MODULE 1

UNIT 1 - Core Concepts of a Risk-Base Approach to Conducting A Quality Audit

Auditing is an independent examination. The word “audit” comes from the Latin word
audire which means “to hear.” In the Middle Ages, accounts or revenue and expenditure were
“heard” by the auditor.

An audit includes examining, on a test basis, evidence supporting the amounts and
disclosures in the financial statements. An audit also includes assessing the accounting principles
used and significant estimates made by management, as well as evaluating the overall financial
statement presentation.

Audit scope, defined as the amount of time and documents which are involved in an
audit, is an important factor in all auditing. The audit scope, ultimately, establishes how deeply
an audit is performed. It can range from simple to complete, including all company documents.

The objective of an audit is to form an independent opinion on the financial statements of

the audited entity. The opinion includes whether the financial statements show a true and fair
view, and have been properly prepared in accordance with accounting standards.
The basic principles of auditing are confidentiality, integrity, objectivity, and
independence, skills and competence, work performed by others, documentation, planning, audit
evidence, accounting system and internal control, and audit reporting.

The fundamental ethical principles that apply to all services that professional accountants in
public practice provide are: integrity, objectivity, professional competence and due care, confidentiality,
professional behavior and technical standards.

ETHICAL ISSUES RELATED TO AUDITING

 Responsibilities. In carrying out their professional duties, CPAs should exercise sensitive
professional and moral judgments in all their activities.
 The Public Interest. ...
 Integrity. ...
 Objectivity and Independence. ...
 Due Care. ...
 Scope and Nature ...

The five main principles of ethics are usually considered to be: Truthfulness and
confidentiality. Autonomy and informed consent. Beneficence.

A financial statement audit is the examination of an entity's financial statements and

accompanying disclosures by an independent auditor. ... The purpose of a financial statement
audit is to add credibility to the reported financial position and performance of a business.
 In the United States, Certified Public Accountants (CPA) are legally eligible to conduct
the auditing and provide opinion on financial statements. The following are the six phases
involved in the financial statement audit.

Financial statements comprise three important written records: the cash flow statement,
the income statement and the balance sheet. Companies furnish financial statements to provide
information on their financial performance and well-being. Financial statements undergo an
auditing process before they come out to the public. Auditing is a process of inspecting to ensure
compliance to various regulations. External auditors examine financial statements to verify if the
information furnished by the organization fairly reflects its financial position.

The purpose of the financial statement audit is to verify if the organization has followed
Generally Accepted Accounting Principles (GAAP) standards while reporting the financial
information. In the United States, Certified Public Accountants (CPA) are legally eligible to
conduct the auditing and provide opinion on financial statements. The following are the six
phases involved in the financial statement audit.

Audit Planning

Audit planning is a phase where the audit team develops a course of action and guidelines
to perform the audit. The audit team would also list down the responsibilities of each party
through an engagement letter. According to PricewaterhouseCoopers (PWC), the planning phase
would involve activities such as determining the audit procedures, verifying the compliance with
interdependence requirements and building the audit team. The time and efforts required for
audit planning are directly proportional to the size and complexity of the business.

Gain an Understanding on Internal Controls

Internal controls refer to mechanisms, procedures, rules and guidelines an organization

follows to prevent financial misstatements or fraud. Internal controls enhance the accountability
of the internal teams and the accuracy of financial reporting. One of the widely used examples of
internal control is to have passwords restricting access to accounting software and digital
records. In this stage, the audit team would verify and gain an understanding of various internal
controls that the organization has adopted to report financial data. Based on the efficiency of the
organization’s internal controls, the audit team would develop further audit procedures to
identify misstatements in financial reporting.

Risk Assessment

Auditors need to be well informed about the complexity of the operational environment
of the organization before the risk assessment process begins. External auditors use their
experience and knowledge to identify any possible material misstatements. Risk assessment
requires a high degree of judgment and a significant level of prior experience by auditors.
Auditors use their judgment, assumptions and the information collected during the second phase
to identify transactions, areas, disclosures and statements that could be materially misstated.
While assessing risks, the auditing team asks questions like:

 Are internal controls operating perfectly?

 Are controls reviewed on regular basis?
 What could go wrong?
 Is there a loophole in the existing internal control mechanism?
 What is the likely impact if a particular internal control has a loophole?

Auditors aim to identify inherent risks and control risks whose output is the material
misstatement. Inherent risk arises when a transaction is susceptible to material misstatement –
like transactions that involve estimation or guesswork. For example, an estimation of a legal
obligation or an estimation of fire damage involve high inherent risk because they need value
judgements by management. If the estimation is wrong, it results in a financial misstatement.
Control risk arises when an internal control mechanism fails to do its job.

Perform Controls Testing

The fourth phase in financial statement audit focuses on testing the controls to check if
they are effective in preventing financial misstatements. Well-run businesses have systems and
controls in place to ensure accuracy in financial reporting. Increasing labor costs and complex
business environments have encouraged organizations to implement automated internal controls
to reduce and prevent financial fraud. Audit teams assess the effectiveness of these controls by
altering the situations, timing and complexities.

If the audit team believes that the internal controls are effective and reliable, the need for
showcasing the substantive evidence would be reduced. But even if the internal controls are
highly effective, the audit team will gather a varying degree of substantive evidence to showcase
that. And this brings us to the next phase: gathering substantive evidence for the effectiveness of
internal controls.

Conduct Substantive Evidence Procedures

Substantive procedures are conducted to substantiate that there are no discrepancies in

financial reporting. Through substantive evidence, audit teams ensure they will not make
incorrect conclusions about material misstatements. The purpose of substantive procedures is to
avoid the detection risk.

Two types of substantive procedures are used to gather substantive evidence: analytical
procedures and tests of detail. Analytical procedures make use of the relationships between
various accounting and non-accounting data to substantiate the assertions. For instance, the audit
team can use industry data and economic data to draw a relationship with the organization’s
financial data to substantiate its transaction-related assertions. As reported by Corporate
Financial Institute, there are five transaction-level assertions – occurrence, accuracy, cut-off,
completeness and classification.
 In a test of detail, the audit team makes use of financial statements, account balances,
transactions and disclosures as pieces of evidence to show that the material misstatements don’t
exist. This procedure is more reliable than the analytical procedure.

As part of substantive testing, the auditor gathers evidence through a combination of:

 Physically inspecting the short-term and long-term assets, which include inventory and
machines.
 Evaluating financial records to support various transactions.
 Examining the transactions made with business partners like suppliers and customers. For
example, the audit team obtains confirmations from customers, suppliers and the bankers
of these partners to check if the transactions have happened.
 Comparing the components of financial statements with external market information.
 Checking if there are any mistakes in calculations.

Finalize the Financial Statement Audit and Report

Upon completing the previous five phases, the audit team develops a standard unqualified
report indicating their judgment about disclosure procedures of the organization. According to
PricewaterhouseCoopers, auditors use the results of the control tests, exercise their professional
judgment and substantive evidence to form an overall conclusion on the financial statements.

The auditing team would interact with the representatives of the organization, including
senior executives and accountants, throughout all six phases of financial statement audit. The
audit team challenges the management's assertions on individual transactions and disclosures in
order to clarify doubts and gather evidence. For public limited companies, shareholders’
approval is needed to appoint auditors. The auditing firm would reflect the shareholder’s
interests while evaluating the internal controls and financial disclosure procedures adopted by the
public limited companies.

UNIT 2 - Preliminary Engagement Activities

The auditor should undertake the following activities at the beginning of the current audit
engagement:

a)    Performing procedures required, regarding the continuance of the client relationship and
the specific audit engagement;
b)    Evaluating compliance with relevant ethical requirements and;
c)    Establishing an understanding of the terms of the engagement.

The auditor's consideration of client continuance and relevant ethical requirements, including
independence, occurs throughout the audit engagement as conditions and changes in circumstances
occur. Performing initial procedures on both client continuance and evaluation of relevant ethical
requirements (including independence) at the beginning of the current audit engagement means that
they are completed prior to the performance of other significant activities for the current audit
engagement. For continuing audit engagements, such initial procedures often begin shortly after (or in
connection with) the completion of the previous audit.

  Performing the preliminary engagement activities, which are specified in above, at the beginning
of the current audit engagement assists the auditor in identifying and evaluating events or
circumstances that may adversely affect the auditor's ability to plan and perform the audit engagement.

There are four phases of an audit:

1--accepting the audit engagement
2--planning the audit
3--performing audit tests
4--reporting the findings

The audit engagement decision is the result of two sets of decisions: the prospective client’s and
the proposed audit firm’s. We focus on the decision of the auditing firm. Client acceptance/retention
decisions are critical due to three forces reshaping the audit environment:
1--society’s expectations about the independent auditor’s role in maintaining the
integrity of the securities markets are increasing;

2--legal liability expansion underscores the importance of the auditors’ assessments of

the risk components of an audit; and

3--advances in information technology are changing the nature of the attestation

process.

Accepting the Engagement

In 1992, the AICPA recommended the use of an engagement risk approach in client
acceptance/retention decisions. Engagement risk consists of three components:
1--client business risk-the risk associated with the client’s survival and profitability;
2--audit risk-the risk that the auditor may unknowingly fail to appropriately modify his
opinion on financial statements that are materially misstated; and
3--auditor business risk-the risk of potential litigation costs from an alleged audit failure
and the risk of other costs such as fee realization and reputational effects.

Much of the examination of factors that would affect audit risk are actually occurring in the pre-
engagement process. Client business risk, audit risk, and auditor business risk are included in the written
risk assessment policies of the Big 5.

Boynton Johnson, and Kell outline a six-step process in deciding whether to accept an
engagement:
1--evaluating the integrity of management
- material errors and irregularities (and fraud) are more likely when
management is dishonest. How does the auditor get data on management’s
honesty?
2--identifying special circumstances and unusual risks
- here the auditor focuses on identifying the intended users of financial
statements. The auditor’s legal liability exposure may vary based on the
intended statement users, especially under common law negligence.

- those client firms which face potential significant legal claims and/or financial
distress raise the probability of an auditor lawsuit. The auditor should talk to
management and creditors, review credit reports, and filings with regulatory
agencies.

- the auditor should also look for the absence or poor quality of accounting
records, weak internal controls, and restrictions imposed by the client on the
auditor.

3--assessing competence to perform the audit AU section 150.02--first general

standard.
- which personnel will be assigned to the audit? The answer to this question
determines the amount and type of supervision necessary. The nature of the
auditee and its business will affect staffing decisions.

- consultants and specialists should be used by the auditor when needed.

- can the specialist’s work effect the type of audit report issued?

4--evaluate independence
- look at the second general standard of GAAS

- Rule 101 of the Code of Conduct requires and defines independence

5--determine the auditor’s ability to use due care

- consider the third general standard of GAAS

- Two factors to consider in assessing the ability to use due care:

1. The timing of the appointment
- the earlier the appointment for the engagement the better for
the auditor. It leaves more time for planning.
- auditor business risk may be increased by acceptance of an
engagement near or after the close of the client’s fiscal year.

2. The scheduling of field work

- interim work done 3 to 4 months before the end of a client’s
fiscal year greatly assists the auditor in planning audit
procedures
- good audit planning necessitates the use of a time budget.
Estimated hours for each staff member should be in the time
 budget. This also allows preparation of an estimated audit fee.
The deployment of client personnel can have a noticeable
influence on client audit fees.

6--preparing the engagement letter

GAAS does not require engagement letters. Why bother?
An engagement letter is a contract between the auditor and client. The
specific terms should be set down on paper:
1--the financial statements to be audited
2--the purpose of the audit

3--the professional standards to be followed by the auditor

4--wording related to the nature and scope of the audit
5--a clear statement that the audit may not detect all
irregularities
6--the legal duties of accountants to report illegal client acts
should be noted
7–apprising management that it is responsible for the
preparation of the financial statements and the maintenance
of internal controls
8–the basis on which fees will be computed and any billing
arrangements
9–a request for the client to confirm the terms of the
engagement by signing and returning a copy of the letter to
the auditor

Planning the Audit

Consider the first standard of field work (adequate planning and proper supervision).
The amount of audit planning is a direct function of the size and complexity of the client. It is also an
inverse function of the auditor’s knowledge of and experience with the client.
The following steps are involved in audit planning:
1--obtaining an understanding of the client’s business and industry
Figure 7-5 provides an overview of the numerous aspects of a client’s business that an auditor must
understand to perform effectively in an audit. Key issues to focus on are:

–senior management
–management goals and objectives
–entity resources of all types including financial, asset-based, human, information and intangible
–products and services, markets, customers, and competition
–regulatory forces
–core processes and operating cycle
–investing and financing cycle
The auditor also should not forget the importance of learning about “related parties.” Related parties
are defined by SFAS #57 as affiliates of the enterprise, trusts for the benefit of employees, principal
owners of the enterprise, management, other parties with which the enterprise may deal if one party
controls or can significantly influence the management or operating policies.
In reviewing industry and business data, do not forget to review the articles of incorporation, bylaws, B
of D meeting minutes, reports to regulatory agencies, and contracts the firm has signed. The auditor
should also learn such things as marketing and distribution practices and methods of inventory valuation
that are unique to the industry.
Public companies are required under SFAS #14 to disclose segment information for different lines of
business in the financial statements. AU section 435 sets forth guidelines for auditing segment
information.
The auditor should tour plant facilities. A tour gives an understanding of physical safeguards over assets.
The CPA should also review the company’s policies dealing with such things as disposal of a portion of
the business, credit policies, loans to and from affiliates and officers, and accounting policies for
recording assets and recognizing revenues.
The auditor should talk with members of the audit committee and/or board of directors.
Why?

Also, the existence of related parties is important because transactions with related parties must be
disclosed in the financial statements if they are material. The auditor usually requires more competent
evidence for related party transactions. AU section 334 indicates that certain auditing procedures should
be used to ascertain the existence of related parties transactions.
What are some of these auditing procedures?
GAAP requires disclosure of the nature of related-party relationships; a description of transactions and
amounts due from and to related parties.
Performing Analytical Procedures
AU section 329 defines analytical procedures as “evaluations of financial information made by a study of
plausible relationships among both financial and nonfinancial data.”
Why are analytical procedures used?
1--to obtain a better understanding of the client and its industry
2--to detect financial difficulty
3--to assist in planning the nature, timing, and extent of other auditing procedures
The following steps should be pursued in the planning phase of the audit:
1--decide which computations and analyses will be made

A) These can include common size statements and internal and industry ratio analyses. The auditor must
determine whether the client uses the same accounting methods as the remainder of its industry.
Different accounting methods can affect comparability.
B) Comparison of the current year balance in an account with the balance of the preceding year
C) Scanning details that make up journals, ledgers, and lists for unusual items
2--develop expectations
An expectation is an estimate of an account balance based on the auditor’s analysis of the trend of the
account, related financial ratios, and explicit financial models of factors that affect the account. Proper
application of analytical procedures in accordance with SAS 56 requires the development of an
expectation. This is true regardless of the audit phase in which analytical procedures are used. The
expectation is compared with the recorded amount to assess the potential for misstatement.
Auditors commonly use three broad types of analytical procedures to form an expectation:
1--trend analysis--the comparison of a current account balance or item with a trend in two or more prior
periods’ balances
2--ratio analysis--the comparison of a ratio calculated for the current year with a related ratio for a prior
year, an industry average or budget
3--model-based procedures--the use of client operating data and relevant external data (industry and
general economic information) to develop an expectation for the account balance. Two main types of
procedures--reasonableness and regression analysis.
Model-based procedures differ from ratio and trend analyses in two key ways:
1--while expectation formation is implicit in trend and ratio analyses, expectation formation is explicit in
model-based procedures
2--model-based procedures use operating and external data in addition to financial data to develop
expectations

Trend analysis is the weakest because it relies on data for only a single account. Ratio analysis is more
likely than trend analysis to identify potential misstatement. In ratio and trend analysis, the presumption
is that the balance or ratio should compare with the prior year or with the industry average. This brings
out an assumption that underlies the use of analytical procedures--that past data relationships continue
in the future. Model-based procedures are likely to be much more effective at signalling misstatement.
The modelling approach is more effective because it links financial data directly to relevant operating
data. In effect, model-based procedures are a direct test of the consistency between the operating and
financial data--an important test in many types of financial statement assertions such as completeness.
An example is the test or rental revenues for a real estate management firm. The use of an analytical
procedure to form an expectation of rental revenues based on capacity, occupancy rates and rental
charges should provide reliable evidence about the accuracy and completeness of recorded rental
revenues.
Precision is the auditor’s measure of the potential effectiveness of an analytical procedure. Effectiveness
refers to the procedure’s ability to identify accounts with or without misstatement, i.e., to correctly
identify whether a given fluctuation in an account balance or ratio results from a misstatement.
Precision of an expectation is affected by several factors:
The auditor’s consideration of the degree of precision needed for an expectation depends on whether
the analytical procedure is used in planning, as a substantive test, or in the final review. Precision is most
important in the substantive testing phase because the procedure is relied on to provide audit
assurance.
3--do the computations, analyze the data and pick out significant differences

A) identification of unexpected changes or the absence of expected changes may be a warning about
potential misstatements in the financial statements B) an auditor must decide the threshold required for
various accounts or line items to be further investigated. This involves the concept of materiality.

UNIT 3 - Planning the Audit and Development of Overall Audit Strategy

Planning the Audit

Consider the first standard of field work (adequate planning and proper supervision). The
amount of audit planning is a direct function of the size and complexity of the client. It is also an inverse
function of the auditor’s knowledge of and experience with the client. The auditor should obtain an
understanding of the client’s business and industry.
 The auditor also should not forget the importance of learning about “related parties.” Related
parties are defined by SFAS #57 as affiliates of the enterprise, trusts for the benefit of employees,
principal owners of the enterprise, management, other parties with which the enterprise may deal if
one party controls or can significantly influence the management or operating policies. In reviewing
industry and business data, do not forget to review the articles of incorporation, bylaws, B of D meeting
minutes, reports to regulatory agencies, and contracts the firm has signed. The auditor should also learn
such things as marketing and distribution practices and methods of inventory valuation that are unique
to the industry. Public companies are required under SFAS #14 to disclose segment information for
different lines of business in the financial statements. AU section 435 sets forth guidelines for auditing
segment information.

The auditor should tour plant facilities. A tour gives an understanding of physical safeguards
over assets. The CPA should also review the company’s policies dealing with such things as disposal of a
portion of the business, credit policies, loans to and from affiliates and officers, and accounting policies
for recording assets and recognizing revenues. The auditor should talk with members of the audit
committee and/or board of directors.

Also, the existence of related parties is important because transactions with related parties must
be disclosed in the financial statements if they are material. The auditor usually requires more
competent evidence for related party transactions. AU section 334 indicates that certain auditing
procedures should be used to ascertain the existence of related parties transactions.

What are some of these auditing procedures?

GAAP requires disclosure of the nature of related-party relationships; a description of
transactions and amounts due from and to related parties.

Performing Analytical Procedures

AU section 329 defines analytical procedures as “evaluations of financial information made by a
study of plausible relationships among both financial and nonfinancial data.”

Why are analytical procedures used?

1--to obtain a better understanding of the client and its industry
2--to detect financial difficulty
3--to assist in planning the nature, timing, and extent of other auditing procedures

The following steps should be pursued in the planning phase of the audit:
1--decide which computations and analyses will be made
A) These can include common size statements and internal and industry ratio analyses. The
auditor must determine whether the client uses the same accounting methods as the
remainder of its industry. Different accounting methods can affect comparability.

B) Comparison of the current year balance in an account with the balance of the preceding year
C) Scanning details that make up journals, ledgers, and lists for unusual items

2--develop expectations
An expectation is an estimate of an account balance based on the auditor’s analysis of the trend
of the account, related financial ratios, and explicit financial models of factors that affect the account.
Proper application of analytical procedures in accordance with SAS 56 requires the development of an
expectation. This is true regardless of the audit phase in which analytical procedures are used. The
expectation is compared with the recorded amount to assess the potential for misstatement.
Auditors commonly use three broad types of analytical procedures to form an expectation:
1--trend analysis--the comparison of a current account balance or item with a trend in two or
more prior periods’ balances
2--ratio analysis--the comparison of a ratio calculated for the current year with a related ratio
for a prior year, an industry average or budget
3--model-based procedures--the use of client operating data and relevant external data
(industry and general economic information) to develop an expectation for the account
balance. Two main types of procedures--reasonableness and regression analysis.

Model-based procedures differ from ratio and trend analyses in two key ways:
1--while expectation formation is implicit in trend and ratio analyses, expectation formation is
explicit in model-based procedures
2--model-based procedures use operating and external data in addition to financial data to
develop expectations

Trend analysis is the weakest because it relies on data for only a single account.
Ratio analysis is more likely than trend analysis to identify potential misstatement. In
ratio and trend analysis, the presumption is that the balance or ratio should compare
with the prior year or with the industry average. This brings out an assumption that
underlies the use of analytical procedures--that past data relationships continue in the
future. Model-based procedures are likely to be much more effective at signaling
misstatement.

The modeling approach is more effective because it links financial data directly
to relevant operating data. In effect, model-based procedures are a direct test of the
consistency between the operating and financial data--an important test in many types
of financial statement assertions such as completeness.

An example is the test or rental revenues for a real estate management firm.
The use of an analytical procedure to form an expectation of rental revenues based on
capacity, occupancy rates and rental charges should provide reliable evidence about the
accuracy and completeness of recorded rental revenues.

Precision is the auditor’s measure of the potential effectiveness of an analytical

procedure. Effectiveness refers to the procedure’s ability to identify accounts with or
without misstatement, i.e., to correctly identify whether a given fluctuation in an
account balance or ratio results from a misstatement.

Precision of an expectation is affected by several factors: The auditor’s

consideration of the degree of precision needed for an expectation depends on whether
the analytical procedure is used in planning, as a substantive test, or in the final review.
 Precision is most important in the substantive testing phase because the procedure is
relied on to provide audit assurance.

3--do the computations, analyze the data and pick out significant differences
A) identification of unexpected changes or the absence of expected changes may be a
warning about potential misstatements in the financial statements
B) an auditor must decide the threshold required for various accounts or line items to be
further investigated. This involves the concept of materiality.

UNIT 4 - Performance of Risk Assessment Procedures

Risk assessment procedures – The audit procedures performed to obtain an

understanding of the entity and its environment, including the entity's internal control, to identify
and assess the risks of material misstatement, whether due to fraud or error, at the financial
statement and assertion levels.

Understanding audit risk assessment procedures

Risk assessment is the foundation of an audit. For auditors, it is how we come to

understand your company and plan our audit procedures to provide the most reliable information
for you and the users of your financial statements. What is risk assessment? I will help you
understand what is involved and make the audit risk assessment procedures run as parallel as
possible with your daily responsibilities.

Audit risk assessment procedures are performed to obtain an understanding of your

company and its environment, including your company’s internal control, to identify and assess
the risks of material misstatement of the financial statements, whether due to fraud or error.
These procedures usually take place before your fiscal year has been completed and include
various procedures, such as inquiries with management and other selected employees, analytical
procedures, observations of controls in operation and inspection of documents to show controls
have been implemented.

Audit, review or compilation: what’s the difference?

While obtaining an understanding of your company is self-explanatory, our goal in

understanding your company’s internal control is to evaluate whether you (management), with
the oversight of those charged with governance, have created and maintained a culture of honest
and ethical behavior, as well as assessing whether the control environment contains any
deficiencies in established processes. We also look to identify company risks relevant to
financial reporting, in addition to estimating the significance of those risks and their likelihood of
occurring, to help decide what audit procedures need to take place to address those risks.

While our inquiries with management help us get an understanding of internal controls,
we also need to see examples of these being performed. Walkthroughs are performed, with the
help of your company personnel, to observe segregation of duties along with inspecting certain
documents (invoices, purchase orders, etc.) that are used as supporting evidence for the operation
of key controls that impact financial reporting. Analytical procedures are also performed, which
are comparisons (usually multiple-year) of significant financial statement line items (revenues,
payables, etc.), and financial ratios derived from those line items. These are compared to our
expectations based upon discussions with key management personnel and other available
industry information to identify any other areas of risk related to the financial statements that
may impact the audit.

In summary, if an audit is the main course, then risk assessment is the appetizer. It
provides us with information that is used not only for the year under audit, but future years to
come. Audit risk assessment procedures are a vital part to any audit and treated as such by us
and, hopefully, your company as well.

Risk Assessment Procedures in Audit

This International Standard on Auditing (ISA) deals with the auditor’s responsibility to
identify and assess the risks of material misstatement within the financial statements, through
understanding the entity and its surroundings which incorporates the entity’s control.

The following risk assessment procedures should be following in an audit:

Understanding the entity and its environment:

The auditor shall obtain an understanding of the following factors:
Relevant industry and different external factors such as the applicable financial reporting
framework. The nature of the entity consists of its operations, its ownership and governance
structures, the types of investments that the entity is making and plans to make, which include
investments in special-purpose entities; and the manner that the entity is established and how it is
financed, to permit the auditor to recognize the classes of transactions, account balances, and
disclosures in the financial statements.

The entity’s selection and understanding of accounting policies. The auditor should
evaluate whether the entity’s accounting policies are appropriate for its enterprise and consistent
with the applicable financial reporting framework. The entity’s goals and strategies, and those
related commercial enterprise risks that may result in risks of material misstatement.

The size and assessment of the entity’s financial performance.

Obtaining an understanding of Internal Control:
The auditor must acquire enough understanding of each component of internal control
over financial reporting to become aware of the types of potential misstatements. The nature,
timing, and extent of procedures that might be important to gain an understanding of internal
control depend upon the size and complexity of the company and the company’s nature of
documentation of its internal control over financial reporting.
Obtaining an understanding of internal control consists of comparing the design of
controls which can be applicable to the audit and determining whether the controls were
implemented. Internal control over economic reporting can be described as consisting of
components that consist of the control environment, the organization’s assessment process,
information and communication, control activities, and tracking of controls.

Components of Internal Control:

Control environment:
The auditor should obtain an understanding of the client’s control environment. Along
with obtaining this information, the auditor shall evaluate whether management has created and
maintained a culture of honesty and ethical conduct and the strengths in the control environment
elements collectively provide the appropriate basis for the other components of internal control
and whether those other components are not undermined through deficiencies in the control
environment.

Monitoring of Controls:
The auditor should obtain an understanding of the significant activities that the company
uses to display the effectiveness of its internal control over financial reporting and how the
organization initiates corrective actions related to its controls.
The auditor may carry out walkthroughs as part of obtaining information on internal
control over financial reporting. In order to perform a walkthrough, the auditor follows a
transaction from origination through the company’s processes.
Walkthrough procedures include a combination of inquiry, observation, an inspection of
relevant documentation, and re-performance of controls.

Performing Analytical Procedures:

The auditor should perform analytical procedures that are designed to enhance the
auditor’s understanding of the client’s business and the significant transactions and events that
have occurred since the prior year-end and become aware of areas that could constitute specific
risks relevant to the audit.

Identifying and Assessing Risks of Material Misstatement:

Risks of material misstatement at the financial statements level and assertion level should
be determined by the auditor.
In identifying and assessing risks of material misstatement, the auditor should discover
risks of misstatement using information obtained from performing risk assessment procedures
and decide whether any of the identified risks of material misstatement are significant risks.
Factors Relevant to Identifying Fraud Risks:
The auditor must evaluate whether the information obtained from the risk assessment
procedures indicates that one or more fraud risk factors are present and should be considered in
identifying and assessing fraud risks.

Further Consideration of Controls:

When the auditor has decided that a significant risk, including a fraud risk, exists, the
auditor should evaluate the design of the company’s controls that are meant to address fraud
risks and other significant risks and decide whether those controls were properly implemented.

Revision of Risk Assessment:

When the auditor obtains audit evidence during the course of the audit that may challenge
the audit evidence on which the auditor originally based his or her risk assessment, the auditor
must revise the risk evaluation and modify audit approaches in response to the revised risk
assessments.

OVERVIEW OF RISK ASSESSMENT METHODS

The following methods can be used to do a risk assessment:

1. Use a what-if analysis to identify threats and hazards. What-if questions are asked about
what could go wrong and about what would happen if things do go wrong. This type of analysis
is a brainstorming activity and is carried out by people who have knowledge about the areas,
operations, and processes that may be exposed to hazardous events and conditions.

2. Use a checklist of known threats and hazards to identify your threats and hazards. The value
of this type of analysis depends upon the quality of the checklist and the experience of the user.

3. Use a combination of checklists and what-if analysis to identify your threats and hazards.
Checklists are used to ensure that all relevant what-if questions are asked and discussed, and to
encourage a creative approach to  risk assessment.

4. Use a hazard and operability study (HAZOP) to identify your threats and hazards. If you need
to do a thorough analysis, this method is for you. However, it requires strong leadership and is
costly and time consuming. It also assumes that you have a very knowledgeable
interdisciplinary team available to you, one with detailed knowledge about the areas, operations,
and processes that may be exposed to hazardous events and conditions.

5. Use a failure mode and effect analysis (FMEA) to identify potential failures and to figure out
what effect failures would have. This method begins by selecting a system for analysis and then
looks at each element within the system. It then tries to predict what would happen to the system
as a whole when each element fails. This method is often used to predict hardware failures and is
best suited for this purpose.
6. Use a fault tree analysis (FTA) to identify all the things that could potentially cause a
hazardous event. It starts with a particular type of hazardous event and then tries to identify
every possible cause.

OVERVIEW OF RISK ASSESSMENT STEPS

Comprehensive risk assessments:

a. Identify the range of hazards, threats, or perils:
1. Identify the hazards, threats, or perils that impact or might impact your
organization.
2. Identify the hazards, threats, or perils that impact or might impact your
infrastructure.
3. Identify the hazards, threats, or perils that impact or might impact the
surrounding area.

b. Determine the potential impact of each hazard, threat, or peril by:

1. Estimating the relative severity of each hazard, threat, or peril.
2. Estimating the relative frequency of each hazard, threat, or peril.
3. Estimating the vulnerability to each hazard, threat, or peril.
a. Estimate how vulnerable your people are to each hazard, threat, or peril.
b. Estimate how vulnerable your operations are to each hazard, threat, or
peril.
c. Estimate how vulnerable your property is to each hazard, threat, or peril.
d. Estimate how vulnerable your environment is to each hazard, threat, or
peril.

c. Categorize each hazard, threat, or peril according to how severe it is, how frequently
it occurs, and how vulnerable you are.

d. Develop strategies to deal with the most significant hazards, threats, or perils.
1. Develop strategies to prevent hazards, threats, or perils that impact or might
impact your organization and its people, operations, property, and
environment.
2. Develop strategies to mitigate hazards, threats, or perils that impact or might
impact your organization and its people, operations, property, and
environment.
 3. Develop strategies to prepare for hazards, threats, or perils that impact or
might impact your organization and its people, operations, property, and
environment.
4. Develop strategies to respond to hazards, threats, or perils that impact or might
impact your organization and its people, operations, property, and
environment.
5. Develop strategies to recover from hazards, threats, or perils that impact or
might impact your organization and its people, operations, property, and
environment.

UNIT 5 - Designing Overall Responses and Further Audit Procedures

In simple terms, control tests involve checking that a client's control is working, whereas
a substantive test involves ignoring client systems and just checking the numbers. An example:
Companies try to ensure their cashbooks and bank statements are accurate by reconciling them.

The four types of test of controls include:

Inquiry.
Observation.
Inspection.
Re-performance.

Substantive Procedures Defined

A substantive procedure is a process, step, or test that creates conclusive evidence
regarding the completeness, existence, disclosure, rights, or valuation (the five audit assertions)
of assets and/or accounts on the financial statements. To qualify as a substantive procedure,
enough documentation must be collected so that another competent auditor could conduct the
same procedure on the same documents and make the same conclusion.

Importance
Most of the work auditors do is aimed at conducting substantive procedures. If you've
ever worked at an organization that has been audited by external or internal auditors, you likely
remember the requests for documentation, reports, and other original information. While this
may not be the most fun if you are the one being audited, it is important to remember that the
auditors are hired by someone in authority to provide an objective assessment of the
completeness, existence, disclosure, rights, or valuation of some asset or account.

If an auditor presents such an assessment, and then ends up being wrong, they look pretty
bad. So, they don't just ask, 'Do you give receipts every time you accept cash?' Instead, they get a
copy of the detailed deposits and the receipt book and reconcile both until each bit of cash is
accounted for with an original receipt. Everyone understands that auditors can't be absolutely
sure their assessment is correct, but professional standards require them to document sufficient
evidence to provide reasonable assurance of their conclusions.

There are many different procedures that auditors conduct that are substantive and some
they conduct that aren't substantive. Not every procedure an auditor conducts has to be
substantive; but, where non-substantive procedures are used, auditors should report the
limitations of their work.

Substantive Procedures in Auditing

Substantive procedures are audit procedures performed to detect material misstatements
in the figures and presentation & disclosures reported in financial statements. They are designed
to generate evidence about the financial statement assertions.

Types of Substantive audit procedures

Tests of detail
Analytical procedures

Tests of detail: Tests of detail include verification on transactions, account balances and
disclosures.
Analytical Procedures: Analytical procedures consist of evaluations of financial information
through analysis of plausible relationships among financial as well as non-
financial data. Analytical procedures also encompass investigation of identified
fluctuations or relationships that are inconsistent with other relevant information
or that differ from expected values by a significant amount.

Examples of substantive audit procedures for some account balances and account
transactions

List the substantive audit procedures that may be performed by an auditor to verify Payroll
From the payroll record:
1. Select a sample of newly appointed staff and check their salaries with the
appointment letter.
2. Select a sample of other staff (appointed in previous years) and check their
salaries with the increment letter.

In both the above cases check that allowances and deductions are in accordance with the
company’s policies or the relevant legal requirements.
3. Select a sample of payroll summaries and:
a. Check that payroll summary has been approved by an appropriate
authority.
b. Trace totals of payroll summaries to appropriate general ledger
accounts.
List the substantive audit procedures that may be performed by an auditor to verify material
purchase

Substantive Procedures for Raw material purchases:

1. Select a sample of transactions and carryout the following tests.
2. Check weather appropriate measures have been taken as per the company’s policy to ensure
that purchases are made from most competitive sources.
3. Check the relevant invoices.
4. Match invoices with goods receiving notes to ensure that goods have been received for all
billings made by supplier.

5. Match supplier’s invoices with purchase orders to ensure that:

a. Purchases were duly authorized.
b. Rates and quantities mentioned on the invoice are same as those mentioned on the
purchase order.
6. Check posting of supplier’s invoices to creditor’s accounts/ general ledger.
7. Perform cut-off procedures on purchases.
8. Perform analytical procedures on purchases made during the year by comparing current year
purchases with the last year and investigate significant differences, if any.