinion of the legal advisors.

********************************