CPA PROGRAM

ADVANCED AUDIT AND

ASSURANCE
FIFTH EDITION

Pdf_Folio:i
Published 2019 by John Wiley & Sons Australia, Ltd,
42 McDougall Street, Milton Qld 4064,
on behalf of CPA Australia Ltd,
ABN 64 008 392 452
First published January 2010, reprinted with amendments July 2010, Updated January 2011, reprinted July 2011, updated
January 2012, reprinted July 2012, Updated January 2013, reprinted July 2013, updated January 2014, reprinted July 2014,
Updated January 2015, updated January 2016
Second edition published November 2016
Third edition published January 2018
Fourth edition published January 2019
Fifth edition published November 2019
© 2010–2020 CPA Australia Ltd (ABN 64 008 392 452). All rights reserved. This material is owned or licensed by CPA
Australia and is protected under Australian and international law. Except for personal and educational use in the CPA
Program, this material may not be reproduced or used in any other manner whatsoever without the express written
permission of CPA Australia. All reproduction requests should be made in writing and addressed to: Legal, CPA Australia,
Level 20, 28 Freshwater Place, Southbank, VIC 3006, or [email protected].
Edited and designed by John Wiley & Sons Australia, Ltd
Printed by Blue Star Print
ISBN 9780730381877
Authors
Brian Clarke (Consultant)
David Gilchrist (Professor, Accounting and Finance (UWA Business School), University of Western Australia)
Dessalegn Mihret (Senior Lecturer, Faculty of Business and Law, Deakin University)
Roger Simnett (Scientia Professor, School of Accounting, University of New South Wales/ Chair and CEO of the Australian
Auditing and Assurance Standards Board)
Caroline Spencer (Managing Partner, Vista Advisory)
Tiffany Tan (CPA Australia)
Ken Trotman (Scientia Professor, School of Accounting, University of New South Wales)
Reviewers
Kirsty Meredith (University of the Sunshine Coast)
Prerana Agrawal (The University of Western Australia)
Advisory panel
Roger Simnett (AuASB, UNSW)
Peter Carey (Deakin University)
Claire Grayston (CPA Australia)
David Gowland (CPA Australia)
Brian Clarke (Independent Consultant)
Susan Fraser (Independent Consultant)
Dean Newlan (Independent Consultant)
Ram Nagarajan (CPA Australia)
Seng Thiem Teh (CPA Australia)
Kenny Yeoh (Baker Tilly Monteiro Heng, Kuala Lumpur, Malaysia)
Lee Li Tan, PwC (Kuala Lumpur, Malaysia)
Jessey Chin, PwC (Kuala Lumpur, Malaysia)
Pei Pei Chiam (Deloitte PLT, Kuala Lumpur, Malaysia)
Zulkifflee Bin Mohamed (Universati Tun Abdul Razak, Kuala Lumpur)
Uma Devi Uturaju (Sunway University Malaysia)
Foo Yin Fah (Sunway University Malaysia)
CPA Program team
Yvette Absalom Adam Moretti
Victoria Altomare Ram Nagarajan
David Baird Venkat Narayanan
Shubala Barclay Isha Nehru
Nicola Drury Shari Serjeant
Jeannette Dyet Paul Shantapriyan
Yani Gouw Alisa Stephens
Kristy Grady Zina Suyat
Geraldine Howley Tiffany Tan
Elise Literski Seng Thiam Teh
Julie McArthur
Pdf_Folio:ii

Helen Willoughby
ACKNOWLEDGEMENTS
The Advanced Audit and Assurance 2019 edition includes the International Code of Ethics for
Professional Accountants, 2018 Edition of the International Ethics Standards Board for Accountants
(IESBA), published by the International Federation of Accountants (IFAC) in July 2018 and is used with
permission of IFAC. Contact [email protected] for permission to reproduce, store or transmit, or to
make other similar uses of this document.
The International Code of Ethics for Professional Accountants, 2018 Edition of the International Ethics
Standards Board for Accountants (IESBA), published by the International Federation of Accountants
(IFAC) in July 2018, is used by CPA Australia with permission of IFAC. Such use of IFAC’s copyrighted
material in no way represents an endorsement or promotion by IFAC. Any views or opinions that may be
included in the Advanced Audit and Assurance 2019 edition are solely those of CPA Australia, and do not
express the views and opinions of IFAC or any independent standard setting board supported by IFAC.

MODULE 1
Tables 1.1–1.5, 1.7 and 1.7; Figures 1.10 and 1.11: © CPA Australia; Figure 1.9: © Adapted from Rozario,
A.M., 2019. Three essays on audit innovation: using social media information and disruptive technologies
to enhance audit quality (Doctoral dissertation, Rutgers University-Graduate School-Newark). Figure
1.2: © Auditing and Assurance Standards Board, 2016; Table 1.2: © CPA Australia; Figure 1.9: ©
Adapted from Rozario A M, 2019. ‘Three essays on audit innovation: using social media information
and disruptive technologies to enhance audit quality’ (Doctoral dissertation, Rutgers University-Graduate
School-Newark); Figures 1.2 and 1.4: © Auditing and Assurance Standards Board, 2016; Extract: © Audit
Office of New South Wales; Extracts: © External Reporting Board 2019; Extract: © Ernst & Young;
Extracts: © John Wiley & Sons Australia Ltd.

MODULE 2
Extract: © Association of Chartered Certified Accountants; Tables 2.5, 2.8 and 2.9; Figures 2.14 and 2.15:
© CPA Australia; Figures 2.26 and 2.27: © CPA Canada; Figures 2.1, 2.5, 2.8, 2.10, 2.13, 2.22, 2.23, 2.24,
2.25, 2.28; Table 2.5; Extracts: © John Wiley & Sons Australia Ltd; Table 2.7: © Adapted from Knechel,
W R & Salterio, S 2017, Auditing: Assurance and Risk, 4th edn, Taylor & Francis, New York, pp. 163–5.

MODULE 3
Figure 3.5; Tables 3.3, 3.5 and 3.6: CPA Australia; Table 3.4, Figures 3.4 and 3.10; Extracts: © John Wiley
& Sons Australia Ltd; Extract: © Adapted from Shabbir, M 2019, ‘Computer Assisted Audit Techniques
(CAATs) © Modern Audit Tool’, Mayur Batra Group.

MODULE 4
Extract: © Australian Securities & Investments Commission. Reproduced with permission; Extract: ©
AusGroup Ltd; Table 4.1; Figure 4.5: © CPA Australia; Extracts: © John Wiley and Sons Australia Ltd;
Extract: © Qantas; Extract: © Simavita Ltd.

MODULE 5
Figure 5.1; Table 5.2; Extracts: © Auditing and Assurance Standards Board, 2016; Figure 5.4; Extract:
Internal Control—Integrated Framework © 2013, Committee of Sponsoring Organizations of the
Treadway Commission 2013; Figures 5.5, 5.6, 5.11, 5.12: © CPA Australia; Figure 5.8; Extracts:
© Commonwealth of Australia 2019; Extract: Copyright © by The Institute of Internal Auditors, Inc.
All rights reserved; Extracts: © John Wiley and Sons Australia Ltd; Figure 5.3: © KPMG

Pdf_Folio:iii

ACKNOWLEDGEMENTS iii
BRIEF CONTENTS
Subject Outline vii

Module 1: The Auditing and Assurance Framework 1

Module 2: Planning the Audit of Historical Financial Information 66
Module 3: Performing the Audit of Historical Financial Information 169
Module 4: Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 225
Module 5: Other Assurance Engagements 288

Glossary 374
Westerways Case Study 381
Suggested Answers 421
Index 489

Pdf_Folio:iv
CONTENTS
Subject Outline vii
MODULE 1
The Auditing and Assurance
Framework 1
Preview 4
1.1 Assurance environment 4
The internationalisation of auditing 5
Regulation of auditing in Australia 7
Regulation of auditing in New Zealand 10
1.2 Assurance engagement framework 11
Ethical principles 11
Quality control standards 18
Description of assurance
engagements 25
Attestation and direct engagements 25
Reasonable and limited assurance
engagements 26
Scope of the framework 27
Elements of an assurance
engagement 28
1.3 Types of assurance engagements 39
Audits of financial statements 40
Audits of specialised areas 41
Review engagements 41
Historical non-financial reports
assurance 41
Future-oriented information assurance 42
Assurance on systems and processes 42
Assurance on aspects of behaviour 43
Performance of an activity 44
1.4 Application of standards 45
Application of ISAs 45
Application of ISREs 51
Application of ISAEs 51
Application of ISRSs 52
Australian perspective 52
1.5 Changing environment 53
Evolving business models 54
Climate-risk disclosure 54
Technological innovations 55
Review 62
References 64
MODULE 2
Planning the Audit of
Historical Financial
Information 66
Preview 68
2.1 Objectives of an audit of financial
statements 69
Overarching purpose 69
Pdf_Folio:v
Legal, regulatory, professional and ethical
requirements 72
2.2 Terms of engagements 83
Preconditions 83
Engagement terms and letter of
engagement 84
Changes to terms 84
2.3 Audit planning procedures 86
Guidance materials for planning an audit
of SMEs 86
Overall audit strategy 87
The audit plan 88
Financial statement assertions 91
Documentation 94
Materiality 95
Application of materiality concepts 96
Phases of an audit 99
2.4 Understanding the entity and its
environment 102
The entity’s industry, regulatory and other
external factors 102
Nature of the entity 103
The entity’s selection and application of
accounting policies 105
The entity’s objectives, strategies and
related business risks 105
Measurement and review of the entity’s
financial performance 108
2.5 The entity’s internal controls 109
Components of internal control 110
Internal controls in SMEs 112
Controls in an IT environment 113
2.6 Risk assessments for specific matters 121
Fraud risk 121
Auditing accounting estimates 126
Related-party risk 128
Going concern risk 129
Climate-related risk 130
Non-compliance with laws and regulations
(NOCLAR) 131
2.7 Risk assessment procedures 134
Methods used for risk assessment 134
2.8 Responding to assessed risks 159
Overall audit strategy 160
Approaches to assuring SMEs 163
Review 165
References 166
MODULE 3
Performing the Audit of
Historical Financial
Information 169
Preview 171
3.1 Key principles 171
Sufficient appropriate audit evidence 171
Financial statement assertions 172
Audit procedures 173
3.2 Tests of controls 174
Objectives of tests of controls 175
Tests of controls procedures 176
Using CAATs for tests of controls 178
Sampling techniques for testing
controls 184
3.3 Substantive audit procedures 186
Substantive analytical procedures 186
Relationship between substantive analytical
procedures and other audit
procedures 190
Tests of details 191
Using CAATs for substantive testing 197
Advanced audit data analytic
techniques 200
Sampling techniques in substantive
procedures 201
3.4 Evidence-gathering in an e-commerce
environment 204
Tests of controls in an e-commerce
environment 204
Substantive testing in an e-commerce
environment 205
Using CAATs in an e-commerce
environment 205
Advanced audit data analytic techniques
and continuous audit in an e-commerce
environment 205
3.5 Advanced evidence-gathering issues 207
Audit procedures for related parties 207
3.6 Using the work of other auditors
and experts 210
Component auditors 210
Internal auditors 211
Using the work of an auditor’s expert 213
Using the work of management’s
experts 213
3.7 Audit documentation 215
Security and confidentiality of
client data 215
Audit file organisation 215
Examples of audit working papers 216
3.8 Evaluation of audit evidence 219
Misstatements identified during
the audit 219
Sufficiency and appropriateness
of evidence 221
Review 222
References 223
MODULE 4
Conclusions and Reporting
Responsibilities for an Audit
of Historical Financial
Information 225
Preview 228
4.1 Completing the fieldwork 228
Pdf_Folio:vi
Significant areas 229
vi CONTENTS
Litigation and claims 231
Going concern 232
Management representation letter 235
Subsequent events 236
Performing analytical procedures 239
4.2 Final review 242
Final evaluation of materiality and
audit risk 243
Final review of working papers 245
Engagement quality control review 247
Final checklist 248
4.3 Preparing the audit report 251
Unmodified auditor’s report 251
Modified auditor’s report 262
4.4 Communication and reporting
responsibilities 277
Communicating with the entity 277
Reporting responsibilities 280
Review 285
References 287
MODULE 5
Other Assurance
Engagements 288
Preview 291
5.1 Audits of specialised areas 291
Special purpose financial statements 291
Single financial statements and specific
financial statement components 293
Summary financial statements 293
5.2 Review engagements 295
Review of interim financial information
performed by the auditor of the
entity 296
Review where the assurance practitioner is
not the auditor of the entity 298
Review of financial information for SMEs 298
Review of other historical financial
information — an Australian
perspective 299
5.3 Other assurance engagements — part 1 300
Overarching standard 300
Historical non-financial reports 303
Future-orientated information 311
5.4 Other assurance engagements — part 2 315
Systems and processes 315
Aspects of behaviour 327
5.5 Other assurance engagements — part 3 333
Performance of activity 333
5.6 Non-assurance services 366
Agreed-upon procedures 366
Compilation engagements 368
Review 370
References 371
Glossary 374
Westerways Case Study 381
Suggested Answers 421
Index 489
SUBJECT OUTLINE
INTRODUCTION
The purpose of this subject outline is to:
• provide important information to assist you in your studies
• define the aims, content and structure of the subject
• outline the learning materials and resources provided to support learning
• provide information about the exam and its structure.
The CPA Program is designed around five overarching learning objectives to produce future CPAs who
will:
• be technically skilled and solution driven
• be strategic leaders and business partners in a global environment
• be aware of the social impacts of accounting
• be adaptable to change
• be able to communicate and collaborate effectively.

BEFORE YOU BEGIN

Important Information
Please refer to the CPA Australia website for dates, fees, rules and regulations, and additional learning
support at www.cpaaustralia.com.au/cpaprogram.

SUBJECT DESCRIPTION
Advanced Audit and Assurance
The Advanced Audit and Assurance subject provides a body of knowledge for you to understand the nature
and diversity of audit and assurance engagements. The subject provides an insight on audit and assurance
processes, methodologies and procedures. It also examines the objectives of assurance engagements and
current and future developments in assurance engagements. The environment within which the auditor
or assurance practitioner operates and the respective roles of the private and public sector auditors and
internal audit are also discussed.
In the CPA Program, the professional responsibilities of accountants are discussed in the Ethics and
Governance subject. However, this subject emphasises the ethical and professional conduct of auditors.
The strategic business analysis techniques in the Advanced Audit and Assurance subject are further
discussed in the Strategic Management Accounting and Global Strategy and Leadership subjects in their
respective context. This subject and the Contemporary Business Issues subject also cover sustainability
reporting and assurance with an emphasis on businesses. Advanced topics in financial reporting that
complement the accounting knowledge of audit professionals are covered in the Financial Reporting
subject, and accounting for financial instruments is discussed in the Financial Risk Management subject.
This subject will introduce you to international pronouncements including the international standards
for audit, review and assurance engagements, the standard on quality control for audit firms and the code
of ethics. You will be taken through case studies to illustrate the strategic approach in audit engagements.
Contemporary developments in assurance engagements are discussed in this subject in the context of future
practice management opportunities.

Subject Aims
The aims of the subject are to address concepts related to:
• the foundational knowledge required to understand the nature and diversity of assurance engagements
• audit planning, including understanding the entity, assessing risk, developing the overall audit strategy,
developing the audit plan and application of information technology to planning of audit engagements
• performing the audit, including gathering and evaluating evidence, and application of information
technology to performance of audit engagements
• the audit conclusions and auditor’s reporting responsibilities and application of information technology
to concluding and reporting on audit engagements
• engagements other than audits of historical financial information and application of information
technology to other assurance engagements.
Pdf_Folio:vii

SUBJECT OUTLINE vii

SUBJECT OVERVIEW
General Objectives
On completion of this subject, you should be able to:
• understand and apply the framework for assurance engagements in audit and review engagements, and
other assurance engagements, and discuss the elements of an assurance engagement
• apply the standards to assurance engagements, and the fundamental ethical principles for the auditing
profession
• explain the responsibilities of management and the auditor in relation to an audit
• evaluate historical financial information by applying professional scepticism and judgement
• design audit processes and procedures to be undertaken by auditors in conducting audit and assurance
engagements
• evaluate the indicators of potential fraud and recommend a course of action
• apply the relevant auditing standards to the assessment for fraud and going concern in an audit of
financial statements
• evaluate the sufficiency and appropriateness of the audit evidence gathered
• apply the appropriate standards that relate to a range of engagement circumstances that impact the
auditor’s report and the auditor’s opinion
• evaluate circumstances that may give rise to modifications to the auditor’s report or the auditor’s opinion
• describe the various types of assurance engagements.

STUDY GUIDE
Module Descriptions
The subject is divided into five modules. A brief outline of each module is provided below.
Module 1: The Auditing and Assurance Framework
This module starts by providing an overview of the current assurance environment and outlining the
structure of the Framework that shapes auditing and other assurance engagements. The key matters
pertaining to an assurance engagement are introduced and the importance of professional scepticism
and professional judgment in collecting and evaluating evidence is emphasised. The various types of
assurance engagements are discussed and include references to the application of the relevant standards
to these engagements for different types of entities, including private sector, public sector, and small- and
medium-sized entities. This module concludes by outlining the impact a changing environment is having
on auditing due to evolving business models, enhanced disclosure requirements related to climate risks
and the incorporation of technological innovations,
Module 2: Planning the Audit of Historical Financial Information
This module outlines the general principles governing an audit of financial statements and discusses the
responsibility of personnel within the audit firm for the quality control of audits. The terms of audit
engagements and audit planning procedures are discussed including the overall audit strategy, financial
statement assertions, materiality and audit documentation. The focus then turns to the audit planning
procedures such as understanding the entity and its environment including the entity’s internal controls.
Given the increased emphasis by the profession on the detection of fraud, the auditor’s responsibility
to consider fraud in an audit of financial statements is discussed in some detail. Other risk assessments
for specific matters that have the potential to be significant risks are discussed, along with a variety of
techniques commonly used for conducting strategic analyses and analytical procedures to better understand
business risk and the audit implications. This discussion includes an overview of contemporary tools such
as data analytics and visualisations. The module concludes with a brief outline of how auditors may respond
to the assessed risks identified during the planning stage of the audit, depending on the overall audit strategy
determined by the auditor.
Module 3: Performing the Audit of Historical Financial Information
Module 3 considers the general principles underlying the evidence-gathering procedures in an audit.
Emphasis is placed on the need for auditors to obtain sufficient appropriate audit evidence on which to base
their opinion. Both tests of controls and substantive procedures are examined in detail. Examples are also
provided to demonstrate the application of the international auditing standards covering different aspects
of performing the audit to gather evidence. The use of audit data analytic techniques is also considered
as is the need to maintain audit documentation in relation to the conduct of the audit. In addition, the
Pdf_Folio:viii

viii SUBJECT OUTLINE

requirements relating to the security and confidentiality of the documents used in the audit are discussed.
Finally, the auditor’s requirement to evaluate the audit evidence to ensure sufficient appropriate audit
evidence is collected to inform their audit opinion is explained.
Module 4: Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information
Module 4 begins by outlining the auditor’s responsibilities involved in completing the fieldwork. Reasons
for obtaining a management representation letter is then discussed, before outlining the applicable audit
procedures performed to identify subsequent events and the evaluation of management’s treatment thereof.
Next, the use of analytical procedures to form an overall conclusion as to whether the financial statements
are consistent with the auditor’s understanding of the entity is explained and demonstrated. Next to be
discussed is the final review of all the evidence in order to ensure sufficient appropriate audit evidence is
obtained and to inform conclusions as to the truth and fairness of the financial statements. The types of
auditor’s opinions that are issued, and the circumstances in which they are issued is also explained in detail
and demonstrated through the use of examples. The final section covers a discussion of the the auditor’s
communication and reporting responsibilities to shareholders, regulatory bodies and those charged with
governance and management.
Module 5: Other Assurance Engagements
The module begins by describing some of the assurance services provided by auditors and includes a
discussion of various examples of these assurance services. This discussion includes the potential for
continuous assurance services due to the impact of information technology increasing the availability of
data. The role of internal audit in the provision of assurance services is discussed. This module discusses
how performance audits in the public sector are performed to comply with legislative requirements and to
assist accountability and improved performance in public administration. This module concludes with a
discussion on non-assurance services, including agreed-upon procedures, comfort letters and compilation
engagements. Agreed-upon procedures are commonplace, as they are designed to reflect the individual
circumstances of the clients and meet the needs of users, especially for SMEs that are not required to
produce audited financial statements.

Module Weightings and Study Time Requirements

Total hours of study for this subject will vary depending on your prior knowledge and experience of the
course content, your individual learning pace and style, and the degree to which your work commitments
allow you to work intensively or intermittently on the materials. You will need to work systematically
through the study guide, readings and case studies, attempt all the questions (including knowledge checks),
and revise the learning materials for the exam. The workload for this subject is the equivalent of that for a
one-semester postgraduate unit.
An estimated 15 hours of study per week through the semester will be required for an average candidate.
Additional time may be required for revision. The ‘Weighting’ column in the following table provides an
indication of the emphasis placed on each module in the exam, while the ‘Recommended proportion of
study time’ column is a guide for you to allocate your study time for each module.
Do not underestimate the amount of time it will take to complete the subject.

TABLE 1 Module weightings and study time

Recommended
proportion
Module of study time (%) Weighting (%)

1. The Auditing and Assurance Framework 20 20

2. Planning the Audit of Historical Financial Information 20 20

3. Performing the Audit of Historical Financial Information 20 20

4. Conclusions and Reporting Responsibilities for an Audit of Historical

Financial Information 20 20

5. Other Assurance Engagements 20 20

Pdf_Folio:ix

SUBJECT OUTLINE ix
Exam Structure
The Advanced Audit and Assurance exam is comprised of multiple-choice questions. Multiple-choice
questions include knowledge, application and problem-solving questions that are designed to assess
understanding of Audit and Assurance principles.

LEARNING MATERIALS
Module Structure
These study materials form your central reference in the Advanced Audit and Assurance subject. Where
advised, relevant sections of the CPA Australia Members’ Handbook and legislation are also examinable.
Module Map
A module map is at the beginning of each module. The module map outlines the topics covered in each
module and how this relates to the other modules.
Learning Objectives
A set of learning objectives is included for each module in the study guide. These learning objectives
provide a framework for the learning materials and identify the main focus of the module.
The objectives also describe what candidates should be able to do after completing the module.
Relevant Standards and Guidance Materials
The relevant standards and guidance materials table is at the beginning of each module and details both
the International and Australian Standards covered in each module.
Preview
The preview outlines what will be covered in the module and how it relates to other modules in the subject.
Study Material
The study material is divided into sections that will help you conceptualise the content and study it in
manageable portions. It is also important to appreciate the cumulative nature of the subject and to follow
the given sequence as closely as possible.
Examples
Examples are included throughout the study materials to demonstrate how concepts are applied to real-
world scenarios.
Study Material Activities
Question activities are included throughout the study materials to provide you with the opportunity, as you
progress through the subject, to assess your understanding of significant points and to stimulate further
thinking on particular issues. These questions are an integral part of your study and they should be fully
utilised to support your learning of the module content throughout the semester.
Completing the question activities should also form one part of your revision for the exam. It is evident
that candidates who achieve good results in the program and in their careers are those who are able to
think, review and analyse situations, and solve problems. The question activities will assist you to develop
these skills.
The question activities in the study materials are numbered and require you to prepare answers and
to compare those answers with the suggested answers at the end of the study guide. They test your
comprehension of specific sections of a module and provide immediate feedback on your performance
in comprehending the materials covered. Your answers to these questions do not contribute to your final
result, and you are not required to submit your answers for marking.
Key Points
The key points feature provides a summary of the main learning objectives covered in the part and details
the relevant content in this regard.
Review
The review section places the module in context of the other modules studied and summarises the main
points.
References
The reference list details all sources cited in the study guide. You are not expected to follow up this source
material.
Pdf_Folio:x

x SUBJECT OUTLINE
Suggested Answers
These are located at the end of the Study Guide and provide important feedback on the questions, examples
and case study activities included in the module learning materials. Consider them as model answers for
your reference. To assess how well you have understood and applied the material supplied in the text, it is
important to write your answer before you compare it with the suggested answer.

My Online Learning and your eBook

My Online Learning is CPA Australia’s online learning platform, which provides you with access to a
variety of resources to help you with your study. We suggest you view the video ‘Insights for a great
semester of study’ on My Online Learning, which will provide you with some insights on how to plan
your semester. It will also take you on a guided tour of My Online Learning to show you how (and when)
to access the range of resources available.
You will find a wide range of subject-level and module-level resources on My Online Learning. Subject-
level resources are those that apply to the entire subject. These resources can be used at any time but
are most useful when you’ve completed all the modules for the entire subject — whereas module-level
resources should be used while you work through a particular module in the Study guide.
You should refer to the journey map located on My Online Learning to see what module resources you
can access and in what order you should use them.
You can access My Online Learning from the CPA Australia website: cpaaustralia.com.au/myonline
learning.
Help Desk
For help when accessing My Online Learning, either:
• email [email protected], or
• telephone 1300 73 73 73 (Australia) or +61 3 9606 9677 (international) between 8.30 am and 5.00 pm
(AEST) Monday to Friday during the semester.
eBook
An interactive eBook version of the study guide will be available through My Online Learning. The eBook
contains the full study guide and features instructional media and interactive questions embedded at the
point of learning. The media content includes animations of key diagrams from the study guide and video
interviews with leading business practitioners.

GENERAL EXAM INFORMATION

The Advanced Audit and Assurance exam is three hours and 15 minutes in duration.
The Study Guide is your central examinable resource. Where advised, relevant sections of the CPA
Australia Members’ Handbook and legislation are also examinable.
For information on you what you can take into your exam, as well as your exam structure and mark
allocations, please refer to ‘Study Companion and Exam Mark Allocations’ in My Online Learning.

Pdf_Folio:xi

SUBJECT OUTLINE xi
P
df_Folio:xii
MODULE 1

THE AUDITING AND

ASSURANCE
FRAMEWORK
Module 1
The Auditing and Assurance Framework

• The internationalisation of auditing

Assurance environment
• Regulation of auditing in Australia

Assurance engagement framework
• Ethical principles
• Quality control standards
• Description of an assurance engagement
• Scope of the Framework
• Elements of an assurance engagement

• Audits
• Reviews
• Historical non-financial reports
Types of assurance engagements • Future-oriented information
• Systems and process
• Aspects of behaviour
• Performance of an activity

• Application of ISAs, ISREs, ISAEs

Application of standards and ISRSs
• Australian perspective

• Evolving business models

Changing environment • Climate-risk disclosure
• Technological innovations

Audits of historical financial Module 5

information Other assurance engagements

Module 2 Module 3 Module 4

Planning the Performing the Conclusions and
audit audit reporting
responsibilities

P df_Folio:1
LEARNING OBJECTIVES

After completing this module, you should be able to:

1.1 apply the International Framework for Assurance Engagements (the Framework) and the related standards
and other guidance to assurance engagements
1.2 apply the Code of Ethics for Professional Accountants to assurance engagements.

RELEVANT STANDARDS AND GUIDANCE MATERIALS

International standards Australian standards

IESBA International Code of Ethics for Professional APES 110 Code of Ethics for Professional Accountants
Accountants (including International Independence (including Independence Standards)
Standards)

International Framework for Assurance Engagements Framework for Assurance Engagements

n/a ASA 101 Preamble to Australian Auditing Standards

n/a ASA 102 Compliance with Ethical Requirements when

Performing Audits, Reviews and Other Assurance
Engagements

ISA 200 Overall Objectives of the Independent ASA 200 Overall Objectives of the Independent Auditor
Auditor and the Conduct of an Audit in Accordance and the Conduct of an Audit in Accordance with
with International Standards on Auditing Australian Auditing Standards (Compiled)

ISA 220 Quality Control for an Audit of Financial ASA 220 Quality Control for an Audit of a Financial Report
Statements and Other Historical Financial Information (Compiled)

ISA 230 Audit Documentation ASA 230 Audit Documentation (Compiled)

ISA 300 Planning an Audit of Financial Statements ASA 300 Planning an Audit of a Financial Report
(Compiled)

ISA 315 (Revised) Identifying and Assessing ASA 315 Identifying and Assessing the Risks of Material
the Risks of Material Misstatement through Misstatement through Understanding the Entity and Its
Understanding the Entity and Its Environment Environment (Compiled)

ISA 402 Audit Considerations Relating to an Entity ASA 402 Audit Considerations Relating to an Entity Using
Using a Service Organization a Service Organisation (Compiled)

ISA 510 Initial Audit Engagements — Opening ASA 510 Initial Audit Engagements — Opening Balances
Balances (Compiled)

ISA 540 (Revised) Auditing Accounting Estimates, ASA 540 Auditing Accounting Estimates and Related
and Related Disclosures Disclosures

ISA 600 Special Considerations — Audits of Group ASA 600 Special Considerations — Audits of a Group
Financial Statements (including the Work of Financial Report (Compiled)
Component Auditors)

ISA 610 (Revised) Using the Work of Internal ASA 610 Using the Work of Internal Auditors
Auditors

ISA 800 (Revised) Special Considerations—Audits of ASA 800 Special Considerations — Audits of Financial
Financial Statements Prepared in Accordance with Reports Prepared in Accordance with Special Purpose
Special Purpose Frameworks Frameworks (Compiled)

ISA 805 (Revised) Special Considerations — Audits ASA 805 Special Considerations — Audits of Single
of Single Financial Statements and Specific Financial Statements and Specific Elements, Accounts
Elements, Accounts or Items of a Financial or Items of a Financial Statement (Compiled)
Statement

ISA 810 (Revised) Engagements to Report on ASA 810 Engagements to Report on Summary Financial
Summary Financial Statements Statements

ISQC 1 Quality Control for Firms that Perform Audits ASQC 1 Quality Control for Firms that Perform Audits
and Reviews of Financial Statements, and Other and Reviews of Financial Reports and Other Financial
Assurance and Related Services Engagements Information, Other Assurance Engagements and Related
Pdf_Folio:2

Services Engagements

2 Advanced Audit and Assurance

 ISRE 2400 (Revised) Engagements to Review ASRE 2400 Review of a Financial Report Performed by
Historical Financial Statements an Assurance Practitioner Who is Not the Auditor of the
Entity

ISRE 2410 Review of Interim Financial Information ASRE 2410 Review of a Financial Report Performed by
Performed by the Independent Auditor of the the Independent Auditor of the Entity (Compiled)
Entity

n/a ASRE 2415 Review of a Financial Report: Company

Limited by Guarantee or an Entity Reporting under the
ACNC Act or Other Applicable Legislation or Regulation
(Compiled)

ISAE 3000 (Revised) Assurance Engagements ASAE 3000 Assurance Engagements Other than Audits or
Other than Audits or Reviews of Historical Financial Reviews of Historical Financial Information
Information

n/a ASAE 3100 Compliance Engagements

n/a ASAE 3150 Assurance Engagements on Controls

ISAE 3400 The Examination of Prospective Financial n/a

Information

ISAE 3402 Assurance Reports on Controls at a ASAE 3402 Assurance Reports on Controls at a Service
Service Organization Organisation

ISAE 3410 Assurance Engagements on Greenhouse ASAE 3410 Assurance Engagements on Greenhouse Gas
Gas Statements Statements

ISAE 3420 Assurance Engagements to Report on ASAE 3420 Assurance Engagements to Report on the
the Compilation of Pro Forma Financial Information Compilation Of Pro Forma Financial Information Included
Included in a Prospectus in a Prospectus

n/a ASAE 3450 Assurance Engagements involving

Corporate Fundraisings and/or Prospective Financial
Information

n/a ASAE 3500 Performance Engagements

n/a ASAE 3610/AWAS 2 Assurance Engagements on General

Purpose Water Accounting Reports

ISRS 4400 Engagements to Perform Agreed-Upon ASRS 4400 Agreed-Upon Procedures Engagements to
Procedures Regarding Financial Information Report Factual Findings

ISRS 4410 (Revised) Compilation Engagements n/a

n/a ASRS 4450 Comfort Letter Engagements

n/a APES 310 Client Monies

P df_Folio:3

MODULE 1 The Auditing and Assurance Framework 3

PREVIEW
This module begins by describing the assurance environment. The institutions behind the development
of the International Framework for Assurance Engagements (the Framework), which shapes auditing and
other assurance engagements, are introduced. The regulation of auditing in Australia is also outlined. Next,
the following key requirements of the assurance engagement framework are discussed:
• ethical principles
• quality control standards
• description of assurance engagements
• attestation and direct engagements
• reasonable and limited assurance engagements
• scope of the Framework
• elements of an assurance engagement.
The audit profession has developed its reputation, methodology and expertise through financial state-
ment audits and reviews and, in the public sector, on performance engagements. More recently, the
profession has expanded its range of assurance services to cover numerous situations where there is a
desire to have the credibility of a report enhanced for users.
Some of the common types of assurance engagements are discussed, including:
• audits and reviews of historical financial information
• other assurance engagements
– non-financial information (e.g. sustainability or business performance reports)
– future-oriented information (e.g. prospectuses)
– systems and processes (e.g. internal control)
– aspects of behaviour (e.g. compliance with regulations)
– performance of an activity.
Next, the module discusses the application of the standards, including:
• auditing standards that are applied to audits of historical financial information (i.e. audits of financial
statements)
• review engagement standards
• other assurance engagement standards
• related services engagement standards.
Lastly, this module introduces material to be covered in subsequent modules, discusses how the business
and regulatory environment is evolving and highlights potential impacts on the auditing profession largely
due to technological innovations.

1.1 ASSURANCE ENVIRONMENT

Assurance services are independent professional services that aim to improve the quality, relevance
and reliability of information necessary for decision making. The terms ‘auditing’ and ‘assurance’ are
sometimes confused. An audit is a specific type of assurance engagement that focuses on historical
financial information. That is, an audit is a subset of assurance engagements. As shown in table 1.1,
assurance services are divided between:
• audits of historical financial information
• reviews of historical financial information
• assurance engagements other than audits and reviews of historical financial information.
Further information on the structure and hierarchy of assurance standards is provided later in this
module.
The International Framework for Assurance Engagements (para. 7) defines assurance engagements as:
an engagement in which a practitioner aims to obtain sufficient appropriate evidence in order to express a
conclusion designed to enhance the degree of confidence of the intended users other than the responsible
party about the outcome of the measurement or evaluation of an underlying subject matter against criteria.
This definition provides five essential elements of an assurance engagement.
For an audit of financial statements, an auditor evaluates the presentation of the financial statements
against criteria (e.g. accounting standards) and expresses a conclusion (audit report) based on their findings.
The audit is designed to provide users (such as shareholders) with a reasonable level of confidence about
the truth and fairness of the financial statements.
Pdf_Folio:4

4 Advanced Audit and Assurance

 TABLE 1.1 Population of assurance services

Types of information

Historical financial information All other information

Level of assurance Reasonable Limited Reasonable or limited

provided

Examples Audit of financial Review of financial • Corporate social responsibility (CSR)

statements statements reports
• Greenhouse gas statements (GHG)
• Sustainability reports
• Water accounting reports
• Business performance measurement
• Integrated reports
• Future-oriented information
• Systems and processes
• Aspects of behaviour
• Performance of an activity

International ISAs 100–999 ISREs 2000–2699 ISAEs 3000–3699 International

standards International International Standards on Assurance Engagements
Standards on Standards on Review
Auditing Engagements

Source: CPA Australia 2019.

Auditing and assurance are governed by two separate but closely related sets of standards: auditing
standards that are concerned with audits of historical financial information; and assurance standards that
are concerned with all other types of assurance engagements. Both the International Standards on Auditing
and International Standards on Review Engagements continually evolve to keep pace with changes in
business and social expectations.
The demand for assurance services continues to grow and so does the range of assurance services offered
by public accountants. As a result, the role of regulators and regulation in maintaining the quality of the
assurance services is pivotal. Assurance engagement providers operate in a complex environment that is
subject to a number of important influences, such as the internationalisation of auditing and regulation.
This section will explain these influences on the provision of assurance services.

THE INTERNATIONALISATION OF AUDITING

Auditing has become an international market with a large increase in the number of multinational corpora-
tions as audit clients. The auditing profession, the auditing standard-setting process and the regulatory
process have also become internationalised. This internationalisation has led to the promulgation of
international assurance pronouncements to harmonise auditing practices across jurisdictions.
Figure 1.1 shows the structure and hierarchy of the international pronouncements, including the Inter-
national Standards on Quality Control and the International Framework for Assurance Engagements. The
Framework and Standards on Quality Control will be discussed in section 1.2. The types of assurance
engagements will be discussed in section 1.3, and the application of the standards will be discussed in
section 1.4.
The pronouncements shown in figure 1.1 govern assurance engagements conducted in accordance with
International Standards. However, they do not override the local laws and regulations that govern historical
financial statement audits or assurance engagements on other information that are required to be followed
in a particular country.
Regulatory agencies implement and enforce laws and regulations. Globally, regulators want greater
consistency in the delivery of quality audit services (Deloitte 2019). This includes increasing coordination
through the International Forum of Independent Audit Regulators (IFIAR) by ‘sharing knowledge,
collaborating and promoting consistency in the way auditing is regulated’ (Deloitte 2019). The main
regulatory agencies that have an impact on auditing and assurance engagements in a global setting include:
• International Federation of Accountants (IFAC)
• International Forum of Independent Audit Regulators (IFIAR)
• International Ethics Standards Board for Accountants (IESBA)
• International Auditing and Assurance Standards Board (IAASB).
Pdf_Folio:5

MODULE 1 The Auditing and Assurance Framework 5

 FIGURE 1.1 Pronouncements issued by the IAASB

IESBA Code of Ethics for Professional Accountants

Engagements Governed by the Standards of the IAASB

ISQCs 1–99 International Standards on Quality Control

International Framework for Assurance Engagements

Audits and Reviews of Other

Historical Financial Information Assurance Engagements

ISAs 100–999 ISAEs 3000–3699

International Standards International Standards on
on Auditing Assurance Engagements

Related Services

ISREs 2000–2699 ISRSs 4000–4699

International Standards on International Standards
Review Engagements on Related Services

Source: International Auditing and Assurance Standards Board (IAASB) 2018, Handbook of International Quality Control,
Auditing, Review, Other Assurance, and Related Services Pronouncements, 2018 ed., vol. 1, p. 4, accessed July 2019,
https://www.ifac.org/publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance

International Federation of Accountants (IFAC)

The International Federation of Accountants (IFAC) is the global organisation for the accountancy
profession dedicated to serving the public interest by strengthening the profession. With headquarters
in New York, IFAC’s members are the associations of professional accountants from around the world.
CPA Australia, for example, is a member of IFAC. The IFAC council comprises one representative of each
member body. In 2019, IFAC had over 175 members from 130 countries and jurisdictions (IFAC 2019).

International Forum of Independent Audit Regulators (IFIAR)

There has been increased oversight of the auditing profession by independent audit regulatory authorities,
resulting in the formation in 2006 of the International Forum of Independent Audit Regulators (IFIAR),
which in 2018 had a membership of 55 independent public oversight bodies (such as the Australian
Securities and Investments Commission (ASIC) in Australia) from different countries (IFIAR 2019).

International Ethics Standards Board for Accountants (IESBA)

The International Ethics Standards Board for Accountants (IESBA’s) restructured code of ethics, the
International Code of Ethics for Professional Accountants (including International Independence Stan-
dards) (the Code), which was issued in April 2018, is the fundamental pronouncement for assurance
practitioners. The Code was developed with a view to enhancing ease of navigation, use and enforcement.
The Code states that ‘a professional accountant shall comply with the code’ (the Code, para. R100.3)
except for parts where laws and regulations in a specific jurisdiction preclude compliance. All other
standards and related guidance issued by the IAASB shall be applied in the context of the ethical framework
presented in the Code. Similarly, all standards other than the Code shall be applied in the context of the
International Standards on Quality Control (i.e. ISQC 1). It is not possible for a practitioner to comply
with the standards without first complying with the Code.
Pdf_Folio:6

6 Advanced Audit and Assurance

 You should look through the Code now to familiarise yourself with its content. The Code is available
online at https://www.ifac.org/system/files/publications/files/Final-Pronouncement-The-Restructured-
Code_0.pdf. However, it will be discussed further in section 1.2.

International Auditing and Assurance Standards Board (IAASB)

The International Auditing and Assurance Standards Board (IAASB) is:
an independent standard-setting body that serves the public interest by setting high-quality international
standards for auditing, quality control, review, other assurance, and related services, and by facilitating the
convergence of international and national standards (IAASB 2019).
The convergence of international and national standards enhances the quality and consistency of
practice throughout the world and strengthens the public’s confidence in the global auditing and assurance
profession.
The IAASB develops and issues standards for three types of assurance engagements: audits, review
engagements and other assurance engagements.
1. International Standards on Auditing (ISAs) — to be applied to the audit of historical financial
information.
2. International Standards on Review Engagements (ISREs) — to be applied to the review of historical
financial information.
3. International Standards on Assurance Engagements (ISAEs) — to be applied in assurance engagements
dealing with information other than historical financial information (e.g. prospectuses, sustainability
reports). Information that is ‘other than historical financial’ may be future oriented and/or non-financial.
The application of these standards will be discussed later in this module. As shown in figure 1.1,
the IAASB also issues International Standards on Related Services (ISRSs), which are not assurance
engagements (in that they are not designed to offer a degree of assurance), but which do utilise assurance-
type, evidence-gathering procedures (e.g. agreed procedures engagements to report factual findings). This
will be discussed in more detail in module 5.
In addition, the IAASB issue other pronouncements such as the International Framework for Assurance
Engagements and A Framework for Audit Quality. Both of these frameworks are discussed in section 1.2.

REGULATION OF AUDITING IN AUSTRALIA

This section describes Australian institutional arrangements surrounding the Australian auditing pro-
nouncements, which are based on the international pronouncements.
There are a number of regulators and institutions that have an impact on the audit process, either directly
or indirectly. They include the:
• Financial Reporting Council (FRC)
• Australian Securities and Investments Commission (ASIC)
• Accounting Professional and Ethical Standards Board (APESB)
• Auditing and Assurance Standards Board (AUASB)
• Companies Auditors and Liquidators Disciplinary Board (CALDB)
• Australian Securities Exchange (ASX)
• professional accounting bodies:
– CPA Australia
– Chartered Accountants Australia and New Zealand (CAANZ)
– Institute of Public Accountants (IPA).
Financial Reporting Council (FRC)
The Financial Reporting Council (FRC) is an independent statutory agency that was established in 1999 to
oversee the accounting standards-setting process. Its duties were expanded in 2005 to include the oversight
of the auditing standard-setting process and the monitoring of auditor independence. Its responsibilities
include appointing the members of the AUASB.
Australian Securities and Investments Commission (ASIC)
The Australian Securities and Investments Commission (ASIC) is an independent Commonwealth body
that was set up under the Australian Securities and Investments Commission Act 2001 (Cwlth) (ASIC Act).
ASIC carries out most of its work under the Corporations Act 2001 (Cwlth) (Corporations Act).
ASIC regulates the corporate markets and financial services sectors in Australia by overseeing activities
to protect investors. Their aim is to ensure investors have access to adequate information, are treated fairly
Pdf_Folio:7

MODULE 1 The Auditing and Assurance Framework 7

and have adequate avenues for redress. Of particular interest to auditors is the expanded role of ASIC
in recent years to include responsibility for reviewing the quality of audit work performed (Leung et al.
2019).
Its responsibilities with regard to the oversight of the auditing profession include registration of auditors,
enforcement of rules regarding auditor independence and use of auditing standards, and inspection of
audit firms.

Accounting Professional and Ethical Standards Board (APESB)

The Accounting Professional and Ethical Standards Board (APESB) is responsible for setting ethical
standards in Australia. It is funded by the professional accounting bodies in Australia (however, its
members are independent). It is responsible for setting standards on quality control, ethical conduct and
compliance with auditing and assurance standards.

Australian Auditing and Assurance Standards Board (AUASB)

The Australian Auditing and Assurance Standards Board (AUASB) was established in Australia as an
independent statutory agency under the ASIC Act. The AUASB’s mandate requires it to consider revisions
and improvements to the pronouncements initiated by the IAASB.
The Australian Framework for Assurance Engagements (Australian Framework) conforms with the
International Framework for Assurance Engagements (the Framework) with only minor differences.
Pronouncements are issued in Australia by the AUASB and are, in general, the same as the pronounce-
ments of the IAASB. However, they are not identical to the international pronouncements and differences
mainly arise to accommodate the requirements of Australian legislation. Differences also arise because
the Australian Auditing Standards (ASAs) include a small number of paragraphs that are not found in
the ISAs. These paragraphs are labelled Aus (e.g. Aus 14), and in most cases, Aus paragraphs impose
requirements on Australian auditors that are additional to those found in the international standards.
Figure 1.2 illustrates the AUASB standard-setting process and identifies the procedures followed when
International or Australian technical issues are identified and research and consultation with stakeholders
are undertaken prior to issuing a standard or other pronouncement.

FIGURE 1.2 The AUASB standard-setting process

Identify international Identify Australian

Add topic to the agenda
technical issue technical issue

Research and
consider issue

Submission Consult with Comments from

to IAASB stakeholders stakeholders

Issue standard or other Implementation and

pronouncement compliance

International Australian
stakeholders

Source: AUASB 2019, The Standard-Setting Process’, accessed August 2019, https://www.auasb.gov.au/About-the-AUASB/The-
standard-setting-process.aspx
Pdf_Folio:8

8 Advanced Audit and Assurance

 Table 1.2 shows the equivalent Australian pronouncements to the International pronouncements cover-
ing various aspects of audit and assurance engagements.

TABLE 1.2 Equivalent Australian pronouncements

IAASB (International) pronouncements AUASB (Australian) pronouncements

ISQC ASQC

ISA ASA

ISRE ASRE

ISAE ASAE

Source: CPA Australia 2019.

The Companies Auditors Disciplinary Board (CADB)

The CADB is a statutory body initially established as the Companies Auditors and Liquidators Disciplinary
Board (CALDB) in 1990. It hears applications from ASIC to determine whether auditors or liquidators
have breached the Corporations Act. It also has the power to impose a penalty if it determines that a
registered auditor or liquidator has failed to carry out duties properly or is not a fit and proper person to
be registered. Penalties include the cancellation or suspension of registration, an imposition of restrictions
on conduct, or an admonition (Leung et al. 2019).
CADB members are appointed by the Treasurer based on the requirements of the ASIC Act and have a
breadth of knowledge and experience encompassing the law, accounting and business (Leung et al. 2019).

The Australian Securities Exchange (ASX)

The ASX is also an important participant in the market, but it is not a regulator. The ASX became a public
company in 1998 and operates as the main national securities exchange for equities, derivatives and fixed-
interest securities. It facilitates capital raisings and trading for listed companies, settlement and capital
matching, and provides comprehensive market data and information to a range of users. The ASX describes
itself as ‘an integrated exchange’ offering ‘listings, trading, technology, data and post-trade services for a
wide range of asset classes, including equities, fixed income, commodities and energy’ (ASX 2018).
To list a company on the ASX, there are a number of Listing Rules designed to protect investors.
The Listing Rules are enforceable against listed entities under the requirements of the Corporations Act.
Listing Rules create obligations that are additional and complementary to the statutory obligations under
the Corporations Act. One particular example of the enhanced requirements under the Listing Rules is
Listing Rule 4.10.3, which requires an entity to make a statement of the extent to which their corporate
governance practices have followed the best practice recommendations of the ASX Corporate Governance
Council and disclose reasons for any non-conformity. Another example of enhanced requirements is in
relation to continuous disclosure, where Listing Rule 3.1 requires that once a company becomes aware of
any information that a reasonable person would expect to have a material effect on the price or value of
its securities, it should inform the market. The ASX has a role in maintaining the integrity of the capital
market.

Professional Accounting Bodies

Professional accounting bodies represent the interests of their members by lobbying governments and
provide the framework for self-regulation, where permitted by statute. Professional bodies also administer
training and examinations for students and members. There are three professional accounting bodies in
Australia. They are:
• CPA Australia
• Chartered Accountants Australia New Zealand
• Institute of Public Accountants (IPA).
CPA Australia
CPA Australia is a professional body with more than 164 000 members working as finance, accounting and
business professionals, academics, and public servants in Australia and around the world. CPA Australia’s
core services to their members include education, training, technical support and advocacy. To become a
CPA it is necessary to undertake the CPA Program and have three years of work experience mentored by
a member of CPA Australia.
Pdf_Folio:9

MODULE 1 The Auditing and Assurance Framework 9

Chartered Accountants Australia and New Zealand (CAANZ)
CAANZ is a professional body with more than 120 000 members working in public practice (including
the Big-4 and mid-tier chartered accounting firms), industry, academia and government. Its members work
in Australia, New Zealand and more than 100 other countries. To become a chartered accountant it is
necessary to undertake the Chartered Accountants (CA) Program, which combines study and mentored
work experience.
Institute of Public Accountants (IPA)
The IPA is a professional body with more than 35 000 members working in industry, commerce,
government, academia and public practice. To become an IPA member it is necessary to meet eligible
accounting qualifications equivalent to the IPA Program Stage 1 and industry experience equivalent to the
Mentored Experience Program. An alternative path is available for those who have a current membership
with an IFAC Member level body.

QUESTION 1.1

Several private and public sector organisations are associated with the public accounting profes-
sion. The following are functions pertaining to these organisations.
1. Hear applications from ASIC to determine whether auditors have breached the Corporations
Act.
2. Oversee the accounting standards-setting process.
3. Formulate auditing standards and audit guidance statements.
4. Regulate the distribution and trading of securities offered for public sale.
5. Establish a code of professional ethics.
6. Oversee the Australian Auditing and Assurance Standards Board.
7. Issue auditing standards.
8. Take punitive action against an independent auditor.
9. Establish quality control standards for audit work.
10. Undertake investigation of perceived breaches of the Corporations Act.
Indicate the organisation associated with each activity.

REGULATION OF AUDITING IN NEW ZEALAND

In the previous two sections we have described the regulation of auditors and institutional arrangements
around auditing pronouncements in the international setting and then some specific Australian differences.
Here we consider the New Zealand environment.
The External Reporting Board (XRB) is an independent Crown entity established under the Financial
Reporting Act 1993 with the following functions:
1. developing and implementing an overall strategy for financial reporting standards and auditing and
assurance standards (including developing and implementing tiers of financial reporting and assurance);
2. preparing and issuing accounting standards;
3. preparing and issuing auditing and assurance standards, including the professional and ethical standards
that will govern the professional conduct of auditors; and
4. liaising with national and international organisations that exercise functions that correspond with, or are
similar to, those conferred on the XRB (XRB 2019a).

The XRB consists of the New Zealand Accounting Standards Board (NZASB) and the New Zealand
Auditing and Assurance Standards Board (NZAuASB). The auditing and assurance standards issued by
the NZAuASB consist of four suites of standards:
1. Professional and Ethical Standards: these are the professional and ethical standards applying to assurance
practitioners issued by the XRB Board/NZAuASB.
2. International Standards on Auditing (NZ): apply to the conduct of audit engagements (reasonable
assurance) undertaken by assurance practitioners.
3. Review Engagement Standards: apply to the conduct of review engagements (limited assurance)
undertaken by assurance practitioners (XRB 2019c).
4. Other Assurance Engagement Standards: apply to the conduct of assurance engagements (other than on
df_Folio:10
P
historical financial information) undertaken by assurance practitioners.

10 Advanced Audit and Assurance

 The XRB Board has set key strategic objectives for the NZAuASB related to harmonisation as follows:
1. the adoption of international auditing and assurance standards as applying in New Zealand unless there
are compelling reasons not to; and
2. working with the Australian Auditing and Assurance Standards Board (AUASB) towards the establish-
ment of harmonised standards based on international standards (XRB 2019b).

The equivalent of the Australian regulator (ASIC) in New Zealand is the Financial Markets Author-
ity (FMA), which is an independent Crown authority responsible for ensuring public confidence in
New Zealand financial markets. Its responsibilities include:
• the licensing of New Zealand and overseas auditors and audit firms
• monitoring the audit firm performance
• performing quality reviews of New Zealand audit firms and auditors
• overseeing and monitoring accredited bodies to make sure they carry out their statutory duties.
Further details of the FMA’s role can be obtained from the Auditor Regulation and Oversight Plan
2019–2022 (FMA 2019).
The key points covered in this part, and the learning objectives they align to, are below.

KEY POINTS

1.1 Apply the International Framework for Assurance Engagements (the Framework) and the
related standards and other guidance to assurance engagements.
• The International Framework for Assurance Engagements distinguishes assurance engagements
from other engagements and provides a hierarchy of standards applicable to different engagements.
1.2 Apply the Code of Ethics for Professional Accountants to assurance engagements.
• All professional accountants have to comply with the fundamental ethical principles set out in
the Code.

1.2 ASSURANCE ENGAGEMENT FRAMEWORK

The International Framework for Assurance Engagements (the Framework) issued by the IAASB applies
to all assurance engagements. It helps in understanding the engagements to which ISAs, ISREs and ISAEs
apply. Engagements for non-assurance and related services including consulting engagements are outside
the scope of this Framework, but accountants undertaking such engagements must also adhere to the IESBA
Code of Ethics for Professional Accountants (the Code). The Framework is not a standard and does not
include any requirements for performance. The Framework refers to the applicable assurance standards
and the Code where requirements are prescribed. As such, this section will outline information contained
in the Framework as well as requirements of the Code and applicable standards. Matters contained in the
Framework that will be discussed in this section include:
• ethical principles
• quality control standards
• description of assurance engagements
• attestation and direct engagements
• reasonable and limited assurance engagements
• scope of the Framework
• elements of an assurance engagement:
– three-party relationship
– underlying subject matter
– criteria
– evidence
– assurance report.

ETHICAL PRINCIPLES
The Framework specifies that firms that perform assurance engagements must comply with the fun-
damental ethical principles outlined in IESBA’s Code. The Code’s conceptual framework (the Code,
s. 120) outlines circumstances in which threats to compliance with the fundamental principles may occur.
Pdf_Folio:11

MODULE 1 The Auditing and Assurance Framework 11

The Code’s conceptual framework also specifies how accountants may identify, evaluate and address the
threats by eliminating them or reducing them to an acceptable level.
The Code
IFAC established the IESBA to develop ethical principles for accountants. IESBA’s Code is the central
standard. The Ethics and Governance subject of the CPA Program examines the Code in depth. The aspects
of the Code that are of particular interest to assurance practitioners are discussed next. The Code is divided
into four parts.
• Part 1 introduces and describes the fundamental principles and conceptual framework.
• Part 2 applies to professional accountants in business.
• Part 3 applies to professional accountants in public practice.
• Part 4 covers independence standards for:
– 4A audits and review engagements
– 4B other assurance and non-assurance engagements.
After providing an overview of the fundamental principles included in Part 1 of the Code, this section
will focus on Part 3 ‘Professional accountants in public practice’, which includes professional accountants
in the auditing and assurance profession. Part 3 is extensive and describes many of the circumstances
and relationships that could be encountered by an assurance practitioner and the associated threats to
compliance with the fundamental ethical principles. This will be followed by a review of the independence
requirements outlined in Part 4 of the Code.
Part 2 is outside the scope of this study guide as it concentrates on the Code that relates to professional
accountants in business.
Fundamental Principles
The Code begins by establishing the fundamental principles of professional conduct and outlining the
requirements and application of the conceptual framework to identify, evaluate and address the threats to
compliance with the fundamental principles set out in the Code. The following topics are discussed next.
• Fundamental principles (the Code, s. 110):
– integrity
– objectivity
– professional competence and due care
– confidentiality
– professional behaviour.
• Conceptual framework (the Code, s. 120):
– threats and safeguards.
Integrity
The principle of integrity imposes an obligation on professional accountants to be straightforward and
honest (the Code, para. R111.1).
Objectivity
Accountants, and in particular auditors, may be exposed to numerous situations that could reduce
objectivity in their professional judgments. Therefore, they have a duty to avoid relationships or situations
that allow prejudice, bias, conflict of interest or the undue influence of others, which might compromise
their professional and business judgments (the Code, para. R112.1).
Professional Competence and Due Care
The principle of professional competence and due care (the Code, para. R113.1) is an obligation that
has two distinct parts:
(a) Attaining and maintaining professional knowledge and skills necessary to provide competent profes-
sional service to the client.
(b) To act ‘diligently and in accordance with applicable technical and professional standards’ (the Code,
para. R113.1(b)).

This obligation requires continuing awareness of relevant technical, professional and business devel-
opments, which can be obtained through continuing professional development (the Code, para. 113.1
A2). The Code explains that ‘diligence encompasses the responsibility to act in accordance with the
requirements of an assignment, carefully, thoroughly and on a timely basis’ (the Code, para. 113.1 A3).
Professional accountants are required to decline a job unless they possess the necessary skills to perform
it properly.
Pdf_Folio:12

12 Advanced Audit and Assurance

 QUESTION 1.2

Brenda Jones is a newly qualified accountant who is carrying out her first audit as the in-charge
auditor for a construction company client that is engaged in a range of long-term contracts. Brenda
has little experience of these types of clients and the accounting requirements in relation to long-
term contracts. John Bull is the CFO of the client — he is a busy man and has a notorious reputation
for being unfriendly to auditors. It has become apparent that Brenda has not fully understood the
accounting issues involved and has avoided asking the necessary questions of John Bull to gain
an understanding of the company’s transactions and the necessary audit work required to obtain
evidence on the long-term contract transactions.
As Brenda’s supervisor, how would you explain to her the importance of professionalism, using
the International Code of Ethics for Professional Accountants (including International Indepen-
dence Standards) and particularly referring to its guidance on competence? What advice would
you give as to how she should proceed?

Confidentiality
A professional accountant must respect the confidentiality of information acquired as a result of
professional and business relationships. They must not:
• use the information for the personal advantage of themselves or third parties
• disclose any such information to third parties without proper and specific authority, unless there
are responsibilities under law, regulation or relevant ethical requirements to disclose (the Code,
para. R114.1).
Circumstances where disclosure of confidential information may be required or appropriate (the Code,
para. 114.1 A1) include:
(a) Disclosure is required by law, for example:
(i) Production of documents or other provision of evidence in the course of legal proceedings; or
(ii) Disclosure to the appropriate public authorities of infringements of the law that come to light;
(b) Disclosure is permitted by law and is authorized by the client or the employing organization;
(c) There is a professional duty or right to disclose, when not prohibited by law:
(i) To comply with the quality review of a professional body;
(ii) To respond to an inquiry or investigation by a professional or regulatory body;
(iii) To protect the professional interests of a professional accountant in legal proceedings; or
(iv) To comply with technical and professional standards, including ethics requirements (the Code,
para. 114.1 A1).
Professional Behaviour
An accountant must demonstrate professional behaviour by complying with relevant laws and regulations
and avoid any conduct that discredits the profession (the Code, para. R115.1). They must act in a way that
promotes the good reputation of the profession.
Threats and Safeguards
Using the conceptual framework approach recommended by the Code, members must identify any threats
to compliance with the fundamental principles, evaluate those threats and address threats to compliance
with the fundamental principles in section 110 of the Code. Where the threats are significant, members
must apply safeguards to eliminate them or reduce them to an acceptable level (i.e. so that compliance
with the fundamental principles is no longer compromised). If members cannot implement appropriate
safeguards, they must either decline or discontinue the specific professional service, or consider resigning
from the client or employer.
Compliance with the fundamental ethical principles can be jeopardised by a range of threats.
• Self-interest threat may occur as a result of the financial or other interests of a professional accountant.
• Self-review threat may occur when the assurance team needs to form an opinion on their work or work
performed by others in their firm.
• Advocacy may occur when an auditor is asked to promote or represent their client in some particular
way. This could happen when a client asks the auditor to promote their shares on the stock exchange,
argue their client’s position on a proposed accounting disclosure or represent them in a court case. The
auditor’s objectivity may be impaired. Further, the auditor’s independence of mind and in appearance
could be compromised.
• Familiarity may occur when, because of a long or close relationship with a client, a professional
accountant becomes too sympathetic to their interests or too accepting of their work.
Pdf_Folio:13

MODULE 1 The Auditing and Assurance Framework 13

• Intimidation may occur when a professional accountant is deterred from acting objectively because of
actual or perceived threats (the Code, para. 120.6 A3).
Many of the safeguards that eliminate or reduce threats are discussed in the Code. Safeguards may be
created by the following.
• The profession, legislation or regulation — for example:
– the issue of quality standards, member education, establishment of a code of ethics, and the enactment
of legislation such as the Corporations Act and the ASIC Act.
• In the work environment of the assurance client — for example:
– when the client’s management appoints the auditor, people other than management ratifying or
approving the appointment
– the client having competent employees to make managerial decisions
– policies and procedures emphasising the client’s commitment to fair financial reporting
– internal procedures ensuring objective choices in commissioning non-audit work
– strong corporate governance, including an effective audit committee.
• In the work environment of the audit firm — for example:
– systems and procedures to ensure compliance with ethical standards (e.g. rules on share ownership,
relationship with clients, client acceptance procedures)
– partner rotation policies to enhance audit partner independence
– peer review policies to provide other partners with feedback.
In exercising judgment on the significance of threats and safeguards, accountants must consider what a
reasonable and informed third party would likely conclude on whether compliance with the fundamental
principles has been compromised.
You should now read paragraphs 200.1–200.8 of Part 2 of the Code, ‘Professional accountants in
business’, which provide guidance on identifying, evaluating and addressing threats.
Professional Accountants in Public Practice
Part 3 of the Code, ‘Professional accountants in public practice’, provides guidance on applying the
conceptual framework from Part 1. In this section, we consider specific issues relevant to public
practitioners, including:
• conflicts of interest
• professional appointments
• second opinions
• fees and other types of remuneration
• inducements (including gifts and hospitality)
• custody of client assets
• responding to non-compliance with laws and regulations.
You should now read paragraphs 300.6–310.13 of Part 3 of the Code, ‘Professional accountants in
public practice’, which provide many examples of the various threats and safeguards for professional
accountants in public practice.
Conflicts of Interest
A professional accountant should not allow a conflict of interest to compromise their professional
judgment. ‘A conflict of interest creates threats to compliance with the principle of objectivity and might
create threats to compliance with other fundamental principles’ (the Code, para. 310.2). Such threats may
be created, for example, when the interests of the client and the professional accountant conflict or when a
professional accountant in public practice performs services for two or more clients whose interests are in
conflict. In these circumstances, it is the responsibility of the professional accountant to notify the relevant
parties that they are acting for two or more parties whose respective interests are in conflict and obtain
their consent to so act.
Safeguards to address threats created by a conflict of interest include:
1. Having separate engagement teams who are provided with clear policies and procedures on maintaining
confidentiality.
2. Having an appropriate reviewer, who is not involved in providing the service or otherwise affected by the
conflict, review the work performed to assess whether the key judgments and conclusions are appropriate
(the Code, para. 310.8 A3).
Professional Appointments
Before accepting a new client, a professional accountant in public practice must determine whether
acceptance would create any threats to compliance with the fundamental principles.
Pdf_Folio:14

14 Advanced Audit and Assurance

• A threat to integrity or professional behaviour may be created from behaviours of the ‘client (its owners,
management or activities)’, such as ‘illegal activities, dishonesty, questionable financial reporting
practices or unethical behaviour’ (the Code, para. 320.3 A1). The professional accountant can safeguard
against this threat by obtaining knowledge and understanding of the client or securing the client’s
commitment to address the questionable behaviours.
• A threat to professional competence and due care arises if the engagement team does not possess
the competencies necessary to properly carry out the engagement. In these circumstances, an obvious
safeguard would be for the practitioner to acquire knowledge of the relevant industry and its regulatory
requirements.
In Australia, there are additional requirements that apply to the appointment of auditors. If the auditor
has been an officer or audit-critical employee of the proposed client within the 12 months immediately
before the proposed audit period, accepting an appointment is not permitted (Corporations Act, s. 324).
In respect of a change of auditor, an accountant who is asked to replace an existing auditor will generally
need to obtain the prospective client’s permission to communicate with the existing auditor. On receipt of
permission, they should request the necessary information to enable a decision to be made as to whether the
audit engagement should be accepted. If permission is not granted, the accountant must carefully consider
if the appointment should be declined. In this situation, the accountant must take reasonable steps to obtain
information by other means about the circumstances of the change of appointment and any possible threats.
These steps include enquiries of third parties or background investigations of senior management or those
charged with governance of the prospective client (the Code, paras 320.4–320.5 A1).

Second Opinions
In accounting, an intimidation threat arises when a client succeeds in obtaining a second opinion favourable
to their position — for example, an opinion on the use of particular accounting policies — and uses this to
apply pressure on the existing accountant. The fundamental principle threatened is objectivity. Safeguards
include the accountant who is asked to provide the second opinion seeking client permission to contact the
existing accountant, as well as providing the existing accountant with a copy of the second opinion (the
Code, para. 321.3 A3).

Fees and Other Types of Remuneration

Even though auditors, may quote whatever fee they consider as appropriate, quoting fees that are too low
may make it difficult for the auditor to perform the assurance engagement in accordance with the applicable
technical and professional standards. This is likely to impact on the principle of professional competence
and due care. Safeguards to address this type of self-interest threat include:
• adjusting the level of fees or the scope of the engagement
• having an appropriate reviewer review the work performed (the Code, para. 330.3 A4).

Additionally, contingent fees may create a threat to compliance with the principle of objectivity. Having
an appropriate reviewer review the work performed or obtaining a written agreement with the client on
the basis of remuneration prior to commencement of work may address such self-interest risks (the Code,
para. 330.4 A3).
A self-interest threat ‘with the principles of objectivity and professional competence and due care is
created if a professional accountant pays or receives a referral fee or commission relating to a client’ (the
Code, para. 330.5 A1). Such self-interest threats can be addressed by having the client outline commission
arrangements prior to commencing work or ‘disclosing to clients any referral fees or commission
arrangements’ with other professional accountants (the Code, para. 330.5 A2).
Inducements — Gifts and Hospitality
Professional accountants may find themselves in situations where they, or their immediate or close family
members, are offered inducements to influence their behaviour, such as:
• gifts
• hospitality
• entertainment
• political or charitable donations
• appeals to friendship and loyalty
• employment or other commercial opportunities
• preferential treatment, rights or privileges (the Code, para. 340.4 A1).
Pdf_Folio:15

MODULE 1 The Auditing and Assurance Framework 15

 Offers of inducements may create self-interest, familiarity or intimidation threats to the principles of
integrity, objectivity or professional behaviour (the Code, para. 340.2). Professional accountants need to
understand and comply with the relevant laws and regulations as offering or accepting inducements are
prohibited in many jurisdictions.
Custody of Client Assets
A professional accountant should not take ‘custody of client money or other assets unless permitted to do
so by law’ because doing so may create a self-interest threat to the principles of professional behaviour
and objectivity (the Code, para. R350.3). Before taking custody, a professional accountant should make
enquiries about the source of the assets as they may be derived from illegal activities such as money
laundering. After taking custody of client money or other assets, a professional accountant must comply
with the relevant laws and regulations, keep the assets separate from personal or firm assets, use them only
for the intended purpose and be ready to account for them at all times (the Code, para. R350.5).
Responding to Non-Compliance with Laws and Regulations
The Code incorporates the IESBA’s standard, Responding to Non-Compliance with Laws and Regulations
(NOCLAR), which became effective in July 2017. The Code sets out an approach to guide professional
accountants who encounter or become aware of a potential NOCLAR committed by a client (the Code,
s. 360).
Section 360 of the Code outlines provisions relevant to professionals in public practice, which are also
reflected in auditing standards, as explained in module 2.
While providing professional services to a client, a professional accountant may encounter or be made
aware of non-compliance or suspected non-compliance with laws and regulations. Regardless of the nature
of the client, including whether or not it is a public-interest entity, the accountant has a responsibility to
act in the public interest. If they encounter, or are made aware of NOCLAR, their objectives are:
(a) To comply with the principles of integrity and professional behavior;
(b) By alerting management or, where appropriate, those charged with governance of the client, to
seek to:
(i) Enable them to rectify, remediate or mitigate the consequences of identified or suspected non-
compliance; or
(ii) Deter the commission of the non-compliance where it has not yet occurred; and
(c) To take such further action as appropriate in the public interest (the Code, para. 360.4).

QUESTION 1.3

The following circumstances raise questions about an auditor’s ethical conduct.

• An auditor accepts an engagement knowing that they do not have the specialist knowledge
required.
• An auditor discloses confidential information about a client to a successor auditor.
• A public accountant pays a commission to a solicitor to obtain a client.
• A public accountant agrees to be the committee chairperson for a local fundraising activity.
• An auditor accepts a Christmas gift from a client.
• An auditor accepts a commission from an insurance company for recommending the company
to one of its audit clients.
• An auditor has a bank loan with a bank that is an audit client.
• An auditor retains a client’s records as a means of enforcing payment of an overdue audit fee.
1. Discuss the fundamental principles of the International Code of Ethics for Professional Accoun-
tants (including International Independence Standards) in relation to each of the above.
2. Indicate, in each of the above circumstances, whether the effect on professional ethics is
(i) a violation, (ii) not a violation or (iii) indeterminate, and explain.

Independence
Independence is generally considered to be the cornerstone of the auditing and assurance profession. The
definition of independence in the Code stresses that the accountant must be independent both of mind and
in appearance (refer also Glossary, APES 110). Accordingly, the accountant must act with integrity, and
exercise objectivity, professional judgment and professional scepticism.
In addition, the accountant must remain alert for new information, changes in facts and circumstances
and avoid circumstances that a reasonable and informed third party might think indicate that a member’s
integrity, objectivity or professional scepticism has been compromised. The reasonable person must
df_Folio:16
P

16 Advanced Audit and Assurance

perceive that the accountant is impartial and free of bias. When fraudulent practices and large business
failures occur without apparent warning, the independence of the profession is questioned. As a result, the
Code establishes a conceptual framework that requires a member to identify, evaluate and address threats
to compliance with the fundamental principles (the Code, para. 120.2).
The Code provides extensive application material in Part 4A describing numerous circumstances of
threats to independence and safeguards to reduce these threats. One of the major features of the Code is
the independence requirements in relation to long association of personnel with an audit client, in particular
the audit partner rotation requirements (the Code, s. 540). Audit partner rotation and independence
requirements in relation to the conduct of an audit are discussed further in module 2.
Under the Corporations Act, ASIC has responsibility for the surveillance, investigation and enforcement
of auditor independence.

EXAMPLE 1.1

Principles of Professional Conduct

Identify the fundamental principles of professional conduct outlined in the Code that are under threat for
each of the situations below.
............................................................................................................................................................................
(a) You become aware that one of your clients is involved in illegal activities.
(b) Your largest client (and the related fees) is growing at a much quicker rate than the rest of your business.
The client’s fees have increased from 10% to 16% of your firm’s total fees.
(c) You are the auditor of a client whose CEO is your long-time next-door neighbour.
(d) In the past, you have not carried out audits of credit unions. Most of your clients are clubs and small
local businesses. You decide to take on a credit union as a new client and hope there is a professional
development program available to update your staff on specialised issues for this industry.
(e) The audit assistant is asked to randomly select ten items from a stock list, then sight and count the relevant
inventory. The assistant selects the ten items, finds nine, and is told the tenth item is in the loft. The assistant
is wearing new clothes and, knowing how dusty the loft is, instead randomly selects and locates another
item.
(f) A partner received a loan from an audit client that is an Australian credit union.
(g) A member of your assurance team is considering resigning to take up a job offer with the assurance client
during the year.
(h) A prospective client asks for an audit to be completed within a month to meet bank requirements. It offers
a fixed fee plus a bonus for completing the audit on time.
(i) A current client, for whom you have provided consulting services that involved hiring financial accounting
staff and designing an information system, asks for an audit to be completed within a month to meet
bank requirements. It offers a fixed fee for completing the audit on time but there is no bonus attached.
(j) An audit manager is concerned that their client is not investing their funds wisely by having large amounts
of cash in the bank. To help the client without offending the bank manager, the audit manager explains this
issue to a friend who is a qualified financial adviser, who then sends the relevant information to the client.
(k) The audit firm places an advertisement stating they have had fewer legal suits than any other firm of
accountants in Australia or Asia.
Check your response against the suggested answer at the end of the book.

EXAMPLE 1.2

Independence Policies and Procedures

Audit firms are required to comply with independence requirements.
............................................................................................................................................................................
For each of the three listed audit firm requirements, describe practical policies and procedures a firm could
implement to ensure compliance.
1. Audit firms must have policies and procedures to provide reasonable assurance that the firm and its
personnel maintain independence.
2. Audit firms must communicate with and educate partners and professional staff, including non-audit
personnel, to ensure they understand the independence policies that relate to their activities.
3. Audit firms must maintain adequate records to identify, communicate and monitor compliance with specific
independence requirements (e.g. prohibited investment lists).
Check your response against the suggested answer at the end of the book.

P df_Folio:17

MODULE 1 The Auditing and Assurance Framework 17

Australian Perspective
Note that in Australia, the APESB issued APES 110 Code of Ethics for Professional Accountants
(including Independence Standards) in November 2018, which is based on the Code in both structure
and content. The updated APES 110 code is effective from 1 January 2020.
You should now read the Preface section of APES 110 Code of Ethics for Professional Accountants
(including Independence Standards) on the application of APES 110 to members of CPA Australia
and auditors who conduct audits in Australia.
ASA 102 Compliance with Ethical Requirements when Performing Audits, Reviews and Other Assur-
ance Engagements states that the auditor, assurance practitioner, engagement quality control reviewer, and
firm shall comply with the Code.
ASA 102 was designed to suit Australian law so there is no equivalent ISA. It allows references to ethical
requirements in other AUASB standards to remain current. Whenever APES 110 is amended, the AUASB
amends ASA 102, thereby eliminating the need to amend other AUASB standards.

QUALITY CONTROL STANDARDS

The Framework specifies that ethical principles, independence requirements and quality control (QC)
within firms are widely recognised as being in the public interest and are an integral part of high-quality
assurance engagements. The Framework outlines that professional accountants performing assurance
engagements are subject to ISQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial
Statements, and Other Assurance and Related Services Engagements.
An auditing standard ISA 220 Quality Control for an Audit of Financial Statements discusses specific
engagement matters. Much of the content of ISQC 1 is repeated in ISA 220, but as indicated, the difference
is that ISA 220 relates to the specific engagement while ISQC 1 is broader and relates to the audit firm
as a whole. In February 2019, the IAASB issued a suite of proposed international standards on quality
management. The proposals change the way professional accounting firms will be expected to manage
quality for audits, reviews and other assurance and related services engagements. Quality management is
being addressed to:
• more proactively manage quality to address stakeholder expectations and concerns
• improve the scalability of the standards
• modernise the standards and keep them fit for purpose.
For more details of these proposals, see https://www.iaasb.org/quality-management.
ISQC 1 establishes basic principles and essential procedures for firms to establish and maintain a system
of QC for assurance engagements. Each of the elements of quality control will be discussed, followed by
an overview of the Framework for Quality Control.

Elements of Quality Control

There are six areas where firms should have QC policies in place:
1. leadership responsibilities for quality within the firm
2. relevant ethical requirements
3. acceptance and continuance of client relationships and specific engagements
4. human resources
5. engagement performance:
(a) engagement support materials
(b) supervision and review
(c) consultation
(d) an engagement QC review
6. monitoring (ISCQ 1, para. 16).

Leadership Responsibility
Leadership culture underpins all other elements of QC, so it is important for a firm to have a strong QC
culture established by the leadership of the firm and the examples it sets. Operational responsibility for the
firm’s QC system must rest with a person with appropriate experience and ability, as well as the necessary
authority. In all likelihood, this will be one of the most senior partners.
An assurance firm should develop, document and implement appropriate QC procedures and a formal
code of conduct. Perhaps most challengingly, its leadership should demonstrate the firm’s overriding
commitment to quality above commercial considerations. This means that the work done in an assurance
Pdf_Folio:18

18 Advanced Audit and Assurance

engagement cannot be limited by the budget or by the fee, but must be determined by the assessed risk and
the procedures thought necessary to address that risk.
Read ISQC 1, paragraphs 18–19 and A4–A6 for discussions on these responsibilities.

Ethical Requirements
The assurance firm should develop, document and implement policies and procedures to guide and
reinforce ethical behaviour. These include independence policies describing permitted and prohibited
behaviour reflecting the advice in the Code, and independence consultations that allow staff and partners
to refer independence threats to relevant partners so that timely action can be taken. Systems that support
ethical behaviour include databases to match staff disclosures with a prohibited securities list, and (in
Australia) tracking the firm’s management of the auditor rotation requirements of the Corporations Act.
Read ISQC 1, paragraphs 20–25 for discussions on these responsibilities.
ISA 220 explains the ethical requirements, including independence, of the engagement team in relation
to audit engagements. In particular, the engagement partner shall consider whether members of the
engagement team have complied with relevant ethical requirements relating to audit engagements. The
engagement partner must remain alert for evidence of non-compliance with the ethical requirements
relating to the audit engagement. With respect to independence, it is mandatory that the engagement
partner:
(a) obtain relevant information from the firm and, where applicable, network firms, to identify and evaluate
circumstances and relationships that create threats to independence;
(b) evaluate information on identified breaches, if any, of the firm’s independence policies and procedures
to determine whether they create a threat to independence for the audit engagement; and
(c) take appropriate action to eliminate such threats or reduce them to an acceptable level by applying
safeguards … The engagement partner shall promptly report to the firm any inability to resolve the
matter for appropriate action (ISA 220, para. 11).

Non-compliance can be at the firm level (e.g. the control system to monitor employee ownership of
shares in listed companies is not adequate) or at the individual client level (e.g. the audit manager and the
CFO are related). In most firms, senior personnel (e.g. risk management partners) will be assigned to look
after these issues at the firm level. However, individual partners are responsible at the engagement level.
ASIC’s 2019 audit inspection report discusses compliance with these independence requirements. It
states that most firms have established policies and processes to facilitate compliance with the auditor
independence requirements of the Corporations Act and professional standards. However, there were some
instances of non-compliance.
• Three larger firms provided non-audit services to audit clients that compromised the appearance of
independence.
• One small firm failed to send partners and staff an annual independence questionnaire to confirm
compliance with independence (ASIC 2019, p. 40).
Examples such as these can undermine actual or apparent independence of auditors.

Acceptance and Continuance of Client Relationships

An assurance firm must:
• consider the integrity of each client, including potential issues associated with the client (e.g. client
involvement in illegal activity, questionable financial reporting practices or unethical behaviour)
• determine that it is competent to perform the engagement
• determine that it can comply with the Code, including, in particular, those matters related to
independence.
One approach taken by practitioners to assess the integrity of a client is a risk checklist. The client’s
risk score is used to determine whether the audit engagement should be accepted or continued. The risk
assessment can affect:
• the choice of an appropriate engagement team
• the extent of consultation required
• the audit approach
• the calculation of an appropriate audit fee.
The acceptance and continuance decisions should focus on independence considerations, possible
conflicts of interest and the ability to provide requisite skills to conduct the audit (e.g. whether the firm
has staff with the required expertise to do this audit).
Pdf_Folio:19

MODULE 1 The Auditing and Assurance Framework 19

 For each engagement, the engagement partner is required to make the acceptance or continuance
decision prior to commencing the audit, and this decision needs to be documented. Prior to accepting the
engagement, the auditor may be required by law, regulations or relevant ethical requirements to request
the predecessor auditor to provide known information regarding any facts or circumstances that, in the
predecessor auditor’s judgment, the auditor needs to be aware of before deciding whether to accept the
engagement (ISA 220, para. A9).
Thereafter, if the engagement partner obtains information that would have caused the firm to decline
the audit engagement (had that information been available earlier), this information needs to be promptly
communicated to the firm so that ‘necessary action’ can be taken (ISA 220, para. 13). The auditing standard
is not clear on what this appropriate action should be, but it is likely to depend on what stage of the audit
has been reached. During the audit, it is unlikely that the firm would withdraw from the audit, although
this could happen.
Read ISQC 1, paragraphs 26–28 and A18–A23 for discussions on these responsibilities.

QUESTION 1.4

List four factors that may indicate additional client evaluation procedures are necessary when
evaluating the continuance of an audit client.

Human Resources
An assurance firm’s human resource policies must apply at both the staff and partner levels. Important
personnel issues include:
1. recruitment
2. performance evaluation
3. capabilities, including time to perform assignments
4. competence
5. career development
6. promotion
7. compensation
8. the estimation of personnel needs (ISQC 1, para. A24).

‘Effective recruitment processes and procedures help the firm select individuals of integrity who have the
capacity to … perform competently’ (ISQC 1, para. A24). Human resources policies should demonstrate
that adherence to QC policies and ethical principles are criteria for promotion and remuneration decisions.
Non-compliance should result in disciplinary action (including financial penalties) and other follow-up
procedures such as training. For audit firms, it is also important that partner evaluations and promotions
are documented and that the documentation covers quality controls and independence.
Assignment of Engagement Teams
A firm should establish policies and procedures to assign appropriate personnel with the necessary
competence and capabilities to an engagement (ISQC 1, para. 31). The firm should have systems in place to
monitor the workload and availability of engagement partners. This will ensure that engagement partners
assigned to an engagement ‘have sufficient time to adequately discharge their responsibilities’ (ISQC 1,
para. A30).
ISA 220 requires an engagement partner to be satisfied that the engagement team collectively has the
appropriate capabilities and competence to perform the audit engagement (ISA 220, para. 14). Note that
these requirements apply to the engagement team as a whole. Therefore, it is possible to put a staff member
on an audit without all of the required capabilities and competencies, provided there is adequate supervision
and review. In most firms these issues will be handled through staff training and on-the-job training.
Knowledge of relevant industries can sometimes provide additional challenges and require using resources
from outside the firm. If the auditor becomes particularly aware of specific risk areas or areas requiring
specialist skills, the engagement partner may include more senior staff and specialists on the audit and
carry out additional reviews of the work done.
Engagement Performance
Engagement performance means completing assurance engagements in accordance with professional
standards, and legal and regulatory requirements.
df_Folio:20
P

20 Advanced Audit and Assurance

 Important policies and procedures that relate to engagement performance are:
• consistency in the quality of engagement performance
• supervision and review of work
• consultation
• engagement quality control review.

Consistency in the Quality of Engagement Performance

Most audit firms promote consistency in the quality of engagement performance through written or
electronic manuals, software tools or other forms of documentation and materials.

Supervision and Review

The engagement review process has long been accepted as a critical QC process within auditing firms.
A hierarchy of review is established within the audit team. Seniors review the work of juniors, managers
review seniors, and partners review managers. These reviews are ongoing throughout the engagement.
They ensure that sufficient evidence has been collected, the conclusions reached are consistent with the
results of the work performed, and documentation is appropriate. Additionally, the review process provides
training for all members of the audit team.
Read ISQC 1, paragraphs A34 and A35 for further details of the supervision and review processes.
The engagement partner takes responsibility for the direction, supervision and performance of the audit
engagement (ISA 220, para. 15). Direction to other members of the audit engagement team would normally
include informing them of:
• their responsibilities
• risk-related issues
• problems that may arise
• the detailed approach to the performance of the engagement.
Supervision of members of the engagement team is also an important aspect of engagement perfor-
mance. ISA 220, paragraph A16, provides the following examples of supervision:
• tracking the progress of the audit engagement
• considering the capabilities, competence, time availability and understanding of instructions of team
members, and whether the work is being carried out consistent with the planned audit approach
• addressing significant issues that arise during the audit and modifying the planned approach where
appropriate
• identifying matters for consultation with more experienced engagement members.
An important part of the supervision responsibility includes the review process, where more experienced
team members review work performed by less experienced team members. Reviewers will consider
whether, for example:
(a) the work has been performed in accordance with professional standards and applicable legal and
regulatory requirements;
(b) significant matters have been raised for further consideration;
(c) appropriate consultations have taken place and the resulting conclusions have been documented and
implemented;
(d) there is a need to revise the nature, timing and extent of work performed;
(e) the work performed supports the conclusions reached and is appropriately documented;
(f) the evidence obtained is sufficient and appropriate to support the auditor’s report; and
(g) the objectives of the engagement procedures have been achieved (ISQC 1, para. A35; ISA 220,
para. A18).

Consultation
Consultation is an important responsibility of the engagement partner. This includes the requirements to:
(a) take responsibility for the engagement team undertaking appropriate consultation on difficult or
contentious matters;
(b) be satisfied that members of the engagement team have undertaken appropriate consultation during the
course of the engagement, both within the engagement team and between the engagement team and
others at the appropriate level within or outside the firm;
(c) be satisfied that the nature and scope of, and conclusions resulting from, such consultations are agreed
with the party consulted; and
(d) determine that conclusions resulting from such consultations have been implemented (ISQC 1,
para. 34; ISA 220, para. 18).
Pdf_Folio:21

MODULE 1 The Auditing and Assurance Framework 21

 In most assurance firms, specialist partners are available for consultation on technical or complex
aspects of auditing and accounting issues, tax, systems and legal matters. Often, a technical query database
is compiled and firms designate partners to consult on conflict of interest and independence issues. In
addition, many firms have a mentoring scheme in place where audit staff are assigned to a mentor who
is a more senior auditor. The mentor provides the staff member with career planning and can be another
source of consultation when needed.
It is common for the larger firms to emphasise their culture of consultation. For example, Ernst and
Young states that their:
consultation policies are built upon a culture of collaboration, whereby audit professionals are encouraged
to share perspectives on complex accounting, auditing and reporting issues. Consultation requirements and
related policies are designed to involve the right resources so that audit teams reach appropriate conclusions
(Ernst & Young Australia 2018, p. 11).

Read ISQC 1, paragraphs 34 and A36–A40 for further details of the consultation processes.
Engagement Quality Control Review
On completion of the audit of listed entities and other public interest entities, assurance firms must
perform an engagement quality control review (EQCR). The EQCR provides an objective and independent
evaluation of the significant judgments made and the conclusions reached by the audit team and the audit
partner. The EQCR is in addition to the ongoing ‘review of audit working papers’ (see module 4) performed
by the engagement team and the engagement partner, discussed in the previous section, ‘Supervision and
review’.
EQCR reviewers are experienced audit partners who are not otherwise involved in the audit engagement.
They carry out a second (or concurring) independent review of the engagement, including the quality of
the work performed and the appropriateness of the auditor’s opinion.
An EQCR policy should identify:
• the nature, timing and extent of an EQCR
• criteria for eligibility of an EQCR reviewer
• documentation required of an EQCR
• how differences of opinion are to be resolved.
Read ISQC 1, paragraphs 35–42 for further details on engagement quality control reviews.

QUESTION 1.5

What are the main attributes of an effective audit quality review program (i.e. quality review
processes within audit firms) in an audit engagement?

Monitoring
‘Monitoring’ refers to the ongoing examination of QC systems and procedures to ensure that they are
appropriate and are carried out consistently and properly. Monitoring systems should ensure that any
identified problems are communicated to the partner responsible for the firm’s QC and that appropriate
responses to problems are implemented. These responses might include additional training, counselling or
disciplinary action for individuals, or a revision of the firm’s QC policy.
ASIC (2019) continues to emphasise that effective firm quality review processes are important for
improving audit quality. Such monitoring of audit quality involves regular reviews within firms of a sample
of completed audits. These reviews are usually carried out by senior staff from a different location
(e.g. interstate).
ASIC also released Information Sheet 222 ‘Improving and maintaining audit quality’ (INFO 222)
in June 2017 to outline considerations for auditors to improve and maintain audit quality. Some of the
considerations raised in INFO 222 for effective audit firm quality reviews include:
• suitability of reviewers
• review coverage
• review and reporting
• remedial action.
For more details, read INFO 222 at https://asic.gov.au/regulatory-resources/financial-reporting-and-
audit/auditors/improving-and-maintaining-audit-quality.
df_Folio:22
P

22 Advanced Audit and Assurance

 You can also refer to ISQC 1, paragraphs 48–56 for further details on monitoring.
As mentioned previously, in addition to an audit firm’s internal monitoring process, external monitoring
also takes place. In Australia, for example, in order to review compliance with audit quality and auditor
independence requirements, ASIC started an audit firm inspection program in 2004. The purpose of
the inspection program is to focus on audit quality and promote compliance with the requirements of
the Corporations Act, auditing standards, and professional and ethical standards. The audit firms to be
inspected are selected based on a number of criteria, but there is an emphasis on audit firms that audit
publicly listed or public interest entities. With auditing moving beyond national borders, there is a need
for effective global auditor oversight. ASIC, through its membership of IFIAR, has sought arrangements
with other international audit oversight bodies with the intention of conducting work either jointly or on
their behalf.
ASIC regularly releases a report of its inspection program. At the time of writing, the most recent report
released was in January 2019 for ASIC’s audit inspection program in the 18 months to 30 June 2018
(ASIC 2019). ASIC continued to find deficiencies in quality control systems and the audit evidence
obtained. It concluded:
In our view, in 20% of the key audit areas that we reviewed, auditors did not obtain reasonable assurance
that the financial report as a whole was free of material misstatement. This compares to 23% in the previous
18-month period ended 31 December 2016 and represents a welcome reduction in the level of findings for
the largest six firms. (ASIC 2019, p. 4).

ASIC stated that its findings did not necessarily mean the financial reports audited were materially
misstated, but rather that the auditor did not have a sufficient basis to support its opinion on the financial
report. It also noted that the level and nature of the findings were consistent with those found by inspectors
in other countries.
As further evidence of monitoring, in 2013, Australia mandated the preparation and release of
transparency reports by the larger audit firms of significant entities, with a focus on the disclosure of
their internal governance systems. Under section 322 of the Corporations Act, all audit firms must publish
a transparency report on their website if they have conducted audits under the Corporations Act of ten or
more significant entities. Just over 20 audit firms in Australia are required to publish such reports. The
information to be published includes:
• a description of the firm or company’s legal structure and ownership
• a description of the auditor’s governance structure and internal quality control system
• a statement by the management body on the effectiveness of the functioning of the internal quality
control system
• information concerning the basis for remuneration of the audit firm’s partners or the authorised audit
company’s directors.
The KPMG Auditor Transparency Report 2018 can be viewed at https://home.kpmg/au/en/home/
insights/2018/10/transparency-report.html.

QUESTION 1.6

Outline procedures that a firm could implement to demonstrate its commitment to quality above
commercial considerations.

A Framework for Audit Quality

Identifying the drivers of high-quality audits has been the subject of extensive discussion. In 2014, the
IAASB published A Framework for Audit Quality: Key Elements that Create an Environment for Audit
Quality (2014a), which describes, in a holistic manner, the different elements that create the environment
for audit quality at the engagement, firm and national levels, as well as relevant interactions and contextual
factors.
There are three parts to the audit quality framework. As outlined diagrammatically in figure 1.3, these
are the input, process and output stages of the audit, with each of these capable of being identified at the
engagement, firm and national level.
Figure 1.3 illustrates the main contextual factors impacting on audit quality as identified in A Framework
for Audit Quality (IAASB 2014a).
Pdf_Folio:23

MODULE 1 The Auditing and Assurance Framework 23

 FIGURE 1.3 A framework for audit quality

Contextual factors
Bus
ing ine
ort com ss p
l rep e me rac
ia l
nc tab rci tice
ina time al
law s an
F
d

La finan
Those
t

ws cia
en

charged Process Regulators

tal

an l rep
with

dr
ing

governance

egu orting
act
Attr

latio
ns
Audit
quality
environment

reporting fram ncial

Applicable fi
ation

na
ewor
Management Inputs Outputs Users
Litig

k
ms
Au

ste
dit

sy
re
gu

n
Auditor

tio
tio
la

n a
rm
fo
In
Bro
ade nce
r cu
ltura overna
eg
l factors Corporat

Source: International Auditing and Assurance Standards Board (IAASB) 2014, A Framework for Audit Quality: Key Elements
That Create an Environment for Audit Quality, in Handbook of International Quality Control, Auditing, Review, Other Assurance,
and Related Services Pronouncements, 2018 ed., vol. 3, p. 6, accessed August 2019, available from: https://www.ifac.org/
publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance

The inputs to quality audits include auditors:

• exhibiting appropriate values, ethics and attitudes
• being sufficiently knowledgeable, skilled and experienced, and having sufficient time allocated to them
to perform the audit work.
A quality audit process involves auditors applying a rigorous audit process and appropriate quality
control procedures that comply with laws, regulations and applicable firm and national standards.
Quality audit outputs are those that are useful and timely to the report users and include outputs from
the auditor, the audit firm, the entity and audit regulators. These include the independent auditor’s report
at the individual engagement level or the audit firm’s transparency report at the national level, which in
Australia are both publicly available. The outputs also include those that arise from the auditing process
but that are generally not available to those outside the audited organisation, including the management
letter provided by the auditor to the audit committee at completion of the audit.
The second part of the audit quality framework covers the interactions between the various participants
in the financial reporting supply chain. The participants identified in the audit quality framework
include management, those charged with governance, regulators, users and auditors. While the primary
Pdf_Folio:24

24 Advanced Audit and Assurance

responsibility for performing quality audits rests with auditors, audit quality is best achieved in an
environment where there is support from the other participants. The way the stakeholders interact may
affect audit quality, and increased interaction is promoted in the audit quality framework. Recently there
has been much greater emphasis on communication between the auditors and the audit committee.
The third level outlines the contextual factors, as shown in the circle around the audit quality framework
(see figure 1.3). The ten contextual factors identified in the audit quality framework are:
1. business practices and commercial law
2. laws and regulations relating to financial reporting
3. the applicable financial reporting framework
4. information systems
5. corporate governance
6. broader cultural factors
7. audit regulation
8. litigation environment
9. attracting talent
10. financial reporting timetable.
Collectively, the contextual factors have the potential to affect the nature and quality of financial
reporting and, directly or indirectly, audit quality. Where appropriate, auditors respond to these factors
when determining how best to obtain sufficient appropriate audit evidence.
Notwithstanding the publication of A Framework for Audit Quality (IAASB 2014a), it is recognised
that the concept of audit quality is elusive, because it is only when financial statements are restated or
companies fail that a misstatement in the financial statements is discovered, and this is often long after the
period under audit.

DESCRIPTION OF ASSURANCE ENGAGEMENTS

Assurance engagements are described in the Framework for Assurance Engagements (para. 10) as an
engagement in which a practitioner obtains sufficient appropriate evidence in order to express a conclusion
aimed at enhancing the degree of confidence the intended users will have about the evaluation of the
underlying subject matter against criteria. The outcome of the measurement or evaluation is ‘the subject
matter information about which the practitioner gathers sufficient appropriate evidence as the basis’ for
their conclusion (Framework, para. 11). Examples of assurance engagements are provided in table 1.3 and
will be discussed further later in this module and again in module 5.

TABLE 1.3 Examples of assurance engagements

Underlying subject matter Criteria Outcome

Financial position, financial Financial reporting framework Financial statements

performance and cash flows

Entity’s internal control process Relevant criteria Internal control effectiveness

Various aspects of performance Relevant measurement Entity-specific performance

methodologies measures

Entity’s greenhouse emissions Recognition, measurement and Greenhouse gas statement

presentation protocols

Entity’s compliance Law and regulation Compliance statement

Source: The Framework, para. 11.

ATTESTATION AND DIRECT ENGAGEMENTS

Assurance engagements include the following.
• Attestation engagements (where attest means affirm, verify or corroborate the work of others),
where a party other than the assurance practitioner (normally management) measures or evaluates the
underlying subject matter against the criteria (i.e. prepares the financial statements in accordance with
the accounting standards) (Framework, para. 12). For this type of engagement, the preparers of the
subject matter assert in the report that it is in accordance with a stated framework. The auditor’s role is
to attest to whether (in their opinion) that is the case.
Pdf_Folio:25

MODULE 1 The Auditing and Assurance Framework 25

• Direct engagements where the assurance practitioner directly ‘measures or evaluates the underlying
subject matter against the criteria’ (Framework, para. 13). In this type of engagement, as there are no
such assertions made regarding the subject matter, the auditors must directly test the content themselves.
There is no overlap between attestation and direct engagements: an assurance engagement is either an
attestation engagement or a direct engagement. The key distinction is who measures or evaluates the under-
lying subject matter against the criteria. In the Framework definition, ‘measure or evaluates the underlying
subject matter’ essentially means ‘prepares a report’. In an attestation engagement, management prepares
the report and the practitioner examines that report to provide assurance to readers. In a direct engagement,
the report and the assurance on that report are both provided by the practitioner.
Audits and reviews of financial statements are structured as attestation engagements (i.e. financial
statements are prepared by management in accordance with the accounting standards and relevant
legislation). Auditors and reviewers are not permitted to prepare the financial statements that they audit.
In contrast, an assurance engagement examining the efficiency of an internal control system (the under-
lying subject matter) against, for example, COSO (2013) (the criteria) could be carried out as either an
attestation engagement or a direct engagement.
• It is an attestation engagement if management evaluates the internal control system against the criteria
and the assurers attest to the credibility of their report.
• It is a direct engagement if the assurers undertake the evaluation of the internal control system against
the criteria and report on this.
The main advantage of a direct engagement is that an independent assurer undertakes the measurement
and prepares the information. This approach reduces the appearance of any bias or measurement error
that management can, either deliberately or not, incorporate in the report. Direct engagements can, in this
sense, offer an additional level of assurance to users.

QUESTION 1.7

For a report on internal controls, select whether the following are attestation or direct engagements.
(a) Management provides an assessment of the effectiveness of the internal control system and
the practitioner provides a conclusion on that assertion.
(b) The practitioner evaluates and measures the internal control system and reports their findings
to the intended users of the assurance report.

REASONABLE AND LIMITED ASSURANCE ENGAGEMENTS

The Framework sets out the distinction between reasonable and limited assurance engagements. An audit
is an example of a reasonable assurance engagement, and a review is an example of a limited assurance
engagement. The following descriptions of the two types of engagements are derived from the Framework.

Reasonable Assurance Engagements

In a reasonable assurance engagement, the practitioner reduces engagement risk to an acceptably low level
in the circumstances of the engagement as the basis for their conclusion. The practitioner’s conclusion is
expressed in a form that conveys their opinion on the outcome of the measurement or evaluation of the
underlying subject matter against criteria (Framework, para. 14).
The term ‘reasonable assurance’ is a high level of assurance but not an absolute level of assurance. The
latter is not feasible because of the inherent limitations of an audit, where most of the evidence obtained
by the auditor is persuasive rather than conclusive. The auditor needs to obtain reasonable assurance about
whether the financial statements, as a whole, are free of material misstatement. Reasonable assurance arises
when the auditor obtains sufficient appropriate audit evidence to reduce audit risk to an acceptably low
level (ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance
with International Standards on Auditing, para. 5).
Sufficient appropriate audit evidence includes:
• obtaining an understanding of the engagement circumstances
• assessing risks
• responding to these risks
• performing further procedures, including substantive procedures
• evaluating the evidence obtained.
df_Folio:26
P

26 Advanced Audit and Assurance

 The entire audit process is geared towards an expression of opinion on the financial statements. The
assurance report for a reasonable assurance engagement conveys the practitioner’s opinion on the outcome
of the assessment of the subject matter information against the criteria. For an audit of the financial
statements, the following opinion is commonly used: ‘In our opinion, the financial statements are fairly
presented …’
Examples of conclusions provided in ISAE 3000 (Revised) Assurance Engagements Other than Audits
or Reviews of Historical Financial Information, paragraph A179 are:
‘In our opinion, the entity has complied, in all material respects, with XYZ law.’
‘In our opinion, the forecast of the entity’s financial performance is properly prepared, in all material
respects, based on XYZ criteria.’ or
‘In our opinion, the [appropriate party’s] statement that the entity has complied with XYZ law is, in all
material respects, fairly stated’.

Limited Assurance Engagements

A limited assurance engagement provides less confidence to users than a reasonable assurance engage-
ment as the engagement risk is greater. The Framework (para. 16) suggests that the assurance offered
by a limited assurance engagement should be ‘meaningful’, and that meaningful is ‘clearly more than
inconsequential’. Other than that, any judgment about the meaning of the terms ‘limited’ and ‘reasonable’
is left up to the practitioner’s judgment.
For a limited assurance engagement, sufficient appropriate evidence includes obtaining an understanding
of the subject matter information and other engagement circumstances, but the procedures are deliberately
limited in comparison to a reasonable assurance engagement.
The limited assurance engagement expresses a conclusion that conveys whether, based on procedures
performed and evidence obtained, anything has come to the auditor’s attention to lead them to believe
that the information has been materially misstated. For a review of the financial statements, the following
conclusion is commonly reached: ‘Nothing has come to our attention that would lead us to believe that the
financial statements are not fairly presented …’
Examples of conclusions provided in ISAE 3000 (Revised), paragraph A181 are:
‘Based on the procedures performed and evidence obtained, nothing has come to our attention that causes
us to believe that [the entity] has not complied, in all material respects, with XYZ law.’
‘Based on the procedures performed and evidence obtained, we are not aware of any material amendments
that need to be made to the assessment of key performance indicators for them to be in accordance with
XYZ criteria.’
‘Based on the procedures performed and evidence obtained, nothing has come to our attention that causes
us to believe that the [appropriate party’s] statement that [the entity] has complied with XYZ law, is not, in
all material respects, fairly stated’.

QUESTION 1.8

Explain in detail the extent to which reasonable and limited assurance engagements differ from one
another.

QUESTION 1.9

Can auditors provide absolute assurance? Discuss.

SCOPE OF THE FRAMEWORK

Practitioners perform engagements other than assurance engagements that are not covered by the Frame-
work as mentioned earlier in this module. These engagements include:
• engagements performed that are covered by ISRSs (e.g. agreed-upon procedures and compilation
engagements)
• the preparation of tax returns where no assurance conclusion is expressed
• consulting or advisory engagements (e.g. management and tax consulting) (the Framework, para. 17)
Pdf_Folio:27

MODULE 1 The Auditing and Assurance Framework 27

• engagements to testify in legal proceedings regarding accounting, auditing, taxation or other matters
• engagements that include professional opinions if certain conditions apply (see the Framework,
para. 19).
When an assurance engagement is part of a larger engagement that includes consulting or advisory work,
the Framework is only relevant to the assurance portion of the engagement.

ELEMENTS OF AN ASSURANCE ENGAGEMENT

Figure 1.4 illustrates the elements of a generic assurance engagement and the relationships between
these elements.

FIGURE 1.4 Elements of a generic assurance engagement

Responsibility Measure/Evaluate Assure

Responsible Measurer/ Engaging

party evaluator party

Criteria

Underlying Subject matter Terms of the

subject matter information engagement

Assurance
report

Practitioner
Intended
users

Source: International Auditing and Assurance Standards Board (IAASB) 2018, ISAE 3000 (Revised) Assurance Engagements
Other than Audits or Reviews of Historical Financial Information, in Handbook of International Quality Control, Auditing, Review,
Other Assurance, and Related Services Pronouncements, 2018 ed, vol. 2, p. 204, accessed July 2019, available from:
https://www.ifac.org/publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance

The difference between the elements illustrated in figure 1.4 for a generic assurance engagement and a
financial statement audit are depicted in table 1.4.
Comparison of the elements of a generic assurance
TABLE 1.4 engagement and a financial statement audit

Generic assurance engagement Financial statement audit

Responsible party Board of directors

Measurer/evaluator Company accountant

Engaging party Company audit committee

Underlying subject matter The business

Criteria Accounting standards

Subject matter information Financial statements

Terms of the engagement Auditing standards

Practitioner Auditor

Assurance report Auditor’s opinion

Intended users Shareholders/investors

Pdf_Folio:28
Source: CPA Australia 2019.

28 Advanced Audit and Assurance

 The final aspect of the Framework to be discussed is the elements of an assurance engagement, as listed:
(a) a three-party relationship involving:
– practitioner (the assurance practitioner)
– responsible party (responsible for the underlying subject matter and the preparation of the subject
matter information)
– intended users (of the assurance report)
(b) an appropriate underlying subject matter (e.g. a government department; a program; a system or a
business) (note that ‘subject matter information’ means the outcome of an evaluation or measurement
of a subject matter)
(c) criteria (rules governing the preparation of the subject matter information)
(d) sufficient appropriate evidence (providing the basis for the assurance report)
(e) a written assurance report (Framework, para. 26).
Refer to figure 1.4 as you go through these five elements in the following sections.

Three-Party Relationship
The three-party relationship involves the practitioner (professional accountant), the responsible party
(the person(s) responsible for the underlying subject matter) and the intended users of the report.
Practitioner
The practitioner is the assurance practitioner. For example, the auditor is the practitioner in a financial
statement audit. The practitioner is responsible for determining the nature, timing and extent of procedures,
and must judge the fair presentation of the subject matter information.
Responsible Party
The responsible party is the party responsible for the underlying subject matter. For example, for a financial
statement audit, the responsible party is normally the board of directors as they are responsible for the
conduct of the business — the underlying subject matter. Their responsibility for the financial statements is
evidenced by their signature on the Directors’ Statement. Employees who prepare the financial statements
(the subject matter information) are usually headed by the company accountant/chief financial officer. The
engaging party is usually the audit committee, which is a subcommittee of the board of directors.
The responsible party may or may not be the party who engages the practitioner. For example, parliament
may engage the Auditor-General to carry out a performance audit of a government program. In this case,
the management of the public sector organisation responsible for the program is the responsible party, and
the program is the underlying subject matter.
Intended Users
The intended users are the people or groups expected to read the assurance report. The aim of the assurance
report is to increase users’ confidence in the subject matter information. Of course, the users of the report
are also the users of the subject matter information. Table 1.5 provides examples of different types of
engagements and their intended users.

TABLE 1.5 Examples of intended users

Engagement Examples of intended users

Financial statement audit Suppliers of capital, such as existing shareholders, potential shareholders,
creditors and financiers

Assurance engagement that Management and the board of directors, audit committees
evaluates internal controls

Sustainability assurance May include a broad range of intended users. For example, a local
engagement community may be interested in water usage, or a local conservation group
may be interested in impacts on animal habitats.

Source: CPA Australia 2019.

Sometimes, an assurance engagement is performed for a specific purpose and there is only one user. For
example:
• a purchaser of a motorway may be interested in assurance regarding the number of cars that use the
motorway each day
• a bank may be interested in assurance on the cash budgets of a creditor
• a board of directors may want assurance on the information provided to them by management.
Pdf_Folio:29

MODULE 1 The Auditing and Assurance Framework 29

 In such cases, the practitioner might include a restriction in the assurance report that limits its use to a
specific user and for a specific purpose.

QUESTION 1.10

Determine the responsible party and the intended users for each of the following engagements.
1. A financial statement audit.
2. An assurance report on the internal controls over sales required by the board of directors.
3. An assurance report on controls at a company that provides cloud-based accounting services
to customers.

Underlying Subject Matter

The level of assurance does not impact on the appropriateness of an underlying subject matter. ‘An
appropriate underlying subject matter is identifiable and capable of consistent measurement or
evaluation against the identified criteria such that the resulting subject matter information can be subjected
to procedures for obtaining sufficient appropriate evidence to support a reasonable assurance or limited
assurance conclusion, as appropriate’ (The Framework, para. 41).
Appropriate underlying subject matter is information, which may include:
• data (e.g. historical or prospective financial information, CSR information, statistical information
provided to boards, performance indicators)
• reports on systems and processes (e.g. internal controls, information systems)
• reports on behaviours (e.g. corporate governance, compliance with regulations, human resource
practices).
Non-financial information is often a mix of qualitative and quantitative data. Established measurement
conventions for financial information (e.g. the accounting standards) are not normally available. The
subject matter information may be of a subjective nature (particularly for qualitative information).
Table 1.6 shows how the underlying subject matter of an assurance engagement can take many forms.

TABLE 1.6 Subject matter of an assurance engagement

Underlying subject matter Example Subject matter information

Financial performance Profitability of a bank Statement of comprehensive income

of a business

A government program A public transport system Report on efficiency and effectiveness

(e.g. percentage of late trains; customer
satisfaction)

Sustainability Greenhouse gas emissions Emissions report

Systems An internal control system* An assertion about the effectiveness of internal

controls

Behaviour Compliance with debt Statement of compliance

covenants

* This type of assurance has become particularly important. Since 2002, US companies and their international subsidiaries have been
required to have their internal control systems audited.
Source: CPA Australia 2019.

Criteria
Criteria are the standards, rules or benchmarks used to prepare and evaluate the subject matter information
of an assurance engagement.
Criteria can be formal, for example in the preparation of financial statements, the criteria may be
International Financial Reporting Standards or International Public Sector Accounting Standards; when
reporting on the operating effectiveness of internal controls, the criteria may be based on an established
internal control framework or individual control objectives specifically designed for the purpose; and when
reporting on compliance, the criteria may be the applicable law, regulation or contract. Examples of less
formal criteria are an internally developed code of conduct or an agreed level of performance (such as the
df_Folio:30
P
number of times a particular committee is expected to meet in a year) (IAASB Framework, para. 42).

30 Advanced Audit and Assurance

 The Framework suggests (but does not require) that the auditor considers a number of criteria in deciding
what is reasonable or meaningful. These include:
• the underlying subject matter (e.g. historical financial information, an internal control system, key
indicators of the effectiveness of a process)
• the criteria (e.g. International Financial Reporting Standards)
• the needs of users (e.g. investors considering buying shares)
• the responsible party and its environment (e.g. management and the economic conditions)
• other matters, events, transactions, conditions and practices that may have a significant effect on the
engagement.
In some cases, specific criteria will be developed within an organisation by the responsible party.
Alternatively, practitioners may develop suitable criteria to carry out an assurance engagement. A range
of criteria can be drawn upon for assurance engagements. Figure 1.5 illustrates three criteria specifically
developed for a report on customer satisfaction.

FIGURE 1.5 Three criteria for a report on customer satisfaction

Underlying subject matter:

Customer satisfaction

Responsible Party A Responsible Party B Responsible Party C

Criteria: Percentage of Criteria: Number of repeat Criteria: Number of new
customer complaints resolved purchases in the three customers making
to the satisfaction of months following the purchases each month
the customer initial purchase

Source: Adapted from International Auditing and Assurance Standards Board (IAASB) 2018 International Framework for
Assurance Engagements, para. 43, in Handbook of International Quality Control, Auditing, Review, Other Assurance, and
Related Services Pronouncements, 2018–19 ed., vol. 3, pp. 79-80, accessed July 2019, https://www.ifac.org/publications-
resources/2018-handbook-international-quality-control-auditing-review-other-assurance

Table 1.7 explains the characteristics of suitable criteria and provides an example for each.

TABLE 1.7 Characteristics of suitable criteria

Characteristic Description Example

Relevance Relevant criteria help For a performance audit on a state rail corporation, relevant
intended users make criteria could include the on-time running of trains.
decisions. Intended users are more likely to be concerned with the
number of trains more than five minutes late rather than one
minute late.

Completeness Criteria are sufficiently
complete when all
significant and relevant
factors that could affect
the conclusions of users
are present.
For the rail network, including on-time running but omitting
the number of times trains miss their station would result in
criteria that are incomplete.
People want to know that the trains arrive on time and stop at
their intended stations.

Reliability Reliable criteria
allow reasonably
consistent evaluation
or measurement of the
subject matter.
Measuring the number of trains that run late every day gives a
more reliable measure than taking a sample of one day every
three months.

(continued)
Pdf_Folio:31

MODULE 1 The Auditing and Assurance Framework 31

 TABLE 1.7 (continued)

Characteristic Description Example

Neutrality Neutral criteria help draw
conclusions that are free
from bias.
In many cases, management has an incentive to overstate
performance because improved performance may lead to
rewards (e.g. bonuses or promotion).
Evidence provided by independent parties is more likely to be
neutral than information provided by management.

Understandability Understandable criteria
help draw conclusions
that are clear and not
subject to significantly
different interpretations.
Criteria must be available to the intended users to allow them
to understand how the subject matter has been evaluated
or measured.

Source: Adapted from International Auditing and Assurance Standards Board (IAASB) 2018, International Framework for
Assurance Engagements, para. 44, in Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related
Services Pronouncements, 2018–19 ed., vol. 3, p. 80, accessed July 2019, https://www.ifac.org/publications-resources/2018-
handbook-international-quality-control-auditing-review-other-assurance

Many standard-setting organisations have created frameworks to guide preparers and assurers of reports,
which may form suitable criteria for an assurance engagement. For example, there are frameworks for
financial reporting, sustainability reporting, internal control system design and water accounting. However,
for some data, especially qualitative data, suitable criteria may be difficult to identify. It may also be
difficult for all three parties to agree on criteria, and this becomes even more difficult where the range and
identity of potential users is unclear.
Table 1.8 lists some types of engagement with examples of suitable criteria.

TABLE 1.8 Examples of criteria

Engagement Examples of criteria

Financial statement audit International financial reporting standards; international public sector accounting
standards

Assurance report on Internal Control — Integrated Framework (COSO 2013); this document is an
internal control accepted standard for the design of an internal control system

Risk management Enterprise Risk Management — Integrated Framework (COSO 2004); this
document is an accepted standard for the design of a risk management system

Compliance Applicable laws, regulations, policies or clauses in contracts

Sustainability report Global Reporting Initiative (GRI) standards

Source: CPA Australia 2019.

Evidence
The practitioner has to gather evidence that is both sufficient and appropriate to form an opinion about the
subject matter’s compliance with the relevant criteria. ‘Sufficiency’ refers to the quantity of evidence and
‘appropriateness’ to its quality. High-quality evidence is both relevant and reliable. In situations of high
risk, the practitioner is expected to gather a greater amount of evidence and to seek out evidence that is
highly relevant and reliable.
For example, in an examination of a year-end cash balance, statements obtained directly from the
bank are considered more reliable than bank statements provided by management (which may have been
altered). Similarly, a bank statement covering the year-end is more relevant than one for a previous month.
Sufficient appropriate evidence for subject matter information can sometimes be difficult to obtain. For
example, information can be proprietary and hence may not be shared by third parties with the practitioner.
Sometimes, lack of market data makes it difficult to corroborate information. Internal controls over the
preparation of non-financial information are generally not as strong as those for financial information
preparation.
According to the Framework, an assurance practitioner has to exercise professional scepticism in
obtaining sufficient appropriate evidence before reaching conclusions on the assurance engagement against
the criteria. In addition, the practitioner needs to exercise professional judgment ‘in considering materiality,
Pdf_Folio:32

32 Advanced Audit and Assurance

engagement risk, and the quantity and quality of available evidence when … determining the nature, timing
and extent of procedures’ (the Framework, para. 50).
Professional Scepticism
The Framework describes professional scepticism as an attribute that includes being alert to such
issues as:
• inconsistent evidence
• information that indicates the need to question the reliability of documents and management responses
to enquiries
• the need to collect additional evidence beyond what is specified in the audit standards
• conditions indicating likely misstatements (Framework, para. 51).
According to Nolder and Kadous (2018), professional scepticism comprises a sceptical mindset and
a sceptical attitude. The mindset component of professional scepticism captures the critical thinking
and objective decision making reflected in the auditor’s judgments. However, the attitude component of
professional scepticism captures the auditor’s feelings and beliefs about the evidence gathered, thereby
informing their evaluations.
As a result, a practitioner must make an assessment, with a questioning mind, of the validity of evidence
obtained and is especially alert to evidence that contradicts or brings into question the reliability of
documents or representations by the responsible party. An attitude of professional scepticism is necessary
throughout the engagement process for the practitioner to reduce the risk of overlooking suspicious
circumstances, of over-generalising when drawing conclusions from observations, and of using faulty
assumptions in determining the nature, timing and extent of evidence-gathering procedures and evaluating
the results.
Professional scepticism means that the practitioner needs to make critical assessments with a questioning
mind about the validity of evidence obtained and is also alert to evidence that contradicts the reliability
of documents or representations by the responsible party (ISA 200, para. A21–A23). For example, if the
auditor knows there is increasing competition in an industry, yet the client’s total sales and gross margins
are increasing, professional scepticism would suggest the importance of further enquiry. Similarly, a long
or close relationship with a client may pose a familiarity threat to professional scepticism because the
practitioner may become too sympathetic to the client’s interests or too accepting of their work (the Code,
para. 120.6 A3(d)).
The importance of professional scepticism is also emphasised by regulatory bodies around the world.
For example, in its latest audit inspection report, ASIC (2019) outlines that professional scepticism will
continue to remain an area of focus for audit firms and ASIC’s future inspections. ASIC states that it will
continue to focus on:

Whether an appropriate level of professional scepticism is exercised by auditors, focusing on significant

judgements about audit evidence, accounting estimates, going concern assumptions and accounting
treatments (ASIC 2019, p. 25).

In its 2019 ASIC inspection report, ASIC notes that, ‘auditors should deliver professional, high quality
audits through a strong internal culture focused on quality audits and professional scepticism’ (ASIC 2019,
p. 17). ASIC emphasises that it is important for firms to focus on professional scepticism, along with the
sufficiency and appropriateness of audit evidence obtained and the appropriate use of the work of experts
and other auditors (ASIC 2019, p. 10).
Example 1.3 demonstrates the importance of professional scepticism in collecting and evaluating
evidence. Review this example now.

EXAMPLE 1.3

Toe Ltd
Toe Ltd is a long-term audit client. The auditor has the highest regard for management integrity and
honesty. Management has a long history of open communication with the auditor and willingness to accept
all audit adjustments.
In auditing the financial statements of Toe Ltd, the auditor has sent confirmation letters to debtors as
part of the tests of existence for trade debtors. Most responses are mailed back and many have small
changes noted on the invoices, which are all immaterial. However, three responses are handed to the
P df_Folio:33

MODULE 1 The Auditing and Assurance Framework 33

 auditor by the client. The auditor is informed that the responses had been faxed back directly to the client.
None of these three responses had any corrections on them.
............................................................................................................................................................................
What impact could these facts have for the audit of Toe Ltd?
Check your response against the suggested answer at the end of the book.

Various bodies have provided descriptions and information to clarify and define what is meant by
professional scepticism and how it should be applied in practice. For example, the Center for Audit Quality
(CAQ) (2010) suggests that exercising professional scepticism includes:
• evaluating and challenging audit evidence
• remaining alert for information that suggests a material misstatement
• considering the risk that management may override internal controls.
Figure 1.6 describes six characteristics of scepticism as outlined by the CAQ (2010), Hurtt (2010) and
IAASB 2015.

FIGURE 1.6 The characteristics, attitudes and behaviours of scepticism

• Resist persuasion
Questioning • Enquire, maintaining
• Challenge assumptions Self esteem
mind a sense of doubt
• Challenge conclusions

Autonomy • Withhold
• Decide for • Self-direction judgment until
• Moral Professional Suspension of
oneself appropriate
independence scepticism judgment
• Do not simply evidence is
accept the • Conviction obtained
claims of others

• Recognise that people’s

motivations and • Investigate beyond the
Interpersonal Search for
perceptions can lead them obvious
understanding knowledge
to provide biased or • Seek corroboration
misleading information

In 2015, the IAASB released an invitation to comment around enhancing audit quality in the public
interest with a focus on professional scepticism, quality control and group audits (IAASB 2015). It lists
seven key issues, with the first two focused on scepticism:

1. Fostering an appropriately independent and challenging skeptical mindset of the auditor — professional
skepticism is a fundamental concept and core to audit quality. Can we better articulate how we and
others expect auditors, especially engagement partners, to appropriately apply professional skepticism?
Can the concept be reinforced more within the ISAs, or through other activities by us or others?
2. Enhancing documentation of the auditor’s judgments — how might an audit file more appropriately
demonstrate the auditor’s decision-making processes, essential interactions and communications, in
order to support the auditor’s judgments and the audit opinion overall? How can the application of
professional skepticism be better evidenced? (IAASB 2015, p. 7).
df_Folio:34
P

34 Advanced Audit and Assurance

Technology
Professional scepticism is affected by a range of contextual factors, which IAASB outlines in its
Framework for Audit Quality (IAASB 2014a). One important contextual factor affecting the auditor’s
scepticism is information technology changes. IAASB (2015) states:
Technological change is occurring at a rapid pace, ushering in the capability to capture and communicate
data digitally, on an unprecedented scale and on almost instantaneous timescales. This has resulted in
increasing focus on ‘big data,’ whether structured or unstructured. Comprehensive and powerful digital
information systems are increasingly capable of handling, analyzing, communicating and responding to
these data related changes. Businesses are rapidly changing their business models in innovative ways in
response to these developments. These changes are feeding into the information systems for financial
and broader corporate reporting, and therefore have implications for audits. Audits are also increasingly
being conducted using advanced technologies, including the evolving use of audit data analytics (IAASB
2015, p. 9).

With these changes in technology, the auditor is continually facing new challenges as well as being
provided with new tools. It is, therefore, necessary that auditors adjust how they apply professional
scepticism to the changing environment.

QUESTION 1.11

How does the use of digital information by companies and the ‘feeding into the information systems
for financial and broader corporate reporting’ (IAASB 2015, p. 9) affect an auditor’s professional
scepticism?

QUESTION 1.12

How could audit firms play an important role in cultivating a sceptical mindset in auditors?

Professional Judgment
Professional judgment involves the assurance practitioner applying their training, knowledge and
experience to make appropriate decisions and reach conclusions. The Framework (para. 56) explains
that ‘professional judgment is essential to the proper conduct of an assurance engagement’. Professional
judgment is needed to interpret ethical requirements and relevant Assurance Standards in order to make
informed decisions throughout the engagement.
Professional judgment is required to be exercised throughout an assurance engagement but must not
be used to justify decisions unless it is ‘supported by the facts and circumstances of the engagement or
sufficient appropriate evidence’ (the Framework, para. 60).
International auditing standards are replete with the term ‘judgment’. The need for the auditor to make
professional judgments is paramount. The audit manuals of large audit firms note that the single most
important element in applying firm procedures in an audit is the exercise of informed judgment. A report
by KPMG emphasises this point:
[Judgment] can be consequential to the continued viability of organizations, the livelihoods of the people
employed by them, and the investors who rely on them not to mention the effectiveness and efficiency of
our capital markets. Audit judgments both big and small matter (KPMG 2011, p. ii).

ASIC’s latest review of 98 audit files undertaken in 18 months to 30 June 2018 continues to reveal
instances when auditors did not obtain sufficient appropriate audit evidence, adequately question manage-
ment’s basis for valuation or challenge the work of experts, particularly in areas of impairment testing and
investments and financial instruments (ASIC 2019). ASIC further notes that audit firms should continue
to focus on ‘the audit of asset values … especially challenging the reasonableness of any forecasts, key
assumptions, and the basis of the valuation’ (ASIC 2019, p. 10). These shortcomings indicate the auditors’
professional judgment is inadequate.

Pdf_Folio:35

MODULE 1 The Auditing and Assurance Framework 35

 Experience in financial statement auditing informs assurance engagements on non-financial information
(e.g. assessing materiality, understanding the business, obtaining sufficient appropriate evidence, and
making informed judgments). However, ISAE 3000 (Revised), paragraph 52, requires appropriate
specialist knowledge to be applied in an assurance engagement, where considered necessary.
Table 1.9 identifies many circumstances where professional judgment is required.

TABLE 1.9 Examples of audit judgments

Understanding • What environmental factors to examine

the entity and • Which risk assessment procedures to use
its environment • Which members of the audit team should be involved in discussions of potential fraud
• Assessing the appropriateness of suitable criteria for a greenhouse gases (GHG)
emissions assurance engagement

Assessing the • Assessing inherent risk

risk of material • Determining high risk audit areas
misstatement • Assessing the probability of company failure
• Assessing the percentage of debtors that will be recoverable
• Assessing directors’ best estimate assumptions in the preparation of forecast financial
information
• Assessing whether the preparer has applied appropriate criteria (e.g. GRI reporting
standards)

Internal controls • Assessing control risk

• Extent of auditor reliance on internal controls

Consideration of • Which fraud risk factors are present

fraud and error • Determining which trends and relationships indicate the risk of fraud
• The extent to which matters are documented
• Whether a sales overstatement is material
• Whether an item of non-compliance is material in a compliance audit
• Determining the level of pollution that is material in an environmental assurance
engagement

Communication • The appropriate person(s) to communicate with

• Matters to be communicated
• The level of detail to be communicated

Policies • The appropriateness of accounting policies used

• Whether policies used are consistent with prior years

Audit evidence • Nature, timing and extent of evidence

• Whether to rely on audit evidence from previous audits
• Sufficiency and appropriateness of audit evidence
• Conclusions on results of specific audit procedure
• Use of an independent expert

Analytical • Audit strategy

procedures • Which techniques to use
• Development of expectations
• Identification of significant fluctuations
• Assessing the appropriateness of data used by management in developing an environ-
mental report

Audit sampling • Whether or not to use statistical sampling

• Determining sample size
• Selection of items to test

Audit reporting • Whether a modified audit report is appropriate, and if so, which one
• Whether an emphasis of matter paragraph is appropriate
• Qualified, disclaimer, adverse opinions
• What key audit matters (KAMs) to include in the audit report, if any
• Whether a going concern basis is appropriate
• The wording of other assurance reports

Source: CPA Australia 2019.

Pdf_Folio:36

36 Advanced Audit and Assurance

 QUESTION 1.13

Both professional scepticism and professional judgment are essential to the proper conduct of
an assurance engagement. Explain how auditors use professional scepticism and professional
judgment in the context of an assurance engagement.

Materiality
As mentioned earlier, judgments pertaining to evidence collection and evaluation are made within the
context of materiality. In respect of accounting information, an omission, misstatement or non-disclosure
is material if it could adversely affect user’s decisions based on the financial statements. Materiality is
relevant when the practitioner:
• plans the engagement
• determines their procedures for gathering evidence
• assesses whether the subject matter information is free of misstatement.
Materiality judgments must take into account both quantitative (numerical and measurable) and
qualitative (other than numerical; subjective) factors. Materiality is discussed in more detail in
module 2.

Engagement Risk
The subject matter presented to the assurance practitioner may fail to meet the requirements of the
relevant criteria and, hence, may be materially misstated. Assurance engagement risk is the risk that the
practitioner reports that the subject matter information is fairly presented when, in fact, it is materially
misstated. In other words, it is the risk that the practitioner’s conclusion is wrong. When an audit is
undertaken, this is referred to as audit risk.
A key requirement of a quality assurance engagement is to keep the engagement risk at an acceptably
low level (some firms don’t use the ‘low’ category e.g. use numbers instead). Consequently, an assurance
provider assesses the engagement risk during the planning stage of the engagement by assessing three
components.
1. Inherent risk is defined as the susceptibility of the subject matter information to a material misstate-
ment and is therefore determined by the underlying subject matter. For example, in the case of a financial
statement audit of a business, inherent risk is determined by the riskiness of both the business and the
economic environment. Normally, it would be expected that higher inherent risk exists for small as
opposed to large businesses, and during periods of recession as opposed to periods of economic growth.
Many considerations affect the assessment of inherent risk.
2. Control risk is defined as the risk that a material misstatement will not be prevented, or detected
and corrected, by the internal control system. A well-designed and implemented control system
can reduce control risk, but some level of control risk always exists because of the limitations of
control systems. For example, an important control over cash is the bank reconciliation, so if a bank
reconciliation is not performed, control risk increases. That is, the risk that the bank account will be
misstated, and that the control system will fail to prevent the error, or fail to detect and correct the error,
is increased.
3. Detection risk is the risk that the assurance practitioner’s evidence-gathering procedures will not detect
a material misstatement. Detection risk is affected by the quantity, reliability and relevance of evidence.
For example, assume that to determine the existence of the inventory, an auditor counts ten items of
inventory. Detection risk would be reduced if the practitioner were to increase the sample size for testing
to 20 items.
Inherent risk and control risk are commonly combined and are referred to as the risks of material
misstatement. In the Glossary of Terms provided by IAASB, audit risk is described as ‘a function of the
risks of material misstatement and detection risk’.
The degree to which the practitioner considers each of the components of audit risk is affected by the
engagement circumstances and whether a reasonable assurance or a limited assurance engagement is being
performed.
Example 1.4 illustrates the use of professional judgment in planning the audit for Galaxy Ltd. Review
this example now.
Pdf_Folio:37

MODULE 1 The Auditing and Assurance Framework 37

 EXAMPLE 1.4

Galaxy Ltd
Galaxy Ltd (Galaxy) is a large, well-established computer-parts manufacturer that sells parts to computer
stores. Changing technology makes the industry very competitive, and Galaxy has made only small profits
for the last couple of years. Its bank loan depends on it continuing to earn a profit.
Because of the competitive pressures, Galaxy recently relocated the manufacture of some of its com-
puter parts from Perth, in Australia, and Hong Kong to southern China. This has reduced manufacturing
costs, but occasional quality problems have resulted in some lost orders.
Sales staff have previously been paid a fixed salary based on the number of years they have been with
the company. However, a new commission scheme is being introduced this year by which staff will be paid
a lower fixed salary but will receive a 4% commission if their individual sales targets are met or exceeded.
Galaxy plans to upgrade its general ledger reporting with a new software package. The conversion is
planned for just before year-end so that it will be ready for next year. The new computer system will provide
detailed information on sales, gross margins and inventory levels by product line.
............................................................................................................................................................................
What factors will affect the planning of the audit for Galaxy?
Check your response against the suggested answer at the end of the book.

QUESTION 1.14

(a) What is professional scepticism?

(b) How is it linked to engagement risk?

Nature, Timing and Extent of Procedures

Based on the assessment of materiality and combined risk of misstatement, an assurance practitioner will
use a combination of procedures to collect sufficient and appropriate evidence. The exact nature, timing
and extent of these procedures will vary from engagement to engagement (the Framework, para. 76).
Nature refers to the purpose of the test (e.g. to test controls, transactions or account balances) and
the procedure used (e.g. inspection, observation, enquiry, confirmation, recalculation, re-performance
or analytical procedures). For example, in auditing inventory, the auditor could perform the following
procedures:
• ask warehouse personnel about obsolete inventory (enquiry)
• watch warehouse personnel count the inventory (observation)
• test count the inventory (re-performance)
• sight shipping documents and receiving reports (inspection).
The nature of an audit procedure will also depend upon the assertion being tested. The higher the risk
of material misstatement, the more reliance placed on substantive procedures, the greater the use of audit
procedures that access the most persuasive audit evidence (Moroney et al. 2017).
Timing refers to when the evidence is collected (e.g. interim period or year-end). Evidence collected at
year-end, or close to the date of the subject matter information, is the most reliable. This is largely due to
year-end testing focusing more on substantive tests of balances rather than transactions.
Extent refers to the quantity of information collected and tested. It is equivalent to sufficiency. More
evidence is better than less, but this is highly dependent on its quality.
Planning for the nature, timing and extent of evidence collection is informed by the:
• assessment of inherent risk
• intention to use selective testing and sampling
• limitations of internal control systems
• assessed control risk
• fact that much of the evidence available to the practitioner is persuasive rather than conclusive
• use of judgment in gathering evidence and evaluating and forming conclusions based on that evidence.

Assurance Report
A practitioner provides a written assurance report containing a clearly expressed conclusion about the
subject matter information. The determination of the level of assurance that can be provided involves
df_Folio:38
P

38 Advanced Audit and Assurance

consideration of the relationships between the underlying subject matter, the criteria and the quantity
and quality of evidence. Basic elements for assurance reports are established by Assurance Standards
(Framework, para. 83).
In providing the assurance report, there are important considerations related to the wording. There is a
much greater variety in assurance reports that do not relate to historical financial information. Reporting
timetables may also be shorter and sometimes less predictable (e.g. when an entity decides to issue a report
on an environmental issue in response to a current event and requires assurance on that report within a
particular timeframe).
As discussed earlier, in a reasonable assurance engagement, the practitioner expresses the conclusion in
a positive form — for example, ‘In our opinion the internal control system is effective’.
In a limited assurance engagement, the practitioner expresses the conclusion in a form that aligns to the
limited scope of the assurance engagement — for example, ‘Nothing has come to our attention that causes
us to believe that internal control is not effective’.
Review paragraphs 83–92 of the Framework to become familiar with the contents of these types
of assurance reports.

QUESTION 1.15

Does an engagement to perform an audit of financial statements include the provision of assurance
on internal controls?

The key points covered in this part, and the learning objectives they align to, are below.

KEY POINTS

1.1 Apply the International Framework for Assurance Engagements (the Framework) and the
related standards and other guidance to assurance engagements.
• The Framework is not a standard. It provides a frame of reference for assurance practitioners and
others involved in assurance engagements.
• The Framework distinguishes direct engagements from attestation engagements and reasonable
assurance engagements from limited assurance engagements.
• The Framework sets out preconditions for an assurance practitioner to accept an assurance
engagement.
• The Framework identifies five elements that assurance engagements exhibit and how they vary in
different assurance engagements.
• The Framework discusses assurance practitioner’s responsibilities towards the use of professional
scepticism and the application of professional judgment in obtaining sufficient appropriate evidence
to support the assurance practitioner’s conclusion.
1.2 Apply the Code of Ethics for Professional Accountants to assurance engagements.
• The Code sets out fundamental principles of ethics for all professional accountants. These prin-
ciples establish the standard of behaviour expected of a professional accountant.
• The Code provides a conceptual framework that members are required to apply in order to identify,
evaluate and address threats to compliance with fundamental principles.
• The Code also sets independence standards for audits and other assurance engagements.

1.3 TYPES OF ASSURANCE ENGAGEMENTS

In addition to historical and prospective financial information, entities report a large amount of non-
financial information, such as:
• additional disclosures relating to wider operating data, internal controls, corporate governance, and risk
management practices and outcomes
• corporate social responsibility (CSR) reporting on economic, social and environmental issues (including
carbon emissions)
• reporting to regulators regarding such issues as compliance with regulatory requirements.
The types and amount of these reporting requirements are generally growing and, while there may be
differences in emphasis across some countries, it is certainly a worldwide trend.
Pdf_Folio:39

MODULE 1 The Auditing and Assurance Framework 39

 In this section, we provide an overview of the different types of assurance services that an assurance
practitioner can provide. These types of engagements are introduced here and will be examined in more
detail in the remaining modules. The most common types of assurance engagements are:
• audits of financial statements
• audits of specialised areas
• review engagements
• assurance of historical non-financial information
• assurance on future-oriented information
• assurance on systems and processes
• assurance on aspects of behaviour
• assurance of performance of an activity.
Each type of assurance engagement will now be explained in turn.

AUDITS OF FINANCIAL STATEMENTS

According to ISA 200, the objectives of the auditor are to obtain reasonable assurance that the financial
statements are free from material misstatement and ‘to express an opinion about whether the financial
statements are prepared in all material respects in accordance with a financial reporting framework’
(ISA 200, para. 11).
Within an Australian context, this means that the financial report has been prepared in accordance with
Australian Accounting Standards and interpretations and any relevant legislation, such as the Corporations
Act (ASA 200). Where a fair presentation framework is applicable for financial reports, the opinion
required by the Australian Auditing Standards is on whether the financial report is presented fairly, in
all material respects, or gives a true and fair view (ASA 200, para. A13; ISA 200, para. A13).
The entity’s reporting requirements are specified in the Corporations Act. Both a financial report and
a directors’ report must be prepared annually by disclosing entities, public companies, large proprietary
companies and registered schemes (s. 292 of the Corporations Act). Under sections 295(4)(c) and 295A
of the Corporations Act, directors of the reporting entity must declare whether the reporting entity
will be able to pay its debts as and when they become due, whether the financial records have been
properly maintained, whether the financial report and notes comply with Australian Accounting Standards
including interpretations, and whether the financial report and notes give a true and fair view. A true
and fair view refers to the consistent and faithful application of accounting standards in accordance with
the financial reporting framework when preparing the financial report (ASA 200, para. 13; ISA 200,
para. 13). Australian companies must prepare their financial report in compliance with accounting
standards (s. 296 of the Corporations Act). If compliance with accounting standards does not give a true
and fair view, a company should provide additional information in the notes to the financial report (s.
295(3)(c) of the Corporations Act). Regulatory Guide 230 (ASIC, 2011) provides information for company
directors and financial report preparers regarding the disclosure of information other than in accordance
with accounting standards. Section 301 of the Corporations Act requires that the financial report be audited.
In fulfilling their role, the auditor must be independent of the company they audit, exercise due professional
care, and comply with Auditing and Assurance Standards (APES 210).

Limitations of an Audit
A financial statements audit is conducted to enhance the reliability and credibility of the information
included in a financial report. Yet it is not a guarantee that the financial report is free from error or fraud.
The limitations of an audit stem from the nature of financial reporting, the nature of audit procedures
and the need for the audit to be conducted within a reasonable period of time and at a reasonable cost
(ISA 200).
The nature of financial reporting refers to the use of judgment when preparing financial reports due to
the subjectivity required when arriving at accounting estimates. Judgment is also required when selecting
and applying accounting methods.
The nature of audit procedures refers to the reliance on evidence provided by the client and its
management. If an auditor does not have access to all the information relevant to the audit, there is a
limitation in the scope of their audit. If the auditor is unaware of this situation, they may arrive at an
inappropriate conclusion based on incomplete facts. Evidence may be withheld or modified by perpetrators
of fraud. It can be difficult for an auditor to determine whether a fraud has occurred and documents altered
as those committing a fraud generally hide evidence. Sampling is used when testing transactions and
Pdf_Folio:40

40 Advanced Audit and Assurance

account balances. If a sample is not representative of all items available for testing, an auditor may arrive
at an invalid conclusion.
The timeliness and cost of a financial report audit refers to the pressure an auditor faces to complete
their audit within a certain time frame at a reasonable cost. While it is important that an auditor does not
omit procedures in an effort to meet time and cost constraints, they may be under some pressure to do so.
This pressure will come from clients wanting to issue their financial reports by a certain date, from clients
refusing to pay additional fees for additional audit effort, and from within the audit firm where there are
pressures to complete all audits on a timely basis to avoid incurring costs that may not be recovered. By
taking the time to plan the audit properly (covered in module 2), an auditor can ensure that adequate time
is spent where the risks of a significant error or fraud are greatest.

AUDITS OF SPECIALISED AREAS

Audits of specialised areas cover audits of historical financial information other than general purpose
financial statements. This includes audits of:
• special purpose financial statements
• single financial statements or components thereof
• summary financial statements including concise financial reports.

REVIEW ENGAGEMENTS
An assurance practitioner may be engaged to perform a review of a financial report rather than an audit,
and this review may be conducted by a practitioner who has no other dealings with the company or may
be conducted by the company’s independent auditor. Specific requirements exist for reviews of financial
statements which are distinct from those requirements that relate to the reviews of other historical financial
information.
A review of interim financial statements enables the auditor to express a conclusion whether, on the
basis of the review, anything has come to light to cause the auditor to believe that the interim financial
report is not prepared in accordance with an applicable financial reporting framework. A review differs
significantly from an audit in that it does not provide a basis for an opinion to be formed regarding whether
the financial report gives a true and fair view, or is presented fairly, in all material aspects, in accordance
with the applicable financial reporting framework. A review is not designed to obtain reasonable assurance
that the interim financial report is free from material misstatement.
Reviews of historical financial information that are other than a complete financial report include reviews
of specific components, elements, accounts or items of a financial report, other information or schedules
that can be derived from financial records, or financial statements that are prepared in accordance with a
financial reporting framework that is not designed to achieve fair presentation, such as condensed financial
statements and an entity’s internal management accounts.

QUESTION 1.16

You have been approached by a prospective client, who is unsure about the applicability of the
financial reporting requirements. They are unclear about the difference between an audit and a
review. Prepare notes for a meeting to help the prospective client understand the differences
between an audit and a review, including differences in the level of assurance, form of the opinion
and types of procedures that could be performed.

HISTORICAL NON-FINANCIAL REPORTS ASSURANCE

ISAE 3000 (Revised) Assurance Engagements Other than Audits or Reviews of Historical Financial
Information is an umbrella standard for ‘other’ assurance engagements. Other assurance engagements
under ISAE 3000 (Revised) may be either ‘reasonable’ or ‘limited’ (para. 10), and the conditions for
accepting or continuing them are set out in ISAE 3000 (Revised), paragraph 22. These conditions include
the general requirements that the practitioner (signing partner) believes that the engagement team satisfies
relevant ethical requirements, including independence. The practitioner should also be satisfied that the
engagement team, collectively, has the appropriate competence and capabilities. Further, the practitioner
Pdf_Folio:41

MODULE 1 The Auditing and Assurance Framework 41

should be satisfied that the preconditions of an assurance engagement, as discussed in ISAE 3000
(Revised), paragraph 24, are present.
Assurance of non-financial information includes assurance on:
• corporate social responsibility (CSR) reports
• greenhouse gas statements (GHG)
• sustainability reports
• water accounting reports
• business performance measurement
• integrated reports.

FUTURE-ORIENTED INFORMATION ASSURANCE

Assurance engagements covering future-orientated information include prospective financial information
about future events which are not certain. This information includes:
• forecasts based on best-estimate assumptions based on expectations
• projections based on hypothetical assumptions
• pro forma financial statements for a prospectus.
Given the inherent uncertainties surrounding financial information based on future predictions, assur-
ance engagements in relation to this information only ever give limited assurance. An example of
circumstances where this kind of information would need assurance attached to it is where an organisation
has prepared forecast information in support of an application for a bank loan and the assurance provided
by the auditor would enhance the credibility of these forecasts.
It is not within the scope of the engagement to express an opinion on the truth, fairness or other
characteristics of the information. The auditor will express a negative form opinion on the suitability of the
assumptions and then give a further opinion about whether the information has been prepared in accordance
with those assumptions and an appropriate financial reporting framework. An additional statement will be
included, which highlights that actual results are likely to be different to the forecast where events do not
occur as expected.

ASSURANCE ON SYSTEMS AND PROCESSES

‘Systems and processes’ is one of the categorisations of underlying subject matter for other assurance
services (International Framework for Assurance Engagements, Appendix 4). The most common other
assurance services relate to internal control.
Following the enactment of the Sarbanes–Oxley Act 2002 (US), there are now requirements for
management reports on internal controls and subsequent requirements for these assessments to be audited.
Given that these requirements are seen by many regulators as best practice, they are likely to lead to greater
reporting and assurance on internal controls in other jurisdictions as well. The IAASB issued ISAE 3402
Assurance Reports on Controls at a Service Organisation for auditors performing assurance engagements
on controls at a service organisation.
You can access ISAE 3402 at https://www.ifac.org/system/files/publications/files/IAASB-2018-HB-
Vol-2.pdf.
In Australia, the AUASB issued a new Standard, ASAE 3150 Assurance Engagements on Controls, in
2015. This standard sets out mandatory requirements for assurance practitioners to apply, in conjunction
with the requirements in ASAE 3000, when accepting, planning, performing and reporting on controls.
Providing a report on internal controls enables management to discharge its accountability obligation to
establish an effective internal control structure. The investing public has a legitimate interest in the state
of an entity’s internal controls. Also, a requirement for management to report on the adequacy of internal
controls may cause them to be more effective in maintaining internal control systems.
Assurance on systems and processes include:
• internal audits
• internal controls audit
• continuous auditing.

Internal Audits
Internal audits are conducted to provide assurance about various aspects of an organisation’s activities.
The internal audit function is typically conducted by employees of the organisation being audited but can
be outsourced to an external audit firm. As such, the function of internal audit is determined by those
Pdf_Folio:42

42 Advanced Audit and Assurance

charged with governance and management within the organisation. While the functions of internal audits
vary widely from one organisation to another, they are often concerned with evaluating and improving
risk management, internal control procedures and elements of the governance process. The internal audit
function often conducts performance audits, compliance audits, internal control assessments and reviews.

Internal Controls Audit

Engagements in relation to control procedures aim to provide a level of assurance in relation to the design
and operating effectiveness of internal control procedures. These engagements may be direct reporting
engagements, where the auditor gives an opinion directly on the internal controls themselves, or an
assertion-based engagement, where management has made assertions (usually in the form of a written
report) about the effectiveness of their control procedures and the auditor is providing an opinion on those
assertions. Engagements of this nature may give rise to either reasonable assurance or limited assurance.

Continuous Auditing
The electronic revolution has created a demand for more timely assurance on a broader range of
information than that provided by the annual audit of historical financial statements. Companies now
release information via their websites to interested parties over a short time frame, and continuous auditing
allows auditors’ reports on that information to be provided almost immediately. A continuous audit is a
process or method that enables independent auditors to provide written assurance on subject matter using
a series of auditors’ reports issued simultaneously with, or a short time after, the occurrence of events
underlying the subject matter. It is conducted on continuous financial and non-financial information made
available to users in formats defined by management.
Auditors could be asked to continuously audit and report on:
• financial statements available on demand via a website
• specific financial information in conjunction with a debt covenant agreement
• compliance with published policies and practices regarding e-commerce transactions (e.g. reliance on
secure encrypted systems for credit card processing)
• the effectiveness of controls operating in key systems or processes.
A continuous audit presents a number of auditing issues. There is little time for the auditor to gather audit
evidence for verifying and substantiating the subject matter concerned. The auditor cannot rely on normal
audit procedures, such as obtaining independent confirmations and checking material misstatements, so
a reliable and well-controlled application system is vital. The auditor must use fully automated audit
software such as IDEA or ACL to read, manipulate and generate the information required. Other conditions
necessary for ensuring a successful continuous audit are:
• effective communication and technology between the client and the auditor
• agreement as to the form, content and scope of the audit
• a sound knowledge by the auditor of the systems used by the client.
Continuous auditing is more relevant in an online environment where strategies and business processes
are used to provide value-added performance information to interested parties.

ASSURANCE ON ASPECTS OF BEHAVIOUR

Assurance on aspects of behaviour include:
• compliance engagements
• corporate governance assurance.

Compliance Engagements
Organisations may have obligations to follow requirements imposed by law or regulation, by contract
or internally imposed through accounting policies and procedures. Compliance engagements provide
assurance that regulations, contractual obligations or other requirements have been complied with. An
example of this is reporting on whether an entity has complied with certain aspects of a bank loan agreement
relating to interest payments and maintenance of predetermined financial ratios.
The level of work that the auditor needs to carry out will be dependent upon whether the engagement
is a reasonable assurance engagement or limited assurance engagement, and specific procedures need
to be designed accordingly. Given the variety of possible engagements that could arise, it is important
that the auditor ensures that the overall aspects of compliance relate to matters within their scope of
professional competence. One of the most significant issues in these engagements is ensuring the suitability
Pdf_Folio:43

MODULE 1 The Auditing and Assurance Framework 43

of the criteria against which the outcome is to be measured. This may be simple with legislation or
contractual provisions where the criteria are clearly stated; in other circumstances, such as compliance with
organisational policies and procedures, the suitability of the criteria will need to be carefully considered.
The report prepared by the auditor should clearly identify the criteria, the time period covered and state
whether, in the auditor’s opinion, the entity has complied with its obligations.

Corporate Governance Assurance

The major corporate collapses in the early 2000s (including Enron, WorldCom, HIH Insurance and
Le Nature’s Inc.) prompted an increase in the regulation of corporate governance. This included the
introduction of the Sarbanes–Oxley Act in the United States and the CLERP 9 reforms in Australia.
Corporate governance has thus assumed new levels of importance in today’s business world. The Big
Four accounting firms all provide assurance services related to corporate governance requirements and
best practice board reporting (refer to the websites of any of the Big Four accounting firms).

PERFORMANCE OF AN ACTIVITY
Performance engagements are concerned with the economy, efficiency and effectiveness of an organ-
isation’s activities (ASAE 3500 Performance Engagements, para. 7). Economy refers to the cost of
inputs, including wages and materials. Efficiency refers to the relationship between inputs and outputs.
Specifically, efficiency refers to the use of the minimum amount of inputs to achieve a given output.
Finally, effectiveness refers to the achievement of certain goals or the production of a certain level of
outputs. From an organisation’s perspective it is important to perform well across all three dimensions and
not allow one to dominate. For example, if buying cheap inputs results in an inefficient production process,
efficiency may be seen to be sacrificed to achieve economic goals.

QUESTION 1.17

A firm provides the following service for its clients.

1. Preparation of a report advising a client on the introduction of a new system of internal controls.
2. A report providing an opinion on a school’s responses to a questionnaire required by the auditor-
general.
3. Preparation of the company’s tax returns.
4. A report to management about the success of a marketing campaign.
5. A report to directors in relation to half-year financial report for a listed company.
6. An audit of a management report into the effectiveness of a company’s internal control system.
7. A statement of findings to management in relation to the completeness and accuracy of its trade
creditors balance.
For each of the above, identify whether assurance services are being provided and justify your
answer. For each assurance service, identify what level of assurance will be provided and what
form the opinion will take.

The key points covered in this part, and the learning objectives they align to, are below.

KEY POINTS

1.1 Apply the International Framework for Assurance Engagements (the Framework) and the
related standards and other guidance to assurance engagements.
• Standards on Assurance Engagements establish requirements and provide application and other
explanatory material for a range of assurance engagements other than audit or review of financial
information.
• ASAEs on a specific subject matter are read and applied in conjunction with ASAE 3000.
• According to ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in
Accordance with International Standards on Auditing, the objective of a financial statements audit
is for the auditor ‘to express an opinion about whether the financial report is prepared in all material
respects in accordance with a financial reporting framework’.
• ISAE 3000 (Revised) Assurance Engagements Other than Audits or Reviews of Historical Financial
Information is an umbrella standard for ‘other’ assurance engagements.
df_Folio:44
P

44 Advanced Audit and Assurance

 • ISAE 3402 Assurance Reports on Controls at a Service Organisation provides guidance for auditors
performing assurance engagements on controls at a service organisation.
• ASAE 3500 Performance Engagements are concerned with the economy, efficiency and effective-
ness of an organisation’s activities.

1.4 APPLICATION OF STANDARDS

The Preface to the International Quality Control, Auditing, Review, Other Assurance, and Related Services
Pronouncements issued by the IAASB facilitates understanding of the scope and authority of the IAASB’s
pronouncements. The IAASB pronouncements govern audit, review, other assurance and related services
engagements that are conducted in accordance with International Standards.
As discussed earlier:
• International Standards on Auditing (ISAs) are to be applied in the audit of historical financial
information
• International Standards on Review Engagements (ISREs) are to be applied in the review of historical
financial information
• International Standards on Assurance Engagements (ISAEs) are to be applied in assurance engagements
other than audits or reviews of historical financial information
• International Standards on Related Services (ISRSs) are to be applied to compilation engagements,
agreed upon procedures and other related service engagements.
ISAs, ASREs, ISAEs and ISRSs are collectively referred to as the IAASB’s Engagement Standards. As
mentioned previously, these pronouncements do not override the local laws or regulations in a particular
country.

APPLICATION OF ISAs
The ISAs are developed by the International Auditing and Assurance Standards Board (IAASB). The
following points are noteworthy.
• The ISAs are written in the context of an audit of historical financial statements.
• The ISAs apply to all members of the accounting profession and are applicable to both the private and
public sectors.
• The ISAs apply to audits of all sizes and complexity. The argument is that it is in the public interest
that users of audited financial statements have confidence that the audits have been performed at a high
standard. This applies regardless of whether the entities are large or small, complex or simple (IAASB
2009).
Figure 1.7 provides an overview of the categories of auditing standards, as well as the ISA number
sequence used for each category, and shows the number of standards in each category. As can be seen
from figure 1.7, the standards provide a guide that takes the auditor through the whole audit process. Not
surprisingly, many standards are in the category of ‘audit evidence’ because obtaining evidence to support
an opinion is crucial to the auditor’s work. The standards are designed to be applicable to the whole audit
process. Specific standards are not written for particular classes of transactions or balances.
These ISAs cover the following.
• Audits of annual general purpose financial statements (covered by ISA series 200 to 700)
– covered in modules 2–4
• Other audits of historical financial information (covered by ISA series 800) and discussed in module 5
includes:
– financial statements prepared in accordance with special purpose frameworks
– single financial statements and specific elements, accounts or items of a financial statement
– summary financial information.
The authority of ISAs is set out in ISA 200. ISA 200:
• creates an obligation for auditors to comply with ethical requirements and the ISAs
• sets out the overall objectives of the independent auditor
• explains the nature and scope of an audit that will enable the independent auditor to meet these objectives
• explains the scope, authority and structure of relevant ISAs that shall assist an independent auditor in
planning and performing the audit (ISA 200, paras 1 and 21).
Pdf_Folio:45

MODULE 1 The Auditing and Assurance Framework 45

 FIGURE 1.7 Structure of the ISAs

• General principles and responsibilities

ISA 200 series
(covered by 8 standards)

ISA 300 series

• Risk assessment and response to assessed risks
and
(covered by 6 standards)
ISA 400 series

• Audit evidence
ISA 500 series
(covered by 11 standards)

• Using the work of others

ISA 600 series
(covered by 3 standards)

• Audit conclusions and reporting

ISA 700 series
(covered by 6 standards)

• Specialised areas
ISA 800 series
(covered by 3 standards)

Digital content, such as videos and interactive activities in the e-text, support this module. You can
access this content on My Online Learning.

SME Perspective
Applying ISAs Proportionately with the Size and Complexity of an Entity (IAASB 2009) provides questions
and answers relating to the audits of small and medium-sized entities (SMEs). So while the requirements
of all relevant ISAs apply to SMEs and the auditor’s objectives are the same regardless of size or
complexity, some important issues are raised in IAASB (2009) as to the conduct of an audit of an
SME compared to a larger entity. Not all audits are planned and performed in the same way. Specific
audit procedures to comply with ISAs may vary considerably depending on the size and complexity of
the entity.
The work effort for the audit of an SME may differ from that in a larger audit because it will generally
involve much simpler transactions and, therefore, be more straightforward. For example, the requirement
to understand the entity and its environment (ISA 315 (Revised) Identifying and Assessing the Risks of
Material Misstatement through Understanding the Entity and Its Environment) will be much easier to
carry out for an SME. Similarly, internal controls in an SME are usually simpler; while the auditor is still
required to obtain an understanding of internal control, the auditor can usually obtain and document that
understanding more quickly.

Pdf_Folio:46

46 Advanced Audit and Assurance

 ISAs often have a special section entitled ‘Considerations Specific to Smaller Entities’. Examples of
considerations from these sections include:

1. Standard audit programs or checklists … drawn up on the assumption of few relevant control activities
… may be used provided that they are tailored to the circumstances of the engagement, including the
auditor’s risk assessments (ISA 300 Planning an Audit of Financial Statements, para. A21).
2. Some smaller entities may not have interim or monthly financial information that can be used for
purposes of analytical procedures. In these circumstances … the auditor may need to plan to perform
analytical procedures to identify and assess the risks of material misstatement when an early draft of the
entity’s financial statements is available (ISA 315 (Revised), para. A17).
3. Audit evidence for elements of the control environment in smaller entities may not be available
in documentary form … Consequently, the attitudes, awareness, and actions of management or the
owner-manager are of particular importance to the auditor’s understanding of a smaller entity’s control
environment (ISA 315 (Revised), paras A86–A87).

While an auditor of an SME must comply with all relevant ISAs (ISA 200, paras 18–20), a number of
ISAs are likely to be less relevant to an SME. Examples include:
• ISA 300 Planning an Audit of Financial Statements — if a one-person audit team is used, the
requirements related to the direction, supervision and review of team members is not relevant
• ISA 402 Audit Considerations Relating to an Entity Using a Service Organization — if the SME does
not use a service organisation
• ISA 510 Initial Audit Engagements — Opening Balances — if the SME audit is a continuing engagement
and not an initial engagement
• ISA 600 Special Considerations — Audits of Group Financial Statements (Including the Work of
Component Auditors) — if the SME audit engagement is not a group audit
• ISA 610 (Revised) Using the Work of Internal Auditors — if the SME has no internal audit function
• ISA 800 (Revised) Special Considerations — Audits of Financial Statements Prepared in Accordance
with Special Purpose Frameworks, ISA 805 (Revised) Special Considerations — Audits of Single
Financial Statements and Specific Elements, Accounts or Items of a Financial Statement and ISA 810
(Revised) Engagements to Report on Summary Financial Statements — if the SME audit engagement
is to report on general purpose financial statements.
Even when an ISA is relevant to an SME, not all requirements of every ISA will be relevant when
performing an audit of an SME (ISA 300, para. A17). Similarly, the form, content and extent of
documentation can vary with the size and complexity of the entity (ISA 230 Audit Documentation,
para. A2). Also, documentation for an SME is generally less extensive than for a large entity (ISA 230,
para. A16), and it may be helpful and efficient to record various aspects of the audit in a single document.

Audit Requirements
The audit requirements of small businesses and incorporated associations can vary considerably. In
Australia, unincorporated businesses and sole traders are not subject to the audit requirements of the
relevant regulations such as the Corporations Act (Cwlth). Many small businesses, however, choose to
adopt the small proprietary company as a business form in order to obtain the benefits of limited liability.
Under the Corporations Act, Australian small businesses may choose between including key financial data
in their annual returns to ASIC or having the company’s accounts audited, in which case this information
is not required to be submitted. Often, small businesses choose to have their accounts audited in order to
maintain the privacy of their financial affairs and to deny competitors access to confidential trade-related
financial information.
Associations, clubs, community groups and charities have long been, and remain, an important part of
society. Such an association does not have to be incorporated, but incorporation means that it becomes
a legal entity in its own right, separate from the individual members. It is therefore considered at law to
have a distinct identity that continues regardless of changes to the membership. In Australia, there are
a number of ways associations can incorporate — under the Corporations Act, associations, charitable
or not-for-profit organisations will generally be registered as companies that are limited by guarantee.
In each of the Australian states and territories, there are various Association Incorporation Acts, which
contain differential accounting and audit requirements. CPA Australia has summarised these various
requirements in its guide Companies limited by Guarantee and Incorporated Associations: Reporting and
Auditing/Review Obligations.
Pdf_Folio:47

MODULE 1 The Auditing and Assurance Framework 47

 You can access the 2017 CPA Australia’s guide on Companies Limited by Guarantee and Incorporated
Associations: Reporting and Audit/Review Obligations on the CPA website at: http://cpaaustralia.
com.au/~/media/corporate/allfiles/document/professional-resources/auditing-assurance /incorporated-
associations.pdf.
A tiered approach is commonly used to ease the audit burden for smaller incorporated associations. For
example, under the Corporations Act (for companies limited by guarantee) the Australian Charities and
Not-For-Profits Commission (ACNC) Act 2012 (Cwlth) and various state Associations Incorporation Acts,
a tiered approach is used. These tiers are outlined in table 1.10.

TABLE 1.10 A tiered approach to audit requirements for incorporated associations

Tier Size of tier Audit requirement

Tier 3 Revenue of $1m or more Audit must be completed by a registered company auditor

Tier 2 Revenue of $250 000 to less than $1m Can elect to have their financial report either reviewed
or audited

Tier 1 Revenue of less than $250 000 No audit or review requirements

Source: CPA Australia 2019.

Future Developments
The scalability and proportionality of the ISAs has been one of the key environmental drivers that shaped
the IAASB’s Proposed Strategy for 2020–2023 and Work Plan for 2020–2021. To gather information on its
strategic theme ‘Develop ways to address complexity, while maintaining scalability and proportionality’,
IAASB published a Discussion Paper, Audit of Less Complex Entities — Exploring possible options to
address the challenges in applying the ISAs in April 2019 for public consultation. Feedback from the
Discussion paper will assist IAASB to further understand the challenges of using ISAs in audit and less
complex entities and views about possible actions to address these challenges.
Although the discussion about the challenges of applying the ISAs has historically been around the
difficulties experienced in audits of smaller entities as outlined in the Chairman’s Foreword, we are of the
view that it is appropriate to focus on the complexity of the entity rather than its size. This is because in
today’s environment, it is not only about size — there may be entities that are smaller but may be considered
complex, and there may be other entities that would not be considered smaller, but would be considered
less complex (Discussion Paper, p. 4).
Further information on the project ‘Audits of less complex entities’ and the Discussion paper can be
found at https://www.iaasb.org/projects/audits-less-complex-entities.
As a stakeholder, IFAC recently launched an Audits of Less Complex Entities Survey to obtain a
deeper understanding of the specific challenges in applying ISAs in audits of less complex entities
and capture views on the possible options to address these challenges to help inform the IAASB
deliberations. In addition, IFAC provides practical support to small- and medium-sized practices in relation
to implementation of ISAs while auditing SMEs through its publication, ‘Guide to Using International
Standards on Auditing in the Audits of Small- and Medium-Sized Entities’.
You may refer to the fourth edition (released in 2018) of the Guide at https://www.ifac.org/publications-
resources/guide-using-international-standards-auditing-audits-small-and-medium-sized-18.
Differential Reporting
The International Accounting Standards Board (IASB) in 2009 issued an International Financial Reporting
Standard (IFRS) for SMEs. The IFRS for SMEs is a self-contained accounting standard tailored to suit the
needs and capabilities of smaller businesses. Many of the principles in full IFRSs for recognising and
measuring assets, liabilities, income and expenses have been simplified, topics not relevant to SMEs have
been omitted, and the number of required disclosures has been significantly reduced. To reduce further the
reporting burden for SMEs, revisions to the IFRS will be limited to once every three years.
In Australia, the Australian Accounting Standards Board (AASB) introduced a differential reporting
framework for the types of organisations that need to issue general purpose financial statements (GPFSs).
The reduced disclosure requirements were introduced as a second tier of reporting requirements for
preparing general purpose financial statements. The aim is to reduce reporting needs of entities that
previously were required to apply full IFRSs but found the disclosures under full IFRSs burdensome.
Pdf_Folio:48

48 Advanced Audit and Assurance

Under the differential reporting framework, Tier 1 reporting (full IFRSs) applies only to for-profit private
sector entities that have public accountability, the Australian government, and state, territory and local gov-
ernments.
Thus, the reporting and audit burden facing small businesses was addressed by reducing the complexity
of the accounting requirements.

Public Sector Perspective

As mentioned earlier, ISAs apply to both the private and public sectors, so it is worthwhile at this point
to briefly discuss public sector auditing and also to show that an audit of financial statements is only
one aspect of the role of the public sector auditor. To understand public sector auditing, it is necessary to
understand the environment in which the public sector auditor works. The following section examines this
environment, the role of the public sector auditor and the role of the Auditor-General. In countries that
adopt the Westminster system of government, the title ‘Auditor-General’ is usually applied to the public
sector auditor.
The control of public expenditure is one of the main responsibilities of government. Each year parliament
approves a budget, and procedures and regulations ensure that all transactions entered into by government
departments and agencies are legally permissible and conform with the annual appropriations. This
budgetary and appropriation system is central to financial control.
Several instrumentalities participate in the control of public expenditures.
• Parliament is responsible for authorising annual expenditures.
• The treasurer is the minister responsible for financial and economic matters. At the Commonwealth
level, the treasurer is supported by the Department of Finance, and at the state level by the Treasury.
• The audit acts and finance regulations prescribe in detail the accounting practices to be followed by all
levels of government.
• The Auditor-General is responsible to the parliament (the responsibilities of the Auditor-General are
discussed in this section).
• Public accounts committees examine the accounts of the receipts and expenditures and the Auditor-
General’s report.
Public sector audit work involves financial statement auditing. It is recognised that it is important that
expenditure decisions are made wisely, and that government departments and agencies conduct their
affairs effectively, and with efficiency and economy. This understanding has led to the development of
performance auditing. Performance audits result in a separate report to parliament following the completion
of each audit. Performance audits other than financial statement audits are covered in module 5.
Because of the considerable variance in the legislation that applies to public sector auditors worldwide,
this section focuses on the standards framework at a general level.
Mandate of the Auditor-General
In this section, the work of public sector auditors is illustrated by discussion of the roles of some auditors-
general.
Australia
In Australia, the audit of government departments, statutory authorities and instrumentalities is primarily
the responsibility of the Auditor-General. The Auditor-General also acts as auditor for government
corporations by arrangement with the responsible ministers. Each state and territory has an Auditor-
General whose duties are governed by state legislation and are similar to those of the Australian Auditor-
General. In the public sector, auditors work for either the Australian National Audit Office (ANAO) or
state audit offices, which support the various state auditors-general.
The Australian Auditor-General is responsible under the Auditor-General Act 1997 (Cwlth) for provid-
ing auditing services to parliament and public sector entities. The ANAO supports the Australian Auditor-
General, who is an independent officer of the parliament. It is important to note that auditors-general are
independent — they are not subject to control or direction by either parliament or the government. This
independence is provided for by the respective legislation.
The ANAO’s primary client is the Australian parliament and its purpose is to provide parliament ‘with
an independent assessment of selected areas of public administration, and assurance about public sector
financial reporting, administration, and accountability’ (ANAO 2019). The ANAO conducts performance
audits, financial statements audits and assurance reviews.
To obtain a better understanding of the audit work carried out by the various state audit offices in
Australia, consider the following core services provided by the Audit Office of New South Wales:
Pdf_Folio:49

MODULE 1 The Auditing and Assurance Framework 49

 Financial audits
Our financial audits provide independent opinions on the financial statements of NSW government entities,
universities and councils. Our opinions provide assurance about whether these financial statements comply
with accounting standards, relevant laws, regulations and government directions. Additional financial audits
are undertaken each year on the General Government and Total State Sector Accounts. Financial statement
audits also highlight opportunities where entities can improve their accounting and financial systems.

Performance audits
Performance audits provide information to the New South Wales Parliament and public about how well
government programs and services are delivered. Ultimately, they aim to improve public administration.
Performance audits examine whether programs and services are delivered efficiently, effectively, econom-
ically and in accordance with the law.

Special reports
Special audits are sometimes conducted to confirm that specific legislation, directions and regulations have
been adhered to.

Source: Audit Office of New South Wales, ‘Our work’, accessed July 2019, https://www.audit.nsw.gov.au/our-work
© Audit Office of New South Wales 2019.

Hong Kong
In Hong Kong, the equivalent of the ANAO is the Audit Commission. The Audit Commission was
established on 1 July 1997 pursuant to the ‘Basic Law of the Hong Kong Special Administrative Region
of the People’s Republic of China’ (Audit Commission 2019a).
The head of the Audit Commission is the Director of Audit. The duties and powers of the Director of
Audit are set out in the ‘Audit Ordinance’ (Cap. 122) (Audit Commission 2019b). The Director of Audit:
1. is the external auditor of the accounts of the Government of Hong Kong Special Administrative Region;
has wide powers of access to the records of departments;
2. can require any public officer to give an explanation and to furnish such information as he thinks fit to
enable him to discharge his duties; and
3. is not subject to the direction or control of any other person or authority in performing his duties and
when exercising his powers under the Ordinance (Audit Commission 2019b).
Example 1.5 deals with public sector audits. Complete the example now.

EXAMPLE 1.5

Public Sector Audits

The Victorian Auditor-General’s Office (VAGO) notes that its audit findings and recommendations address
the following for government organisations.
1. The effectiveness, efficiency, and economy of government agencies, programs and services.
2. The quality of resources management.
3. Opportunities for improvements in management practices and systems.
4. The fair presentation of annual financial statements and performance statements.
5. Compliance with legislative and other requirements.
6. Wastage or lack of probity in the management of public resources.
............................................................................................................................................................................
Determine which of the following findings would most likely arise from a financial statement audit and/or a
performance audit.
• The effectiveness, efficiency, and economy of government agencies, programs and services
• The quality of resources management
• Opportunities for improvements in management practices and systems
• The fair presentation of annual financial statements and performance statements
• Compliance with legislative and other requirements
• Wastage or lack of probity in the management of public resources.
Check your response against the suggested answer at the end of the book.
Source: Victorian Auditor-General’s Office 2019, ‘Our role’, accessed July 2019, https://www.audit.vic.gov.au/our-role
© Victorian Auditor-General’s Office 2019.

df_Folio:50
P

50 Advanced Audit and Assurance

APPLICATION OF ISREs
ISREs are international standards that cover the basic principles and essential procedures governing review
engagements on historical financial information. There are only two international standards covering
review engagements.
1. ISRE 2410 Review of Interim Financial Information Performed by the Independent Auditor of the
Entity — covers reviews of interim and other financial information performed by the independent
auditor of the entity.
– For example, reviewing quarterly or half-yearly interim financial statements.
2. ISRE 2400 (Revised) Engagements to Review Historical Financial Statements — covers engagements
to review financial statements performed by an assurance practitioner who is not the auditor of the entity.
– For example, where an entity that is not required to have its annual financial statements audited
decides to have these reviewed as stakeholders such as banks or shareholders want to ensure the
amounts shown on the financial statements are believable.
The following points related to review engagements are worth noting and will be discussed further in
module 5.
• A review provides only limited assurance whether the financial statements conform to generally
accepted accounting principles.
• When a review is performed by an independent auditor who also performed the audit of general purpose
financial statements, the auditor brings the knowledge that they acquired when undertaking the annual
audit to the review engagement.
• Even though a review conducted by an auditor other than the auditor who performed the audit of the
general purpose financial statements starts off from a different knowledge based about the entity, both
review engagements should provide a similar level of assurance.

APPLICATION OF ISAEs
The overarching standard to be applied to all assurance engagements other than audits or reviews of
historical financial information is ISAE 3000 (Revised) Assurance Engagements Other than Audits or
Reviews of Historical Financial Information. In addition, there are four international subject specific
standards for these assurance engagements. They are:
1. ISAE 3400 The Examination of Prospective Financial Information
2. ISAE 3402 Assurance Reports on Controls at a Service Organisation
3. ISAE 3410 Assurance Engagements on Greenhouse Gas Statements
4. ISAE 3420 Assurance Engagements to Report on the Compilation of Pro Forma Financial Information
Included in a Prospectus.
The subject matters which can be assured under these types of engagements range widely. Some are
required by regulation and others are reported on a voluntary basis. There are five core types of other
assurance engagements that can be conducted either as reasonable or limited assurance engagements. The
five types of engagements and their specific international standards in addition to ISAE 3000 are as follows.
1. Historical non-financial reports — ISAE 3410.
– Includes: Performance engagements on use of resources or value for money (e.g. greenhouse gas
statements; sustainability reports; KPIs; statement on effective use of resources; statement on value
for money; corporate social responsibility reporting and integrated reports).
2. Future-oriented information — ISAE 3400 and 3420.
– Includes: Performance engagements (e.g. forecast/projected cash flow); Position engagements (e.g.
forecast/projected financial position); Performance engagements on use of resources or value for
money (e.g. expected emissions reductions attributable to a new technology, greenhouse gases to be
captured by planting trees, or statement that a proposed action will provide value for money).
3. Systems and processes — ISAE 3402.
– Includes: Description engagements (e.g. the description of a system of internal control); Design
engagements (e.g. the design of controls at a service organisation or the design of proposed controls
for a forthcoming production process); Operation/Performance engagements (e.g. the operating
effectiveness of procedures for hiring and training staff).
4. Aspects of behaviour.
– Includes: Compliance engagements; Human behaviour (e.g. evaluation of audit committee effective-
ness) and Other (e.g. fitness for purpose of a software package).
Pdf_Folio:51

MODULE 1 The Auditing and Assurance Framework 51

 5. Performance of activity — ASAE 3500 Performance Engagements.
– Includes: Performance engagements (e.g. performance of a public sector activity).
These other assurance engagements will be discussed further in module 5.

APPLICATION OF ISRSs
ISRSs apply to non-assurance engagements involving related services such as the following.
• Agreed-upon procedures — ISRS 4400 Engagements to Perform Agreed-Upon Procedures Regarding
Financial Information
– engagements where the auditor is engaged to issue a report of findings based on procedures agreed
upon with specified parties
– these procedures are potentially broad ranging and can be in any area where the client and user
perceive it to be beneficial to have a report on a matter using audit-related skills.
• Compilation engagements — ISRS 4410 (Revised) Compilation Engagements
– involve the use of accounting expertise, as opposed to auditing expertise, to collect, classify and/or
summarise financial information
– usually entails preparing financial statements from transaction and other information, without the
requirement to test the accuracy of that information
– commonly used for SMEs in circumstances where there is no requirement for the entity to have an
assurance report provided on their financial statements.
These non-assurance engagements will be discussed further in module 5.

AUSTRALIAN PERSPECTIVE
In Australia, Auditing standards ASA 100 Preamble to AUASB Standards, ASA 101 Preamble to
Australian Auditing Standards and ASA 102 Compliance with Ethical Requirements when Performing
Audits, Reviews and Other Assurance Engagements require assurance practitioners to comply with all
AUASB standards, Auditing standards and Ethical requirements respectively. ASA 101 is an Australia-
only standard that outlines how the AUASB intends the Australian standards to be understood, interpreted
and applied. An important aspect of this standard is the distinction made between ‘auditing standards’ and
‘auditing and assurance standards for other purposes’, which is significant for enforcement purposes.
In Australia, the AUASB drafts Australian Auditing Standards (ASAs) equivalent to ISAs (see
ASA 101). The following points are noteworthy.
• Only Australian auditing standards have the ‘force of law’ — that is, they are legally enforceable.
• The ASAs are written in the context of an audit of a ‘financial report’.
• Where the ASAs diverge from the ISAs, these are identified by a paragraph reference ‘Aus x.x’ in the
Australian standards.
The ASAs also include some standards that do not exist at the international level, for example:
– ASRE 2415 Review of a Financial Report: Company Limited by Guarantee or an Entity Reporting
under the ACNC Act or Other Applicable Legislation or Regulation (discussed below)
– ASAE 3100 Compliance Engagements
– ASAE 3150 Assurance Engagements on Controls
– ASAE 3450 Assurance Engagements involving Corporate Fundraisings and/or Prospective Finan-
cial Information
– ASAE 3500 Performance Engagements
– ASAE 3610/AWAS 2 Assurance Engagements on General Purpose Water Accounting Reports
– APES 310 Client Monies
– ASRS 4450 Comfort Letter Engagements.
These standards will be discussed further in module 5.
In Australia, changes to the Corporations Act led to the issue of ASRE 2415 which applies to:
• companies limited by guarantee
• an entity reporting under the Australian Charities and Not-for-Profit Commission Act 2012
(Cwlth) (ACNC Act)
• entities required to report under other applicable legislation or regulation.
Under the changes in legislation, there is a three-tiered differential reporting framework for such entities
(mainly not-for-profit entities). Entities in the first tier are exempt from preparing a financial report and are,
therefore, not required to have the annual report audited. Entities in the second tier (with annual revenue
between $250 000 and $1 million or with revenue below $250 000 and that are a deductible gift recipient)
Pdf_Folio:52

52 Advanced Audit and Assurance

must prepare a financial report that they can choose to have reviewed instead of audited. Under the third
tier, entities must continue to prepare an audited financial report; prepare a streamlined directors’ report,
rather than a full directors’ report; and are subject to a streamlined process for distributing the annual report
to members.

QUESTION 1.18

Providers of corporate sustainability assurance reports often state that the work was performed
in accordance with ISAE 3000 (Revised). Obtain a copy of each of these documents. Explain why
ISAE 3000 would be useful in CSR assurance.

The key points covered in this part, and the learning objectives they align to, are below.

KEY POINTS

1.1 Apply the International Framework for Assurance Engagements (the Framework) and the
related standards and other guidance to assurance engagements.
• Different standards are applicable to different types of assurance engagements.
• ISAs are applicable to all audit engagements. However, for smaller entities and less complex
entities, applicability of ISAs is different.
• The role and objectives of auditors are different for private sector and public sector audits.
• The overarching standard to be applied to all assurance engagements other than audits or reviews
of historical financial information is ISAE 3000 (Revised) Assurance Engagements Other than Audits
or Reviews of Historical Financial Information.
• International Standards on Auditing (ISAs) are to be applied in the audit of historical financial
information.
• International Standards on Review Engagements (ISREs) are to be applied in the review of historical
financial information.
• International Standards on Assurance Engagements (ISAEs) are to be applied in assurance
engagements other than audits or reviews of historical financial information.
• International Standards on Related Services (ISRSs) are to be applied to compilation engagements,
agreed upon procedures and other related service engagements.
• ISRE 2410 covers reviews of interim and other financial information performed by the independent
auditor of the entity, e.g. reviewing quarterly or half-yearly interim financial statements.
• ISRE 2400 (Revised) covers engagements to review financial statements performed by an assur-
ance practitioner who is not the auditor of the entity.
• ISAE 3410 Assurance Engagements on Greenhouse Gas Statements is specific to the assurance
of greenhouse gas statements.
• ISAE 3400 The Examination of Prospective Financial Information provides guidance on performing
assurance engagements related to prospective financial information.
• ISAE 3420 Assurance Engagements to Report on the Compilation of Pro Forma Financial Infor-
mation Included in a Prospectus provides guidance on performing assurance engagements on
future-oriented information related to pro forma financial information included in a prospectus.
• ISAE 3402 Assurance Reports on Controls at a Service Organization covers assurance engage-
ments on controls.
• ASAE 3500 Performance Engagements covers assurance engagements related to the performance
of an activity.
• ISRS 4400 Engagements to Perform Agreed-Upon Procedures Regarding Financial Information
covers engagements where the auditor is engaged to issue a report of findings based on procedures
agreed upon with specified parties.
• ISRS 4410 (Revised) Compilation Engagements provides guidance on compilation engagements
involving the use of accounting expertise, as opposed to auditing expertise, to collect, classify
and/or summarise financial information.

1.5 CHANGING ENVIRONMENT

Business is evolving rapidly in response to technological developments. Business models continue to evolve
with changes to technology and the way business entities transact across the globe. As part of understanding
the entity, the assurance team needs to understand how the business operates and creates value.
Pdf_Folio:53

MODULE 1 The Auditing and Assurance Framework 53

 Another area that is changing is the growing demand for entities to disclose climate risks due to climate
change. Assurance practitioners will assess the need for these disclosures when assessing the entity’s risks,
after gaining an understanding of the business.
Developments in automation, artificial intelligence, big data, data analytics and blockchain technologies
continue to provide better insights to management and improve business efficiency.
The following sections provide an overview of changes to the assurance environment due to evolving
business models, climate-risk disclosure requirements and technological innovations.

EVOLVING BUSINESS MODELS

A business model describes everything about how a business creates and delivers value to its stakeholders.
As such, business entities around the world use countless different business models. Many successful
business entities adapt elements of existing business models, whereas others develop entirely new business
models to respond to the needs of customers or changes to technology.
It is now commonplace for entities to diversify and expand their operations through mergers and
acquisitions, making it difficult to classify their operations, for example, as manufacturing or intellectual
property entities.
Business models need to continually evolve as entities react to changes by repositioning to avoid
emerging risks and to seize opportunities. Over time, these changes may transform everything about the
business model. In particular, an entity may change the way that it sells to its customers, and the way
customers buy, in both business-to-consumer and business-to-business transactions. Some of this change
is due to digitisation, as entities pursue new economic activities in virtual online markets (Sarson 2018).
However, technological disruption will continue to impact on an entity’s business model due to the fast
pace at which new technologies are evolving. For example, advances in artificial intelligence and robotics
make it difficult to predict how an entity will need to transform its business model to survive.
Some of the main business model innovations currently transforming the business world are next-
generation outsourcing and offshoring, the freemium model, crowdsourcing, subscription models, online
marketplaces, cloud solutions, on-demand, the gig economy and the sharing economy.
Gaining an understanding of the entity, including its business model, is important when planning an
audit and assessing the risk of material misstatements. Rapid changes to the environment have led to
business models continually evolving to enable entities to maintain a competitive advantage. As such,
business models are discussed in module 2 as a component of obtaining knowledge of the entity’s business
operations.

CLIMATE-RISK DISCLOSURE
Many entities in the Australian market, across a range of different industries, face risks due to climate
change. The Task Force on Climate-related Financial Disclosures (TCFD), established in 2016 by the
G20 Financial Stability Board, has made recommendations on the type of information that entities should
disclose to provide stakeholders with a better understanding of the entity’s climate-related risk exposure.
In doing so, the TCFD identified two main categories of climate-related risks.
1. Transition risks — transitioning to a lower-carbon economy may entail extensive policy, legal,
technology and market changes to address mitigation and adaption requirements related to climate
change.
2. Physical risks — physical risks resulting from climate change can be acute or chronic. Acute physical
risks refer to those that are event-driven, including increased severity of extreme weather events, such as
cyclones or floods. Chronic physical risks refer to longer-term shifts in climate patterns (e.g. sustained
higher temperatures) that may cause sea level rises or chronic heat waves (ASIC 2018, p. 5).
The TCFD released its final report in June 2017, setting out a framework for voluntary, consistent
climate-related financial disclosures. Also in 2017, the Senate Economics References Committee released
a report acknowledging that climate change presented material risks to Australian businesses. In their
report, they set out a number of recommendations around climate change, highlighting the importance of
adequate climate-risk disclosure.
To date, the majority of climate change and climate-risk-related disclosure has been provided outside
of statutory disclosure on a voluntary basis. Examples of voluntary disclosures include:
• disclosure under the TCFD recommendations
• the Carbon Disclosure Project (CDP)
• environmental, social and governance (ESG) sustainability policies.
Pdf_Folio:54

54 Advanced Audit and Assurance

 However in April 2019, the AASB and AuASB republished a joint guidance document for ‘financial
statement preparers and auditors on how to consider climate-related risks in the context of the financial
statements, including their potential impact on the amounts recognised and associated disclosures’
(Thomson, Fikkers & Stott 2019, p. 1). Investors place importance on climate-related risks to their decision
making thereby indicating that considering these risks requires materiality judgments. Therefore, entities
should no longer consider voluntary disclosures of climate-related risks as adequate. Instead, entities
should consider these risks in the context of their financial statements. Climate-related risks are likely
to impact financial statements of certain industries more than others, such as transportation, resources,
energy, agriculture, banks and insurers.
With this increased focus on climate-related risks, auditors need to consider climate-related risks during
the risk assessment phase of an audit in accordance with ISA 315 (Revised). Consideration of climate-
related risks during risk assessment when obtaining an understanding of the entity and its environment is
discussed further in module 2.
In addition, auditors may need to consider such risks when assessing accounting estimates used by
management in accordance with ISA 540 (Revised) Auditing Accounting Estimates, Including Fair Value
Accounting Estimates, and Related Disclosures. Auditors will need to substantiate climate-related risks
disclosed in the financial statements by entities to ensure the disclosures are appropriate given the
uncertainty surrounding such risks (Thomson, Fikkers & Stott 2019).
If material climate-related disclosures are reflected in the financial statements, this information would
be audited as part of the annual audit. Even though auditors read and consider other information presented
in the annual report to look for material inconsistencies with the financial statements, this other information
is not audited. When climate-related disclosures made outside the annual report (for example, in a
sustainability report) are assured, ISAE 3000 (Revised) is applicable. The assurance of sustainability
reports is discussed further in module 5.

TECHNOLOGICAL INNOVATIONS
We live in a fast-moving global economy. There is much more complexity in the ways that businesses
operate, and big data now provides huge amounts of information that conventional auditors with a historical
snapshot approach may miss.
Developments in artificial intelligence (AI) have provided the opportunity to increasingly embed
technology into the audit approach. For example, EY are developing a process of automation that provides
the information needed to conduct the audit. This dramatically reduces the time clients spend supporting
an audit, as well as the administrative time staff spend gathering the information. Instead, the auditors
begin the process at the point they need to start applying judgment, thereby enhancing audit quality.
What this example indicates is that the auditing profession is definitely ripe for disruption. The
profession has no choice but to adapt, and to do so quickly if it is to remain relevant and survive.
Entities are increasingly using disruptive technologies and big data to improve business practices. These
technological innovations have the potential to fundamentally transform the financial reporting process
and the way financial statements are audited. These innovations are illustrated in figure 1.8 as an audit
innovation continuum. The fundamental characteristics of this continuum are continuous auditing, full
population testing and audit by exception (Rozario 2019).
As the use of technology-based data analytics becomes more prominent in financial statement audits,
it is not difficult to imagine the potential use of more advanced innovation techniques in the conduct of
audits. On one side of the continuum is basic innovation, which is the use of existing technologies and
non-traditional sources of information. Data analytic tools such as CaseWare IDEA are used to perform
audit procedures (discussed further in module 2).
In the central section of the continuum, new technologies, such as robotic process automation (RPA)
and drones are used to modify the audit (discussed further later in this section). These tools are ideally
suited to rules-based tasks and can achieve near end-to-end process automation.
On the opposite side of the continuum is advanced innovation, which includes the use of new
technologies to redesign the audit. These technologies include blockchain and artificial intelligence, which
are also discussed later in this section. These innovative technologies have the potential to substantially
transform the audit process by executing unstructured, rules-based tasks, and storing audit information on
a secure and distributed ledger.
These innovations have the potential to change the nature, timing and extent of audit procedures which
is expected to improve audit quality.
Pdf_Folio:55

MODULE 1 The Auditing and Assurance Framework 55

 FIGURE 1.8 Audit innovation continuum

C
on ll e ex
tin po stin ce
Fu

uo pu g pt
Au

us la
di

au tion
t
tb

di
y

tin
g
io
n

Audit innovation continuum

Basic Intermediate Advanced

innovation innovation innovation

Unorthodox audit Robotic Process Blockchain

evidence Automation
Smart contracts
CaseWare IDEA
Drones
for data analysis Artificial
intelligence

Source: Rozario 2019, p. 3.

In this section, we discuss how these innovative technologies are disrupting the business environment
and impacting on the preparation and audit of financial statements.

Automation
Robotic process automation is a relatively simple and cheap approach to automating routine business
processes. More ambitious automation projects, projects that involve re-engineering how processes work,
or enterprise-wide automation projects may instead be built on artificial intelligence platforms and will
often use application program interface (API) based automation to integrate with other systems.
In accounting, software such as Xero, QuickBooks and Sage have APIs that allow third parties to connect
their own applications to those accounting platforms. For example, an entity’s application for storing
scanned documents can connect with QuickBooks via an API to provide the data from the documents
to the records in QuickBooks. This avoids needing to export (or manually retype) data from the scanned
documents and then uploading it to the accounting software.
Examples of APIs in business are integrations with banking software, credit control applications,
automated bookkeeping systems and online payments.
Auditing is a mix of mechanical, rules-based tasks and professional judgment. Vasarhelyi and Rozario
(2018) have provided an example of how the rules-based tasks could be implemented using robotic process
automation (figure 1.9). They point out that by automating these types of tasks, auditors can spend more
time using their professional judgment to analyse the difference and anomaly reports generated by the RPA
software, resulting in an overall improvement in audit quality.
An RPA revenue audit could remotely log into a client’s systems to retrieve relevant data, such as current
and prior year sales and the trial balance, total the sales and compare against the trial balance, then compare
whether the total revenue amounts are materially different. If the difference exceeds a predetermined
threshold, the system will generate an alert so the auditors can investigate further. Similar RPA can access
and compare orders, shipping documents and invoices (Vasarhelyi & Rozario 2018).
An implementation of RPA involves understanding and defining each process, standardising data records
so the system can compare data from different sources, and finally implementing RPA to run the processes
on the data and generate alerts and on-demand reports (Vasarhelyi & Rozario 2018).

Pdf_Folio:56

56 Advanced Audit and Assurance

 FIGURE 1.9 A suggested RPA implementation of a revenue audit

Audit team Revenue audit bot Server/cloud

implementation
Analyse, document,
program and test tasks
RPA

Testing
and processes for RPA
(once only)

Initiate audit Request audit evidence Provide audit evidence

(or set up ongoing • Sales listings
real-time audit) • Trial balance
Extract data

Import data to analysis software

Reconciliation

Calculate total sales per

sales listing
Audit:

Compare listing and

trial balance totals

Generate report to audit team:

• material
Review output difference/anomaly alert
• OK message.

Investigate issues

Initiate audit Request audit evidence Provide audit evidence:

(or set up ongoing • prior year audit
real-time audit) workpapers.
Extract prior year revenue balance

Import data to analysis software

Analysis
Audit:

Compare current and prior

year revenue

Generate report to audit team:

• material difference alert
Review output • OK message.

Investigate issues

P df_Folio:57

MODULE 1 The Auditing and Assurance Framework 57

 Audit team Revenue audit bot Server/cloud

Initiate audit Request audit evidence Provide audit evidence:

(or set up ongoing • all purchase orders
real-time audit) • all invoices
Extract data • all shipping lists.

Import data to analysis software

Testing
Audit:

Compare prices and quantities

across corresponding purchase
orders, invoices and shipping lists

Generate report to audit team:

Review output • mismatch alerts
• OK message.

Investigate issues

EXAMPLE 1.6

Automation of Accounts Payable Process

WNS Holdings Ltd (WNS) explored the potential for robotic process automation of the accounts payable
process. A number of significant obstacles were found:
• inconsistencies among invoices
• imperfect optical character recognition
• invoices not supported by a purchase order
• discrepancies requiring communication and/or negotiation between organisations
• concerns that a coding error could create chaos.
Nevertheless, the accounts payable process is a mix of rules-based components and aspects that
require judgment. If invoicing processes can be standardised, then the rules-based components can be
automated and some other aspects can be managed by the system in combination with human input.
Generally, any aspect requiring dealing with an external party (other than merely exchanging data) will at
present require a human.
WNS said that near-term automation of accounts payable was likely to be the automation of the rules-
based processes, essentially replacing human labour with a cheaper, faster and more accurate robot.
However, it believes long term, RPA will continue to evolve and improve as analytics-enabled processes
drive re-engineering of processes rather than digital reproduction of existing ones.
WNS suggests a software robot can cost as little as one-ninth of a full-time human employee but works
20 times faster.
............................................................................................................................................................................
What is the likely impact that the automation of accounting processes will have on auditors when under-
standing an entity’s accounting information system?
Check your response against the suggested answer at the end of the book.

Artificial Intelligence and Auditing

As we described earlier in relation to big data and blockchain, auditing is an area particularly suitable
for the application of technology. By automating the mechanical checks involved in auditing, it has the
potential to free up auditors to focus on complex areas requiring significant judgment and expertise. The
use of big data and analytics can further increase audit efficiency and reduce risk. Artificial intelligence
goes a step further than the automation technologies described earlier, in that it can act intelligently and
deal with unstructured data, thereby making decisions or suggestions to the auditor. This reduces the
need to filter and code data into standardised data formats. However, irrespective of the advancement in
various technologies, some continue to argue that accounting is not just a set of rules and hence, artificial
df_Folio:58
P

58 Advanced Audit and Assurance

intelligence cannot replace human input. Accounting requires professional judgment to a degree that would
make such complete automation impossible.

EXAMPLE 1.7

Use of Robotics to Catch Fraud in Expenses

The Association of Certified Fraud Examiners (ACFE) reports that only a small percentage of companies’
expense reports are closely examined, resulting in over $7 billion in annual losses from fraud. The ACFE’s
director of research says that, by using robots rather than random spot checks, companies can catch
fraud more than twice as fast and cut their fraud losses in half. Business owners can now get a 100%
overview of incoming employee expense reports using artificial intelligence tools such as SAP Concur’s
Concur Detect by AppZen, which only sends a charge for examination by a human auditor if it has a
red flag.
............................................................................................................................................................................
Why is this important for auditors and their clients?
Check your response against the suggested answer at the end of the book.
Source: Adapted from Marks 2019; Pinsker 2019.

Big Data
One of the weaknesses of traditional auditing is the reliance on investigating only a sample of documenta-
tion and transactions. It is quite possible for an audit — although performed professionally and diligently —
to fail to detect errors and fraudulent transactions amidst the mass of data available.
Big data refers to structured or unstructured data sets that are commonly described according to the
four Vs.
• Volume — data sets are too large for traditional tools to analyse.
• Variety — different data formats such as quantitative, images, video, text-based etc.
• Velocity — frequency at which new data become rapidly available.
• Veracity — quality and relevance of the data changes dramatically over time (Gepp et al. 2018).
The auditing profession has access to a large and growing volume of data available in real time, much
of which is automatically generated and captured by online processes and transactions.
Big data encompasses the techniques and technology used to draw inferences from the data. Often these
techniques seek to infer relationships and causal effects from sparse data. Computer scientists approach big
data as a method of uncovering patterns using algorithms to analyse all the data whereas statisticians treat
data as observations of an underlying process and extract information using sampling to make inferences
about the underlying process (Gepp et al. 2018). Insights into patterns and relationships will not only allow
auditors to provide a bird eye view of the financials but also a thorough view of the accounting records.
Focus on detecting fraudulent activities will also increase as auditors can now identify every transaction
that deviates from the expected norm. However, research by Gepp et al. (2018) found that the use of big
data techniques in auditing lagged behind its use in financial distress modelling, financial fraud modelling
and stock market prediction. Some leading auditing firms have started adopting big data techniques in
practice, but others are reluctant to adopt technologies that are yet to be adopted by their audit clients.
Challenges in adopting the technical advancements persist. More flexible models are used in big data
as traditional structured regression models are unlikely to fit big data well. Algorithms used to analyse big
data enable patterns to be identified that would not be possible using traditional statistical methods. Big
data offers limited value unless it is processed and analysed so that meaningful conclusions can be drawn.
Data analytics is the process of analysing data.

Data Analytics
Given the evolving environment, the Big Four firms in particular are investing in technology, especially
data analytics, as a means of making the audit more effective and efficient. In a major study, The future of
assurance: how technology is transforming the audit, the professional services firm Ernst & Young (EY)
has made a number of predictions. The report highlights the following points.
• Technical advances in high-performance computing mean that audit teams can gain access to more client
data than was ever before available to support the audit process.
• Advanced analytics and visualisation tools can enable auditors to concentrate their resources on high
risk areas where more judgment is required.
Pdf_Folio:59

MODULE 1 The Auditing and Assurance Framework 59

• There are now greater expectations of the value of audit, not only from clients but also from regulators
and investors, and auditors need to deliver.
Major business entities have recognised the opportunity that big data and analytics provide, and as
a result are making significant investments to better understand their business, risks and opportunities.
Data analytics is being increasingly discussed at the board of directors’ level. As clients continue to adopt
data analytics in their business, they expect auditors to do the same. It becomes imperative for auditors
to understand technological advancements for not only meeting client expectations but also for effective
communication with them.
As noted in an EY publication, ‘How big data and analytics are transforming the audit’:
… the transformed audit will expand beyond sample-based testing to include analysis of entire populations
of audit-relevant data (transaction activity and master data from key business processes), using intelligent
analytics to deliver a higher quality of audit evidence and more relevant business insights. Big data and
analytics are enabling auditors to better identify financial reporting, fraud and operational business risks
and tailor their approach to deliver a more relevant audit.

EY also notes that:

It’s a massive leap to go from traditional audit approaches to one that fully integrates big data and analytics
in a seamless manner … while the profession has long recognized the impact of data analysis on enhancing
the quality and relevance of the audit, mainstream use of this technique has been hampered due to a lack
of efficient technology solutions, problems with data capture and concerns about privacy. However, recent
technology advancements in big data and analytics are providing an opportunity to rethink the way in which
an audit is executed.

Overall, big data and analytics is providing opportunities to rethink how an audit is performed. In some
ways, the audit does not change. The auditor must still audit the same assertions, must still understand the
business and industry, and must still understand an entity’s system of internal control. However, technology
allows the auditor to rethink how risks are assessed and how audit tests are performed. However, simply
utilising a small team of data analysts is not recommended when attempting to utilise data analytics on
a large scale and in new ways. Individuals with data analytics skills need to be fully integrated with the
rest of the audit team so new opportunities for risk analysis and substantive testing can be identified and
utilised. An understanding of what data analytics techniques can offer audit firms is essential for every
member of the audit firm that influences the audit.

Blockchain
Blockchain is a type of distributed ledger technology that some say has the potential to disrupt and
transform entire industries. Blockchain technology uses the concept of peer consensus on a computer
network to create an immutable, decentralised public ledger without the need for a central trusted authority.
The blockchain functions as an open ledger that can record transactions in a way that is efficient, veri-
fiable and permanent. This sharply differentiates blockchain technology from other database technologies
and from the separate private ledgers maintained within business entities.
Implementing blockchain provides entities with the opportunity to write their transactions directly
into a joint register. This could replace separate records based on transaction receipts and would create
an interlocking system of enduring accounting records. Since all entries in a blockchain are distributed
and cryptographically sealed, falsifying or destroying them is practically impossible. It is similar to the
transaction being verified by a notary — only in an electronic and automatic way (figure 1.10 ) (Andersen
2016).
Standardisation would allow auditors to verify a large portion — or even all — of the most important data
behind the financial statements automatically and at any point in time, or even continuously, rather than
periodically as currently occurs. The cost and time necessary to conduct an audit — including the need to
involve a company’s accountants for long periods — would decline considerably. Machine learning could
also be used to interrogate transactions in real time in order to alert auditors to anomalies or other incidents
requiring investigation (Haimes 2018).
At present, cryptocurrencies, such as Bitcoin, are the best known and most widely adopted application
of blockchain technology, but increasingly, the financial sector and other industries are investigating and
experimenting with other blockchain applications. Blockchain technology has various potential advantages
for specific uses in accounting, but at present, such proposed uses remain largely theoretical. However, a
shift towards any of these would clearly represent a major disruptive event in the accounting industry.
Pdf_Folio:60

60 Advanced Audit and Assurance

 FIGURE 1.10 Automatic notarisation, automatic audit

Complete, automated Every transaction becomes

audit of all transactions ‘notarised’

Company A Company B
Blockchain

Blockchain entry serves in both companies’ accounting

Source: CPA 2019.

Due to data security concerns and businesses’ preference for control, an alternative — more likely —
application of blockchain is in a permissioned or private network where only trusted parties are able to
participate. Alternatively, blockchain data structures may merely be used as another database approach,
recording information in ways that largely mirror current processes.
Auditors will need to understand blockchain technology as it is implemented by their clients because it
has the potential to impact all record-keeping processes. As new techniques and procedures emerge with
the use of blockchain, the auditor’s role may continue to change. For example, ‘methods for obtaining
sufficient appropriate audit evidence will need to consider both traditional stand-alone general ledgers
as well as blockchain ledgers’ (Bible et al. 2017, p. 2). In addition, more efficient data extraction and
analysis may be possible due to greater standardisation and transparency in reporting and accounting using
blockchain technology.
Overall, the use of blockchain technology will result in multiple benefits to businesses and the
accounting profession.
• Blockchain-based accounting systems could greatly expand the scope and quality of information able
to be captured within accounting systems. As a distributed, tamper-proof ledger, a well-designed
blockchain doesn’t just cut out intermediaries, reduce costs, and increase speed and reach, it also offers
greater transparency and traceability for many business processes.
• Smart contracts hosted in a blockchain give rise to the ability to invoke and record the transactions
automatically. The automated nature of record keeping reduces the costs and risks of errors or fraud
encountered in manual record keeping and also reduces the associated costs (Carlin 2018).
• By capturing each transaction, and all relevant supporting documents and associated data in time-
stamped records in the blockchain, the entire life of every accounting incident can be captured. Entire
business processes — including accounting processes, but also numerous other dealings, such as the
supply chain — spanning over multiple departments or companies, become easily traceable (Andersen
2016; O’Leary 2017).
As a result, blockchain technology can further enhance audit efficiency and effectiveness. Big data and
analytics offer the potential of auditing 100% of an entity’s transactions. Blockchain technology can further
contribute by preventing records from being changed, falsified or destroyed.
The key points covered in this part, and the learning objectives they align to, are below.

KEY POINTS

1.1 Apply the International Framework for Assurance Engagements (the Framework) and the
related standards and other guidance to assurance engagements.
• Gaining an understanding of the entity, including its business model, is important when planning
an audit and assessing the risk of material misstatements. Rapid changes to the environment have
led to business models continually evolving to enable entities to maintain a competitive advantage.
• The majority of climate change and climate-risk-related disclosure provided to date have been
provided on a voluntary basis.
P df_Folio:61

MODULE 1 The Auditing and Assurance Framework 61

 • With an increased focus on climate-related risks, auditors need to consider climate-related risks
during the risk assessment phase of an audit, in accordance with ISA 315 (Revised).
• By automating rules-based tasks, auditors can spend more time using their professional judgment
to analyse the difference and anomaly reports generated by the RPA software, resulting in an overall
improvement in audit quality.
• Insights into patterns and relationships possible with the use of big data will not only allow auditors
to provide a bird’s eye view of the financials but also a thorough view of the accounting records.
• Technology allows the auditor to rethink how risks are assessed and how audit tests are performed.
• Implementing blockchain provides entities with the opportunity to write their transactions directly
into a joint register. This could replace separate records based on transaction receipts and would
create an interlocking system of enduring accounting records.
• With the fast developing technologies such as blockchain, big data and analytics, the future of audit
will be very different from what it is today.
• Standard-setters, regulators, educators and the professionals will need to challenge their mindset
and continuously seek solutions to arising issues.

REVIEW
This module started by providing an overview of the current assurance environment, including the
regulation of auditing in Australia. It then discussed the development of the International Framework
for Assurance Engagements (the Framework) that shapes auditing and other assurance engagements.
Following the structure of the Framework, the module introduced the key matters pertaining to an
assurance engagement, including:
• ethical principles — including requirements set out in the Code
• quality control standards — including ISQC 1 requirements
• description of assurance engagements
• attestation and direct engagements
• reasonable and limited assurance engagements
• scope of the Framework
• elements of an assurance engagement:
– three-party relationship
– underlying subject matter
– criteria
– evidence
– assurance report.
The discussion of evidence emphasised the importance of professional scepticism and professional
judgment in collecting and evaluating evidence. Expanding on various types of assurance engagements,
this module distinguished between audits of historical financial statements, audits of specialised areas,
review engagements, historical non-financial reports assurance, future-oriented information assurance,
assurance on systems and processes, assurance on aspects of behaviour and performance of an activity.
The module then discussed the application of standards to different types of entities, including private
sector, public sector and small and medium-sized entities. The typical mandates of auditors-general in
Australia and Hong Kong were also discussed briefly.
The final section outlined the impact a changing environment is having on auditing. The challenges
faced by the audit profession due to evolving business models, enhanced disclosure requirements related
to climate-risks and the incorporation of technological innovations, which are impacting on auditors when
gaining an understanding of the entity and its environment, were discussed.

WESTERWAYS CASE STUDY ACTIVITY

The Accounting Firm and the Audit of Westerways Pty Ltd

When Westerways Pty Ltd was founded, Campbell Lee Taylor was a three-partner firm of accountants in
public practice. Ray Campbell was the firm’s audit specialist, Alina Lee its tax and financial planning
specialist, and Anne Taylor its specialist in business systems consulting. The firm had developed a

df_Folio:62
P

62 Advanced Audit and Assurance

 good clientele over the previous 12 years. It employed 14 young professional staff and 4 secretarial and
administrative staff. Five of the professional staff spent much of their time on audit work. One of these,
Fiona Kerr, had four years’ experience in audit work and was in charge of some of the larger audits under
Ray Campbell.
Ray Campbell had known Len Lewis for many years and had performed various professional services
for him, including the audit of three of his businesses, a motor vehicle agency, a farm machinery agency,
and an engineering works, each of which has branches in Arnton and nearby towns. He knew him to be a
good business manager and had always had good relations with him. He did not know Mark Valenti. Nearly
four years ago, Len Lewis first approached Ray to perform the audit of the annual financial statements of
the new business that Mark Valenti was setting up assisted by Len’s finance.
The CLT audit clients included various agricultural, engineering, wholesale and service companies, as
well as the Lewis motor vehicle and farm machinery agencies, but, as it happened, no retail stores. The
partners decided that they should not turn down an opportunity to move into retail store auditing and
accepted the job.
Ray needed evidence that he would be taking on a client that brought in a satisfactory fee income for
the firm and would not damage the firm’s professional reputation. He therefore interviewed Len Lewis
about the proposed business and the entrepreneurs. Later, Len called in Mark and Joy Valenti and Ray
interviewed them also. With the permission of Len Lewis and the Valentis, the discussion was recorded and
the Minutes in Appendix 1 in the end-of-book case study contains a transcript of part of the discussions.
Additional Services for the New Company
In the first few months of the company’s existence, CLT performed a number of professional services for
its directors. Ray Campbell, who made the contact, passed the company establishment services to his
partners. Alina Lee, Corporate Services partner, had one of her division’s staff work with the Westerways
to prepare a financial plan, as well as to register the company for administration and taxation purposes.
Business Consulting partner, Anne Taylor, having assessed the company’s immediate needs and growth
prospects, advertised for proposals for an accounting system, analysed the submissions, and passed
on two proposals for consideration by the Valentis. They chose OurBiz, a system developed by System
Solutions Ltd (SSL), a Ventura-based I.T. firm. Through periodic visits, she monitored the installation of
the system and the training provided until she was sure, after two months, that the Valentis were using
the system effectively.
The CLT tax and planning division prepared the company’s tax returns in subsequent years and in
the first year provided some assistance with the budget. When the Westerways directors decided in mid
20X7 to set up another store in Tannam, the same division assisted with the financial planning. No further
information system services were required from CLT because OurBiz had proved to be a satisfactory
system and Westerways negotiated with SSL system expansions involving new hardware and software
for the new store’s LAN and some upgrading of the Arnton LAN to allow access to the Tannam system by
modem from the Arnton system for inquiry and data transfer.
Professional Integrity and Independence
CLT recognise that they have ethical responsibilities as professional accountants and auditors. They must
be competent to perform the audit, possessing both the skills required and the staff available at the
times required. They must have a high degree of integrity based on the principle that, as professional
accountants in public practice, their task is to serve the community and for that purpose to put service
before profit.
The partners of CLT are very conscious of their need to be, and to appear to be, independent of the
companies they audit. They know that in their audit work they must be entirely objective with respect
to the company and its management. This is because an auditor, even though dealing from day to day
with the management, and in practice normally agreeing the audit fee with the management, is actually
working primarily for the benefit of the shareholders and other parties external to the company, such as
lenders to it.
In accordance with professional guidelines, the firm for each audit client analyses the threats to its
independence. The threats are as follows.
• Self-interest. The loss of the firm’s objectivity from financial or related reasons.
• Self-review. The loss of its objectivity through situations of reviewing its own work.
• Advocacy. The loss of its objectivity through development of a ‘pro-client’ state of mind.
• Familiarity. The loss of its objectivity through becoming too close to the client.
• Intimidation. The loss of objectivity through pressure from client management.
Then, following professional guidelines, CLT make use of a variety of methods to offset these threats.
As general safeguards, the partners never allow themselves to rely on one client or set of related clients
(including staff of an audit client) for more than 10% of their fee income in a year. The partners lead their
staff by themselves participating in staff development seminars containing discussion of ethical issues.
Every six months, the firm circulates a document containing a list of all audit clients, and all partners and

P df_Folio:63

MODULE 1 The Auditing and Assurance Framework 63

 staff are required to respond by submitting a statement of any financial or other interests (e.g. a relative
working for a client) that might threaten the firm’s independence or appearance of independence with
respect to any of the clients. The firm also has policies on assignment of staff; for example, staff in Audit
Division may perform assurance or other compliance services, such as taxation work, but do not perform
consulting services.
Using the information provided above, and within the Westerways case study at the end of the Study
Guide, complete the following tasks.
............................................................................................................................................................................
CASE STUDY TASKS
1. Using part 3 Professional accountants in public practice of IESBA’s International Code of Ethics for
Professional Accountants (Including International Independence Standards) (the Code) as guidance, outline
the evidence provided in the case study that demonstrates whether Campbell Lee Taylor (CLT) considered
the following specific issues before accepting the Westerways audit for the first time.
• Issue 1. Conflict of interest — objectivity
• Issue 2. Professional appointments — integrity and/or professional behaviour
• Issue 3. Professional appointments — professional competence and due care
• Issue 4. Fees and other types of remuneration — professional competence and due care.
Complete the Campbell Lee Taylor standard audit working paper, IF1-EPI.
Hint: Read the memorandum contained in Appendix 1 for additional background information.
2. Identify the five essential elements of the Westerways assurance engagement in accordance with the
International Framework for Assurance Engagements.
Note: Working papers are available in Appendix 9 at the end of the case study information provided in
the Study Guide.

REFERENCES
Andersen N 2016, ‘Blockchain technology: a game-changer in accounting?’, Deloitte, March, accessed July 2019, https://
www2.deloitte.com/content/dam/Deloitte/de/Documents/Innovation/Blockchain_A%20game-changer%20in%20accounting.pdf
Audit Commission 2019a, ‘History of the Audit Commission’, accessed July 2019, http://www.aud.gov.hk/eng/aboutus/
about_history.htm
Audit Commission 2019b, ‘Role of the Director of Audit’, accessed July 2019, http://www.aud.gov.hk/eng/aboutus/about_role.htm
Australian National Audit Office (ANAO) 2019, ‘The Australian National Audit Office’, accessed August 2019,
https://www.anao.gov.au/about/australian-national-audit-office
Australian Securities and Investments Commission (ASIC) 2011, Regulatory Guide RG 230 Disclosing non-IFRS financial
information, accessed July 2019, https://asic.gov.au/regulatory-resources/find-a-document/regulatory-guides/rg-230-disclosing-
non-ifrs-financial-information/
Australian Securities and Investments Commission (ASIC) 2013, Regulatory Guide RG 34 Auditor’s Obligations: Reporting to
ASIC, accessed November 2017, http://www.asic.gov.au/media/1238083/rg34-published-31-may-2013.pdf
Australian Securities and Investments Commission (ASIC) 2018, Climate risk disclosure by Australia’s listed companies, Report
593, September, accessed July 2019, https://asic.gov.au/regulatory-resources/find-a-document/reports/rep-593-climate-risk-
disclosure-by-australia-s-listed-companies/
Australian Securities and Investments Commission (ASIC) 2019, Audit Inspection Program Report for 2017–18, Report 607,
accessed July 2019, https://download.asic.gov.au/media/4990650/rep607-published-24-january-2019.pdf
ASX 2018, ‘ASX Ltd Overview’, November, accessed August 2019, https://www.asx.com.au/documents/investor-relations/asx-
investor-fact-sheet.pdf
Bible, W, Raphael, J, Riviello, M, Taylor, P & Valiente, IO 2017, ‘Blockchain Technology and Its Potential Impact on the Audit
and Assurance Profession’, Chartered Professional Accountants of Canada (CPA Canada) & the American Institute of CPAs
(AICPA), accessed July 2019, https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/
downloadabledocuments/blockchain-technology-and-its-potential-impact-on-the-audit-and-assurance-profession.pdf
Carlin, T 2018, ‘Blockchain and the journey beyond double entry’, Australian Accounting Review, DOI: 10.1111/auar.12273, CPA
Australia.
Center for Audit Quality (CAQ) 2010, Deterring and Detecting Financial Reporting Fraud: A Platform for Action, accessed July
2019, https://www.thecaq.org/wp-content/uploads/2019/03/deterring-and-detecting-financial-reporting-fraud-a-platform-for-
action.pdf
Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2004, Enterprise Risk Management—Integrated
Framework, American Institute of Certified Public Accountants, New York.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013, Internal Control–Integrated Framework,
American Institute of Certified Public Accountants, New York.
CPA Australia 2017, Companies Limited by Guarantee and Incorporated Associations, accessed August 2019,
cpaaustralia.com.au/~/media/corporate/allfiles/document/professional-resources/auditing-assurance/incorporated-
associations.pdf
Deloitte 2019, ‘Audit - a regulated profession: responding to regulatory trends’, accessed August 2019, https://www2.deloitte.com/
au/en/pages/audit/articles/audit-regulated-profession.html
df_Folio:64
P

64 Advanced Audit and Assurance

Ernst & Young Australia 2018, ‘Transparency report 2018’, Ernst & Young Australia, accessed August 2019, https://www.ey.com/
Publication/vwLUAssets/EY-australia-transparency-report-2018/$FILE/EY-australia-transparency-report-2018.pdf
External Reporting Board (XRB) 2019a, ‘About XRB’, accessed July 2019, https://www.xrb.govt.nz/about-xrb/who-we-are/
External Reporting Board (XRB) 2019b, ‘Convergence with international standards and Trans-Tasman Harmonisation of
Standards’, accessed July 2019, https://www.xrb.govt.nz/standards-for-assurance-practitioners/convergence-with-international-
standards/
External Reporting Board (XRB) 2019c, ‘Current Standards and Guidance’, accessed July 2019, https://xrb.govt.nz/
Site/Auditing_Assurance_Standards/Current_Standards/default.aspx
Financial Markets Authority (FMA) 2019, Auditor Regulation and Oversight Plan 2019-2022, FMA, accessed July 2019,
https://www.fma.govt.nz/news-and-resources/reports-and-papers/auditor-regulation-and-oversight-plan/
Gepp, A, Linnenluecke, MK, O’Neill, MK & Terence, J 2018, ‘Big data techniques in auditing research and practice: Current
trends and future opportunities’, Journal of Accounting Literature, June, accessed July 2019, DOI: 10.1016/j.acclit.2017.05.003,
https://research.bond.edu.au/files/ 12803576/JAL_Big_Data_Auditing_Submitted_Version_Free_to_Share.pdf
Global Reporting Initiative (GRI) 2019, ‘About GRI’, accessed July 2019, https://www.globalreporting.org/information/about-
gri/Pages/default.aspx
Haimes, D 2018, ‘How blockchain will impact financial management software systems’, Blockchain Technology: An emerging
issues forum, accessed July 2019, http://aaahq.org/Meetings/2018/BlockchainAAA/Presentations-and-Materials/Thursday-
Video-3
HIH Royal Commission 2003, The Failure of HIH Insurance, Commonwealth of Australia, Canberra.
Hurtt, R. K. 2010, ‘Development of a scale to measure professional skepticism’, Auditing: A Journal of Practice & Theory, vol. 29,
no. 1, pp. 149–72.
International Auditing and Assurance Standards Board (IAASB) 2009, Applying ISAs Proportionately with the Size and
Complexity of an Entity, IFAC, New York, accessed July 2019, http://www.ifac.org/publications-resources/staff-questions-
answers-applying-isas-proportionately-size-and-complexity-ent
International Auditing and Assurance Standards Board (IAASB) 2014a, A Framework for Audit Quality: Key Elements
that Create an Environment for Audit Quality, IFAC, New York, accessed July 2019, http://www.iaasb.org/publications-
resources/framework-audit-quality-key-elements-create-environment-audit-quality
International Auditing and Assurance Standards Board (IAASB) 2014b, Glossary of Terms, IAASB, New York.
International Auditing and Assurance Standards Board (IAASB) 2015, Invitation to Comment: Enhancing Audit Quality in the
Public Interest—A Focus on Professional Skepticism, Quality Control, and Group Audits, IFAC, New York, accessed July 2019,
https://www.ifac.org/publications-resources/invitation-comment-enhancing-audit-quality-public-interest
International Auditing and Assurance Standards Board (IAASB) 2019, ‘About IAASB’, accessed July 2019,
http://www.iaasb.org/about-iaasb
International Ethics Standards Board for Accountants (IESBA) 2017, Responding to Non-compliance with Laws and
Regulations: Professional Accountants in Business, Staff Questions & Answers, February, accessed November 2017,
http://www.ifac.org/system/files/publications/files/IESBA-NOCLAR-QA-Professional-Accountant-IB.pdf
International Ethics Standards Board for Accountants (IESBA) 2018, International Code of Ethics for Professional Accountants
(Including International Independence Standards), accessed July 2019, https://www.ifac.org/system/files/publications/files/
Final-Pronouncement-The-Restructured-Code_0.pdf
International Federation of Accountants (IFAC) 2018–2019, Handbook of International Quality Control, Auditing, Review, Other
Assurance, and Related Services Pronouncements, IFAC, New York.
International Federation of Accountants (IFAC) 2019, accessed July 2019, https://www.ifac.org/about-ifac
International Forum of Independent Audit Regulators (IFIAR) 2019, ‘About us’, accessed July 2019, https://www.ifiar.org/about/
Johnson, R & Wiley, L 2018, Auditing: A practical approach with data analytics, 1st edn, Wiley.
Knapp, M & Knapp, C 2015, ‘The Le-Nature’s Inc Fraud: What happened and why?’, IMA Educational Case Journal, 14 July,
accessed August 2019, https://www.thecasecentre.org/programmeAdmin/products/view?id=134947.
KPMG 2011, Elevating Professional Judgment in Auditing: The KPMG Professional Judgment Framework, KPMG International.
Leung, P, Coram, P, Cooper, BJ & Richardson, P 2019, Audit and Assurance Services, 1st edn, Wiley, Milton.
Marks, G 2019, ‘Tech stories you may have missed: fraud-hunting robots’, Accounting Today, 1 May, accessed July 2019,
https://www.accountingtoday.com/list/tech-stories-you-may-have-missed-fraud-hunting-robots
Moroney, R, Campbell, F & Hamilton, J 2017, ‘Auditing: A practical approach’, 3rd edn, John Wiley & Sons Australia.
Nolder, CJ, & Kadous, K 2018, January 27 ’Grounding the professional skepticism construct in mindset and attitude
theory: A way forward’, Accounting, Organizations and Society. Forthcoming, https://ssrn.com/abstract=2524573 or
http://dx.doi.org/10.2139/ssrn.2524573
O’Leary, DE 2017, ‘Configuring blockchain architectures for transaction information in blockchain consortiums: the case of
accounting and supply chain systems’, Intelligent Systems for Accounting, Finance and Management, Vol. 24, no. 4,
pp. 138–147, doi: https://doi.org/10.1002/isaf.1417
Pinsker, B 2019, ‘Employers Using Robots to Catch Fraud in Expense Reports’, Insurance Journal, 26 March, accessed July 2019,
https://www.insurancejournal.com/news/national/2019/ 03/26/521573.htm
Rozario, AM 2019, ‘Three essays on audit innovation: Using social media information and disruptive technologies to enhance
audit quality’, PhD Dissertation, accessed July 2019, https://rucore.libraries.rutgers.edu/rutgers-lib/60551/
Sarson, T 2018, ‘Changing business models’, Insights, accessed July 2019, https://home.kpmg/xx/en/home/insights/
2018/10/changing-business-models.html
Thomson, G, Fikkers, R & Stott, M 2019, ‘Climate-related and other emerging risks’, Straight-away Alert, IFRS Bulletin from
PwC, May, accessed July 2019, https://www.pwc.com.au/assurance/ifrs/assets/straight-away-alert-20190521.pdf
Vasarhelyi, MA & Rozario, AM 2018, ‘How robotic process automation is transforming accounting and auditing’, The CPA
Journal, June, accessed July 2019, www.cpajournal.com/2018/07/02/how-robotic-process-automation-is-transforming-
accounting-and-auditing
Pdf_Folio:65

MODULE 1 The Auditing and Assurance Framework 65

MODULE 2

PLANNING THE AUDIT OF

HISTORICAL FINANCIAL
INFORMATION
Module 1
Auditing and Assurance Framework

• Definitions
• Elements
• Professional scepticism and judgment
• Quality control
• Ethical principles

Audits of historical financial Module 5

information Other assurance engagements

Module 4 • Review engagements

Module 2 Module 3 Conclusions and • Historical non-financial
Planning the audit Performing the audit reporting information
responsibilities
• Future-oriented information
• Compliance
• Controls and performance

Perform preliminary • Independence risk factors

Engagement acceptance
engagement activities • Engagement letter

• Overall audit strategy and plan

Perform audit planning Develop overall audit strategy
• Financial statement assertions
procedures and audit plan
• Materiality

Perform Assess risk of material

• Business and fraud risk
risk assessment misstatement through
understanding the entity • Other significant risks
procedures

• Internal control assessment

• Assessed risk of material

df_Folio:66
P

misstatements
LEARNING OBJECTIVES

After completing this module, you should be able to:

2.1 explain the responsibilities of management and the auditor in relation to an audit
2.2 evaluate historical financial information by applying professional scepticism and judgment
2.3 apply the processes and procedures undertaken by auditors in planning an audit
2.4 apply techniques to analyse factors that could impact fraud risk
2.5 design appropriate processes and procedures undertaken by auditors to identify and assess risks during
audit planning
2.6 apply the appropriate standards that relate to audit planning.

RELEVANT STANDARDS AND GUIDANCE MATERIALS

International standards Australian standards

IESBA International Code of Ethics for Professional APES 110 Code of Ethics for Professional Accountants
Accountants (including International Independence (including Independence Standards)
Standards)

ISA 200 Overall Objectives of the Independent Auditor ASA 200 Overall Objectives of the Independent Auditor
and the Conduct of an Audit in Accordance with and the Conduct of an Audit in Accordance with
International Standards on Auditing Australian Auditing Standards

ISA 210 Agreeing the Terms of Audit Engagements ASA 210 Agreeing the Terms of Audit Engagements
(Compiled)

ISA 220 Quality Control for an Audit of Financial ASA 220 Quality Control for an Audit of a Financial
Statements Report and Other Historical Financial Information
(Compiled)

ISA 230 Audit Documentation ASA 230 Audit Documentation (Compiled)

ISA 240 The Auditor’s Responsibilities Relating to Fraud ASA 240 The Auditor’s Responsibilities Relating to
in an Audit of Financial Statements Fraud in an Audit of a Financial Report (Compiled)

ISA 250 (Revised) Consideration of Laws and ASA 250 Consideration of Laws and Regulations in an
Regulations in an Audit of a Financial Report Audit of a Financial Report

ISA 260 (Revised) Communication with Those Charged ASA 260 Communication with Those Charged with
with Governance Governance (Compiled)

ISA 300 Planning an Audit of Financial Statements ASA 300 Planning an Audit of a Financial Report
(Compiled)

ISA 315 (Revised) Identifying and Assessing the Risks ASA 315 Identifying and Assessing the Risks of
of Material Misstatement through Understanding the Material Misstatement through Understanding the
Entity and Its Environment Entity and Its Environment (Compiled)

ISA 320 Materiality in Planning and Performing an Audit ASA 320 Materiality in Planning and Performing an
Audit (Compiled)

ISA 330 The Auditor’s Responses to Assessed Risks ASA 330 The Auditor’s Responses to Assessed Risks
(Compiled)

ISA 450 Evaluation of Misstatements Identified during ASA 450 Evaluation of Misstatements Identified during
the Audit the Audit (Compiled)

ISA 540 (Revised) Auditing Accounting Estimates and ASA 540 Auditing Accounting Estimates and Related
Related Disclosures Disclosures

ISA 550 Related Parties ASA 550 Related Parties (Compiled)

ISA 570 (Revised) Going Concern ASA 570 Going Concern

ISQC 1 Quality Control for Firms that Perform Audits
and Reviews of Financial Statements, and Other
Assurance and Related Services Engagements
P df_Folio:67
ASQC 1 Quality Control for Firms that Perform Audits
and Reviews of Financial Reports and Other Financial
Information, Other Assurance Engagements and
Related Services Engagements

MODULE 2 Planning the Audit of Historical Financial Information 67

PREVIEW
This module discusses auditing standards that are applied to audits of historical financial information (i.e.
audits of financial statements).
Module 1 discussed the framework for assurance engagements, which informs the development of
auditing standards and provides a frame of reference for those undertaking or involved in assurance
engagements. The framework identifies two types of assurance engagements:
1. reasonable assurance engagements
2. limited assurance engagements.
This module builds on the material in module 1 and focuses on reasonable assurance engagements in the
form of the audit of financial statements. It focuses mainly on International Standards on Auditing (ISAs)
at the 200, 300 and 400 level.
The 200-level series of auditing standards covers the general principles and responsibilities, including
the objectives, of an audit of financial statements, whereas the 300- and 400-level series covers risk
assessment and response to assessed risks.
Many of the matters discussed — terms of engagements, quality control for audits, audit documentation
and the auditor’s responsibility to consider fraud — in these and some of the intervening standards are
introduced in the International Framework for Assurance Engagements (discussed in module 1) and
elaborated upon in terms of ethical considerations in the International Code of Ethics for Professional
Accountants (including International Independence Standards) (the Code) and International Standard
on Quality Control (ISQC) 1 Quality Control for Firms that Perform Audits and Reviews of Financial
Statements, and Other Assurance and Related Services Engagements.
A major focus of this module is ISA 315 (Revised) Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and Its Environment. The remainder of the module covers
materiality (ISA 320 Materiality in Planning and Performing an Audit) and responses to audit risks
(ISA 330 The Auditor’s Responses to Assessed Risks). More detailed coverage of the procedures is given
in module 3, which looks at the 500- and 600-level series of the ISAs.
In this module we introduce the concept of a ‘business risk’ and how it:
• impacts on the auditor’s knowledge and understanding of the client
• relates to the risk of material misstatement.
Obtaining an understanding of the business assists the auditor in:
• assessing risks and identifying problems
• planning and performing the audit both effectively and efficiently
• evaluating audit evidence.
Risk assessments for specific items that are likely to be significant risks are considered. The risks include
fraud, accounting estimates, related parties, going concern, climate-related risks and non-compliance with
laws and regulations (NOCLAR).
This module provides an overview of some techniques for obtaining an understanding of the entity
and its environment, including strategic analysis, analytical procedures and data analytics. This includes
understanding the entity’s business model and strategy.
Strategic analysis is an important part of risk analysis. Emphasis is placed on the following techniques
used in strategic analysis to identify business risks:
• SWOT analysis
• PEST analysis
• value chain analysis
• data analytics.
While the management literature employs these types of analysis to identify investing and operating
opportunities, auditors consider threats to the auditee’s business as a source of audit risk.
After discussing the planning of an audit and materiality, substantial emphasis is placed in this module
on ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understanding
the Entity and Its Environment and ISA 330 The Auditor’s Responses to Assessed Risks. As internal control
is a means of mitigating business risk, we examine the components of internal control using the framework
set out in ISA 315 (Revised). ISA 315 (Revised) is written to cover a wide range of environments ranging
from manual controls to a very sophisticated information technology (IT) environment. An important topic
covered in ISA 315 (Revised) is financial statement assertions.
Pdf_Folio:68

68 Advanced Audit and Assurance

 Following a discussion on the use of ISA 330 by the auditor in response to assessed risks, how the
overall audit strategy is developed is explained. This module concludes with an introduction to the two
major classes of audit procedures: tests of control, and substantive tests. The purpose of tests of control
is to support an assessed level of control risk (or the risk of material misstatement) as determined by
the evaluation of internal controls. Substantive tests of transactions and balances involve substantively
verifying the associated dollar values. The auditor will outline in the audit plan the most efficient and
effective combination of audit procedures to achieve a desired level of audit risk.

2.1 OBJECTIVES OF AN AUDIT OF

FINANCIAL STATEMENTS
OVERARCHING PURPOSE
ISA 200 (para. 3) states:
The purpose of an audit is to enhance the degree of confidence of intended users in the financial statements.
This is achieved by the expression of an opinion by the auditor on whether the financial statements are
prepared, in all material respects, in accordance with an applicable financial reporting framework. In the
case of most general purpose frameworks, that opinion is on whether the financial statements are presented
fairly, in all material respects, or give a true and fair view in accordance with the framework. An audit
conducted in accordance with ISAs and relevant ethical requirements enables the auditor to form that
opinion (Ref: Para. A1).

The risk that an auditor will form an incorrect opinion is known as audit risk and is discussed next.

Audit Risk
Audit risk is the risk that the auditor will express an incorrect opinion when the financial statements are
materially misstated (ISA 200). Audit risk is a combination of all types and categories of risk, including
inherent, control and detection risks.
Inherent risk is a function of the nature and uncertainty surrounding some transactions, account bal-
ances and disclosures, such as complex calculations and accounting estimates. An entity’s environment,
including technological change and industry characteristics, may also present inherent risks.
Control risk relates to the efficacy of an entity’s internal controls and the risk that those controls will
not prevent, or detect and correct, a material misstatement at the assertion level. An absence of sufficient
or effective internal controls can provide both opportunities and motivation to engage in dysfunctional
behaviour.
Inherent and control risks exist independently of the audit of the financial statements. Managing these
risks is the responsibility of management. For example, some corporate failures and scandals (e.g. Hertz
and Banking Royal Commission) provide evidence that factors such as declining economic conditions,
changes in technology and demand, and poor internal controls, in conjunction with the attitude of
management towards achieving specified goals, prompted dysfunctional behaviour that resulted in the
misstatement of financial statements.
Detection risk is a function of the adequacy and effectiveness of the nature, timing and extent of audit
procedures that are determined by the auditor to reduce audit risk to an acceptably low level. It is the risk
that the procedures undertaken by the auditor will not detect a material misstatement.
The audit risk model provides a framework for auditors to follow in responding to these assessed risks
through their choice of audit procedures. However, note that the auditing standards are not specific on
what is an acceptable level of audit risk, and use of the audit risk model requires a significant degree of
judgment by the auditor. In relation to the components of audit risk, the auditor generally expresses each
component in non-quantitative terms (such as low, medium and high, as shown in figure 2.1). The matrix
demonstrates that the acceptable levels of detection risk are inversely related to the assessments of inherent
and control risks.
Auditors plan and perform their audit to keep audit risk at an acceptably low level (ISA 200, para. 17).
If inherent and control risks are high for an assertion, the auditor will set detection risk as low, to maintain
a low audit risk. A low detection risk means the auditors increase the amount of detailed audit procedures
used to test the year-end account balances and transactions from throughout the year.
Pdf_Folio:69

MODULE 2 Planning the Audit of Historical Financial Information 69

 FIGURE 2.1 Matrix of level of detection risk required to keep audit risk to an acceptably low level

Auditor’s assessment of control risk is

High Medium Low

High Lowest Lower Medium

Auditor’s
assessment
Medium Lower Medium Higher
of inherent
risk is
Low Medium Highest Highest

Source: Leung et al. 2018, p. 310.

If an auditor’s assessment of control and inherent risks are both high (there is high likelihood of errors
in the financial statements), then the acceptable level of detection risk will have to be very low; that is,
the risk that the auditor’s substantive procedures will not detect material misstatements will need to
be low. Conversely, if an auditor’s assessment of control and inherent risks are both low (there is only
a small likelihood of errors in the financial statements), then the acceptable level of detection risk can
be high; that is, the risk that the auditor’s substantive procedures will not detect material misstatements
can be high.
The auditor often assesses inherent and control risks jointly when assessing the risk of material
misstatement (i.e. inherent risk and control risk determine the probability that financial statements contain
material misstatements).

While inherent risk and control risk are the entity’s risks, they are still important to the auditor given
their relationship to overall audit risk. For a given level of detection risk, the higher the inherent and
control risks, the greater the audit risk (i.e. the risk that an auditor may express an inappropriate opinion
on financial information that is materially misstated). The risks of material misstatement may exist at
two levels:
• the overall financial statement level; and
• the assertion level for classes of transactions, account balances, and disclosures (ISA 200, para. A36).

Risks of material misstatement at the overall financial statement level refer to risks that relate to
the financial statements as a whole, potentially affecting many assertions. On the other hand, risks of
material misstatement at the assertion level relates to specific classes of transactions, account balances and
disclosures. Examples of factors that increase inherent risk and control risk at the financial statement level
are shown in figure 2.2.
Further details on risks of material misstatement are contained in ISA 200, paragraphs A36–A38.
Read these sections now.
In order to reduce audit risk to an acceptably low level (ISA 200, para. 17), and thereby enable the
auditor to form an opinion, it is necessary for the auditor to obtain sufficient appropriate audit evidence.
In order to obtain sufficient appropriate audit evidence, the extent of audit testing is based on the level of
detection risk set by the auditor to achieve a low level of audit risk.
The ASIC audit inspection program report for 2017–18 found that for 24% of key audit areas reviewed,
auditors did not obtain reasonable assurance that the financial report as a whole was free of material
misstatement (ASIC 2019, p. 4). ASIC continues to stress the importance for auditors to focus on the
sufficiency and appropriateness of audit evidence obtained (ASIC 2019, p. 7).
In its 2017–18 report, ASIC notes that ‘in addition to maintaining a strong culture of audit
quality . . . audit firms should continue to improve both the adequacy of their audits of asset values
and revenue recognition’ (ASIC 2019, p. 28).

Pdf_Folio:70

70 Advanced Audit and Assurance

 FIGURE 2.2 Factors that increase inherent risk and control risk at the financial statement level

Inherent risk Control risk

• Obsolescence of the client’s products • Poor attitude of management towards
• Increased competition controls
• Technological advances by competitors • Limited segregation of duties
• Lack of independence of directors and • Staff not taking regular leave
management • Decrease in the size of the internal audit
• Ineffective audit committee group
• Increased degree of estimate required in
preparing financial statements
• Inexperienced and poorly trained
accounting staff
• Inappropriately designed bonus schemes
• Overemphasis on profits
• Unusual transactions near year end
• Optimistic press releases
• Long-term achievements used prominently
(e.g. references in annual reports to ten
years of uninterrupted profit growth)
• Key positions understaffed or staffed by
inexperienced managers

QUESTION 2.1

Consider the following three scenarios and state whether the scenario involves inherent risk,
control risk or detection risk.
(a) A business has high volumes of low-value revenue streams in multiple currencies.
(b) A business has limited segregation of duties in functional areas.
(c) The auditor of a business conducts inappropriate substantive testing.

Example 2.1 deals with the factors that increase or decrease inherent risk. Review the example now.

EXAMPLE 2.1

Inherent Risk
LRS Ltd is a hotel chain that operates 40 hotels throughout Australia and Asia. While its head office is in
Melbourne, it has hotels in all Australian capital cities as well as Beijing, Hong Kong SAR, Kuala Lumpur,
Singapore and Shanghai. Mr Lee, the chair of the board and CEO, has just put the audit out to tender, as he
believes the present auditor insisted on very conservative accounting policies. Control of the organisation
is in the hands of Mr Lee’s family, who have been majority shareholders for over 30 years. They have
extensive experience in the hotel industry. The board consists of four family members, who also hold
senior management positions, and there is one independent member of the board who is chairperson of
the audit committee.
As a result of credit restrictions, there has been a fall in the Australian share market, so the company
has delayed its public listing until later in the year. LRS Ltd has a low debt–equity ratio compared to the
industry average.
............................................................................................................................................................................
Identify the inherent risk factors and then evaluate whether they increase or decrease the inherent risk of
LRS Ltd.
Check your response against the suggested answer at the end of the book.

Example 2.2 deals with inherent risk at the financial statements level and at the account level for
inventory and trade debtors. Review the example now.

Pdf_Folio:71

MODULE 2 Planning the Audit of Historical Financial Information 71

 EXAMPLE 2.2

Inherent and Control Risks

You are the senior auditor in charge of the audit of Potholders Ltd, a retailer of garden pots and gnomes.
Your audit firm has been auditor for the last four years. Historically, the firm has had a competent and
qualified internal audit function upon whose work you have placed significant reliance. Management is
well respected and is viewed to have high integrity, although there was some friction last year when the
auditor discovered sales cutoff errors, which reduced profit and had an adverse impact on management
bonuses under the new bonus scheme.
While the company has been very profitable, drought and water restrictions have placed pressure on
management to maintain profitability. In planning the audit, you become aware of the following facts.
1. There is a cash shortage caused by recent business expansions and falls in cash inflow.
2. The accounts payable balance has increased by 30% on last year.
3. Days in debtors has increased from 45 days to 63 days.
4. Due to the difficulty of maintaining sales levels, credit checks are not always carried out.
5. Internal audit department staff levels have been halved.
6. After a recent series of thefts, control over inventory has been tightened. When goods are received, they
are counted and inspected and, after a pre-numbered goods received advice is prepared, the goods
are moved to an enclosed storage area with adequate security, including closed-circuit TV. Goods are
released from the store only upon receipt of a properly authorised requisition form.
7. In the past, all purchases were made centrally at head office. However, store managers are now
asked/allowed to purchase direct from local suppliers in order to obtain inventory at lower prices and
avoid transport costs. Some store managers in North Queensland are importing from Indonesia.
............................................................................................................................................................................
(a) Which facts increase the risk of material misstatement at the financial statement level?
(b) What are the inherent risks at the assertion level for inventory and trade debtors?
(c) Which facts increase or decrease control risk?
Check your response against the suggested answer at the end of the book.

Having explained the components of audit risk and identified the overarching purpose of an audit of
financial statements, we now discuss the legal, regulatory, professional and ethical requirements.

LEGAL, REGULATORY, PROFESSIONAL AND

ETHICAL REQUIREMENTS
The conduct of an audit of financial information is regulated by laws and regulations (including standards)
as well as the auditing profession’s code of ethics. Various specific requirements are discussed in the
following subsections.

Regulatory Environment
The regulatory environment includes the following.
• The audit review processes, including reviews performed by the professional bodies and those performed
by regulatory authorities. In Australia, ASIC’s statutory audit inspection process is considered a strength
of the regulatory process.
• A legally enforceable audit regulation framework that includes accounting standards, auditing standards
and auditor independence requirements.
• The quality of the applicable financial accounting framework.
• The soundness of corporate governance, law and regulation.
As discussed in module 1, the International Standards on Auditing (ISAs) are to be applied to the audit
of historical financial information. In this module, focus is on many of the 200, 300 and 400 series of
standards covering general principles and responsibilities (200 series) and risk assessment and response to
assessed risks (300 and 400 series). Of particular importance is ISA 300 Planning an Audit of Financial
Statements.
The Financial Reporting Council (FRC) empowers the AUASB to issue standards, guidance notes and
other information to provide clear standards for auditing and assurance services, in addition to other
related services. FRC also provides strategic advice related to the quality of audits conducted by Australian
audit firms.
df_Folio:72
P

72 Advanced Audit and Assurance

Quality Control for Audits
In module 1, ISQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Statements,
and Other Assurance and Related Services Engagements was discussed in detail. ISQC 1 establishes basic
principles and essential procedures with the intention of establishing a system of quality control designed
to provide reasonable assurance that the firm complies with professional standards, applicable legal and
regulatory requirements and issue appropriate reports.
Also, the International Federation of Accountants (IFAC) has developed a Guide to Quality Control for
Small- and Medium-Sized Practices (IFAC 2018b).
You can access this guide at https://www.ifac.org/publications-resources/guide-using-international-
standards-auditing-audits-small-and-medium-sized-en.
Wherever in the world you are auditing, the national requirements will be as demanding as, or more
demanding than, ISQC 1.
ISA 220 Quality Control for an Audit of Financial Statements deals with the specific responsibilities
of the auditor regarding quality control procedures for an audit of financial statements (ISA 220, para. 1)
at the engagement level while ISQC 1 covers quality controls required at the firm level. In Australia, the
equivalent ASA 220 also deals with the audit of a financial report and other historical financial information
(ASA 220, para. 1). Both ISA 220 and ASA 220 address the responsibilities of the engagement quality
control reviewer.
The engagement partner is required to take responsibility for the overall quality of an audit engagement
(ISA 220, para. 8). The engagement team is generally entitled to rely on the firm’s systems — for
example, competence of staff through recruitment and training, and independence via accumulation and
communication of relevant independence information (ISA 220, para A2).
Emphasis is placed on the engagement partner’s leadership responsibilities in relation to the quality of
audits. This is provided through both actions and communications to the engagement team. It is important
for the engagement partner to reinforce the importance of such actions as complying with the firm’s
quality control policies and procedures, emphasising the fact that quality is essential in performing audit
engagements (ISA 220, para. A3).
Read ISA 220 Quality Control for an Audit of Financial Statements.
In 2018–19, the IAASB proposed a suite of quality management standards. One of the most significant
issues highlighted in the invitation to comment on the Quality Management Standards was fostering an
appropriately independent and sceptical mindset of the auditor (IAASB 2019a). Professional scepticism
is an essential attribute that all auditors need to possess.
As part of IAASB’s proposed changes, it released an exposure draft for the proposed ISA 220 (Revised)
Quality Management for an Audit of Financial Statements, aimed at improving the management of quality
at the engagement level for audits of financial statements. It contains enhanced requirements and guidance
relating to professional judgment and scepticism, the engagement partner’s role and responsibilities and
the use of technology for audit purposes (IAASB 2019b).
Engagement Team Members’ Compliance with Ethical Requirements
ISA 220 explains the ethical requirements, including independence, of the engagement team in relation
to audit engagements. In particular, the engagement partner shall consider whether members of the
engagement team complied with relevant ethical requirements relating to audit engagements. This includes
the fundamental principles of professional ethics:
a) Integrity;
b) Objectivity;
c) Professional competence and due care;
d) Confidentiality; and
e) Professional behaviour (ISA 220, para. A4).

Each of these items was discussed in module 1. The engagement partner must remain alert for evidence
of non-compliance with the ethical requirements relating to the audit engagement.
Non-compliance can be at the firm level (e.g. the control system to monitor employee ownership of
shares in listed companies is not adequate) or at the individual client level (e.g. the audit manager and the
CFO are related). In most firms, senior personnel (e.g. risk management partners) will be assigned to look
after these issues at the firm level. However, individual partners are responsible at the engagement level.
ASIC (2019) discusses compliance with these independence requirements. It states that most firms have
established policies and processes to facilitate compliance with the auditor independence requirements of
Pdf_Folio:73

MODULE 2 Planning the Audit of Historical Financial Information 73

the Corporations Act 2001 (Cwlth) (Corporations Act) and professional standards. However, there were
some instances that could undermine the actual or apparent independence and objectivity of auditors:
• ‘three instances in the largest six firms, where . . . the provision of non-audit services to clients raised
concerns about the appearance of independence being compromised’
• cases where the firm’s internal independence teams were not consulted to advise on the acceptability of
non-audit services to clients (ASIC 2019, p. 40).
Acceptance and Continuance of Client Relationships
These acceptance and continuance decisions should focus on independence considerations, possible
conflicts of interest and the ability to provide requisite skills to conduct the audit (e.g. does the firm have
staff with the required expertise to do this audit?).
For each engagement, the engagement partner is required to make the acceptance or continuance
decision prior to commencing the audit, and this decision needs to be documented. Prior to accepting
the engagement, laws, regulations or relevant ethical requirements may require the auditor to request
the predecessor auditor to provide known information regarding any facts or circumstances that, in the
predecessor auditor’s judgment, the auditor needs to be aware of before deciding whether to accept the
engagement (ISA 220, para. A9).
Thereafter, ‘if the engagement partner obtains information that would have caused the firm to decline
the audit engagement had that information been available earlier’, this information needs to be promptly
communicated to the firm so that ‘necessary action’ can be taken (ISA 220, para. 13). The auditing standard
is not clear on what this appropriate action should be, but it is likely to depend on what stage of the audit
has been reached. During the audit, it is unlikely that the firm would withdraw from the audit, although
this could happen.
Assignment of Engagement Teams
ISA 220 requires the appropriate assignment of engagement teams. In particular, the engagement partner
needs to be satisfied that the engagement team collectively has the appropriate capabilities and competence
to perform the audit engagement (ISA 220, para. 14). Note that these requirements apply to the engagement
team as a whole. Therefore, it is possible to put a staff member on an audit without all of the required
capabilities and competencies, provided there is adequate supervision and review. In most firms, these
issues will be handled through staff training and on-the-job training. Knowledge of relevant industries can
sometimes provide additional challenges and require using resources from outside the firm.
Engagement Performance
The engagement partner takes responsibility for the direction, supervision and performance of the audit
engagement (ISA 220, para. 15).
Direction to other members of the audit engagement team would normally include:
• their responsibilities
• risk-related issues
• problems that may arise
• the detailed approach to the performance of the engagement.
Supervision of members of the engagement team is also an important aspect of engagement perfor-
mance. ISA 220, paragraph A16 provides the following examples of supervision:
• tracking the progress of the audit engagement
• considering the capabilities, competence, time availability and understanding of instructions of team
members, and whether the work is being carried out consistent with the planned audit approach
• addressing significant issues that arise during the audit and modifying the planned approach where
appropriate
• identifying matters for consultation with more experienced engagement members.

Auditor Independence for the Audit of Financial Statements

Module 1 discussed the importance of independence in the acceptance and continuance of an assurance
engagement. In this module, we discuss the additional independence requirements for an audit of financial
statements.
For an audit of a financial report in Australia, the concept of auditor independence is embodied in
statute. The Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004
(Cwlth) (also known as CLERP 9) imposes independence requirements on auditors of financial reports.
These requirements amend the Corporations Act 2001.
Pdf_Folio:74

74 Advanced Audit and Assurance

 The Corporations Act 2001 (s. 307C) requires that the auditor provides directors of the client with a
written declaration as to whether the auditor is aware of any contraventions of the auditor independence
provisions of the Corporations Act or codes of professional conduct, such as a conflict of interest situation
as defined at section 324CD of the Corporations Act.
The Corporations Act provides some guidance, in the context of defences to charges of a breach of the
independence provisions and on how independence may be demonstrated. The first of these provisions
provides a maximum hours test, whereby a maximum of ten hours of non-audit services can be provided
during the period to which the audit relates. A further ten hours of non-audit services can be provided
in the 12 months immediately prior to the period to which the audit relates. Subsection 324CF(7) of the
Corporations Act provides an independence test based on the relationship between the auditor and the
audit entity, such as influence, participation in the business or professional activities of the audit practice
and an absence of financial arrangements.
Some other requirements included in Division 3 ‘Auditor independence’ of the Corporations Act, such
as specific requirements for listed companies in relation to auditor independence are outlined in section
300 (11AA–11E).
Under the Corporations Legislation Amendment (Audit Enhancement) Act 2012 (Cwlth), ASIC has
the responsibility for monitoring auditor independence. Under this Act, ASIC carries out its inspection
program of audit firms, including audit quality and independence.
This Act also requires audit firms with ten or more significant audits to publish an annual transparency
report that includes information about the audit firm’s independence practices. These transparency reports
can be found on the websites of the large audit firms.
In Australia, the Joint Accounting Bodies’ Independence guide ‘provides practical examples of
independence issues encountered by accountants and auditors’. You can access the guide on the
CPA Australia website at www.cpaaustralia.com.au/~/media/corporate/allfiles/document/professional-
resources/auditing-assurance/independence-guide.pdf

Auditor Independence and United States Legislation

The Sarbanes–Oxley Act 2002 (US) became part of corporate regulation in the United States following
high-profile corporate collapses such as Enron and WorldCom. This legislation contains provisions similar
in intent to the CLERP 9 amendments to the Corporations Act, outlined previously, but is more explicit in
identifying non-audit functions that are deemed incompatible with auditor independence.
While this legislation originated in the United States, the global nature of business means that Australian
audit firms must be cognisant of these legislative and regulatory requirements, as the Sarbanes–Oxley Act
applies to Australian companies listed in a stock exchange in the United States.
Compliance with Independence Requirements
The engagement partner is required to form a conclusion on compliance with independence requirements
applicable to audit engagements as outlined in ISA 220, para. 11. For example, the engagement partner is
required to:
• obtain relevant information from the firm to identify and evaluate circumstances and relationships that
create threats to independence
• evaluate information on any identified breaches of the firm’s independence policies and procedures to
assess whether they create a threat to independence for the audit engagement
• take appropriate action to eliminate threats or reduce them to an acceptable level by applying safeguards
• report to the firm any matters unable to be resolved so appropriate action can be taken.
Auditor and Audit Firm Rotation
Periodic rotation of auditors on engagements is designed to bring fresh views to the audits, aid profes-
sional scepticism and promote independence. This periodic rotation could be of key personnel on audit
engagements; more recently there have been suggestions to periodically rotate audit firms.
Auditor Rotation
Many countries have requirements for mandatory periodic rotation of key audit personnel. In Australia,
section 324DA of the Corporations Act requires that, where an individual plays a significant role (generally
as a lead or review partner) in the audit of a listed entity for five successive financial years, the individual
cannot play a significant role in the audit of that entity for at least another two successive years. In addition,
an individual cannot play a significant role for more than five out of seven successive financial years,
where the involvement is not in consecutive years. Small or regional audit firms may apply to ASIC for an
extension of the rotation period to seven years.
Pdf_Folio:75

MODULE 2 Planning the Audit of Historical Financial Information 75

 Under the Corporations Legislation Amendment (Audit Enhancement) Act 2012, directors have the
flexibility to extend the five-year auditor rotation period for another two years, provided that the audit
committee is satisfied that it will not adversely affect independence or undermine the quality of the audit.
In response to the collapse of Enron, WorldCom and other high-profile businesses in the United States,
the Sarbanes–Oxley Act mandates audit partner rotation. In addition to the Sarbanes–Oxley Act, the
International Ethics Standards Board for Accountants (IESBA) also requires audit partner rotation as
detailed in s. 540 of the Code. To address the threats to independence created by long association, the
Code outlines provisions covering long association of personnel with an audit client.
The provisions include a cooling-off period for public interest entities (PIEs) and limiting the number
of years the key audit partner (KAP) is allowed to serve on the audits. PIEs include all listed entities and
any entity defined by regulation or legislation as a public interest entity, including those entities for which
an audit is required to be conducted in compliance with the same independence requirements as those that
apply to the audit of listed entities.
The KAP must determine whether to treat entities as PIEs. This decision will be based on whether a
large number of stakeholders exist, the entity’s size or number of employees and the nature of the business.
Depending on the role of the KAP (e.g. engagement partner or engagement quality control review
(EQCR) partner), there will be a minimum cooling-off period (which is a period where the partner cannot
work on that engagement). For example, for the audit engagement partner, the cooling-off period will be
five years.
Table 2.1 summarises the partner rotation requirements as per the Code (s. R540.11-13) for audits of
public interest entities.

TABLE 2.1 Partner rotation requirements as per the Code

The Code

Role Maximum time-on period (years) Cooling-off period (years)

Engagement partner Seven Five

EQCR partner Seven Three

Other KAP Seven Two

Source: Adapted from International Ethics Standards Board for Accountants (IESBA) 2018, International Code of Ethics for
Professional Accountants (Including International Independence Standards), accessed May 2019, https://www.ifac.org/publications-
resources/2018-handbook-international-code-ethics-professional-accountants

The maximum seven-year time-on period required by IESBA is calculated on a cumulative basis and
need not be consecutive.
In response to these changes, the Accounting Professional & Ethical Standards Board (APESB)
approved amendments that reflect the Code and take into consideration the Australian requirements
imposed by the Corporations Act.
This applies in Australia as the applicable law (the Corporations Act) prescribes a cooling-off period that
is shorter than the Code. However, the transitional provision specifies a sunset to the three-year cooling-
off period. This will see the three-year cooling-off period transition to a five-year cooling-off period for
audits of financial statements for periods beginning after 31 December 2023. The requirements under the
Corporations Act for listed entities of five years on and two years off are more restrictive than the APES
110 for PIEs. Therefore, the legislative requirements take precedence.

Audit Firm Rotation

In recent years, attention has turned from audit partner rotation to potentially mandating audit firm rotation.
The European Commission (EC) has indicated that, even when key audit partners are regularly rotated,
the threat of familiarity persists. As a result, the EC has concluded that the mandatory rotation of audit
firms — not just of audit partners — is required. In 2016, the European Parliament enacted rules related
to the mandatory rotation of audit firms of PIEs (which includes publicly listed companies and banks).
These entities are now required to rotate their audit firm after a maximum engagement of ten years. This
ten-year period can be extended by up to ten additional years if audit tenders are carried out, and up to 14
additional years if the audited company appoints a joint auditor (i.e. more than one audit firm to carry out
its audit) (European Commission 2016).
Pdf_Folio:76

76 Advanced Audit and Assurance

 Where a group operates in many EU states, ‘each EU PIE within the group will have to comply with
the mandatory firm rotation rules applicable to the EU member state in which it is based.’ (KPMG 2014,
p. 2). How do the rules apply to non-EU companies? If a non-EU parent has controlled undertakings in the
EU, and any of these controlled undertakings are PIEs, then the PIE’s controlled undertakings will have to
rotate their external auditor in line with the national law of their Member State. However, if a PIE parent
in the EU has non-EU controlled undertakings, then the PIE definition does not apply. As such, they are
not required to rotate their auditor.
Figure 2.3 lists the arguments in favour of mandatory audit firm rotation over audit partner rotation and
arguments in favour of mandatory audit partner rotation over audit firm rotation.

FIGURE 2.3 Mandatory audit firm rotation and audit partner rotation arguments

Loss in client-specific
Increased level of knowledge will
scepticism adversely affect
audit quality

Rotation of key audit

personnel brings most of
Fresh perspective
the benefits of audit firm
rotation without the costs

Incentivises quality work

Auditing standards and
because work will be
ethics already require
periodically reviewed
professional scepticism
by another firm

Reduces over-reliance Audit standards and

on prior-year ethics already
audit work papers require independence

Mandatory audit Mandatory audit

firm rotation partner rotation

Auditor Independence for the Audit of SMEs

In Australia, both the Corporations Act and APES 110 Code of Ethics for Professional Accountants
(including Independence Standards) recognise that a small-to-medium enterprise (SME) auditor in the
private sector may have a closer relationship to the company than would be acceptable for a publicly listed
company. However, it is important that the auditor is aware of this potential lack of independence and the
need to maintain an appropriate level of professional scepticism.

Professional Conduct and Ethics

The credibility of a professional auditor’s services is founded on the values, norms and symbols displayed
by accountants in the performance of their duties. Such duties involve not only the exercise of competence
in the technical aspects of financial services, but also, more importantly, integrity and objectivity in
discharging these services. These professional conduct and ethical requirements were discussed in more
detail in module 1. In this module, matters concerning professional appointments for auditors, including
relevant threats and safeguards are highlighted.
Matters Concerning Professional Appointments for Auditors
The Code of Ethics also highlights other matters pertaining specifically to the auditors. A summary from
sections 310 to 360 is shown in table 2.2 to assist students to capture the essential elements of these matters
that may give rise to a breach of ethical behaviour.
Pdf_Folio:77

MODULE 2 Planning the Audit of Historical Financial Information 77

 TABLE 2.2 Threats and safeguards for professional appointment matters
Professional matters Examples of threats
Client acceptance/ • Threats to integrity may arise from
continuance issues associated with clients
(e.g. questionable conduct)
Engagement acceptance • A self-interest threat may result in lack
of competence
Changes in a professional • Threats to compliance in relation to a
appointment tendering process for the task
Conflict of interest • Threat to objectivity for two or
more clients
• Threat to compromise judgment
• Compromise of independence
Non-compliance with laws • Fraud, corruption and bribery
and regulations • Money laundering, terrorist financing
• Securities dealing, banking products,
etc. where non-compliance is apparent
Second opinions • Possible threat to professional
competence
• Opinion shopping by non-client on
accounting treatment
Fees • Threats to compliance if inappropriate
fees quoted
• Contingent fees may create threats to
compliance and self-interest
Pdf_Folio:78
78 Advanced Audit and Assurance
Examples of safeguards
• Obtain knowledge of governance
• Secure client’s commitment to address
the matter in question
• Periodic review on compliance matters
• Acquire necessary knowledge
• Assign staff with necessary
competence
• Use experts where necessary
• Comply with quality control procedures
• Contact with existing auditor regarding
matters pertinent to non-acceptance
• Notify existing auditor of the proposed
work
• Seek other information
• Based upon all specific facts and
circumstances (such as the nature
of the services, the size of the firm
and the client base), assess that a
reasonable and informed third party
would be likely to conclude that
compliance with the fundamental
principles might be compromised
• The significance of relevant interests
and the significance of the threats
should be considered
• Use separate teams, perform regular
reviews, disclosure of interests
• Assess the nature of the matter if it
is inconsequential. If not, take the
following steps in a timely manner:
obtain understanding of the matter,
address the matter with those charged
with governance, advise them to take
appropriate actions. Auditors are
required to identify and respond to
non-compliance, communicate with
those charged with governance and
consider implications.
• Further actions may be required to
disclose the matter to appropriate
authority and/or withdrawing from the
engagement
• Evaluate the significance of the opinion,
seek permission to contact existing
accountants for explanations, describe
limitations or withdraw from giving the
opinion
• Make client aware of the factors
• Assign appropriate time
• Disclose the basis of the fees
• Review by independent experts
 Gifts • Self-interest, compliance or objectivity • Depends on the nature, value, and
threats intent; or offer made in normal course
of business without specific intent

Custody of client assets • Compliance and objectivity threats • Shall not assume custody of client
monies or other assets unless it is
lawful, separate records are kept,
regular accountability

Source: Examples taken from Sections 310 to 360 of the Code, as at June 2019.

Professional accountants should evaluate the significance of threats to objectivity before accepting or
continuing with specific engagements. Some additional safeguards include clear guidelines for engagement
personnel on issues of security and confidentiality, and regular review of client engagements. Overall, the
auditor must observe objectivity at all times and judge, based on all relevant facts and circumstances, if
the threats posed are at an acceptable level and that there are safeguards to ensure that the fundamental
principles of ethics are adhered to. If that is not the case, the auditor should withdraw from the engagement,
seek advice and follow supervisory procedures, including discussing the issue with authorities or those
charged with governance of the client.

QUESTION 2.2

You are Mark Mitchell, an audit senior with the firm Pull, Lift, Tug & Co. You are planning the financial
report audit of Nestree Ltd, a manufacturer of confectionery.
From the review of the draft financial statements that you have received, Nestree appears to take
an optimistic approach to its valuation of development expenditure capitalised in intangible assets.
Executive remuneration includes a profit-related bonus.
(a) Evaluate the above situation and identify the ethical threat involved.
(b) How can the auditor avoid this threat?

Applying Professional Scepticism and Judgment

When planning and performing the audit with professional scepticism, auditors need to remain independent
of the entity, its management and its staff when completing the audit work. As such, auditors need to
maintain a questioning mind and thoroughly investigate all evidence presented by their client. This includes
seeking independent evidence to corroborate, or confirm, any information provided by their client. When
evidence contradicts documents held by their client or enquiries made of client personnel, including
management and those charged with governance, it should arouse the auditor’s suspicions.
Auditors are expected to possess the necessary professional scepticism required to probe and investigate
the reliability of the financial statements, the internal controls and the personnel involved in producing the
financial statements. In addition, they should not compromise their integrity and objectivity by succumbing
to management pressure. Auditing standards and rules of ethical conduct require professional scepticism
and cover threats to independence.
An attitude of professional scepticism involves matters outlined in figure 2.4.
In addition to scepticism, auditors are required to plan and perform the audit with professional judgment.
Professional judgment relates to the application of relevant training, knowledge, and experience that
auditors use while making informed audit decisions (ISA 200, para. 13). Auditors use judgment throughout
the entire audit — for example when determining if an information source is reliable and when deciding
sufficient appropriate audit evidence has been gathered to support the audit opinion. Table 2.3 identifies
many circumstances where professional judgment is required.

Pdf_Folio:79

MODULE 2 Planning the Audit of Historical Financial Information 79

 FIGURE 2.4 Threats and safeguards for professional appointment matters

Have a
• Critically assess the validity of
questioning
audit evidence
mind

• Recognise that management

Recognise can override internal controls
potential for • Do not rely on management being
fraud honest or acting with integrity,
regardless of past experience

Professional
scepticism

Does audit evidence support/contradict:

• documents
Be alert • responses to enquiries
• other information obtained from
management?

Do not:
• overlook unusual circumstances
• over-generalise
Be careful • use faulty assumptions
• rely on management honesty and integrity
• accept unpersuasive audit evidence
• accept management representations as a
substitute for sufficient appropriate audit evidence

TABLE 2.3 Examples of professional judgments made during an audit

Understanding • What environmental factors to examine

the entity and its • Which risk assessment procedures to use
environment • Which members of the audit team should be involved in discussions of potential fraud
• Assessing the appropriateness of suitable criteria for a greenhouse gases (GHG)
emissions assurance engagement

Assessing the risk of • Assessing inherent risk

material misstatement • Determining high-risk audit areas
• Assessing the probability of company failure
• Assessing the percentage of debtors that will be recoverable
• Assessing directors’ best estimate assumptions in the preparation of forecast
financial information
• Assessing whether the preparer has applied appropriate criteria (e.g. GRI
reporting standards)

Internal controls • Assessing control risk

• Extent of auditor reliance on internal controls

Pdf_Folio:80

80 Advanced Audit and Assurance

 Consideration of • Which fraud risk factors are present
fraud and error • Determining which trends and relationships indicate the risk of fraud
• The extent to which matters are documented
• Whether a sales overstatement is material
• Whether an item of non-compliance is material in a compliance audit
• Determining the level of pollution that is material in an environmental
assurance engagement

Communication • The appropriate person(s) to communicate with

• Matters to be communicated
• The level of detail to be communicated

Policies • The appropriateness of accounting policies used

• Whether policies used are consistent with prior years

Audit evidence • Nature, timing and extent of evidence

• Whether to rely on audit evidence from previous audits
• Sufficiency and appropriateness of audit evidence
• Conclusions on results of specific audit procedure
• Use of an independent expert

Analytical procedures • Audit strategy

• Which techniques to use
• Development of expectations
• Identification of significant fluctuations
• Assessing the appropriateness of data used by management in developing an
environmental report

Audit sampling • Whether or not to use statistical sampling

• Determining sample size
• Selection of items to test

Audit reporting • Whether a modified audit report is appropriate, and if so, which one
• Whether an emphasis of matter paragraph is appropriate
• Qualified, disclaimer, adverse opinions
• What key audit matters (KAMs) to include in the audit report, if any
• Whether a going concern basis is appropriate
• The wording of other assurance reports

Source: CPA Australia 2019.

The complexity of business transactions, expanded use of fair values and subjective estimates, and
the move to more principles-based accounting standards, all tend to heighten the degree of professional
judgment and scepticism auditors need to apply (Glover & Prawitt 2013).
The concepts of professional scepticism and professional judgment will be addressed throughout this
Study guide as we cover the process auditors use to detect material misstatements and reach their audit
opinion as to whether the financial statements are fairly presented in accordance with the applicable
financial reporting framework.
Review example 2.3 which demonstrates how professional scepticism is applied at various stages of
an audit.

EXAMPLE 2.3

Applying Professional Scepticism

The auditor is likely to apply professional scepticism at various stages of the audit — from client
acceptance and at various points during the audit process. Some typical examples are as follows.
• When assessing engagement acceptance. At this stage the auditor should consider whether the
management of the audit client acts with integrity and whether there are any matters that may impact
on the auditor being able to act with professional scepticism if they accept the engagement, such as
ethical threats to objectivity.

P df_Folio:81

MODULE 2 Planning the Audit of Historical Financial Information 81

 • When performing risk assessment procedures. An auditor should be sceptical when performing risk
assessment procedures at the planning stage of the audit. For example, when discussing the results of
analytical procedures with management, the auditor should not accept management’s explanations
at face value, and should obtain corroboratory evidence for the explanations offered.
• When obtaining audit evidence. The auditor should be ready to challenge management, especially
on complex and subjective matters and matters that required a degree of judgment to be exercised
by management. The reliability and sufficiency of evidence should be considered, especially where
there are risks of fraud. There may also be specific issues arising during an audit which impacts on
professional scepticism — for example, if management refuses the auditor’s request to obtain evidence
from a third party. The auditor will have to consider how much trust can be placed on evidence
obtained from management — for example, evidence in the form of enquiry with management or written
representations obtained from management.
• When evaluating evidence. The auditor should critically assess audit evidence and be alert for
contradictory evidence that may undermine the sufficiency and appropriateness of evidence obtained.
• When forming the auditor’s opinion. The auditor should consider the overall sufficiency of evidence
to support the audit opinion, and by evaluating whether the financial statements overall are a fair
presentation of underlying transactions and events.
Ultimately, the application of professional scepticism should reduce detection risk because it enhances
the effectiveness of applied audit procedures and reduces the possibility that the auditor will reach an
inappropriate conclusion when evaluating the results of audit procedures.
Source: ACCA n.d., ‘Professional scepticism’, Think Ahead, accessed June 2019, https://www.accaglobal.com/an/en/
student/exam-support-resources/professional-exams-study-resources/p7/technical-articles/scepticism.html

Detecting Material Misstatements

The auditor is responsible for obtaining reasonable assurance that the financial statements are free from
material misstatement caused by fraud or error (ISA 240, para. 5). In examining the potential causes
of misstatement in financial statements, ISA 240 uses the concept of ‘intent’ to distinguish between
misstatements due to error and fraud.
Error includes the unintentional omission of an amount or a disclosure, such as:
• a mistake in gathering or processing financial statements data
• oversight or misinterpretation of facts resulting in an incorrect accounting estimate
• measurement, recognition, classification, presentation or disclosure errors arising from a mistake in the
application of accounting principles.
Fraud refers to an ‘intentional act’ and includes fraudulent financial reporting and misappropriation
of assets. ISA 240, paragraph 5 requires the auditor to consider the risks of material misstatement in the
financial statements due to fraud. Fraud is defined as an ‘intentional act by one or more individuals among
management, those charged with governance, employees, or third parties, involving the use of deception
to obtain an unjust or illegal advantage’ (ISA 240, para. 12).
To clarify the difference, errors include misstatements made by unintentional mistakes whereas fraud
covers misstatements made intentionally to deceive others. Auditors need to apply professional judgment
to distinguish between misstatements due to error and fraud. Maintaining an attitude of professional
scepticism is necessary to achieve this. The auditor must remain alert to the possibility of fraud,
notwithstanding any past experience or expectations of the honesty and integrity of the client (ISA 240,
para. 13).
The auditor may have additional responsibilities under law, regulation or relevant ethical requirements
regarding an entity’s non-compliance with laws and regulations (NOCLAR), including fraud. These
may differ from, or go beyond, ISA 240 and other ISAs, such as responding, communicating and
documenting identified or suspected NOCLAR (ISA 240, para. 9). For example, the Code requires the
auditor to take steps to respond to identified or suspected NOCLAR and determine whether further
action is needed (ISA 240, para. A6). Additionally, the auditor is also required to communicate
these matters with those charged with governance unless the communication is prohibited by law or
regulation (ISA 240, para. 43).
ISA 200 refers to the inherent limitations of an audit. Owing to those limitations, ISA 240, paragraph 5,
states that there is an unavoidable risk that some material misstatements may not be detected even when
the audit is properly planned and performed in accordance with ISAs. In other words, audit risk can be
managed, but cannot be eliminated.

df_Folio:82
P

82 Advanced Audit and Assurance

 Read ISA 240 paragraphs 4–16 and 41–44 before continuing your studies.
The next section covers the terms of audit engagements and the engagement letter. The key points
covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

2.1 Explain the responsibilities of management and the auditor in relation to an audit.
• Management and those charged with governance have the primary responsibility for the prevention
and detection of fraud.
• The auditor is responsible for obtaining reasonable assurance that the financial statements are free
from material misstatement caused by fraud or error.
• The auditor has additional responsibilities under law, regulation or relevant ethical requirements
regarding an entity’s non-compliance with laws and regulations (NOCLAR), including fraud.
2.2 Evaluate historical financial information by applying professional scepticism and judgment.
• The concepts of professional scepticism and judgment were introduced and linked to the decisions
auditors make when identifying material misstatements and when determining the appropriate audit
opinion based on the evidence gathered.
• Auditors must maintain an attitude of professional scepticism and remain alert to the possibility of
fraud during the conduct of the audit.
• Examples of where auditors use professional judgment during an audit were provided.
• The use of the audit risk model requires a significant degree of judgment by the auditor, especially
when determining the appropriate level of detection risk and extent of audit testing required to
maintain a low level of audit risk.
• Example 2.1 demonstrated the use of professional judgment to identify factors in a business situation
which increase or decrease inherent risk of an entity.
• Example 2.2 demonstrated the use of professional judgment to identify factors that increased the risk
of material misstatement at the financial statement level and to identify inherent risks at the assertion
level. It also required professional judgment to identify factors that increased or decreased the level
of control risk in the business scenario.
• Example 2.3 demonstrated how the auditor is likely to apply professional scepticism at various stages
of the audit of historical financial information.

2.2 TERMS OF ENGAGEMENTS

ISA 210 Agreeing the Terms of Audit Engagements is intended to assist auditors in the preparation of
an engagement letter for an audit of financial statements. Engagement letters confirm the auditor’s
acceptance of the appointment and outline the objectives and scope of the engagement, as well as the
responsibilities of both the auditor and management.
The scope of ISA 210 deals with the auditor’s responsibilities in agreeing to the terms of an audit engage-
ment with management/those charged with governance (ISA 210, para. 1). It includes the establishment
of certain preconditions of an audit.

PRECONDITIONS
The auditor needs to confirm that the preconditions of an audit are established by the following.
• Determining whether the financial reporting framework to be applied in the preparation of the financial
statements is acceptable (ISA 210, para. 6a). Financial reporting standards, such as International
Financial Reporting Standards (IFRS), are often used as the applicable financial reporting framework. In
Australia, the applicable financial reporting framework would include Australian Accounting Standards,
the Corporations Act and other relevant legislation that may be applicable to other entities (e.g. overseas
accounting pronouncements for Asian subsidiaries).
• Obtaining agreement from management that it acknowledges and understands its responsibilities,
including for:
– the preparation of the financial statements
– the internal control system necessary to enable the preparation of the financial statements that are
free from material misstatement due to fraud or error
– providing the auditor with necessary access and information (ISA 210, para. 6b).
Pdf_Folio:83

MODULE 2 Planning the Audit of Historical Financial Information 83

 Importantly, if these preconditions do not exist (e.g. if management does not provide the agreement
noted here) the auditor cannot accept the audit engagement unless required to do so by law or regulation.
You should now refer to ISA 210, paragraphs A2–A21 for a more detailed description of the
preconditions of an audit.

ENGAGEMENT TERMS AND LETTER OF ENGAGEMENT

ISA 210 includes requirements relating to the agreement on audit engagement terms. These terms need
to be agreed with management or those charged with governance as appropriate (ISA 210, para. 9). What
is appropriate will depend on the governance structure and relevant law or legislation in the particular
country. The engagement terms are detailed in the letter of engagement. It is required that the following
are included in an engagement letter:
• agreed terms of the engagement
• objective and scope of the audit
• responsibilities of the auditor, including the auditor’s responsibilities under law, regulation or relevant
ethical requirements that address reporting identified or suspected non-compliance with laws and
regulations (NOCLAR) to an appropriate authority outside the entity
• responsibilities of management
• identification of the applicable financial reporting framework
• reference to the expected form and content of any reports to be issued by the auditor and a statement
that there may be circumstances when the report may differ from the expected form and content
(ISA 210, para. 10 and A24).
You should now read through ISA 210, paragraphs 10–12 and A24–A26 to become familiar with the
content of an engagement letter, and then see Appendix 1 of ISA 210 for an example of an engagement
letter.
In Australia, when the audit is conducted in accordance with Part 2M.3 of the Corporations Act,
the auditor ordinarily includes an additional paragraph on independence in the written terms of the
engagement. This paragraph includes a statement confirming that the auditor meets the independence
requirements of the Corporations Act and that should the auditor become aware of contraventions, the
auditor will notify the entity on a timely basis. See ASA 210 Agreeing the Terms of Audit Engagements
Appendix 1 for an example of an engagement letter which includes this paragraph. The Corporations Act
contains general and specific provisions in relation to auditor independence, a range of specific restrictions
on the employment relationships existing between the audited entity and its auditor, and provisions relating
to the auditor’s attendance at an entity’s annual general meeting, which the auditor may also include in the
engagement letter.

CHANGES TO TERMS
ISA 210 covers recurring audits and acceptance of a change in the terms of an engagement. For recurring
audits, the auditor assesses whether the terms of the audit engagement must be revised and whether it is
necessary to remind the entity of the existing terms of the audit engagement (ISA 210, para. 13).
The auditor also needs to consider whether there is a need to send a new engagement letter. In practice,
many firms send a new engagement letter each year. This is particularly important if there is:
• Any indication that the entity misunderstands the objective and scope of the audit.
• Any revised or special terms of the engagement.
• A recent change of senior management [or those charged with governance].
• Any significant change in ownership [or in the] nature or size of the entity’s business
• A change in legal or regulatory requirements.
• A change in the financial reporting framework . . . [or] other reporting requirements (ISA 210,
para. A30).

If, prior to completion of the audit, the auditor receives a request from management to change the
engagement to a lower level of assurance (e.g. an audit to a review or a related service) they need to consider
the appropriateness of their reason for doing so (ISA 210, paras 14–17, A31–A33). For example, it may
be appropriate to do so when there has been a change in circumstances affecting the need for assurance or
a misunderstanding of the nature of an audit.

Pdf_Folio:84

84 Advanced Audit and Assurance

 QUESTION 2.3

You are considering whether to accept a new audit engagement for EZY Ltd when you notice that
management have imposed a limitation on the scope of the auditor’s work. As a result of the
limitation, you believe it will not be possible to give an opinion on the truth and fairness of the
financial statements.
Should you accept this audit engagement? Justify your answer by referring to the relevant ISA.

Review example 2.4, which covers the justification for sending out a new engagement letter for a
recurring audit engagement.

EXAMPLE 2.4

Engagement Letter for Recurring Audit

You have completed the CPA program while working for a mid-tier auditing firm in Hong Kong. You are
now on secondment with the firm in Sydney for two years. On arrival in Sydney, you are informed that
you will be working on the audit of JBR Ltd, a company that specialises in the management of retirement
villages. One reason you have been put on the audit is that the company is considering expanding into
Hong Kong and possibly other major Asian cities.
You ascertain that management is well respected in the industry, and the audit firm and management
have developed a good working relationship over the last five years. In fact, you note a recent press release
that states the company uses conservative accounting methods compared to other firms in the industry.
In a recent newspaper report, you note a quote from the CEO stating, ‘We pride ourselves on the quality of
the financial statements. Our auditors are very reputable, and we rely heavily on them for the preparation
of our financial statements’.
You have been asked to prepare an engagement letter to be sent to the client for this recurring audit
engagement.
............................................................................................................................................................................
Justify why it is necessary to send out an engagement letter for this recurring audit engagement.
Check your response against the suggested answer at the end of the book.

Following the discussion of the terms of audit engagements, including preconditions, the engagement
letter and the auditor’s choices when the terms are changed, we now discuss the auditor’s responsibilities
relating to communication of audit matters with those charged with governance.
Now that we have discussed all the preliminary engagement activities, in the next section, our focus will
turn to audit planning procedures.
The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

2.1 Explain the responsibilities of management and the auditor in relation to an audit.
• The auditor is required to obtain an agreement from management that it acknowledges and
understands its responsibilities for the preparation of the financial statements, the internal control
system used for the preparation of the financial statements and providing the auditor with access
and information required to conduct the audit.
• The auditor needs to confirm that the preconditions of an audit are established by determining
whether the financial reporting framework to be applied in the preparation of the financial statements
is acceptable.
• For recurring audits, the auditor assesses whether the terms of the audit engagement must be revised
and whether it is necessary to remind the entity of the existing terms of the audit engagement.
• The auditor needs to consider whether there is a need to send a new engagement letter to the entity.

df_Folio:85
P

MODULE 2 Planning the Audit of Historical Financial Information 85

2.3 AUDIT PLANNING PROCEDURES
ISA 300 Planning an Audit of Financial Statements, paragraph 4 states that ‘the auditor is to plan the audit
so that it will be performed in an effective manner’. This involves developing an overall audit strategy
(ISA 300, para. 7) and developing an audit plan (ISA 300, para. 9) in order to reduce audit risk to an
acceptably low level.
The reason for planning is to:
• ensure appropriate attention is given to important areas of the audit
• identify potential problems on a timely basis
• organise and manage the engagement properly
• assist in the selection of team members
• facilitate team members’ supervision
• assist in the coordination of work done (ISA 300, para. 2).
The nature and extent of planning activities will vary with:
• the size and complexity of the entity (i.e. greater complexity may result in more planning)
• the auditor’s previous experience with the entity (e.g. on a new audit one would expect planning to be
more extensive)
• changes in circumstances that occur during the audit engagement (e.g. if the entity increases the level
of management bonuses and their correlation with profitability levels, the auditor needs to consider this
in the audit plan; this situation increases the incentive for fraud and auditors must adjust their gathering
of evidence accordingly) (ISA 300, para. A1).
You should note the continual and iterative nature of planning. It is not a discrete phase of the audit, but
is a continuous process often beginning shortly after the completion of the previous audit and continuing
to the completion of the current audit (ISA 300, para. A2). As new information becomes available, the
audit plan is updated on an iterative basis. For example, the auditor may initially assess that the entity has
effective internal controls, and the audit plan prescribes tests of controls to be carried out with reduced
substantive tests. However, weaknesses in the internal control system found when carrying out tests of
controls will result in the audit plan being changed (e.g. increased substantive testing). Less reliance may
also be placed on analytical procedures if the weaknesses in internal control affect the data on which
the analytical procedures are being executed. As another example, the auditor may find during substantive
testing that controls are not working during a particular time of the year. Consequently, the audit plan will
need to be revised if these controls were previously relied on.
While the iterative nature of an audit plan is noted, certain audit planning activities and procedures need
to be coordinated early in the audit process, such as:
• conducting preliminary analytical procedures as part of risk assessment
• obtaining an understanding of the legal and regulatory framework applicable to the entity
• determining materiality levels
• considering the need to involve experts and specialists prior to identifying and assessing risks (e.g. in the
mining industry an auditor may need to consult a geologist prior to assessing risks related to inventory
and non-current assets)
• determining the nature, timing and extent of resources that will be required (ISA 300, para. A2).
Figure 2.5 presents an overview of the audit process from planning the audit through to reporting. This
module focuses on the planning stage, which involves risk assessment, the development of an overall audit
strategy and preparation of a detailed audit plan. As suggested by the figure, the audit plan is updated and
adapted as required as the audit progresses.

GUIDANCE MATERIALS FOR PLANNING AN AUDIT OF SMEs

The Small and Medium Practices Committee of the International Federation of Accountants (IFAC)
released the Guide to Using International Standards on Auditing in the Audits of Small- and Medium-sized
Entities to assist practitioners on the audits of SMEs. Details of how this can be obtained are contained in
the ‘Optional reading’ section of this module.
The IAASB and others have recognised the need for global solutions to address the challenges in relation
to audits of less complex entities (LCEs). The IAASB is investigating the potential possible actions to
overcome such issues by:
• revising the ISAs
• developing a separate auditing standard for audits of LCEs
Pdf_Folio:86

86 Advanced Audit and Assurance

• developing guidance for auditors of LCEs or other related actions (IAASB 2019c, p. 14).
The IAASB issued a discussion paper on this topic in 2019.
Also available for guidance on planning an audit of an SME is CPA Australia’s Small Entities Audit
Manual (SEAM). The 2018 version is available to members on their website. This resource is updated
yearly.

FIGURE 2.5 Audit planning overview

Audit planning

Risk assessment Risk response Reporting

Overall audit strategy

Engagement characteristics
Reporting objectives
Significant factors and experience (materiality, risk factors etc.)
Nature, timing and extent of resources necessary

Continually update and change audit plans as required

Detailed audit plan

Nature, timing and extent of planned procedures
Risk assessment procedures
Further audit procedures

Communications with management and

those charged with governance

Source: IFAC 2018b, p. 37.

OVERALL AUDIT STRATEGY

As part of the planning activities, the auditor is required to ‘establish an overall audit strategy that sets
the scope, timing and direction of the audit. [This strategy] guides the development of the audit plan’
(ISA 300, para. 7). In particular, the establishment of the audit strategy must involve the following
(ISA 300, paras 8, A8–A11).
• ‘Identify the characteristics of the engagement that define its scope’, such as the financial reporting
framework used, industry-specific reporting requirements and the locations of the components of the
entity. This step includes the auditor gaining an understanding of the legal and regulatory framework
applicable to the entity as well as an understanding of how the entity is complying with the framework.
• ‘Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of
the communications required’ — such as deadlines for interim and final reporting — and key dates for
expected communications with management and those charged with governance.
• ‘Consider the factors that are . . . significant in directing [the focus of] the engagement team’s efforts’,
such as determination of appropriate materiality levels, preliminary identification of areas where there
may be a higher risk of material misstatement, preliminary identification of material components and
account balances, evaluation of whether the auditor may plan to obtain evidence regarding the effec-
tiveness of internal control, and identification of recent significant entity-specific, industry, financial
reporting or other relevant developments. ‘Consider the results of preliminary engagement activities’
(e.g. client continuance activities, compliance with relevant ethical requirements, and establishing an
understanding of the term of the engagement).
• ‘Ascertain the nature, timing and extent of resources’ needed (e.g. staff needs, experts).
Read the appendix of ISA 300 now to gain an understanding of these four points.
Based on assessments of materiality, audit risk and what constitutes sufficient appropriate audit
evidence, the auditor has two main alternative strategies (with combinations in between) of either:
1. a lower assessed level of control risk approach
2. a predominantly substantive testing approach.
Pdf_Folio:87

MODULE 2 Planning the Audit of Historical Financial Information 87

 For the lower assessed level of control risk approach, the auditor’s planned assessed level of control
risk is low or medium. The plan involves obtaining a substantial understanding of the internal control
systems, planning extensive tests of controls but restricting the extent of substantive procedures.
For the predominantly substantive testing approach, the auditor’s planned assessed level of control
risk is high, and the plan requires a minimum of understanding of internal control, no tests of controls but
extensive use of substantive audit procedures.
Substantive procedures are aimed at detecting material misstatements in the dollar value of the
information contained in the accounting records or in the financial statements.
Tests of controls are audit procedures ‘designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the assertion level’ (ISA 200 Glossary).
Both substantive procedures and tests of controls will be discussed further at the end of this module
and revisited in modules 3 and 4 when performing audit procedures to collect audit evidence and when
evaluating audit evidence in order to express an opinion on the financial statements.

QUESTION 2.4

If inherent risk and control risk are high, why will detection risk be set as low, and what effect does
this have on the audit strategy?

The next step in audit planning is to develop an audit plan, which is discussed next.

THE AUDIT PLAN

The auditor is required to develop an audit plan (ISA 300, para. 9). The audit strategy guides the
development of this more detailed audit plan. The audit plan documents the auditor’s initial assessment of
the evidence that will be required to form an opinion and the method of obtaining this evidence. The audit
plan must be a dynamic document if it is to reflect the impact of information gathered during the course of
the audit. For example, a weakness identified in the internal controls may necessitate increased substantive
audit procedures for the accounts involved. This will require a modification of the audit plan.
The audit plan needs to include a description the following (ISA 300, para. 9).
• The nature, timing and extent of planned risk assessment procedures sufficient to assess the risks of
material misstatement.
• The nature, timing and extent of planned further audit procedures at the assertion level under
ISA 330. The plan for further audit procedures reflects the auditor’s decision whether to test the
operating effectiveness of controls, and the nature, timing and extent of planned substantive procedures.
• Other audit procedures required to be carried out during the engagement in order to comply with the
International Standards on Auditing (ISAs).
While the actual content of the audit plan will vary, it will generally include an outline of the general
audit approach to be followed without going into specific detail about the exact audit procedures that will
be used. In this sense, the audit plan acts as an overview of the audit, indicating:
• the major objectives of the audit
• the constraints within which the audit must be performed
• materiality and risk considerations
• an estimate of the resources required to carry out the audit.
To gain a better understanding of developing an audit plan, you should now refer to figure 2.6, which
provides an example of how to develop an audit plan for trade debtors.

df_Folio:88
P

88 Advanced Audit and Assurance

 FIGURE 2.6 Developing an audit plan for trade debtors

Overall assessment of risks at financial statement level Moderate

(High, Moderate or Low)

Assertions (Completeness, Accuracy/Valuation, Existence and Presentation) C AV E P

Assessed risks at assertion level (High, Moderate, or Low) L M M L

Changes in assessed risks from the previous period. None

Increased risks related to related party transactions and possible fraud resulting from Raj’s absence.

Questions to be considered in developing the receivables audit plan.

Planning considerations Response

1. Are there assertions that cannot be addressed No

by substantive tests alone?

2. Is internal control over related transaction Due to the small size of the company, there are
streams/processes expected to be reliable? limited controls. We obtained an understanding
If so, could the controls be tested to reduce of internal control, but we will not test controls or
need/scope for other substantive procedures? place any reliance on them.

3. Are there substantive analytical procedures The completeness of sales will be addressed by a
available that would reduce need/scope for combination of substantive analytical review and
other audit procedures? tests of details.

4. Is there a need to incorporate an element of Not considered necessary, as the receivables

unpredictability or further audit procedures balance at year-end relates primarily to Dephta.
(such as to address fraud, risk, etc.)?

5. Are there significant risks that require special The possibility of inconsistent revenue recognition
attention? or fraud will be addressed through suitably
tailored substantive tests of details.
Need to be mindful of undisclosed related party
transactions outside of the normal course of
business throughout the audit.

The following is a sample audit response to the assessed level of risk for accounts receivable.

Summary of Proposed Audit Response

(Check the applicable boxed under C AV E P) C AV E P

A. Substantive tests of details — all material classes of transactions, X X X

balances, and disclosure

B. Substantive tests of details — tailored to specific risks (sampling, fraud, X X X X

significant risks, etc.)

C. Substantive analytical procedures (proof in total, etc.) X

D. Tests of controls (operating effectiveness)

Based on professional judgment, are the procedures outlined above sufficient Yes Yes Yes Yes
to address the assessed risks? (Yes/No) If no, explain below.
Comments:
None

Source: IFAC 2018b, p. 182.

A more detailed plan of the audit procedures to be performed is often documented in the form of an
audit program. The audit program typically outlines the nature and extent of procedures and the assertions
addressed along with spaces to record details, such as who performed the procedure, working paper file
reference and the findings. The audit program should include sufficient detail of the work to be performed,
Pdf_Folio:89

MODULE 2 Planning the Audit of Historical Financial Information 89

a basis for coordinating, supervising and controlling the audit and a record of the work performed.
Figure 2.7 illustrates an audit program for the planned substantive procedures for inventory.

FIGURE 2.7 Audit program for substantive procedures for inventory

Prepared by: ____________ Date: ___________

Reviewed by: ___________ Date: ___________
XYZ Co. Ltd
Audit program for substantive procedures of inventories
30 June 2020
Substantive procedures W/P ref. Auditor Date
1. Verify totals and agreement of inventory balances and records that will be
subjected to further testing:
(a) Trace opening inventory balances to previous year’s working papers.
(b) Review activity in inventory accounts and investigate unusual items.
(c) Verify totals of perpetual records and other inventory schedules and
their agreement with closing general ledger balances.
2. Perform analytical procedures:
(a) Review industry experience and trends.
(b) Examine an analysis of inventory turnover.
(c) Review relationship of inventory balances with recent purchasing and
sales activities.
(d) Compare inventory balances with expected sales volume.
3. Test details of inventory transactions:
(a) Vouch additions to inventory records and to suppliers’ invoices.
(b) Trace data from purchases to inventory records.
(c) Test cutoff of purchases (receiving) and sales (shipping).
4. Observe the stocktake:
(a) Make test counts.
(b) Look for indications of slow-moving, damaged or obsolete inventory.
(c) Account for all inventory tags and count sheets used in the stocktake.
5. Test clerical accuracy of inventory records:
(a) Recalculate extensions of quantities times unit prices.
(b) Trace test counts to records.
(c) Vouch items on inventory listings to inventory tags and count sheets.
(d) Reconcile physical counts to perpetual records and general ledger
balances.
6. Test inventory pricing:
(a) Examine suppliers’ paid invoices for purchased inventory.
(b) Obtain market quotations and perform lower of cost and net realisable
value test.
(c) Review perpetual inventory records and purchasing records for
indications of current activity.
(d) Compare inventories with current sales catalogue and sales reports.
(e) Enquire about slow-moving, excess or obsolete inventories and
determine need for write-downs.
7. Confirm inventories at locations outside the entity.
8. Examine consignment agreements and contracts.
9. Confirm agreements for assignment and pledging of inventories.
10. Review disclosures for inventories in drafts of the financial statements
and determine conformity with the Corporations Act and applicable
accounting standards.

Source: Leung et al. 2018.

Various factors, including the size and complexity of the entity, the area of the audit (e.g. inventory,
financial instruments), the risks of material misstatement, and the capabilities and competence of personnel
performing the work (e.g. prior industry audit experience) all have an impact on the required direction and
supervision of the engagement team (ISA 300, para. A16). For example, if the work related to inventory
and the preparer was an audit manager with extensive manufacturing experience, the level of direction,
supervision and review would be less than if the preparer was an assistant whose previous audit experience
was with banks and insurance companies. Where there is an increase in the assessed risk of material
misstatement for the area of audit risk, there would be expected increases in the extent and timeliness of
direction and supervision of engagement team members and a more detailed review of their work.
Pdf_Folio:90

90 Advanced Audit and Assurance

 The auditor is required to document the overall audit strategy and the audit plan, including any significant
changes made during the audit engagement (ISA 300, para. 12).
To gain a better understanding of this documentation, you should now refer to ISA 300, paragraphs
A18–A20.

QUESTION 2.5

The auditor of LRS Ltd has completed the audit strategy and audit plan and is presently carrying
out substantive procedures. The auditor discovers some errors that suggest that the original audit
plan may have assumed incorrectly that the controls over inventory were strong. Is it too late to
change the audit plan? Why?

Audit assertions and audit materiality are two key issues in auditing and are thus key in developing the
audit plan. These are discussed next.

FINANCIAL STATEMENT ASSERTIONS

Financial statement assertions are ‘representations by management, explicit or otherwise, that are embod-
ied in the financial statements, as used by the auditor to consider the different types of potential
misstatements that may occur’ (ISA 315 (Revised), para. 4). Given the importance of ‘assertions’ for
understanding ISA 315 (Revised), we discuss the concept here.
Assertions used by the auditor are classified under two categories.
1. Classes of transactions and events, and related disclosures, for the period under audit (e.g. revenue and
expenses).
2. Account balances and related disclosures at the period end (e.g. assets, liabilities).
The assertions are set out in ISA 315 (Revised), paragraph A129 and are listed in table 2.4, including
their definitions.

TABLE 2.4 Financial statement assertions

Assertion Definition

Assertions about classes of transactions and events, and related disclosures

Occurrence Transactions and events that have been recorded or disclosed,
have occurred and such transactions and events pertain to the entity.
Completeness All transactions and events that should have been recorded have been recorded, and all
related disclosures that should have been included in the financial report have been included.
Accuracy Amounts and other data relating to recorded transactions and events have been recorded
appropriately, and related disclosures have been appropriately measured and described.
Cutoff Transactions and events have been recorded in the correct accounting period.
Classification Transactions and events have been recorded in the proper accounts.
Presentation Transactions and events are appropriately aggregated or disaggregated and clearly described,
and related disclosures are relevant and understandable in the context of the requirements of
the applicable financial reporting period.

Assertions about account balances, and related disclosures

Existence Assets, liabilities, and equity interests exist.
Rights and The entity holds or controls the rights to assets, and liabilities are the obligations of the entity.
obligations
Completeness All assets, liabilities and equity interests that should have been recorded have been recorded,
and all related disclosures that should have been included in the financial report have been
included.
Accuracy, Assets, liabilities and equity interests have been included in the financial report at appropriate
valuation amounts and any resulting valuation or allocation adjustments have been appropriately
and allocation recorded, and related disclosures have been appropriately measured and described.
Classification Assets, liabilities and equity interests have been recorded in the proper accounts.
Presentation Assets, liabilities and equity interests are appropriately aggregated or disaggregated and
clearly described, and related disclosures are relevant and understandable in the context of
the requirements of the applicable financial reporting framework.
P df_Folio:91

MODULE 2 Planning the Audit of Historical Financial Information 91

 To demonstrate the identification of relevant assertions related to potential misstatements, illustrated
examples are provided, along with the identification of the appropriate transaction or balance account.
Justifications are provided to demonstrate the use of professional judgment.

Potential Transaction (T)

misstatement or Balance (B) Assertion Justification
Credit memos Sales (T) Occurrence Assume a sale has taken place on credit and,
are not issued or therefore, both the sales transaction and
Trade debtors (B) Existence
recorded for returns trade debtors are recorded. Then the items
on a timely basis or are returned and as such, the transactions
at all. should be reversed when the credit memo
is issued. However, if the credit memo is not
issued, then the sales transaction and the
trade debtors are still recorded even though
the sale, in essence, did not occur and the
trade debtor’s balance does not actually exist
as the items were returned.

Note in this example, how occurrence is similar to existence except that it relates to transactions and
events which occur rather than statement of financial position items which exist.

Potential Transaction (T)

misstatement or Balance (B) Assertion Justification
Sales transaction is Sales (T) In this case, the sales transaction is not
not recorded upon Trade debtors (B) recorded, but the goods were shipped
shipment of goods. to a customer. This means that the sales
COGS (T) Completeness
transactions listed in the Income Statement
Inventory (B) Existence
will not be complete as it does not include this
sale. It also means if the sale was on credit,
then the trade debtor is not recorded; thereby,
the amount in the Statement of Financial
Position will not be complete. As the sales
transaction is not recorded, the inventory
balance would not be reduced by the amount
of goods shipped. This means some of the
inventory listed in the Statement of Financial
Position does not exist as it was shipped to
a customer. As the sale was not recorded,
the COGS would not include the value of the
goods that were shipped to the customer, so
the value of COGS in the Income Statement
would not be complete.

As illustrated in the above example, completeness relates to both classes of transactions and events and
account balances. The completeness assertion is generally one of the hardest to test for — looking for
things that should be but are not included in the entity’s records. Completeness is particularly important
for liabilities and expenses as understatement of these items results in profits being overstated.

Potential Transaction (T)

misstatement or Balance (B) Assertion Justification
Invoice misstates Sales (T) Accuracy When there are errors in any of the input
the quantity of COGS (T) data on invoices or other source documents,
goods shipped or this directly relates to the calculation of the
Trade debtors (B) Accuracy,
incorrect pricing. dollar amounts of recorded items. Therefore,
Inventory (B) valuation and
for Statement of Financial Position items
allocation
such as trade debtors and inventory, the
relevant assertion is Accuracy, valuation and
allocation. Whereas for Income Statement
transaction accounts, such as sales and
COGS, the assertion is Accuracy.

Note how, in establishing the accuracy assertion, the auditor is concerned that the details of the
transactions under review are completely correct. It is surprising how easily small errors of detail can
arise and how significant the impact of the mistakes can be. Consider the calculation of sales revenue by
Pdf_Folio:92

92 Advanced Audit and Assurance

multiplying sales price by quantity sold. If the decimal point is left out of the sales price, it is possible that
sales revenue may be inflated by a factor of 100.
Satisfying this objective may require the exercise of audit judgment in evaluating the reliability of
estimates and the appropriateness of accounting methods. For example, some assets, such as inventory,
are required to be stated at the lower of cost and net realisable value, and many allocations, such as
depreciation or the allowance for doubtful debts, can be made with a variety of measurement methods.
In addition, related disclosures must be appropriately measured and described. Similarly, for liabilities,
estimates are involved in the calculation of the balances for a range of provisions (e.g. provision for
employee entitlements).
Cutoff tests are a special category of tests of details of transactions that are related more to the closing
balance than to transactions. At the end of the reporting period, it is much more important to ensure that
transactions are recorded on the correct date, given the impact on the financial statements, particularly
the income statement. The purpose of cutoff tests is to ensure (1) completeness (all transactions occurring
before the end of the reporting period are recorded) and (2) occurrence (transactions occurring after the
end of the reporting period are excluded). Cutoff errors can significantly affect profit; for example, goods
received before the end of the reporting period and included in inventory but not recorded in purchases
until after the end of the reporting period (as illustrated in the preceding example), will overstate profit by
the amount of the purchases (Leung et al. 2019).

Potential Transaction (T)

misstatement or Balance (B) Assertion Justification
Inventories Purchases (T) Cutoff In this situation, the inventory has been
received before received in the current period, but the
Purchases (T) Completeness
the period-end are purchases transaction has not been recorded
Inventory (B)
not recorded as until the following period. As such, the
purchases until the inventory balance in the Statement of
next period, yet Financial Position is complete as it includes
are included in the the goods received in the current period.
inventory balance. On the other hand, purchases have been
recorded in the wrong period, which relates to
the cutoff assertion, and as such, purchases
would be understated (i.e. not complete).

In establishing the classification assertion, the auditor is concerned that the correct account is used in
recording a transaction. This is not always a simple matter. Consider, for example, the decision relating to
whether certain types of overhead costs should be capitalised or expensed.
In establishing presentation, the auditor is concerned that both transactions and events, as well as
year-end accounts, are appropriately aggregated or disaggregated and clearly described. A useful way
of thinking about assertions regarding presentation is that they primarily relate to the presentations and
disclosures contained in the notes to the accounts.
In establishing rights and obligations, the auditor is concerned with obtaining evidence that recorded
assets are future economic benefits controlled by the entity and that liabilities are the future sacrifices of
economic benefits that an entity is presently obliged to make as a result of past transactions or other past
events. The auditor needs to obtain evidence that the accounting recognition is appropriate. The rights and
obligations objective usually involves procedures to provide evidence that assets in the client’s possession
that have been sold or pledged are not reported as assets.
The audit procedures used to obtain evidence of rights and obligations may include examining land tax
assessments, rate notices, title deeds, correspondence and minutes of meetings of the board of directors,
and making enquiries of the client’s management to verify ownership (see the following example).

Potential Transaction (T)

Misstatement or Balance (B) Assertion Justification
The entity may not Fixed assets (B) Rights and To meet the recognition criteria of an asset,
have rights to all obligations the entity must have legal title to the fixed
assets included in asset, that is, they have ownership rights over
the Statement of the asset.
Financial Position.

P df_Folio:93

MODULE 2 Planning the Audit of Historical Financial Information 93

 Example 2.5 demonstrates how to identify financial statement assertions relating to misstatements
detected during the audit of sales and inventory for Beta Ltd. Review example 2.5 now.

EXAMPLE 2.5

Identifying Assertions
The auditor of Beta Ltd carried out audit procedures for sales and inventory and detected the following
misstatements.
1. Some inventory items were out on consignment and were not counted during the physical inventory.
2. During the physical count, the client’s employees mistakenly counted some items twice.
3. The basis of inventory valuation was not included in the draft financial statements.
4. Included in the inventory counts were some items that were held on consignment.
5. Some inventory items were listed at cost, but the realisable value was lower.
6. It was recognised that some sales were being recorded before they were shipped.
7. The sales price recorded for sales transactions was different to that agreed with the customer. It was
found to be taken from an outdated version of the sales price file.
............................................................................................................................................................................
For each misstatement, what financial statement assertion is relevant? Justify your selection.
Check your response against the suggested answer at the end of the book.

QUESTION 2.6

Assume you are the auditor for EquipMachines Ltd, a machinery company that sells high-tech
machines for the mining industry. You are concerned about the following two issues:
1. management override of internal controls
2. possibility of some of the high-tech inventory becoming obsolete.
For each of the above issues, would the risk be considered at the financial statement level or
the assertion level? Why?

Before we introduce the concept of materiality, documentation will be briefly discussed.

DOCUMENTATION
ISA 230 Audit Documentation deals with the auditor’s responsibility to prepare audit documentation
for an audit of financial statements. ISA 230 contains mandatory requirements relating to documentation.
Audit documentation needs to:
• provide evidence that the audit was planned in accordance with applicable auditing standards and legal
and regulatory requirements
• provide evidence that the audit was performed in accordance with applicable auditing standards and
legal and regulatory requirements
• provide evidence of the auditor’s basis for a conclusion (ISA 230, para. 2).
The form, content and extent of audit documentation will vary between audits and will depend on such
factors as the nature of the audit procedures to be performed and the extent of judgment required. Little
guidance is given to the auditor regarding exactly how much documentation is required. The problem the
auditor faces is that if an issue has been considered but not documented, it may be difficult to convince
others in later inspections that the issue actually has received consideration.
For example, as stated earlier, ASIC (2019) found that in 24% of the total key audit areas reviewed in
their 2018 audit inspection program, the auditor did not document evidence of having obtained sufficient
appropriate audit evidence to provide reasonable assurance that the overall financial report was free of
material misstatement.
The engagement letter, audit plan and detailed audit program are some examples of documentation
covered so far in this module. Other examples will be covered later in this module and in the remaining
modules.

df_Folio:94
P

94 Advanced Audit and Assurance

MATERIALITY
The concept of materiality is of fundamental importance to both preparers of financial statements and
auditors. The entity makes materiality judgments when preparing the financial statements; for example,
when making decisions about the recognition, measurement, presentation and disclosure of assets,
liabilities, equity, revenue and expenses. As such, materiality is of utmost importance to the auditor, as the
auditor gathers evidence to assess whether the financial statements are true and fair or whether material
misstatements exist.
However, there are no universally agreed-upon numeric guidelines or specific criteria for determining
whether a given fact is material. Further, materiality judgments are significantly influenced by surrounding
facts and circumstances.
In general terms, audit materiality may be defined as the highest level of misstatement that, in the
auditor’s judgment, will be tolerated by the user of the financial statements. If the decision maker would
reach a different decision if that person were aware of the fact in question, then the fact is material.
For audit planning purposes, when establishing the overall audit strategy, the auditor shall determine
materiality for the financial statements as a whole (overall materiality), usually by selecting a percentage
of particular benchmarks. To reduce the risk of a number of small errors or omissions aggregating to result
in a material misstatement, the overall materiality level is reduced to calculate a performance materiality
level to apply to audit procedures. Examples of potential benchmarks are provided in ISA 320, paragraph
A5; they include, ‘profit before tax, total revenue, gross profit and total expenses, total equity or net
asset value’. Ranges of these benchmarks commonly used in practice are 5–10% of net profit before tax,
0.5–1% total revenues or 0.5–1% of total assets. When net profit before tax varies considerably between
years, benchmarks such as total revenues or gross profit are likely to be more appropriate. Generally, there
is a high level of consistency in the use of quantitative benchmarks used in practice (see Eilifsen & Messier
2015).
While some auditors use one of these benchmarks, others use a blend of them, making several
calculations on a variety of bases and then taking the average of them. Others use a sliding scale, such
as a declining percentage of total assets.
The choice of a benchmark depends on value judgments about relevance, stability and predictability.
Profit may be the most relevant base for a company with publicly traded securities. However, because
profit can fluctuate significantly from year to year, it may lack stability. Also, it is not relevant to some
entities, such as not-for-profit organisations. As different approaches to calculating materiality can result
in substantially different amounts, the auditor’s judgment in the circumstances is critical.
The amount considered material does not remain fixed after its initial calculation. The auditor may revise
this judgment based on the results of audit tests and new information as the audit progresses. The auditor’s
approach in evaluating misstatements at the completion of the audit may be considerably different. This
means the amount estimated for overall materiality should not be confused with the amount used in the
evaluation of the materiality of individual misstatements.
The auditor’s use of materiality in evaluating misstatements will be influenced by qualitative consider-
ations, additional information and the nature of the decisions to be made. Qualitative considerations, for
example, may include the nature of the transaction (such as related-party transactions or possible illegal
acts). Amounts considered not quantitatively material may be considered qualitatively material if they
affect whether a company meets forecasted earnings per share numbers.
In this situation, earnings per share forecasts are likely to be important inputs to the decisions made by
investors as not meeting these forecasts often results in adverse effects on a company’s share price.
While, in general, materiality is concerned with the highest level of misstatement that can be tolerated
and hence the financial statements still fairly presented, equal regard should be given to a number of other
factors.
• The nature of the item in question should be considered. An item could be ‘material’ because of its
nature. For example, in Australia for listed companies, a Corporations Act disclosure item has to be
disclosed (e.g. audit fees), irrespective of whether it is material in dollar amount.
• Where financial limits are prescribed, like the borrowing limits set down in trust deeds, regard should
be given to the effect of identified errors of such limits even though the errors would not otherwise be
material. The breach of such limits can have significant consequence for companies and could even lead
to a questioning of the going concern basis.
The materiality of an item in relation to the financial statements taken as a whole affects the auditor’s
judgment regarding what is sufficient appropriate audit evidence, in accordance with ISA 500 Audit
Evidence. Those figures that are most material require more evidence, both in quantity and quality.
Pdf_Folio:95

MODULE 2 Planning the Audit of Historical Financial Information 95

 We have seen that audit risk is present to a greater or lesser extent in every audit and that absolute
certainty in auditing is not attainable. The auditor is concerned that the audit examination will provide
reasonable assurance that the financial statements are not misstated to a degree of materiality which, had
they been identified, would have resulted in a modified audit opinion.
The auditor should, therefore, plan the audit to minimise the risk of failure to detect errors that, in
aggregate, exceed an acceptable degree of materiality. Obviously, the lower the degree of materiality
deemed acceptable by the auditor, the more audit work that will have to be performed.
The decision as to what constitutes an acceptable degree of materiality will vary depending on the
circumstances of each engagement. The auditor must, in the final analysis, decide on an acceptable level
of materiality using individual professional judgment. However, some guidelines are provided in ISA 320
Materiality in Planning and Performing an Audit.

APPLICATION OF MATERIALITY CONCEPTS

Materiality issues are covered in ISA 320 and ISA 450 Evaluation of Misstatements Identified during
the Audit. ISA 320 covers the auditor’s responsibility to apply the concept of materiality in planning and
performing an audit of financial statements. ISA 450 covers how materiality is applied in evaluating the
effect of identified misstatements on the audit and will be discussed further in module 3.
The concept of materiality is applied in the following situations:
• audit planning
• performing the audit
• evaluating the effect of identified misstatements on the audit and of unrecorded misstatements, if any,
on the financial statements
• in forming the opinion in the auditor’s report (ISA 320, para. 5).
Relevant to audit planning, some key actions for the auditor related to audit materiality are:
• when establishing audit strategy, determining materiality for the financial statements as a whole (overall
materiality) and in some circumstances (see ISA 320, para. 10) materiality levels for particular classes
of transactions, account balances and disclosures
• determining performance materiality (as defined in ISA 320, para. 9) for the purposes of assessing the
risk of material misstatement and determining the nature, timing and extent of further audit procedures
(ISA 320, para. 11)
• revising materiality levels when the auditor becomes aware of information during the audit that would
have changed their initial materiality estimates (ISA 320, para. 12) and to consider whether to revise
performance materiality and the nature, extent and timing of audit procedures (ISA 320, para. 13).
Determining the levels of materiality requires the exercise of professional judgment in determining an
appropriate benchmark and the percentage to be applied to the chosen benchmark (e.g. 5–10% of net profit
before tax).
Example 2.6 demonstrates the use of professional judgment to determine the overall materiality for
STW Ltd. Review this example now.

EXAMPLE 2.6

Determining the Levels of Materiality

STW Ltd’s sales are consistently around $15 million per annum. Last year, net profit before tax was
$4 million and the auditor used 5% of net profit before tax as the materiality amount (i.e. $200 000).
In the current year, the company has faced large increases in raw materials and fuel costs with the result
that net profit before tax has fallen to $300 000. If the same materiality benchmark were used as in the
previous year, materiality would be set at $15 000 (i.e. 5% of $300 000), which would be very low.
............................................................................................................................................................................
Is it appropriate for the auditor to use same the benchmark for determining overall materiality in the STW Ltd
engagement in the current year?
Check your response against the suggested answer at the end of the book.

Identifying Risks of Material Misstatement

Consider that the following two risks were identified by the auditor.
• A risk that the allowance for doubtful debts is understated. Through the information obtained by the
auditor and their industry knowledge, the auditor becomes aware that the entity does not know that a
df_Folio:96
P

96 Advanced Audit and Assurance

 large debtor may not be in a position to pay the amount they owe. This is an example of a potential
material misstatement due to error.
• A risk that fictitious sales have been included in sales revenue. It has come to the auditor’s attention that
the documentation related to certain sales close to year-end may have been falsified by management
to increase profits to the level needed to meet analyst expectations and receive related incentive
bonuses.
Having identified the first risk, the auditor would need to assess whether it relates more pervasively to the
financial statements as a whole. This error is unlikely to affect assertions besides accuracy, valuation and
allocation of trade debtors and completeness of doubtful debts expense. The auditor then needs to consider
the likelihood of misstatement and whether the magnitude is such that it will be a material misstatement.
The likelihood of multiple misstatements is relatively low given that this error is due to a specific internal
factor.
The second identified risk will affect the assertion of occurrence of sales and existence of trade debtors.
There is also some likelihood of it relating to the financial statements as a whole, given that management
fraud may exist for other financial statement amounts. There is also, given the incentives, the possibility
of multiple misstatements — that is, the auditor has seen some documents that appear to be falsified and
would likely look closely at documentation for other sales transactions.
Example 2.7 provides an illustration of issues for consideration in planning for an audit. Review the
example now.

EXAMPLE 2.7

Impacts on Overall Audit Plan

You are planning the audit of LM Ltd, a soft drink manufacturer with bottling plants throughout the world.
Each country has its own bottling plant together with an accounting and administrative centre. Each
country prepares financial data monthly and submits it to head office in Sydney. The financial data from
each country has been shown to be very accurate in previous audits. You are planning the June 20X9
audit, and it is now April 20X9.
You have identified the following facts.
1. As a result of budget cuts and reduced employee numbers in some countries, management has
expressed some concern about recent financial data it has been receiving.
2. The cost of labour has been increasing quickly in some countries with the result that proposals have
been put forward to rationalise the number of plants across the world.
3. The US bottling plant has entered into a two-year contract with a local sugar supplier to maintain a
supply of quality sugar at predetermined prices.
4. A new ‘low-carb’ soft drink accounts for more than 20% of total revenues. At a recent sporting event in
the United Kingdom, there were large numbers of customers taken to hospital after having an allergic
reaction to the drink. This reaction has been traced to a new ingredient used worldwide, and the product
has been taken off the market temporarily.
............................................................................................................................................................................
For each of the facts identified, outline the impact on the overall audit plan for the 20X9 audit of LM Ltd.
Check your response against the suggested answer at the end of the book.

QUESTION 2.7

Consider each of the listed items and describe how they affect the risk of a material misstatement.
1. Management has a poor reputation in the business community over the integrity of recent
decisions.
2. Repairs and maintenance accounts were misstated in previous audits.
3. Management lacks experience.
4. The entity is facing a cash flow problem.
5. The inventory consists of a range of expensive jewellery.
6. Taxation calculations are extremely complex.
7. The entity is a computer manufacturer.
8. Management’s rewards are heavily dependent on financial results.
9. Provisions are a material liability.

P df_Folio:97

MODULE 2 Planning the Audit of Historical Financial Information 97

 10. The company has built a number of office blocks, which it retains as investments.
11. The entity has a range of transactions that are not part of normal processes.
12. The entity has just opened a major retail outlet in the United States.

Following the discussion on applying materiality concepts to various situations, the discussion turns to
distinguishing between overall and performance materiality.

Overall vs Performance Materiality

There is a distinction between overall materiality and performance materiality. Performance materiality
takes into account that planning the audit solely to detect individual material misstatements overlooks the
following:
• the aggregate of individually immaterial misstatements may cause the financial statements to be
materially misstated
• consideration of the possibility of undetected misstatements.
For example, performance materiality means the amount:
set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately
low level the probability that the aggregate of uncorrected or undetected misstatements exceeds materiality
for the financial statements as a whole (ISA 320, para. 9).

Overall materiality refers to a limit above which the financial statements would be considered to be
materially affected by the issue or misstatement. For example, assume that the overall materiality for
the audit of a company is set at $1 000 000. Any misstatement or error that exceeds $1 000 000 will be
considered material and would affect the audit report.
Performance materiality looks at individual items that are less than overall materiality but that could,
when added together, exceed overall materiality (see ISA 320, para. 9). It is important to note that when
actually performing the audit work and carrying out tests of detail, the auditor cannot just look at amounts
that exceed $1 000 000.
Example 2.8 demonstrates when performance materiality is applicable for audit tests. Review this
example now.

EXAMPLE 2.8

Performance Materiality
You have set overall materiality for the audit of ABC Ltd at $1 000 000.
When auditing property, plant and equipment (PPE), can you just select and test assets with a balance
greater than $1 000 000?
When auditing property, plant and equipment (PPE), the auditor cannot just select and test assets with
a balance greater than $1 000 000 because individual assets with a balance less than overall materiality
may result in a material misstatement when put together. The auditor would instead use ‘performance
materiality’ to select the items to be tested.
For the audit of ABC Ltd, performance materiality has been set at $500 000. You discovered assets
included in the fixed asset register that were in fact sold. The value of the assets are $550 000 and $670 000
respectively.
Should these assets be selected for testing?
If the auditor used overall materiality when performing the audit, these assets would not have been
selected for testing as they are below the set limit of $1 000 000.
However, when performing the audit, the auditor would use performance materiality, which in this
case was set at $500 000. This would enable the auditor to discover the two assets that were below
overall materiality individually, but whose combined misstatement exceeds overall materiality (i.e. the total
misstatement of the assets is above $1 000 000).
Materiality within a specific account or transaction would focus on the individual items making up the
total account balance and on those amounts in relation to the total account balance. See example below.
Assume that while auditing the debtors, the auditor selects a debtor with an account balance of
$650 000, since it exceeds the performance materiality of $500 000. The balance may comprise a number
of transactions ranging from a $50 sale on credit up to a large $650 000 transaction. In selecting the items
to be tested within this balance, the auditor would not normally select the smaller transactions (e.g. a $50
purchase) because they would not make a difference in relation to the overall balance.
df_Folio:98
P

98 Advanced Audit and Assurance

 Next, we discuss the engagement team’s meeting to discuss the susceptibility of the entity’s financial
statements to material misstatement.

Susceptibility of the Entity’s Financial Statements to Material

Misstatement — Team Meeting
ISA 315 (Revised) requires the engagement team to discuss the susceptibility of the entity’s financial
statements to material misstatement both at the financial statement and assertion level. The material
misstatement may result from fraud or error. The aim of the discussion is to gain a better understanding of
potential fraud or errors and how they could be perpetrated. Further, it gives the more experienced members
of the audit team the opportunity to provide insights and for team members to exchange information
about business risks, including how the financial statements may be susceptible to material misstatement
(including fraud, as per ISA 240) as discussed earlier in this module.
Two key components of the preceding discussion are professional judgment and professional scepticism.
Professional judgment is required in order to decide whom to include in the discussion, how and when
the discussion occurs and its extent. In module 1, the importance of professional scepticism in planning
and performing an audit was noted. The discussion among team members should emphasise professional
scepticism, which includes being alert to information that may indicate a material misstatement and the
rigorous follow-up of these indications.
Earlier in this module, the importance of the consultation process during audit engagements was
emphasised as part of the quality control process. The discussion among the engagement team about the
susceptibility of the entity’s financial statements to material misstatement raises some specific consultation
issues because:
• it allows the team members to exchange information about business risks and about how and where the
financial statements might be susceptible to misstatement due to error or fraud — the ‘where’ refers to
where in the financial statements and the ‘how’ refers to how the error or fraud may occur (e.g. How
could management manipulate the sales figure?)
• engagement team members obtain new information throughout the audit that may affect the assessment
of risks of material misstatement, and it is important that they share this information with other team
members.
Refer to ISA 315 (Revised), paragraph A21 for further details on this discussion among engagement
team members.
Example 2.9 highlights the use of professional judgment during engagement team meetings to discuss
the susceptibility of the entity’s financial statements to material misstatement. Review this example now.

EXAMPLE 2.9

Use of Professional Judgment

Auditors responsible for organising an engagement team meeting to discuss the susceptibility of the
entity’s financial statements to material misstatement use professional judgment in making many of the
required decisions when planning this meeting.
............................................................................................................................................................................
What decisions made by the auditor responsible for organising the engagement team meeting demonstrate
the use of professional judgment?
Check your response against the suggested answer at the end of the book.

Now that the preliminary audit procedures have been discussed and the key concepts have been
explained, it is time to consider the different phases of the audit.

PHASES OF AN AUDIT
Before we begin the discussion of the first phase of an audit, it is important to emphasise that each audit is
unique. For example, risks associated with the audit of a hardware store will not be the same as the risks
associated with an audit of a mobile phone store, even though both are retailers. Risks associated with the
oil and gas industry will be different from risks associated with the computer technology industry because
of different laws and regulations that apply to each industry. Auditors must tailor their audit to be specific
to each client, but broadly speaking, once the client acceptance or continuance decision has been made,
Pdf_Folio:99

MODULE 2 Planning the Audit of Historical Financial Information 99

there are three general phases of every audit, as shown in figure 2.8. In the remainder of this module, we
focus on the phase covering planning the audit. The phase covering performing the audit will be discussed
in module 3, and the phase covering conclusions and reporting will be discussed in module 4.

FIGURE 2.8 Phases of an audit

Planning the audit Performing the audit Conclusions and reporting

Understanding the entity Perform tests of controls Audit conclusions

Internal controls Perform substantive tests Forming an opinion
Risk assessments Reporting findings
Strategic analysis
Analytical procedures
Audit data analytics
Responding to assessed risks
Overall audit strategy

The phase covering planning the audit involves gaining an understanding of the entity, performing
analytical procedures, risk assessment of internal controls, fraud risk, going concern risk, climate-related
risks, related-party risk, identifying factors that may impact the risk of a material misstatement occurring in
the financial statements, NOCLAR, performing a materiality assessment, and developing an overall audit
strategy.
The phase covering performing the audit involves the performance of detailed tests of controls and
detailed testing of transactions and account balances, called substantive testing.
The phase covering conclusions and reporting involves an evaluation of the results of the detailed testing
in light of the auditor’s understanding of the client and forming an opinion on the fair presentation of the
client’s financial statements. The auditor’s reporting obligations are also fulfilled during this phase.
ISA 300 Planning an Audit of Financial Statements requires auditors to plan the audit by assessing risk
to reduce audit risk to an acceptably low level. As described earlier, audit risk is the risk that an auditor
expresses an inappropriate audit opinion when the financial statements are materially misstated.
An auditor will perform various risk assessment procedures to ensure that appropriate attention is paid
to the accounts and transactions most at risk of being materially misstated. For example, the inventory
account at The Boeing Company has a higher risk of material misstatement than the prepaid expenses
account. Why is that? First, think about the difference in the dollar amount of the two accounts. Inventory
will most likely be the largest current asset, and prepaid expenses will be one of the smallest. Also, the
number and complexity of transactions in the inventory account will be much higher than the number of
transactions in the prepaid expenses account. Therefore, auditors should plan to devote more audit time
to the inventory account than to the prepaid expenses account. This Boeing example illustrates that the
risk assessment phase of the audit provides the opportunity to optimise efficiency and effectiveness when
conducting an audit. Efficiency refers to the amount of time spent gathering audit evidence. Effectiveness
refers to minimising audit risk.
You should also understand that the risk assessment process is an iterative process. Auditors make
preliminary risk assessments while planning the audit. Those risk assessments are later confirmed, or
refuted, when auditors perform tests of internal controls, or tests of account balances, transactions or
disclosures. On occasion, auditors might obtain information in the phase covering performing the audit
that causes them to revise their preliminary conclusions drawn during the audit planning phase. Auditors
must be open to evaluating evidence obtained at any phase of the audit and to considering its implications
for risk assessments made earlier in the audit.
Figure 2.9 provides a graphical depiction of the audit planning phase of the audit and some key concepts
that are applied during risk assessment. Once the elements of risk assessment have been considered,
auditors can develop their audit strategy (discussed earlier in this module).
Materiality, professional scepticism, audit risk and audit strategy were discussed earlier in this module,
and each of the risk assessments included in figure 2.9 will be discussed in the remaining sections of this
module. The outcome of these risk assessments will inform the audit strategy, which will be discussed
further in the final section of this module.
Pdf_Folio:100

100 Advanced Audit and Assurance

 FIGURE 2.9 Risk assessments made during the audit planning phase

Materiality Professional scepticism Audit risk

Understand the entity

and the industry
Compliance with
Fraud risk
laws and regulations

Closing procedures Client performance

Risk assessment measurement

Understand internal Analytical procedures

controls and IT

Corporate governance Related parties

Audit strategy

The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

2.1 Explain the responsibilities of management and the auditor in relation to an audit.
• The auditor is responsible for planning the audit so that it will be performed in an effective manner.
• The auditor is responsible for determining the overall audit strategy and preparing an audit plan
based on their risk assessment.
• The auditor is responsible for documenting the procedures undertaken during the audit and their
findings.
• The auditor is responsible for setting overall and performance materiality levels.
2.3 Apply the processes and procedures undertaken by auditors in planning an audit.
• Audit planning activities and procedures that need to be coordinated early in the audit process were
identified.
• As part of the planning activities, the auditor is required to establish an overall audit strategy that sets
the scope, timing and direction of the audit. This strategy guides the development of the audit plan.
• The auditor has two main alternative overall audit strategies and chooses the strategy based on an
assessment of materiality, audit risk and what constitutes sufficient appropriate audit evidence. The
strategies range from a lower assessed level of control risk approach to a predominantly substantive
testing approach.
• Auditors document a detailed plan of the audit procedures to be performed in the form of an audit
program.
• Auditors use management’s assertions embodied in the financial statements to consider the different
types of potential misstatements that may occur.
• Auditors gather evidence to assess whether the financial statements are true and fair or whether
material misstatements exist.
• Some audit firms use a rule-of-thumb approach to determine planning or overall materiality by
selecting a percentage of particular benchmarks such as 5% of profit before tax.
• The risk assessments made during the planning stage of the audit were identified in preparation for
further discussion later in the module.
• Example 2.5 demonstrated the identification of assertions relevant to audit procedures performed
for sales and inventory.
• Example 2.6 provided an example of when the overall materiality benchmark used in the previous
year may not be suitable for the current year.
P df_Folio:101

MODULE 2 Planning the Audit of Historical Financial Information 101

 • Example 2.7 provides an illustration of issues for consideration in planning for an audit.
• Example 2.8 demonstrates when performance materiality is applicable for audit tests rather than
using overall materiality.
2.6 Apply the appropriate standards that relate to audit planning.
• ISA 230 Audit Documentation specifies the auditor’s responsibility to prepare audit documentation
for an audit of financial statements.
• ISA 300 Planning an Audit of Financial Statements specifies the requirements for planning an audit
of financial statements.
• ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understand-
ing the Entity and Its Environment specifies how auditors use management’s assertions embodied
in the financial statements to consider the different types of potential misstatements that may
occur.
• ISA 320 Materiality in Planning and Performing an Audit outlines the auditor’s responsibility to apply
the concept of materiality in planning and performing an audit of financial statements.

2.4 UNDERSTANDING THE ENTITY AND

ITS ENVIRONMENT
ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understanding
the Entity and Its Environment establishes mandatory requirements and provides application and explana-
tory material to the auditor on obtaining an understanding of the entity and its environment and on assessing
the risks of material misstatement in the financial statements.
Under ISA 315 (Revised), para. 11, the understanding of the entity and its environment includes the
following aspects.
• ‘Industry, regulatory and other external factors, including the applicable financial reporting framework’
(discussed in ISA 315 (Revised), paras A25–A30).
• ‘Nature of the entity’: business operations, ownership, governance structures investments and investment
activities, financing and financing activities and financial reporting practices (discussed in ISA 315
(Revised), paras A31–A35).
• ‘The entity’s selection and application of accounting policies’ (discussed in ISA 315 (Revised),
para. A36).
• ‘Objectives and strategies and those related business risks that may result in risks of material misstate-
ment’ (discussed in ISA 315 (Revised), paras A37–A43).
• ‘Measurement and review of the entity’s financial performance’ (discussed in ISA 315 (Revised),
paras A44–A49).
These topics are discussed in the following sections.

THE ENTITY’S INDUSTRY, REGULATORY AND OTHER

EXTERNAL FACTORS
Industry Conditions
Understanding industry conditions includes understanding the market for a client’s products, the com-
petition, the client’s and competitors’ capacity relative to market conditions, and price competition. For
example, if an entity has high fixed costs and low contribution margins, and is faced with intense price
competition, the auditor should expect some financial difficulties for the entity. In high technology
industries, the auditor needs to be aware that the introduction of new technologies by competitors may
make the entity’s technology obsolete. Certain industries may also have transactions that increase the risks
of material misstatements. For example, some industries have long-term contracts that involve significant
estimates of revenues and costs that give rise to risks of material misstatements. More generally, if the
industry has weak conditions overall, there is more sensitivity from the market to bad news. This increases
pressure on management to meet targets and may, therefore, increase the risk of earnings management.
Information on the industry and economic conditions can be obtained from trade journals, industry
statistics compiled by government or private agencies, data accumulated by the audit firm, and professional
guidance statements where available.

df_Folio:102
P

102 Advanced Audit and Assurance

Regulatory Environment
The auditor should also understand the entity’s regulatory environment. The regulatory environment can
have direct economic consequences and affect accounting and disclosure requirements.
Economic consequences can arise from the government imposing (or taking away) tariffs and other trade
barriers that may have a material impact on a company. Economic consequences also arise from regulatory
approval or otherwise of certain products. For example, in the pharmaceutical industry, approval or
otherwise of products under the Therapeutic Goods Act 1989 can have significant economic consequences.
Environmental requirements affecting the industry or entity’s business, such as climate-related policies,
may have an impact. Climate-related risks are discussed later in this module under risk assessments. Other
areas affecting the regulatory environment include changes to taxation, fiscal policies and foreign exchange
controls.
ISA 250 (Revised) Consideration of Laws and Regulations in an Audit of a Financial Statements states
that the auditor must obtain a general understanding of the legal and regulatory framework applicable to
the entity and the industry and the entity’s level of compliance.
The effect of laws and regulations on financial statements varies considerably depending on whether
they have a direct or an indirect impact on the financial statements. The auditor should be aware that non-
compliance with relevant laws and regulations (NOCLAR) may materially affect the financial statements
because it may result in fines, litigation or other consequences for the entity that may have a material effect
on the financial statements (ISA 250 (Revised), para. 2).
NOCLAR is discussed further under risk assessments later in this module.

Other External Factors

The general economy and its effect on the entity’s business should also be considered by the auditor. This
includes the general level of economic activity, interest rates and the availability of financing, and the level
of inflation or currency revaluation.
For example, during the global financial crisis (GFC) that began late in 2007, operating cash flow and
capital spending deteriorated and borrowing capacity dwindled. The stock market dropped significantly,
adversely affecting investor wealth and making equity capital difficult to obtain. Companies responded
by laying off employees and restructuring. These economic conditions create circumstances that require
write-offs of trade debtors, write-downs in the value of inventory, or significant reductions in the value of
assets. These conditions increase the inherent risk of misstatements and require close examination by the
auditor.

NATURE OF THE ENTITY

Auditors should also obtain an understanding of the nature of the audit client when planning the audit. The
following discussion covers both what the auditor should understand and how the auditor would use this
knowledge in audit planning.

Business Operations
Knowledge of the entity’s business operations includes understanding such matters as the entity’s:
• business model — method of obtaining revenues (e.g. manufacturing, retailing, import–export trading,
banking, utility) (discussed in the next section)
• products or services and markets (e.g. major customers and contracts, terms of payment, profit margins,
market share, competitors, exports, pricing policies, reputation of products, warranties, back orders,
marketing strategy, objectives)
• conduct of operations (e.g. stages and methods of production, business segments, fixed vs variable costs,
details of declining or expanding operations)
• location of production facilities, warehouses and offices
• employment (e.g. wages levels, union contracts, superannuation benefits, incentive bonus programs,
government regulation relating to employment matters)
• transactions with related parties.
An auditor usually expects differing financial positions, results of operations and cash flows for
manufacturers as opposed to service entities. Companies in the airline or hotel industries, for example,
have high fixed costs, and capacity use is an important aspect of the business. The auditor of the airline
might focus on the relationship between fuel costs, employee compensation and revenues. This type of
information helps the auditor develop a knowledgeable perspective about financial amounts and disclosures
that are specific to the entity.
Pdf_Folio:103

MODULE 2 Planning the Audit of Historical Financial Information 103

 Auditors also use knowledge of the entity’s operations to identify significant inherent risks. Auditors
of manufacturing companies are usually concerned about the fairness of assertions relating to receivables
and inventories, whereas such assertions might not be significant for service companies. A bank auditor
might focus on the fairness of the entity’s loan loss reserves because of the centrality of business loans to
the bank’s business operations.
Another important aspect of understanding business operations involves obtaining knowledge of
related-party transactions. Related-party transactions are transactions between a company and its manage-
ment, principal owners, their immediate family members, and/or affiliated companies. These transactions
represent high inherent risks because they may not have the economic substance of an arm’s-length
transaction between two independent parties. ISA 550 Related Parties describes important audit procedures
that should be performed in planning an audit. Related-party risks are discussed later in this module.
The Entity’s Business Model
A business model essentially describes everything about how the business creates and delivers value
to its stakeholders. As such, there are countless different business models being used successfully by
organisations around the world. Many successful businesses adapt various elements of existing business
models, and some develop entirely new business models to respond to customer needs or changing
technology.
Any element of a business model can be improved to create competitive advantage, including aspects
relating to:
• business systems — the configuration of the organisation (its internal workings and its interactions with
suppliers and partners)
• products and services — the organisation’s product or service and approaches to distribution and pricing
• the customer experience — how the organisation interacts with its customers (Doblin 2015).
Some of the main business model innovations currently transforming the business world are next-
generation outsourcing and offshoring, the freemium model, crowdsourcing, subscription models, online
marketplaces, cloud solutions, on-demand, the gig economy and the sharing economy.
It is necessary for the auditor to develop a comprehensive understanding of the client’s business model
because it will help auditors assess the client’s business risks and the risk of material misstatements in
the financial statements. In particular, with knowledge of the way an organisation creates value and the
sustainability of its competitive advantage, the auditor is in a much better position to make professional
judgments about:
• the risks faced by the entity and the entity’s responses
• appropriate recording of transactions
• the appropriateness of assumptions underlying accounting estimates
• the valuation of assets
• the client’s ability to continue as a going concern
• the likelihood of management fraud.

Investments
Knowledge of the entity’s investing activities includes understanding the entity’s:
• capital investment activities, including investments in plant and equipment and technology and any
recent or planned changes
• acquisitions, mergers or disposals of business activities (planned or recently executed)
• investments and disposition of securities and loans
• investments in non-consolidated entities, including partnerships, joint ventures and special-purpose
entities.
A crucial decision for any business is its investment in productive assets. A forest products company is
usually concerned about its investments both in timber and timberlands and manufacturing capacity. The
company’s ability to generate revenues depends on these investments. Critical investments for technology
and pharmaceutical companies are their investments in research and development. Software companies
invest in people, and although this human capital cannot be capitalised on the balance sheet/statement
of financial position, it is nevertheless important to revenue generation. Understanding the nature of an
entity’s investments helps the auditor develop expectations of financial statement amounts and disclosures.
In an environment where public companies are under significant pressure to perform, an auditor should
understand the relationships between productive assets and a company’s revenues and cost. It is essential
for auditors to understand the economic drivers of financial results. For example, technology companies
might spend very large amounts of money on a manufacturing line for a product that might have a useful
Pdf_Folio:104

104 Advanced Audit and Assurance

life of 18 to 24 months. This understanding is critical for estimating depreciation expense and matching
expenses with revenues.
Financing
Knowledge of the entity’s financing activities includes understanding the entity’s:
• debt structure, including covenants, restrictions, guarantees and off-balance-sheet financing arrange-
ments
• group structure — major subsidiaries and associated entities, including consolidated and non-
consolidated structures
• leasing of property, plant and equipment for use in the business
• beneficial owners
• use of derivative financial instruments.
Decisions about the acquisition and financing of productive assets go hand in hand. Many companies
now use complex transactions with related companies, along with intricate operating agreements to
accomplish both specific financial reporting and operating objectives. The use of special-purpose entities or
variable-interest entities to structure the use of assets and keep debt off the statement of financial position
is a significant inherent risk for auditors of both public and private companies. Sophisticated financing
structures may increase the risk of misapplication of applicable accounting standards.
During good economic times, companies might commit to financial guarantees that seem to be only a
remote possibility. During an economic downturn, however, the need to make good on guarantees might
become a reality. Auditors should be alert to the violation of debt covenants or events that might trigger
guarantees, for such events might raise substantial doubt about an entity’s ability to continue as a going
concern.

THE ENTITY’S SELECTION AND APPLICATION OF

ACCOUNTING POLICIES
Knowledge of the entity’s business operations may influence the selection and application of accounting
policies. For example, the terms and conditions of sales made in the normal course of business will
influence revenue recognition principles. The extent to which an airline offers frequent flyer benefits
influences the application of accounting for frequent flyer liabilities. Finally, the expected product life
cycle, which can be very short for some technology companies, will influence the useful life of related
manufacturing equipment.
It is important that the auditor should evaluate the accounting policies selected by the entity to ensure
that they are appropriate for the business and also consistent with the industry. The airline industry, for
example, has specific accounting practices for accounting for the liability associated with frequent flyer
benefits. The software industry has specific industry practices associated with the question of when the
costs of developing software should be capitalised rather than expensed. This understanding is essential for
developing a knowledgeable perspective about the entity’s accounting practices and whether they present
fairly in accordance with applicable accounting standards.
In obtaining the understanding of accounting policies, the auditor should be aware of the methods to
account for significant and unusual transactions and also those in areas where there is limited guidance.
The auditor should also carefully evaluate any changes proposed to accounting policies.
We will now consider the gathering and use of knowledge about the entity’s objectives, strategies and
related business risks for the purpose of understanding the entity and its environment.

THE ENTITY’S OBJECTIVES, STRATEGIES AND RELATED

BUSINESS RISKS
ISA 315 (Revised) defines business risk as ‘a risk resulting from significant conditions, events, cir-
cumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives
and execute its strategies, or from the setting of inappropriate objectives and strategies’ (para. 4). The
importance of understanding strategy is outlined in ISA 315 (Revised), para. 11, which requires an
understanding of ‘the entity’s objectives and strategies, and those related business risks that may result
in material misstatement’ (ISA 315 (Revised), para. 11d).

Pdf_Folio:105

MODULE 2 Planning the Audit of Historical Financial Information 105

 Paragraph 11(d) of ISA 315 (Revised) states that the auditor shall evaluate an entity’s objectives,
strategies and related business risks in order to obtain an understanding of whether they are associated
with risks of material misstatement.
These terms are defined as follows.
• An entity’s objectives are the overall plans for the entity as defined by those charged with governance
and management.
• An entity’s strategies are the operational approaches by which management intends to achieve its
objectives.
• Business risks result from significant conditions, events, circumstances, actions or inactions that could
adversely affect the entity’s ability to achieve its objectives and execute its strategies, or from the setting
of inappropriate objectives and strategies.
Some matters the auditor may consider in the evaluations include:
• industry developments (e.g. a possible business risk may be that in a changing industry, the entity may
not have the appropriate personnel or expertise to deal with the changes)
• new products and services (e.g. a possible business risk may relate to whether the new products and
services are accepted in the market)
• expansion of the business (e.g. a potential business risk might be that the estimated demand associated
with the expansion has not been accurately estimated)
• current and prospective financing requirements (e.g. a business risk is loss of financing because of
inability to meet debt covenant requirements).
Business risk is broader than simply examining the entity for the risk of material misstatements.
However, business risk includes the risk of material misstatements. The requirements on auditors for
evaluation of an entity’s objectives and strategies and related business risks is only to the extent that these
may result in material misstatement of the financial statements.
To illustrate the relationship between business risks and risk of material misstatement, consider
the following valuation assertion example. Assume a client’s competitive advantage relies heavily on
continually creating innovative products and, as a result, their ability to charge higher prices than their
competitor. The auditor would monitor rates of innovation and, potentially, customer satisfaction with
products compared to those of the competitor. If the level of innovation falls behind that of the competitor,
then there will be an increased risk related to the accuracy, valuation and allocation assertion for both
equipment and trade debtors. This relationship is illustrated in figure 2.10.
An understanding of the business risk increases the likelihood of identifying risks of material mis-
statement. Most business risks eventually have financial consequences that affect the financial statements.
However, these effects may not be immediate, and they may not result in material misstatement.

FIGURE 2.10 The interrelationship of business risk and audit risk

Inherent risk: The

chance of
misstatement if no
Business risk: Risk internal controls
Risk of material
that an event or Could prevent it
misstatement:
action could lead to The financial
adversely affect a Control risk: The risk
statements could
company's ability to that the company's
be materially
achieve its internal controls will
misstated
objectives not prevent or detect Audit risk: The risk
and correct that the auditor
misstatements gives an inappropriate
audit opinion on
Inverse financial information
relationship that is materially
misstated
Detection risk: The
risk that substantive
procedures will not
detect a
misstatement

Source: Leung et al. 2018, p. 254.

Pdf_Folio:106

106 Advanced Audit and Assurance

 QUESTION 2.8

What is the relationship between business risk and the risk of material misstatement?

Example 2.10 provides an opportunity to identify specific business risks faced by an entity. Review the
example now.

EXAMPLE 2.10

Identifying Business Risks

A business risk approach recognises that most business risks will eventually have financial consequences
and have an effect on the financial statements. The auditor identifies the risks that the business faces and
is then able to identify any corresponding audit risk. The approach allows the auditor to gain a greater
understanding of the business and the overall risks it faces and, therefore, increases the likelihood of
identifying the risks of material misstatement of the financial statements.
The following facts relate to Sporty Pty Ltd.
1. Sporty operates fitness centres across Australia.
2. The company is owned by the five directors who have financed the purchase of shares by taking out
personal loans which are secured on their homes.
3. The directors aim to expand the business and then float the company on the ASX.
4. The strategy involves charging lower prices than their competitors in order to attract new members.
5. The directors are expanding by buying out small independent fitness clubs.
6. The purchase and refurbishment of the new clubs are financed by bank loans.
............................................................................................................................................................................
Identify the specific business risks faced by Sporty Pty Ltd.
Check your response against the suggested answer at the end of the book.

Appendix 2 of ISA 315 (Revised) provides a detailed list of conditions and events that may indicate
risks of material misstatement. Read Appendix 2 ‘Conditions and Events That May Indicate Risks of
Material Misstatement’ of ISA 315 (Revised) to gain an understanding of the conditions and events that
may indicate a risk of material misstatement.
A proposed revision of ISA 315 (Revised) is expected to become effective for audits of financial
statements for periods beginning on or after 15 December 2020. This update was deemed necessary
to modernise the standard for changes in a continually evolving environment. In particular, changes to
improve guidance have been made to:
• promote a deeper understanding of the entity’s business model
• explicitly acknowledge how auditors may use automated tools and techniques, such as data analytics,
to perform risk assessment procedures
• enhance the auditor’s required understanding of the entity’s use of information technology for financial
reporting (IAASB 2018).
Later in this module, the various techniques used in understanding a client’s business are discussed in
detail.

QUESTION 2.9

Your client is a manufacturer of golf equipment accessories, including golf bags, golf buggies
and various attachments (e.g. water-bottle holders, scorecard holders). The year 20X9 has been
particularly profitable with the introduction of a golf bag with wheels attached that has proven
extremely popular with travellers. Suggest some potential business risks faced by the client.

P df_Folio:107

MODULE 2 Planning the Audit of Historical Financial Information 107

MEASUREMENT AND REVIEW OF THE ENTITY’S FINANCIAL
PERFORMANCE
Auditing standards also require auditors to obtain an understanding of the measurement and review of
the entity’s financial performance, including both internal and external measures. Such measures might
include:
• key ratios and operating statistics
• key performance indicators
• employee performance measures and incentive compensation plans
• industry trends
• the use of forecasts, budgets and variance analysis
• analyst reports and credit rating reports.
A company might use a variety of financial and non-financial measures to monitor performance. Today,
many companies measure the efficiency of the manufacturing process by comparing the quantity of
raw material used to the quantity of finished goods produced, the labour hours involved in producing
finished goods, and materials and labour variances. In addition, they might monitor the effectiveness of
the manufacturing process using quality control statistics or measures of the amount of rework required to
meet standards. This information is essential for developing a knowledgeable perspective about reported
amounts for inventory and cost of sales.
Many performance measures are produced by the entity’s information system. If management assumes
that data used for reviewing the entity’s performance are accurate without having a basis for that
assumption, errors may exist in the information, potentially leading management (or the auditor using
the same information) to incorrect conclusions about performance. If the auditor uses management’s
performance measures to form an audit conclusion (e.g. in performing analytical procedures), they should
consider the reliability of the information system that produces the measure and whether the measure is
sufficiently precise to detect material misstatements.
Management and auditors use performance measure information in different ways. When reported
measures differ from management’s expectations, management may take corrective action to improve the
entity’s performance. For example, poor inventory turnover might cause a company to offer more attractive
pricing in order to sell inventory. However, the auditor should consider whether a deviation in performance
measures might indicate a risk of misstatement in underlying financial information. A decline in inventory
turnover might mean that certain manufacturing costs are being capitalised as part of inventory rather than
being expensed. Deviations from expected performance measures are critical when assessing the inherent
risk associated with financial statement assertions.
Auditors are required to perform analytical procedures in planning the audit, which will usually involve
the use of management performance measures. Analytical procedures are discussed later in this module.
Following procedures performed to understand the entity and its environment, the auditor is required to
obtain an understanding of internal controls relevant to the audit. This topic is discussed in the next section.
The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

2.1 Explain the responsibilities of management and the auditor in relation to an audit.
• The auditor is responsible for obtaining an understanding of the entity and its environment, including
its industry, regulatory and economic factors; nature of the entity; the entity’s selection and
application of accounting policies; the entity’s objectives, strategies and related business risks; and
measurement and review of the entity’s financial performance.
2.3 Apply the processes and procedures undertaken by auditors in planning an audit.
• Auditors obtain an understanding of the entity and its environment to enable them to plan the audit.
2.6 Apply the appropriate standards that relate to audit planning.
• ISA 250 (Revised) Consideration of Laws and Regulations in an Audit of a Financial Statements states
that the auditor must obtain a general understanding of the legal and regulatory framework applicable
to the entity and the industry and the entity’s level of compliance.
• ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understand-
ing the Entity and Its Environment establishes mandatory requirements and provides application and
explanatory material to the auditor on obtaining an understanding of the entity and its environment
and on assessing the risks of material misstatement in the financial statements.

df_Folio:108
P

108 Advanced Audit and Assurance

2.5 THE ENTITY’S INTERNAL CONTROLS
ISA 315 (Revised), para. 12, requires that ‘the auditor shall obtain an understanding of internal control
relevant to the audit’. This understanding of internal control is used by the auditor to identify ‘types of
potential misstatements and factors that affect the risks of material misstatement, and in designing the
nature, timing and extent of further audit procedures’ (ISA 315 (Revised), para. A50).
Internal control consists of five components, as shown in figure 2.11 (ISA 315 (Revised), para. A59).

FIGURE 2.11 Internal control components

ol
ntr t
Co nmen ass Ris
es k
iro sm
v
en en

and communicatio
Information sys
Financial Reporting
Objectives

tem
n
s
M
on l
it o t ro
rin
g C o n iti e s
iv
a ct

Source: IFAC 2018b, p. 113.

The requirements for each of these five components are covered in ISA 315 (Revised), paragraphs
14–24 with the relevant application and explanatory material in ISA 315 (Revised), paragraphs
A77–A121. You should read these sections now.
The ISA 315 (Revised) paragraphs outline certain requirements of which an auditor must have an
understanding. These are:
• the control environment, including evaluating whether management has created and maintained a culture
of honesty and ethical behaviour and the appropriateness of the control environment (ISA 315 (Revised),
para. 14)
• whether the entity has a process for:
– identifying business risks relevant to financial reporting objectives
– estimating the significance of the risks
– assessing the likelihood of their occurrence
– deciding the actions to address these risks (ISA 315 (Revised), para. 15) — various different actions
are required by the auditor depending on whether the entity has established such a process (ISA 315
(Revised), paras 16–17)
• an understanding of the information system — including the related business processes — related to
financial reporting (ISA 315 (Revised), paras 18–19)
• an understanding of control activities relevant to the audit, which are the ones the auditor judges to be
necessary to understand in order to assess the risks of material misstatement at the assertion level, and
design further audit procedures responsive to those assessed risks (ISA 315 (Revised), para. 20), and an
understanding of how the entity has responded to risks arising from IT (ISA 315 (Revised), para. 21)
• an understanding of the major activities that the entity uses to monitor internal control over financial
reporting (ISA 315 (Revised), para. 22)
Pdf_Folio:109

MODULE 2 Planning the Audit of Historical Financial Information 109

• where internal audit exists, an understanding of the nature of internal audit responsibilities, reporting
structure and activities performed (ISA 315 (Revised), para. 23)
• an understanding of the sources of information used in the entity’s monitoring activities (ISA 315
(Revised), para. 24).
The components of internal control are discussed next.

COMPONENTS OF INTERNAL CONTROL

Internal control consists of five components (ISA 315 (Revised), para. A59): control environment, the
entity’s risk assessment process, information system, control activities and monitoring of controls.

Control Environment
The control environment sets the tone of an organisation. It ‘includes the governance and management
functions and the attitudes, awareness and actions of those charged with governance and manage-
ment concerning the entity’s internal control and its importance in the entity’ (ISA 315 (Revised),
paras A77–A78).
The tone of an organisation influences the control-consciousness of its people. Some elements of an
entity’s control environment have a pervasive effect on assessing the risks of material misstatement. For
example, an entity’s control-consciousness is influenced significantly by those charged with governance,
because one of their roles is to counterbalance pressures on management in relation to financial reporting
that may arise from market demands or remuneration schemes.
It is important that management, overseen by the board of directors, places a strong emphasis on
fraud prevention and fraud deterrence. Fraud prevention is enhanced by management establishing and
maintaining internal control, overseen by the board, including controls relevant to achieving financial
reporting quality. The importance of the ‘tone at the top’ in creating a culture of honesty and ethical
behaviour cannot be overestimated.
The auditor considers the following in evaluating the design of the entity’s control environment.
• Communication and enforcement of integrity and ethical values. Examples include the existence and
implementation of codes of conduct and other policies regarding acceptable business practice, conflicts
of interest, or expected standards of ethical and moral behaviour.
• Commitment to competence. Examples include job descriptions or other means of defining tasks that
comprise particular jobs; staff selection procedures.
• Participation by those charged with governance. Examples include the independence of the board from
management so that necessary, or even difficult and probing, questions are raised.
• Management’s philosophy and operating style. Examples include the nature of business risks accepted
and the attitudes and actions towards financial reporting, including the aggressiveness of the choice of
accounting policies.
• Organisational structure. Examples include the appropriateness of the entity’s organisational structure
and its ability to provide the necessary information flow to inform managers.
• Assignment of authority and responsibility. Examples include the assignment of responsibility and
delegation of authority throughout the organisation.
• Human resource policies and practices. Examples include the extent to which policies and procedures
for hiring, training, promoting and compensating employees are in place (ISA 315 (Revised), para. A78).

The Entity’s Risk Assessment Process

In evaluating the entity’s risk assessment process it is important to consider the adequacy of the mechanism
for identifying risks arising from both external and internal sources and the thoroughness of the risk
analysis process, including estimating the significance of the risks, the likelihood of them occurring and
determining needed action (ISA 315 (Revised), paras 15–17). Techniques such as SWOT analysis and data
analytics are very useful for identifying risks.
The use of technology and data analytics in an increasingly complex and high-volume data environment
provides opportunities for auditors to obtain a more effective and robust understanding of the entity and its
environment, thereby enhancing the quality of the auditor’s risk assessment and response (IAASB 2016).
This deeper understanding of the entity and its environment should improve the auditor’s ability to apply
professional scepticism and professional judgment during the audit.

Pdf_Folio:110

110 Advanced Audit and Assurance

Information System and Communication
The information system relevant to financial reporting objectives (which includes the accounting system)
consists of procedures and records to initiate, record, process and report entity transactions and maintain
accountability for the related assets and liabilities (see ISA 315 (Revised), paras A90–A92) (Leung et al.
2019).
A major focus of the accounting system is on transactions. Transactions consist of exchanges of assets
and services between an entity and outside parties, as well as the transfer or use of assets and services
within an entity. It follows that a major focus of control policies and procedures related to the accounting
system is that transactions are handled in such a way that the financial statements are presented fairly in
accordance with accounting standards.
An effective accounting system should provide a complete audit trail or transaction trail for each
transaction. An audit trail is a chain of evidence from initiating a transaction to its recording in the general
ledger and financial statements (Leung et al. 2019).
A key component of a successful information system is effective communication. Both internal and
external communication needs to be communicated on a timely basis to ensure information can be used in
decision making and to facilitate the functioning of internal control.
Refer to ISA 315 (Revised), paragraphs A90–A95 for further discussions on these items.
As outlined in module 1, some entities are considering using blockchain-based accounting systems. In
the next section, we briefly look at some of the benefits associated with using this innovative technology.
Blockchain — Capturing all the Data all the Time
Blockchain-based accounting systems could greatly expand the scope and quality of the information able to
be captured within accounting systems. As a distributed, tamperproof ledger, a well-designed blockchain
doesn’t just cut out intermediaries, reduce costs, and increase speed and reach. It also offers greater
transparency and traceability for many business processes.
Smart contracts hosted in a blockchain give rise to the ability to invoke and record the transactions
automatically. The automated nature of record keeping reduces the costs and risks of errors or fraud
encountered in manual record keeping and also reduces the associated costs (Carlin 2018).
By capturing each transaction, and all relevant supporting documents and associated data in timestamped
records in the blockchain, the entire life of every accounting incident can be captured. Entire business
processes — including accounting processes, but also numerous other dealings, such as the supply
chain — spanning over multiple departments or companies, become easily traceable (Andersen 2016;
O’Leary 2017).

Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out
and include those listed here.
• Authorisation. Examples include the level of management with authority to authorise expenses to a
particular level to ensure that only authorised purchases are made. Other examples include controls
to ensure that goods are not shipped to a customer with bad credit risk or that goods are not shipped
to a customer if the invoice value is greater than the approved credit limit without authorisation of
management as there would be a high risk of non-payment for goods.
• Performance reviews. Examples include actual performance versus budgets, forecasts, prior periods and
competitors; major initiatives are tracked to measure the extent to which targets are being reached.
• Information processing. Examples include controls performed to check accuracy, completeness and
authorisation of transactions; a customer’s order is only accepted after reference to an approved customer
file and credit limit.
• Physical controls. Examples include that equipment, inventories, cash and other assets are secured
physically, such as in a secure location.
• Segregation of duties. Examples include division of duties among different people to reduce the risk of
error; responsibilities for authorising transactions, recording transactions and handling the related asset
are segregated.
Refer to ISA 315 (Revised), paragraphs A99–A104 for a discussion of which control activities are
relevant to the auditor.

Pdf_Folio:111

MODULE 2 Planning the Audit of Historical Financial Information 111

Monitoring of Controls
Monitoring assesses the quality of a system’s performance over time. It involves assessing the design and
operation of the controls on a timely basis. Necessary corrective action may need to be taken for changes in
conditions. Monitoring is used to ensure that the internal controls continue to operate effectively (ISA 315
(Revised), paras A110–A111). Examples of ongoing monitoring activities include regular management
of supervisory activities, communication from external parties that corroborates internally generated
information (e.g. a client paying an invoice indicates the invoice is likely to be correct) and comparison of
records with physical assets (e.g. inventory stocktake).

QUESTION 2.10

Discuss the main factors that may result in an internal control system failing.

Following the discussion of the components of internal control, we look briefly at internal controls in
SMEs before taking a closer look at controls in an IT environment.

INTERNAL CONTROLS IN SMEs

The information system and related business processes and internal controls in SMEs are likely to be less
sophisticated than in larger businesses. SMEs may not need such extensive descriptions of accounting
procedures, sophisticated accounting records, or written policies. Understanding the entity’s information
system relevant to financial reporting may, therefore, be easier in an audit of small businesses, but remains
important (ISA 315 (Revised), para. A96).
The auditor of an SME must consider the following potentially unique characteristics of SMEs in the
conduct of the audit:
• concentration of ownership or operational control in one or a few individuals creating a potential
situation of owner/manager dominance
• limited segregation of duties
• greater potential for management override of the internal control structure
• management personnel or employees with limited accounting knowledge
• an inactive or ineffective governing body (e.g. a board of directors)
• clerical and administrative personnel with easy access to assets and systems
• record-keeping systems that are often informal
• inadequate documentation of transactions.
In SMEs, segregation of duties is extremely difficult. Controls are often of an informal nature, the
most effective control frequently being the owner/manager’s knowledge and constant involvement in
the business itself. They are usually in a position to better monitor and control the business’s internal
controls and operations. However, there are differences of opinion as to whether auditors should rely on
owner/manager controls. While some auditors consider that reliance on owner/manager controls is justified
because of the owner/manager’s intimate knowledge of the business, others consider that such controls
should not be relied upon due to the potential for management override. In evaluating owner/manager
controls, the auditor needs to:
• consider whether each control upon which reliance will be placed is adequately designed to meet the
control objective
• ascertain whether the control procedure performed by the owner/manager represents an incompatible
function
• assess the risk of management override of the control procedure.
The issue of management involvement and override needs to be considered when assessing risks. While
the potential for management override exists in all businesses, it is likely to be easier to initiate and more
difficult to detect when there are fewer employees. From an audit viewpoint, this does not mean that
the SME is unauditable, but rather, that the auditor must take into account management override in the
assessment of audit risk (ISA 315 (Revised), paras A57–A58).
Many SMEs fail because management has not recognised the importance of accurate and reliable
accounting and cash flow information and budgetary controls. If the management or proprietors of a SME
have a very casual attitude towards internal control, this attitude may well render the entity unauditable.
df_Folio:112
P

112 Advanced Audit and Assurance

In these cases, the auditor should be alert to such situations by performing investigative procedures prior to
accepting an audit engagement. However, if these situations are encountered during the audit, the terms of
the engagement should be re-evaluated, and the auditor should consider whether an opinion on the financial
statements can be expressed.
Some of the areas to which the auditor needs to pay particular attention include:
• unrecorded revenues and expenses
• overstated/understated assets and liabilities
• related-party transactions
• large complex transactions near balance sheet date.

QUESTION 2.11

A SME has an insufficient number of employees to permit segregation of incompatible duties.

How could effectiveness of internal control over employee activities be best enhanced in this
situation?

CONTROLS IN AN IT ENVIRONMENT
The IT environment influences the internal control and the procedures adopted by an entity. The following
seven factors explain why.
1. There is a breakdown of the traditional division of duties between personnel and departments and
a concentration of the recording, processing and control functions within the IT department. This
concentration of functions has resulted in a greater reliance being placed on program controls, including
authorisation of transactions, by users to ensure the reliability of IT outputs.
2. The human scrutiny and checking inherent in manual systems disappears. This loss of human involve-
ment, coupled with the lack of visible evidence in IT, may reduce the potential to detect errors and
increase the potential for individuals to gain unauthorised access to information and assets or alter
information to the detriment of the entity.
3. The concentration of system expertise and control within the IT department, coupled with the
concentration of computer resources in one of a few locations within the entity, may increase the
potential risk of fraud or error and make detection difficult.
4. The partial or complete loss of traditional audit trails, as well as the temporary nature of such audit
trails in IT and the absence of source documents and visible output, will have a direct bearing on the
auditor’s assessment of the risks of material misstatements.
5. Access to computer programs and data files by multiple users increases the potential for unauthorised
access to, and alteration of, data and programs in the absence of appropriate controls.
6. IT ensures that all transactions entered are subject to the same processing procedures, thus increasing
the reliability of the system through the reduction of random errors. Poor programming, however, may
result in the occurrence of systematic errors, the effect of which can be greater than random errors if
not discovered.
7. IT may be designed to permit the single transaction update of multiple or database computer files as
well as the automatic initiation and execution of transactions. A risk is that an error in one data item
can potentially affect a number of different applications across the entity.

Types of Controls
Controls over IT systems are effective when they maintain the integrity of information and the security of
the data, such as systems process, and include effective general IT controls and application controls (ISA
315 (Revised), para. A107).
General IT controls refer to the overall controls an entity has over its entire IT environment. These
controls affect all applications processed by the IT department. The purpose of general IT controls is to
establish a framework of overall control of the IT activities and to provide a reasonable level of assurance
that the overall objectives of internal control are achieved.
Application controls refer to controls that are specific to individual accounting applications — that
is, they relate to, and are unique to, particular accounting systems (e.g. debtors, creditors, payroll and
inventory). The purpose of IT application controls is to establish specific control procedures over the
Pdf_Folio:113

MODULE 2 Planning the Audit of Historical Financial Information 113

accounting applications in order to provide reasonable assurance that transactions are authorised and
recorded and are processed completely, accurately and on a timely basis.
In addition to general and application controls, the auditor should be aware of manual follow-up
procedures for the transactions identified by application controls and user controls directly relating to
assertions. Figure 2.12 illustrates the important audit strategies for performing tests of controls when
accounting and control systems rely extensively on IT.

FIGURE 2.12 Overview of computer controls

Input

Computer processing
Computer general and programmed
control procedures application control
procedures

Output of processed
Exception reports
transactions and reports

User controls
Manual follow-up
over assertions

Source: Leung et al. 2018, p. 369.

The integrity of the system output and financial statement representations depends on the effectiveness
of general controls. Because of the pervasive impact of general controls, significant weaknesses in general
controls may affect the reliability of application controls due to the potential risk of undetected fraud or
error in processing transactions.

General Controls
Organisational and management controls are designed to establish the:
• organisational structure of IT activities
• policies and procedures necessary to ensure the performance of duties
• segregation of incompatible functions.
In an IT environment, it is important to separate the systems development, systems maintenance,
database administration and operating functions. The IT department should be:
1. independent of the functions of initiating or authorising transactions and maintaining custody of assets
— it should not change or correct data that originated outside the department
2. segregated and separated from other user departments — there should be clearly defined lines of
authority and responsibility between IT personnel.
In the case of small IT installations, such as in a small business environment, it may not be possible
to achieve a satisfactory segregation of duties. If any degree of segregation can be achieved, however,
it should be between programming and operations. Adequate supervision may compensate for a lack of
segregation of duties.
Systems development and program maintenance controls are designed to establish control over:
• program changes
• the conversion, testing, implementation and documentation of new or revised systems, and access to
system documentation
• the authorisation and approval of new or revised IT systems
Pdf_Folio:114

114 Advanced Audit and Assurance

• adherence to a formal development process that ensures system design standards, programming
standards and documentation standards are met.
Program changes are of particular interest to the auditor, as data may be lost or altered when a new
program is introduced. The objectives of program change controls are to ensure that all changes to
programs are properly approved and authorised and that all authorised changes are completed, tested and
correctly implemented. Users should participate in authorising, testing and approving the implementation
of program changes.
Computer operation controls are designed to ensure the proper operation of systems by operators.
More specifically, they are designed to ensure that IT systems are used for authorised purposes only,
that access to computer operations is restricted to authorised personnel and that errors are detected during
processing.
Operator activity should be appropriately restricted and/or monitored (e.g. through access control
software), responsibilities for operational duties should be clearly defined, all operating tasks should be
scheduled, and operator logs should be reviewed and compared to schedules. Only authorised work should
be scheduled and run. Computer access should be controlled by the use of passwords. Physical access
should be controlled, for example, by the use of security keys and identification cards. Where the security
of physical access becomes more critical, organisations have the opportunity to use other physical controls
such as fingerprints, and voice and eye identification systems.
System software relates to operating systems that are designed to translate program languages into
machine-readable form, allocate computer resources to users and applications, and manage job scheduling
and multiprocessing. The operating system should protect itself from users, and users from each other and
themselves as well as other influences, such as environmental factors.
Examples of system software controls include restricting access to system software and related docu-
mentation to authorised personnel through the control of access privileges and passwords. System software
changes should be controlled by a formal system of authorisation, approval, testing, implementation and
documentation. Monitoring keystrokes, events and modifications to system software through the use of
software logs would help to provide an audit trail.
Data entry and program controls are concerned with the authorisation of transactions entered into the
system (inputs should be received on a timely basis and reviewed to ensure they are from an authorised
source) and restricting access to:
• data and programs to authorised personnel only
• terminals and other computer hardware to only authorised individuals, computer operators and super-
visors
• files and library
• documentation.
Access may be controlled by physical or electronic means such as security guards and automated key
cards.

Other General IT Controls

To maintain continuity of operations, management should ensure that the entity has adequate backup and
recovery procedures, physical safeguards against loss or destruction and contingency plans.
1. Backup and recovery procedures. Adequate procedures should be in place to enable restoration of the
availability and integrity of applications and data in the event of a system or application failure. A
disaster recovery plan should clearly document the actions to be taken before, during and after a disaster.
2. Physical safeguards. The proper construction of the computer centre can reduce the risk of damage
from security or environmental hazards. Appropriate measures for protecting the physical environment
include having fire-detection and suppression equipment, alarms to detect problems and strong rooms
with restricted access.
3. Contingency plans. The continuity of computer and related business functions should be protected
against unscheduled interruptions by adequate contingency plans for disaster recovery, which include
provisions in the event of complete loss of central site computer facilities.
IT Controls and Cloud Computing
In recent years there has been widespread usage of cloud computing. While it provides many benefits,
such as scalability, flexibility and lower capital investment; it introduces major risks that organisations
need to manage. For example, risks relating to the availability, confidentiality and integrity of the entity’s
information.
Pdf_Folio:115

MODULE 2 Planning the Audit of Historical Financial Information 115

 Cloud computing technology is deployed in four general types, based on the level of ownership and
technical architectures. These include public cloud, private cloud, hybrid cloud and community cloud.
The service delivery is grouped into specific categories: infrastructure as a service (IaaS), platform as
a service (PaaS) and software as a service (SaaS). Each of these categories requires a different level of
responsibility for the cloud vendor and the entity. However, the entity needs to have robust internal controls
in place regardless of the level of control it has over the data.
Auditors need to remember that although the responsibility for performing IT controls can be out-
sourced, accountability always remains with the auditor’s client. Cloud computing service providers have
the expertise required to maintain controls over the stored data and to keep pace with the changing
environment. Most cloud computing service providers offer security as part of their service packages.
Auditors need to identify all systems relevant to the financial audit, including any operational and
financial systems — regardless of whether they are on-site or in the cloud — and any interfaces that
relay the information between them (Zaher 2018). Auditors need to determine the impact on the audit as
‘moving to the cloud can introduce risks with the integrity of data, the accuracy of reports, susceptibility
to fraud or cyber attack, segregation of duties, the availability of records, and even compliance’ (Zaher
2018).
Deloitte (2014b, p. 17) recommends using a risk-based approach to understanding and managing the
various cloud models and the related threats and risks. These risks include:
• evaluating service delivery risks — virtualisation risks and IaaS, PaaS and SaaS risks
• understanding deployment risks — general types (public, private, hybrid and community)
• evaluating business model risks — cloud consumer and provider risks
• performing an analysis of the security risks.
Key considerations relating to cloud computing security risks include (ACSC 2019):
• maintaining availability and business functionality (e.g. vendor’s disaster recovery plan, client’s backup
plan, impact of outages, data integrity and availability and data restoration)
• protecting data from unauthorised access by a third party (e.g. sensitivity of data, legislative obligations,
data encryption and data ownership)
• protecting data from unauthorised access by the vendor’s customers (e.g. customer segregation,
dedicated servers and media sanitisation)
• protecting data from unauthorised access by rogue vendor employees (e.g. data encryption key
management, visitors to data centre, vetting and auditing vendor’s employees and physical tampering
by vendor’s employees)
• handling security incidents (e.g. timely vendor support, access to logs, data spills).
Digital content, such as videos and interactive activities in the e-text, support this module. You can
access this content on My Online Learning.
Example 2.11 deals with the identification and purpose of controls adopted by Acme Ltd, which is
planning to computerise its payroll system. Review the example now.

EXAMPLE 2.11

General Controls
Acme Ltd is planning to update its accounting system. Computer hardware will be purchased from a
national vendor. Software will be written by members of the organisation’s IT staff. The update of the
accounting system will take place in phases, with the payroll function being completed first.
The payroll system functions in the following sequence.
• An employee’s immediate supervisor reviews and approves timesheets.
• The timesheets are sent to the payroll department where they are reviewed for completeness and
obvious errors.
• The timesheet data is converted into a transaction file for uploading into the payroll system.
• The transaction file is uploaded to the payroll system.
• Outputs include:
– online payment details
– a payroll journal
– payroll summary
– error listings.

df_Folio:116
P

116 Advanced Audit and Assurance

 The four general control categories covering the development and operation of this IT system are
1) organisational; 2) system development; 3) operations; and 4) data processing.
............................................................................................................................................................................
For each general control category listed above, outline the:
1. specific control(s) required
2. purpose that each control serves
3. techniques that would be used to assess each control.
Check your response against the suggested answer at the end of the book.
Source: Adapted from the CIA exam of Institute of Internal Auditors, United States.

Application Controls
The purpose of application controls is to provide reasonable assurance that transactions are appropriately
authorised and recorded, and are processed accurately, completely and in a timely manner and that incorrect
transactions are rejected, corrected and resubmitted. Application controls include controls over:
• input
• processing and computer files
• output.
Prior to relying on the general and application controls, the auditor should conduct a preliminary
evaluation of the controls to determine whether they are effective and efficient. Weakness in the general
controls may preclude reliance on application controls.
Input Controls
Input controls are designed to provide reasonable assurance that:
• transactions are authorised, and accurately and completely converted into machine-readable form, that
is, not lost, added to, duplicated or improperly changed
• incorrect transactions are rejected, corrected and resubmitted.
Proper Authorisation
Proper authorisation can be achieved through the following procedures.
• Duties are segregated.
• Access controls, data entry and program controls are used, such as field tests, reasonableness tests, limit
tests, validity tests, completeness tests and sequence tests.
• Transactions are authorised by affixing a signature or stamp onto source documents. (If the documents
are electronic, a digital signature and time stamp can be attached.)
• Transactions are approved by a responsible supervisor or through the use of special forms, access to
which is restricted to those designated to initiate transactions.
Accurate Conversion
Accurate conversion requires the following.
• Adequate document design (standardisation). This is a very important input control that aids in
safeguarding assets and in contributing to the accuracy of output information. Forms should be pre-
printed and standardised to reduce and monitor errors. Unchanged information can be pre-printed as
formatted forms, which are more readable, and all documents should be pre-numbered and sequentially
accounted for.
• Adequate training and supervision.
• Data entry manuals (written procedures). These deal with data conversion and the correction of
errors.
• Appropriate chart of accounts. Using one of these to code data can greatly reduce transcription and
transposition errors.
Completeness of Data
The following input controls are designed to ensure the completeness of data.
• ‘Turnaround documents’ are documents produced by the computer system that are later resubmitted
into the system. This minimises errors in data preparation when the output that has already been verified
becomes input. Most bills, including domestic power and telephone bills, are turnaround documents.
• Control totals are effective in ensuring that all data are accurate and complete: data have not been lost,
suppressed, duplicated, added or otherwise improperly changed. One control total is manually computed
Pdf_Folio:117

MODULE 2 Planning the Audit of Historical Financial Information 117

 while another is accumulated by the computer, and the two are compared. Control totals deal with value
fields, such as total cash receipts, sales and accounts payable, and include the following.
– Record counts. Transactions or records entered are counted before and after entry and processing,
then reconciled.
– Batch totals. An information field is totalled, usually in dollar amounts, for all records of a batch.
Batch totals scan similar items and verify totals after each processing step.
– Hash totals. Non-financial fields are totalled for control purposes only (e.g. all sales invoice numbers
in a batch).
– Check digits. These are redundant digits inserted in account numbers (e.g. part number, file number)
and verified for correctness by a key-entry device prior to processing.
Reasonableness of Data
The following input controls relate to the reasonableness of data.
• Limit test. Ensures that an item in a data field is not greater or less than a predetermined limit (e.g. hours
worked per week should not exceed 70 hours).
• Range test. Related to a limit test. A limit test specifies a lower or upper limit whereas a range test
specifies both limits (e.g. employees should work between 30 and 60 hours per week).
• Reasonableness (logic) test. Determines whether various data items are normal or reasonable. It ensures
that illogical combinations of inputs are rejected by checking the logical relationship between items (e.g.
Do net payroll deductions exceed 30% of gross pay?).
Error Correction and Data Resubmission
The following input controls relate to error correction and data resubmission.
• Responsibility for error correction. This should be assigned to a group, such as the control group, or to
a specific individual, such as an internal auditor.
• Error log. An error log should be maintained for all data rejected during input. As they are entered in the
log, the errors should be fully accounted for and then checked off as they are corrected and re-entered
into the system.
• Review and approval of corrections. This should be done by an independent official who should approve
the re-entry of corrected items.
• Prompt re-entry of corrections into the system. A well-defined procedure should be established for
promptly re-entering corrections as input into the system.
Processing Controls
Processing controls are designed to ensure the accuracy and reliability of data processing — that is, that
all authorised transactions are properly processed; that no authorised transactions are omitted, duplicated
or improperly changed; and that no unauthorised transactions are added. Processing errors should be
identified, corrected and resubmitted on a timely basis.
Completeness and Accuracy of Data
The following processing controls relate to completeness and accuracy of data.
• Run to run controls. Use batch control totals to monitor each processing step; at each processing
checkpoint, errors are recorded in an error file and the batch control totals adjusted. The batch totals
are recalculated and compared to the original totals to determine the accuracy and completeness of
batch processing.
• Transaction codes. Verified at each processing step to ensure the right application process is being
applied.
• Check-digit test. These are redundant digits inserted in account numbers (e.g. part number, file number)
and verified for correctness by a computer edit run during processing (e.g. a suffix digit related
algorithmically to the preceding digits of the number). A check digit permits the detection of data coding
errors by ensuring the integrity of codes.
• Sequence test. Verifies that the fields in sequential items are in the proper alphanumeric sequence (e.g.
pre-numbered purchase orders in sequence).
• Audit trail. Automatic transactions may be logged or uniquely identified by the use of tags.
Maintaining Accuracy During Processing
The following controls relate to the maintenance of accuracy during processing.
• Control totals. Provision for accumulating control totals is written into the computer program to facilitate
the balancing of input totals with processing totals for each run.
Pdf_Folio:118

118 Advanced Audit and Assurance

• Console messages. Indicated on console input/output devices such as video display units (VDUs) or
printers. Console messages attempt to reduce the possibility of operator errors, such as loading incorrect
files or incorrect batches of data. Many programs are interactive and should prompt operators to take
action.
• Rounding test. Ensures that rounding errors are properly controlled through the use of a balancing
equation to prevent an out-of-balance situation.
• Error log. Errors detected during processing are generated to an error log, usually kept on magnetic tape.
At the conclusion of processing, the errors are investigated, and the data are corrected and re-entered
into the system.
• Limit and reasonableness checks. A limit or reasonableness test would compare data with an expected
limit (e.g. the product of payroll rates times hours worked would be included on an exception report and
not processed if it exceeded a predetermined limit).
• Before-and-after report. This report shows a summary of the contents of a master file before and after
each update.
• File identification labels. External labels are physically attached to magnetic tape or disks to permit
visual identification of a file. Internal labels are in machine-sensible form and are matched electronically
with specified operator instructions (or commands) that have been incorporated into the computer
program before processing can begin or be successfully completed.
Updating Correct Files
The following controls relate to updating the correct files.
• Proper training and supervision.
• File run and control instructions aid in ensuring that correct files are processed, updated and properly
controlled and should specify the following for each file:
– file name and number
– updating cycle
– retention cycle for data.
• Internal labels consist of a header label and a trailer label. A header label is the first record in a file
and indicates file contents, identification number and file destruction data. This label ensures that the
correct files are mounted and updated and that files are not inadvertently destroyed. A trailer label is the
last record in a file and contains record counts, other control totals, and an end-of-file code. The trailer
label separates one file from another and thus ensures that the entire file is processed and that files are
not commingled. Internal labels are automatically checked for correctness by the computer.
Output Controls
Output controls are designed to ensure that the results of processing are reliable, distributed to authorised
personnel only, and are not lost, corrupted or have their confidentiality compromised. Output control may
be exercised where the control group (or clerk) or users reconcile output control totals with input and
processing control totals. Output may be compared to details on source documents. The review of output
by control groups and users is important in determining the overall reasonableness of processing results.
The review may be done by visual scanning, or manual or electronic editing. User departments should scan
output for exceptions or unusual items and should anticipate reports at designated times. System output
should be tested at proper times by the control group to ensure that it has been distributed only to authorised
user departments. The supervision of output and the shredding of waste or discarded reports are essential
to prevent the loss of confidentiality and misdirection of output.
Example 2.12 outlines the controls in an IT environment. Read the background information presented
here and then review the suggested approach to this task.

EXAMPLE 2.12

Controls in an IT Environment
China Wide Consortium (CWC) has recently converted its phone sales ordering service to an e-commerce
system where customers can place their orders and have them processed over the internet.
Under this new system, online customer purchases are initiated when customers access CWC’s home
page, click on the ‘Customer order’ icon, order the goods on the relevant template and then click on the
‘Submit’ icon. Clicking on the ‘Submit’ icon transfers the customer’s order to CWC’s central processing
facility. This then responds to customers, via an email message, informing them that the order has been
P df_Folio:119

MODULE 2 Planning the Audit of Historical Financial Information 119

 received and the goods will be delivered within a specified timeframe. This process also initiates the
electronic credit card transfer of monies from the customer bank account into CWC’s bank account. The
customer banking details are obtained when customers sign up for the online sales and delivery service.
Before CWC began providing this online sales-order service, the general manager, Angie Fung, hired
Jing Wu, an old school friend who had recently been made redundant, to take care of ‘the computer side
of things’. CWC also hired Melissa, a recent computer studies graduate, to help supervise data entry and
local area network (LAN) operations.
All sales orders are processed using the CWC computer system. The system is in a separate office space
next to the accounts department above the cafeteria. In this office, 20 personal computers are linked via
a LAN. Because customer demand is constant, 18 computer operators work three shifts, accepting sales
orders around the clock. In an attempt to maintain the computer operators’ enthusiasm, Jing allows the
operators to bring in their own computer games to play during times when orders are ‘light on’. The
staff appreciate this gesture and, as a consequence, respect Jing and her endeavours to keep their work
interesting even though they work in very poor physical conditions. In particular, temperature variations
are always extreme — too cold in winter and too hot in summer. In an attempt to make conditions more
pleasant in the summer months, Jing allows staff to open windows to let a breeze flow through the office.
Jing set up CWC’s home page and wrote the programs for processing customer orders. Additionally,
she prepares just-in-time orders from suppliers, updates and controls inventory records, transfers credit
card receipts to CWC’s bank account and reconciles credit card deposits with individual customer
sales accounts. Jing also helps Melissa maintain the LAN. Because Jing was asked to set up the
computer system in such a short timeframe, most of the details of the system are in Jing’s head, and
the documentation, where it does exist, is sketchy and difficult to interpret. On the advice of Jing, Angie
copies monthly backup files and keeps these in her office until they are replaced with the following month’s
backup files.
Since the online system is relatively new, Jing is working 12 hours a day, seven days a week to keep
the system functioning smoothly. Angie is so impressed with Jing’s work ethic that she has asked Jing if
she can prepare and complete the company’s bank reconciliation. Jing agrees to do this for an increased
salary of $10 000 per annum as it will help pay off her $450 000 mortgage in a shorter time span.
............................................................................................................................................................................
Outline the risks impacting the effectiveness of internal controls in CWC’s IT environment.
Check your response against the suggested answer at the end of the book.

Following obtaining an understanding of the entity and its environment, including internal controls, in
the next section, we turn our focus on risk assessments for specific matters that are likely to be significant
risks.
The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

2.1 Explain the responsibilities of management and the auditor in relation to an audit.
• The auditor is responsible for gaining an understanding of the entity’s internal controls.
2.2 Evaluate historical financial information by applying professional scepticism and judgment.
• The deeper understanding of the entity and its environment obtained from the use of IT and data
analytics should improve the auditor’s ability to apply professional scepticism and professional
judgment during the audit.
2.3 Apply the processes and procedures undertaken by auditors in planning an audit.
• Auditors obtain an understanding of the entity’s internal controls to enable them to assess the
effectiveness of internal controls and plan the appropriate audit strategy.
2.4 Apply techniques to analyse factors that could impact fraud risk.
• Because of the pervasive impact of general controls, significant weaknesses in general controls may
affect the reliability of application controls due to the potential risk of undetected fraud or error in
processing transactions.
• Auditors need to determine if moving data to the cloud has introduced fraud risks.
2.5 Design appropriate processes and procedures undertaken by auditors to identify and assess
risks during audit planning.
• Auditors need to determine if moving data to the cloud has introduced risks with the integrity of data,
the accuracy of reports, susceptibility to fraud or cyber attack, segregation of duties, the availability
of records, and even compliance.

df_Folio:120
P

120 Advanced Audit and Assurance

 • The use of technology and data analytics in an increasingly complex and high-volume data
environment provides opportunities for auditors to obtain a more effective and robust understanding
of the entity and its environment, thereby enhancing the quality of the auditor’s risk assessment and
response.
• Example 2.11 requires the identification of general controls adopted by Acme Ltd, which is planning
to computerise its payroll system. This example demonstrates how auditors identify general controls
and their purpose and determine techniques that would be used to assess risks relating to each
general control.
• Example 2.12 demonstrates the identification of internal control concerns in an IT environment.
2.6 Apply the appropriate standards that relate to audit planning.
• ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understand-
ing the Entity and Its Environment establishes mandatory requirements and provides application
and explanatory material to the auditor on obtaining an understanding of the entity’s internal
controls.

2.6 RISK ASSESSMENTS FOR SPECIFIC MATTERS

The auditor performs risk assessment procedures to identify the risk factors that could result in a material
misstatement in the entity’s financial statements. In the previous two sections, the requirement for obtaining
an understanding of the entity and its environment, including internal controls, were discussed. In this
section, the focus turns to identifying significant risks due to error or fraud, accounting estimates, related
parties, going concern, climate-related issues and NOCLAR.
Note that the auditor needs to use professional judgment to determine the depth of understanding of the
entity that is required.
The first topic addressed in this section is the evaluation of fraud risk.

FRAUD RISK
The engagement team must discuss the susceptibility of the entity’s financial statements to material
misstatement due to fraud or error (ISA 315 (Revised), para. 10). These engagement team meetings provide
an opportunity for more experienced team members to share their insights (ISA 240, para. A11). Significant
risks determined in audit team meetings, and the way that the risks are to be addressed in the audit, must
be documented. ISA 240, paragraph A12 presents a list of issues that are ordinarily discussed, such as
consideration of circumstances that may indicate the possibility of fraud. The first point on the exchange
of ideas about potential frauds is often referred to as fraud brainstorming.
The auditor is required to perform certain procedures to obtain information for use in identifying the
risks of material misstatement due to fraud (ISA 240, para. 17). Enquiries are a major risk-identification
technique. The auditor is required to ask management, those charged with governance (i.e. the board) and
the internal auditor (where applicable) about:
• their assessment of the risk of material misstatement due to fraud
• procedures carried out by management for identifying and responding to risk at the account balance,
transaction class and disclosure levels, and the nature and extent of the board’s oversight of these
procedures
• their knowledge of any actual, suspected or alleged fraud (ISA 240, paras 18–22).
Factors to be considered include management’s own assessment of the risk of financial statements
misstatement due to fraud and detection and prevention measures implemented in response to these
perceived risks. Where an entity has multiple locations and/or business segments, the auditor must also
gain an understanding of the nature and extent of monitoring by management of each location and segment.
They must also ascertain whether any specific risk factors pertain to individual sites. Communications with
those charged with governance as well as employees regarding the risk of fraud and business practices
and ethical behaviour are also important. The frequency, nature (formal vs informal) and extent of such
communications are also part of the process.
ISA 240, paragraph A16 recognises that enquiries of management may be useful in detecting employee
fraud but of limited value in detecting management fraud. This is why enquiries are also to be sought from
others within the entity.

Pdf_Folio:121

MODULE 2 Planning the Audit of Historical Financial Information 121

 In general, there are benefits to obtaining evidence outside the control of management where there is
the potential for the existence of fraud. For example, external evidence related to airline flights may be
available from airports, or trips made by trucking companies may be supported by toll records.
A special case in relation to the risk of revenue fraud is made in ISA 240. Paragraph 27 notes that
the auditor should presume the risk of fraud in revenue recognition. Paragraph A29 makes particular
reference to overstatement through the premature recognition of revenue or the recording of fictitious
revenues.
Another approach that is used in practice to overstate revenue is the recording of revenue for a financial
year where goods have been shipped to a customer before year-end, but the customer has right of return
of all products and does not have to pay until the goods are sold onward to a third party. This practice is
known as ‘channel stuffing’. Where channel-stuffing revenue is recognised, accounting numbers can be
manipulated to whatever level desired by placing the necessary quantity of inventory with a customer.
The presumption of fraud risk relating to revenue extends the attitude of professional scepticism
normally required of auditors. Where, after completing suitable procedures, the auditor concludes that
there is no material risk of misstatement due to fraud relating to revenue recognition, the auditor must
document their reasons for this conclusion (ISA 240, para. 48).

Types of Fraud
There are four broad types of fraud. Examples of these types of fraud are shown in figure 2.13.

FIGURE 2.13 Examples of the four types of fraud

Bribery and corruption frauds Cyber frauds

• Money laundering • Ransomware

• Embezzlement • Extortion
• Kickbacks • Phishing
• Shell company schemes • Brute force attack
• Bribes to influence decision making • Disruption of business practices
• Manipulation of contracts • Insider trading
• Substitution of inferior goods • Data theft (e.g. theft of intellectual
property and trade secrets)
• Traditional fraud conducted
through the internet

Financial reporting frauds Misappropriation of assets frauds

• Improper asset valuations • Using a company credit card for

• Unrecorded liabilities
• Timing differences –– bringing forward the
recognition of revenues and delaying the
recognition of expenses
• Recording fictitious sales
• Understanding expenses
• Inappropriate application of accounting
principles
personal use
• Employees remaining on the payroll after
ceasing employment
• Unauthorised discounts or refunds to
customers
• Theft of stock by employees or customers
• Using a company car for unauthorised
personal use

Financial Reporting Frauds

Financial reporting fraud is defined in ISA 240 (para. A2) as ‘intentional misstatements including
omissions of amounts or disclosures in financial statements to deceive financial statement users’). It can
be accomplished by:
1. Manipulation, falsification (including forgery), or alteration of accounting records or supporting docu-
mentation from which the financial statements are prepared.
2. Misrepresentation in, or intentional omission from, the financial statements of events, transactions or
other significant information.
3. Intentional misapplication of accounting principles relating to amounts, classification, manner of
presentation, or disclosure (ISA 240, para. A3).

Pdf_Folio:122

122 Advanced Audit and Assurance

 Fraudulent financial reporting ‘can be caused by the efforts of management to manage earnings in order
to deceive financial statement users by influencing their perceptions as to the entity’s performance and
profitability’ (ISA 240, para. A2). This can commonly involve:
• accounting estimates — including of fair value — that cannot be adequately supported by evidence
• inappropriate choice of, or changes in, accounting policy
• other activities designed to create a picture of the entity that is misleading.
For these activities to comprise fraudulent financial reporting, there must be an intent to deceive or
mislead.
Fraud can be difficult to detect when it involves sophisticated, carefully organised schemes designed to
conceal the fraud. These can include forging, not recording transactions and intentional misrepresentations
to management. There are examples where management has gone to great lengths to cover up a fraud (see
the fraud case study later in this module). Collusion between managers and employees to commit fraud is
particularly difficult to detect. Furthermore, it is more difficult (higher risk) to detect management fraud
compared to employee fraud, as management is often in a position to cover up fraud by manipulating
records and overriding control procedures (ISA 240, paras 6–7).
Examples of management override include:

1. Recording fictitious journal entries, particularly close to the end of an accounting period, to manipulate
operating results or achieve other objectives.
2. Inappropriately adjusting assumptions and changing judgments used to estimate account balances.
3. Omitting, advancing or delaying recognition in the financial statements of events and transactions that
have occurred during the reporting period.
4. Omitting, obscuring or misstating disclosures required by the applicable financial reporting framework,
or disclosures that are necessary to achieve fair presentation.
5. Concealing facts that could affect the amounts recorded in the financial statements.
6. Engaging in complex transactions that are structured to misrepresent the financial position or financial
performance of the entity.
7. Altering records and terms related to significant and unusual transactions (ISA 240, para. A4).

Auditors need to be aware that fraud may be perpetrated in a variety of ways. Perpetrators of fraud are
likely to know of the procedures that the auditor will perform to detect fraud, and therefore may carry out
the fraud strategically to reduce the effectiveness of these audit procedures. There is a checklist of ‘red
flags’ that indicate the possibility of fraud in ISA 240, Appendix 3. A sample of these red flags is provided
in figure 2.14. Perpetrators of fraud aiming for concealment may consult the checklist and design their
fraudulent activities so that suspicion is not aroused.
Refer to the checklist of ‘red flags’ that indicate the possibility of fraud in ISA 240, Appendix 3 for a
more detailed list of indicators.

Misappropriation of Assets Frauds

‘Misappropriation of assets involves the theft of an entity’s assets and is often perpetrated by employees in
relatively small and immaterial amounts. However, it can also involve management who are usually more
able to disguise or conceal misappropriations in ways that are difficult to detect’ (ISA 240, para. A5).
According to PwC (2018), the perpetrators of fraud are:

• mainly employed by the victim organisation (52%)

• often senior management (24% of reported internal frauds)
• often ‘frenemies’ (such as agents, vendors, shared service providers and customers) (68% of external
frauds).
Examples of misappropriation of assets are:
• embezzling receipts . . .
• stealing physical assets or intellectual property . . .
• causing an entity to pay for goods and services not received . . .
• using an entity’s assets for personal use (ISA 240, para. A5).

According to PwC in 2018, 45% of respondents indicated their organisations had experienced fraud
by misappropriation of assets; cybercrime (31%); consumer fraud (29%) and business misconduct (28%).
The PwC report also states that organisations are using innovative and sophisticated technologies such as
machine learning, predictive analytics and other artificial intelligence techniques to fight fraud.
Pdf_Folio:123

MODULE 2 Planning the Audit of Historical Financial Information 123

 FIGURE 2.14 Red flags that may indicate fraud

Broad area Specific examples

• Tips or complaints to the auditor about

alleged fraud
Discrepancies in the financial • Last-minute adjustments that significantly
records affect financial results
• Unsupported or unauthorised balances or
transactions

• Unavailable or missing electronic evidence,

Conflicting or missing evidence
inconsistent with the entity’s record
retention practices or policies
• Missing inventory or physical assets of
significant magnitude
• Documents that appear to have been
altered

• An unwillingness to address identified

Problematic or unusual relationships
between the auditor and
management
deficiencies in internal control on a
timely basis
• Denial of access to key IT operations staff
and facilities, including security, operations,
and systems development personnel
• Undue time pressures imposed by
management to resolve complex or
contentious issues

• Tolerance of violations of the entity’s code

of conduct
• Accounting policies that appear to be at
Other variance with industry norms
• Frequent changes in accounting estimates
that do not appear to result from changed
circumstances

Source: Adapted from ISA 240, Appendix 3.

False or misleading records or documents are often used to conceal the fact that assets are missing or have
been used without proper authorisation. Not all misappropriation of assets leads to material misstatements
as the dollar amount may be below the materiality threshold. However, it could indicate a pattern of small
misappropriations being repeated either frequently or infrequently.
Bribery and Corruption Frauds
Bribery involves influencing someone’s behaviour by giving or receiving an unearned reward — often
referred to as a kickback. Corruption involves seeking advantage through illegitimate means through
unlawful or improper behaviour. Bribery and corruption often go hand-in-hand with money laundering,
which is the process of concealing the origins of money gained from illegal activities.
Cyber Frauds
Cyber frauds include deliberate deception for unfair or unlawful gain through the internet. This is a growing
area of fraud and includes traditional types of fraud conducted through the internet. One of the biggest
concerns in this area is data theft. Of particular concern are the theft of intellectual property, trade secrets
and client data. Cyber frauds have the potential to disrupt the business’s operations. Types of cyber frauds
identified in the 2018 Global Economic Crime and Fraud Survey are shown in figure 2.15
You can read more about recent trends in fraud and misappropriation of assets in PwC’s
‘Pulling fraud out of the shadows: Global Economic Crime and Fraud Survey 2018’, available at:
www.pwc.com/gx/en/forensics/global-economic-crime-and-fraud-survey-2018.pdf

Fraud Risk Factors

Fraud, by its nature, is usually difficult to detect. Furthermore, fraud risk factors cannot be ranked in order
of significance or importance, as these will vary with the size, complexity and ownership characteristics
of the entity. However, an understanding and knowledge of a client’s internal and external environments
Pdf_Folio:124

124 Advanced Audit and Assurance

may alert the auditor to fraud risk factors indicative of opportunities and/or incentives to commit fraud.
Such factors include:
• the need to meet expectations of third parties
• inappropriately designed compensation schemes
• a weak or ineffective control environment.

FIGURE 2.15 Types of cyber frauds that companies were a victim of through cyber attack

Intellectual property 12%

(IP) theft 11% Procurement fraud

Extortion Insider trading

21% 10%

Politically
Asset 24% 5% motivated or state
misappropriation sponsored attacks

Other
Disruption of business 30% 8%
processes

Source: PwC 2018, p. 20.

Three conditions are generally present when fraud exists:

1. incentive or pressure to commit fraudulent financial reporting . . .
2. a perceived opportunity to commit fraud . . .
3. . . . be able to rationalize committing a fraudulent act . . . (ISA 240, para. A1).

These three factors are often referred to as ‘the fraud triangle’ (see figure 2.16) First, the incentive
(or pressure) arises from a perceived benefit from committing fraud. Second, opportunity results from
the conditions that allow fraud to occur. The third element of the triangle, attitude or rationalisation, is the
propensity of the perpetrator of the fraud to rationalise the fraud by justifying or making excuses for the
fraud in their own minds. For example, a manager who works extremely long hours and is not paid for
the extra hours may inappropriately rationalise that a fraud is not unreasonable under the circumstances.

FIGURE 2.16 The fraud triangle

Opportunity

Incentives/pressures Attitudes/rationalisation

Source: Leung et al. 2018, p. 258.

Pdf_Folio:125

MODULE 2 Planning the Audit of Historical Financial Information 125

 ISA 240 Appendix 1 ‘Examples of fraud risk factors’ also draws on the concept of the fraud triangle to
categorise fraud risk factors that may be indicative of fraudulent financial reporting or misappropriation of
assets. It should be noted, however, that these are examples only and do not represent an exhaustive list and
are not relevant in all circumstances. Furthermore, some factors are more significant for some entities than
others, depending on the size of the entity and its ownership and industry characteristics. Finally, these
risk factors may not be readily apparent to the auditor, as such factors are generally reflective of a state of
mind that may give rise to fraudulent activity.
In the corporate context, ISA 240, Appendix 1, classifies incentives/pressures into four categories.
• ‘Financial stability or profitability is threatened by economic, industry, or entity operating conditions’.
• ‘Excessive pressure exists for management to meet the requirements or expectations of third parties’.
• ‘Information available indicates that the personal financial situation of management or those charged
with governance is threatened by the entity’s financial performance’.
• ‘There is excessive pressure on management or operating personnel to meet financial targets . . .
including sales or profitability incentive goals’.
ISA 240, Appendix 1, under the heading ‘Opportunities’, identifies four corporate characteristics that
represent risk factors relating to misstatements arising from fraudulent financial reporting.
• ‘The nature of the industry or the entity’s operations provides opportunities to engage in fraudulent
financial reporting’.
• ‘The monitoring of management is not effective’.
• ‘There is a complex or unstable organizational structure’.
• ‘Internal control components are deficient’.
Past corporate failures demonstrate that a dominant manager or director is a potential weakness because
such domination represents an opportunity for that manager or director to override controls.
Appendix 1 of ISA 240 also provides a list of attitudes/rationalisations, which are another element
of the fraud triangle that is often present when fraudulent financial reporting occurs. You should read
ISA 240, Appendix 1 now.
Review example 2.13 which discusses the use of software robots to catch fraud.

EXAMPLE 2.13

Use of Software Robots to Catch Fraud

According to Pinsker (2019), some organisations are now using software robots to catch fraud in expense
reports. The robots allow a 100% overview of transactions. SAP Concur’s Detect by App Zen, which
launched in 2016, is one example; Oversight Systems is another. The robot analyses expenses looking for
risk. The algorithm clears employee expense reports with no issues almost instantly allowing payments to
be made within two days. If a red flag is raised, the transaction goes to a human auditor for checking. This
process has significantly reduced the number of transactions needing to be reviewed before payment.
SAP Concur’s Detect and Oversight Systems customers have identified a range of red flags, including:
• expenses disallowed by corporate policy (e.g. in-room services)
• expenses claimed more than once
• lost sunglasses or new clothing
• car parking fees claimed multiple times (Pinsker 2019).
Audit clients using such a tool to detect fraud demonstrate a strong anti-fraud culture with detection
controls in place to identify fraud and errors.

QUESTION 2.12

How could professional scepticism be encouraged within the engagement team, with respect to
the susceptibility of the entity’s financial statements to material misstatement due to fraud?

The next significant risk factor to be discussed relates to auditing accounting estimates.

AUDITING ACCOUNTING ESTIMATES

Many accounts in financial statements involve accounting estimates, which means that they cannot be
measured precisely. These commonly have a high risk of material misstatement. It is recognised that the
nature and reliability of information available to management to make these estimates can vary widely.
df_Folio:126
P

126 Advanced Audit and Assurance

For example, there may be little estimation uncertainty around an appropriate allowance for doubtful debts
when there is a generally accepted method to make the estimate, management has a history of reliably
estimating and there has been little change in underlying circumstances. For other accounts, there may
be a large amount of estimation uncertainty, such as the accounting estimate relating to the outcome of
litigation, to such an extent that disclosure (as a contingent liability), rather than recognition of a provision,
is the appropriate accounting treatment.
Other examples include estimating:
• net realisable values for inventory
• revenues from long-term contracts
• future liabilities on product warranties and guarantees.
The IAASB issued a revised International Standard on Auditing 540 (Revised): Auditing Accounting
Estimates and Related Disclosures in October 2018. The standard is effective as from 15 December 2019.
As such, only the requirements of the revised standard will be discussed in this module.
The revised standard highlights three factors that are important in the identification, assessment and
response to the risk of material misstatement relating to accounting estimates.
1. Complexity — the increasingly complex business environment and the resulting increase in complexity
of making accounting estimates.
2. Use of judgment by management — in relation to the selection, application and development of
appropriate methods and appropriate assumptions, as well as the selection of data. Such judgments
by management increase the risk of intentional and/or unintentional management bias.
3. Estimation uncertainty — arising from the factors that give rise to an inherent lack of precision in the
measurement of accounting estimates (ISA 540).
The standard also highlights the need for enhanced professional scepticism in relation to the use of com-
plex estimation models and forward-looking information in determining estimates, and internal controls
surrounding accounting estimates. Professional scepticism plays a central role in the audit of accounting
estimates. Key provisions in ISA 540 (Revised) include enhanced risk assessment requirements, more
granular requirements related to obtaining audit evidence, and requirements to ‘stand back’ and evaluate
the audit evidence obtained, particularly when the inherent risk is not low.
The auditor is required by ISA 540 (Revised) to separately assess ‘inherent risk for purposes of assessing
the risks of material misstatement at the assertion level for accounting estimates’ (para. 4). Depending on
the nature of specific accounting estimates, the susceptibility of an assertion being materially misstated
may be subject to estimation uncertainty, subjectivity, complexity, or other inherent risk factors, and any
interrelationships among them.
In addition, ISA 540 (Revised) also requires control risk to be separately assessed when assessing the
risks of material misstatement at the assertion level for accounting estimates (para. 6). The assessment of
control risk takes into account whether the auditor plans to rely on the operating effectiveness of controls.
However, to rely on the controls, the auditor must perform tests of controls.
ISA 540 (Revised) (para. 7), emphasises that audit procedures need to respond to the reasons for
the assessed risks of material misstatement at the assertion level, taking into account the inherent risk
factors and the auditor’s assessment of control risk. The standard outlines how the exercise of professional
scepticism increases when accounting estimates are subject to greater estimation uncertainty, complexity,
subjectivity or other inherent risk factors (ISA 540 (Revised), para 8).
Auditors are also required to evaluate whether the accounting estimates and related disclosures are
reasonable based on the audit procedures performed and the evidence obtained, taking into consideration
the applicable financial reporting framework. Estimates often involve data analysis and forecasting future
events, such as sales revenue.
Auditors need to gain an understanding of the requirements of the financial reporting framework, how
management has identified the transactions, events or conditions giving rise to the need for an accounting
estimate to be recognised or disclosed, and the process by which management has made the estimate. This
includes understanding the data on which it is based, whether management has used an expert, and the
key assumptions underlying the estimate (ISA 540 (Revised), para. 13). In SMEs, management are likely
to be actively involved in the financial reporting process, including preparation of accounting estimates.
Therefore, controls over the estimating process may not exist or may operate informally. For this reason,
the auditor is likely to perform substantive procedures in response to the assessed risks.
Further details of the risk assessment procedures and the auditor’s responses to assessed risks for
accounting estimates are contained in ISA 540 (Revised), paragraphs 8–36. Read these sections and
the associated application and other explanatory material now.
Pdf_Folio:127

MODULE 2 Planning the Audit of Historical Financial Information 127

RELATED-PARTY RISK
Another risk assessment procedure is the search for related party relationships and transactions. Due to the
sensitive nature of related party transactions, management may want to conceal related party transactions
rather than disclose them in the financial statements. This is made possible as management is usually
responsible for identifying and approving related party transactions, and management have the opportunity
to override controls so that transactions are not recorded. Fraud risk is another issue relating to related
parties.
Related parties include:
• affiliates of the entity
• investments in other entities accounted for by the equity method
• trusts for employee benefit plans, such as pensions, that are managed by or under the trusteeship of
management
• principal owners of the entity and their immediate family members
• management of the entity and their immediate family members
• other parties that can significantly influence management or operating policies of the entity (Johnson &
Wiley 2019, p. 4–22).
Financial reporting frameworks require disclosure of related party relationships, transactions and
accounts so financial statement users can understand their potential effects on the financial statements.
It is particularly important to identify the existence of related parties so that transactions with related
parties can be identified throughout the audit. For example, the auditor might identify related parties by
requesting information from management, reviewing shareholder listings of closely held companies to
identify principal shareholders, reviewing filings with ASIC and other regulatory agencies, or reviewing
previous years’ working papers for the names of known related parties.
Companies can have transactions with related parties frequently in the normal course of business, but
because they are related parties, there is a risk that some of the transactions may not be accounted for
according to their true substance. In other words, transactions with related parties may not be the same as
arm’s-length transactions between independent and unrelated buyers and sellers or borrowers and lenders.
For example, a company may loan money to an affiliated company, but have no scheduled terms for how
or when the money will be paid back. Should this be accounted for as a loan? Is that the true substance
of the transaction? If related party transactions are not accounted for properly, then one or more material
misstatements could occur in the financial statements.
Discussion among audit team members should include an emphasis on maintaining professional
scepticism and considering how related parties may be involved in fraud. The existence of related parties
is a fraud risk factor because fraud may be more easily committed among related parties. For example,
transactions between the client and a known business partner of a key manager could be arranged for the
purpose of misappropriating (stealing) assets. Another example would be a major stockholder paying back
a loan at period end, but the client lending the same amount of money back to the stockholder shortly after
period end. This is a scheme referred to as ‘period-end window dressing’.
Auditors use specific procedures to confirm related parties that have been identified by manage-
ment and to identify additional related parties that management’s processes may not have identified
(see ISA 550 paras 12–14 and A9–A21). Auditors should always be mindful of potential related parties
because client circumstances could change and new relationships could be created at any time during the
client’s year. Auditors should document all identified related parties and the nature of the relationships. If
any of the related party relationships or transactions are identified as posing a significant risk of material
misstatement, auditors will plan to gather more evidence or adjust audit procedures, as needed, during the
risk response phase of the audit.

EXAMPLE 2.14

Applying Professional Scepticism

Juan is assigned to the audit of MED Inc., a new client that manufactures medical supplies made from
fabrics, such as bandages, blankets and head caps for newborn babies. Throughout the year, MED Inc.
hires temporary workers as needed to meet demand when customers place large or unexpected orders.
MED Inc. uses the services of three personnel agencies to find temporary workers and pays finder’s fees to
the personnel agencies. While reviewing the amounts paid to the three personnel agencies, Juan notices
that one agency is being paid considerably more than the other two. Juan meets with the controller,
df_Folio:128
P

128 Advanced Audit and Assurance

 Amanda, to gain a better understanding of the transactions with the personnel agencies. Amanda says,
‘The primary agency we use is Any Time Workers. The agency opened last year, and it’s actually owned
by the wife of our VP of Operations. She has done a great job keeping us supplied with workers so we
can keep up with demand’. Back at his desk, Juan documents his conversation with Amanda and notes
this is a related party situation.
What Potential Risks are Created by this Situation?
First, there is a disclosure risk. The audit team must ensure that MED Inc. is disclosing the related party
and the transactions.
Second, the existence of related party transactions is a fraud risk factor.
Could the payments to MED Inc. be a misappropriation of assets?
Is MED Inc. paying Any Time Workers above-market prices for its services, or paying for services it has
not actually received?
Could inflated payments represent additional compensation for the VP of Operations, via his wife’s
company, to avoid payroll tax expenses associated with making bonus payments?
This type of thought process is an example of Juan using professional scepticism. He will keep these
risks in mind when planning the audit procedures related to the transactions with the personnel agencies.
Source: Adapted from Johnson & Wiley 2019, p. 4–23.

GOING CONCERN RISK

As part of the planning process, the auditor needs to consider whether there are events or conditions that
may cast doubt on the entity’s ability to continue as a going concern. This allows for timely discussions with
management about their assumptions and for a review of their plans to resolve any identified going concern
issues. The auditor needs to remain alert for such events or conditions throughout the audit and, if any are
identified, consider whether and how they affect the assessment of the risks of material misstatement.
Standards and guidance for planning the audit and performing risk assessment procedures with regard to
the going concern basis of accounting are contained in ISA 570 (Revised) Going Concern (paras 10–11).
In some cases, management may have already made a preliminary assessment before the auditor
performs the risk assessment procedures. If so, the auditor needs to review management’s risk assessment
to determine whether it has identified events or conditions that may cast significant doubt on the entity’s
ability to continue as a going concern, and evaluate management’s plans to address them (ISA 570
(Revised), para. 10(a)).
If management has not made such a preliminary assessment, the auditor will usually discuss with them
the basis for their intended use of the going concern basis of accounting, and enquire whether events
or conditions exist that may cast significant doubt on the entity’s ability to continue as a going concern
(ISA 570 (Revised), para. 10(b)).
Risk factors associated with the auditor’s assessment of the going concern basis of accounting should
include:
• Fixed-term borrowings approaching maturity without realistic prospects of renewal or repayment.
• Indications of withdrawal of financial support by creditors.
• Inability to pay creditors on due dates.
• Loss of a major market, key customer(s), franchise, license, or principal supplier(s).
• Labour difficulties.
• Emergence of a highly successful competitor.
• Pending legal or regulatory proceedings against the entity that may . . . result in claims that the entity is
unlikely to be able to satisfy.
• Uninsured or underinsured catastrophes (ISA 570 (Revised), para. A3).

The going concern basis of accounting is fundamental to the preparation of financial statements. Under
the going concern basis of accounting, an entity is expected to continue in business for the foreseeable
future. There is no intention or necessity to liquidate or otherwise cease its operations. The foreseeable
future is referred to as the relevant period in auditing standards and covers at least 12 months from the date
of the financial statements (ISA 570 (Revised), para. 13).
When the entity is considered to be a going concern, its ‘assets and liabilities are recorded on the basis
that the entity will be able to realize its assets and discharge its liabilities in the normal course of business’
(ISA 570 (Revised), para. 2). If an entity is not a going concern, assets and liabilities are recorded at
liquidation values.
Pdf_Folio:129

MODULE 2 Planning the Audit of Historical Financial Information 129

Management Responsibilities — Going Concern
Unless management intends to either liquidate the entity or cease trading, or has no realistic alternative
but to do so, financial statements are required to be prepared on a going concern basis. Management is,
therefore, required to make an assessment of an entity’s ability to continue as a going concern (IAS 1
Presentation of Financial Statements, paras 25–26; ISA 570 (Revised), para. 3).
In Australia, the Corporations Act requires that a formal statement regarding the solvency of the entity
be made by members of the governing body and that the statement be included as part of the financial
report on which the auditor’s opinion is expressed.
When, in making its assessment, management is aware of material uncertainties related to events or
conditions that may cast significant doubt upon the entity’s ability to continue as a going concern, those
uncertainties must be disclosed. When the financial statements are not prepared on a going concern basis,
that fact shall be disclosed, together with the basis on which the financial statements are prepared and
the reason why the entity is not regarded as a going concern (IAS 1, paras 25–26; ISA 570 (Revised),
para. 3).
It is recognised that management’s assessment of the going concern basis of accounting involves making
a judgment, at a particular point in time, about the future outcome of events that are inherently uncertain.
ISA 570 (Revised), paragraph A3 provides an extensive list of events or conditions that may cast significant
doubt on the entity’s ability to continue as a going concern.

Auditor Responsibilities — Going Concern

The auditor’s responsibility with regard to going concern is to consider the appropriateness of manage-
ment’s use of that basis of accounting in preparing financial statements, and to consider whether there are
material uncertainties about the entity’s ability to continue as a going concern that need to be disclosed in
the financial statements.
ISA 570 (Revised), para. 7 makes it clear that the auditor’s going concern assessment is often based
on the prediction of uncertain future events. Where there is no reference to going concern problems in
the auditor’s report, this cannot be taken as a guarantee of the entity’s ability to continue as a going
concern.
ASA 570 (Revised) Going Concern, paragraph Aus 13.1 requires the auditor to assess the appropriate-
ness of management’s going concern basis of accounting for the relevant period. ASA 570 defines this
period to be approximately 12 months ‘from the date of the auditor’s current report to the expected date
of the auditor’s report for (a) the next annual reporting period in the case of an annual financial report; or
(b) the corresponding reporting period for the following year in the case of an interim reporting period’
(ASA 570, para. Aus 13.2).
You should now read ISA 570 (Revised), paragraph A3 to familiarise yourself with the list of examples
of events or conditions which may cast significant doubt on the entity’s ability to continue as a going
concern.
Another significant risk factor impacting on financial reporting relates to climate change. It is discussed
next.

CLIMATE-RELATED RISK
To date, climate change risks have generally been reported in the operating and financial review or
management commentary sections within the annual report. As these sections are outside the financial
statements and associated notes, it is defined in the auditing standards as ‘other information’. Therefore,
auditors are only required to read it to identify if any material inconsistencies with the audited financial
statements or any material misstatements of fact exist. Consideration of this other information is limited
to the auditor’s knowledge obtained in the audit.
However, the AASB/AUASB issued a joint guidance statement on the integration of climate-related
risks into financial statement materiality considerations. Auditors will need to consider if their client’s
climate-related risks are material, and if material, whether those risks are adequately disclosed in the
financial statements. Climate-related risks are considered material if they are important to investors’
decision making. As such, if climate-related risks are addressed in the financial statements, then it will
be subject to the scrutiny of an audit, necessitating engagement of expertise to understand those risks and
their impact on the financial statements (Grayston 2019).
This shift of emphasis from ‘other information’ to the financial statements is particularly significant
for auditors as they are required to provide an opinion on the financial statements but not on additional
Pdf_Folio:130

130 Advanced Audit and Assurance

material in the annual report. Even though the guidance is not mandatory, it represents the IAASB’s best
practice interpretation of materiality and has potential financial reporting implications relating to:
• asset impairment;
• changes in the useful life of assets;
• changes in fair valuation of assets . . .;
• increased costs and/or reduced demand for products and services . . .;
• potential provisions and contingent liabilities arising from fines and penalties; and
• changes in expected credit losses for loans and other financial assets (AASB & AUASB 2018, p. 11).
In June 2017, the Task Force on Climate-related Financial Disclosures (TCFD) released a final report
outlining their recommendations on climate-related financial disclosures along with supporting documents
to support its implementation.
Since the TCFD released its recommendations, both the ASX and ASIC have shown their support. The
ASX Corporate Governance Council has indicated it will incorporate more guidance on the disclosure of
climate risk and suggests listed companies with material exposure implement the TCFD recommendations
(Price 2018). Likewise, ASIC recommended that listed companies with material exposure to climate risk
consider reporting under the TCFD framework (ASIC 2018).
The AASB/AUASB bulletin warns that ‘entities can no longer treat climate-related risk as merely a
matter of corporate social responsibility and may need to consider them also in the context of their financial
statements’ (AASB/AUASB 2018, p. 3). Expectations regarding consideration of climate-related risk for
the June 2019 reporting period will necessitate auditors having sufficient understanding of relevant climate
risks to enable them to challenge their clients about the assumptions used to determine financial impacts
and disclosures (Grayston 2019).
Management will need to be satisfied that there are reasonable grounds to base their view that all
potential material climate-related risks likely to impact the entity’s performance and prospects have
been appropriately disclosed or resolved as not material. Management will need to ensure that voluntary
disclosures relating to climate-related risks are consistent with annual report disclosures/statements and
any continuous disclosures made. External auditors and management will need to consult on how to address
the challenges of assurance over disclosure of climate-related risks within the annual report or a separate
sustainability report (Barker 2019).
Another significant risk area is detecting non-compliance with laws and regulations (NOCLAR), which
is discussed next.

NON-COMPLIANCE WITH LAWS AND REGULATIONS

(NOCLAR)
ISA 250 (Revised) is designed to assist the auditor in identifying material misstatement of the financial
statements due to NOCLAR. The auditor is not responsible for preventing NOCLAR and cannot be
expected to detect all NOCLAR (ISA 250 (Revised), para. 4). It is ultimately the responsibility of
management and those charged with governance to ‘ensure that the entity’s operations are conducted in
accordance with the provisions of laws and regulations, including compliance with the provisions of laws
and regulations that determine the reported amounts and disclosures in an entity’s financial statements’
(ISA 250 (Revised), para. 3).
Following the changes that led to the restructured Code, which increased professional accountants’
responsibility in relation to NOCLAR, the IAASB implemented some significant amendments to ISA 250
(Revised). These changes address actual or perceived inconsistencies of the approach in identifying and
dealing with instances of NOCLAR. The revised standard permits accountants to set aside the duty of
confidentiality in order to disclose NOCLAR to appropriate public authorities in certain circumstances.
ISA 250 (Revised) requires the auditor to consider the entity’s compliance with laws and regulations
by obtaining a general understanding of the legal and regulatory framework applicable to the entity, and
how the entity is complying within that framework. The auditor shall also enquire of the management as to
whether the entity is in compliance with such laws and regulations and must inspect any correspondence
with the relevant licensing or regulatory authorities.
Non-compliance is defined in ISA 250 (Revised), para. 12, as:
Acts of omission or commission, intentional or unintentional, committed by the entity, or by those charged
with governance, by management or by other individuals working for or under the direction of the entity,
which are contrary to the prevailing laws or regulations. Non-compliance does not include personal
Pdf_Folio:131

misconduct unrelated to the business activities of the entity.

MODULE 2 Planning the Audit of Historical Financial Information 131

 When there is no evidence of NOCLAR, no further audit procedures are required (ISA 250 (Revised),
para. 18). However, if NOCLAR is identified or suspected, ISA 250 (Revised) makes a clear distinction
between the effect of the two different categories of laws and regulations on financial statements:
1. direct — where NOCLAR directly affects the determination of material amounts and disclosures in the
financial statements such as tax and pension laws and regulations (ISA 250 (Revised), para. 6(a))
2. indirect — where NOCLAR does not directly affect the financial statements, but may be fundamental
to the entity’s ability to continue its business, or to avoid material penalties; Examples include
compliance with the terms of an operating licence, compliance with regulatory solvency requirements,
or compliance with environmental regulations (ISA 250 (Revised), para. 6(b)).
The auditor is required ‘to obtain sufficient appropriate audit evidence regarding compliance with the
provisions of those laws and regulations’ if NOCLAR is expected to have a direct effect on the financial
statements. However, if NOCLAR is likely to have an indirect effect on the financial statements, then ‘the
auditor’s responsibility is limited to undertaking specified audit procedures to help identify [NOCLAR]’
(ISA 250 (Revised), para. 7).
Examples of laws and regulations that may be included are discussed in ISA 250 (Revised),
paragraph A6.
It is important to note that section 360 of the Code goes beyond ISA 250 (Revised) where it calls
for auditors to have regard to the wider public interest implications of the matter in terms of potentially
substantial harm to stakeholders whether in financial or non-financial terms. Non-financial harm could be,
for example, breaches of environmental laws and regulations endangering the health or safety of employees
or the public.
You should now read ISA 250 (Revised), paragraphs A28–A33 to familiarise yourself with the revised
requirements to report identified or suspected NOCLAR to an appropriate authority outside the entity.

QUESTION 2.13

ISA 250 (Revised) and section 360 of the Code provide guidance to help the auditor in working out
how best to respond to identified or suspected NOCLAR. Outline how the auditor should respond
when the following NOCLAR are discovered during an audit.
(a) The audit client narrowly missed a deadline for filing its tax return.
(b) The auditor found that the audit client has not been sufficiently accruing and paying its
employees’ superannuation/pension fund commitments.

Our next section discusses the various risk assessment procedures that auditors use in obtaining an
understanding of the entity, including internal controls and identified significant risks.
The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

2.1 Explain the responsibilities of management and the auditor in relation to an audit.
• The auditor is responsible for assessing the risk of fraud, appropriateness of accounting estimates,
related parties risk, going concern risk, climate-related risk and NOCLAR.
• During the risk assessment phase, the objective of the auditor is to gain an understanding of a client’s
related party relationships and transactions.
• Management is required to make an assessment of an entity’s ability to continue as a going concern.
• The auditor’s responsibility with regard to going concern is to consider the appropriateness of
management’s use of that basis of accounting in preparing financial statements, and to consider
whether there are material uncertainties about the entity’s ability to continue as a going concern that
need to be disclosed in the financial statements.
• The AASB/AUASB issued a joint guidance statement on the integration of climate-related risks
into financial statement materiality considerations. Auditors will need to consider if their client’s
climate-related risks are material, and if material, whether those risks are adequately disclosed in
the financial statements.
• Expectations regarding consideration of climate-related risk for the June 2019 reporting period
will necessitate auditors having sufficient understanding of relevant climate-related risks to enable

df_Folio:132
P

132 Advanced Audit and Assurance

 them to challenge their clients about the assumptions used to determine financial impacts and
disclosures.
• It is ultimately the responsibility of management and those charged with governance to ensure that
the entity’s operations are conducted in accordance with the provisions of laws and regulations,
including compliance with the provisions of laws and regulations that determine the reported
amounts and disclosures in an entity’s financial statements.
• The auditor is required to obtain sufficient appropriate audit evidence regarding compliance with the
provisions of those laws and regulations if NOCLAR is expected to have a direct effect on the financial
statements. However, if NOCLAR is likely to have an indirect effect on the financial statements,
then the auditor’s responsibility is limited to undertaking specified audit procedures to help identify
NOCLAR.
2.2 Evaluate historical financial information by applying professional scepticism and judgment.
• Example 2.14 demonstrates the thought process involved when using professional scepticism to
consider related-party risks. The auditor would keep these risks in mind when planning the audit
procedures related to the transactions with the related parties.
• The presumption of fraud risk relating to revenue extends the attitude of professional scepticism
normally required of auditors.
2.3 Apply the processes and procedures undertaken by auditors in planning an audit.
• As part of audit planning, auditors are required to assess the risk of material misstatements for
specific matters such as fraud, accounting estimates, related parties, going concern, climate-related
risks and NOCLAR.
• As part of the planning process, the auditor needs to consider whether there are events or conditions
that may cast doubt on the entity’s ability to continue as a going concern.
• The auditor is required to consider the entity’s compliance with laws and regulations, by obtaining
a general understanding of the legal and regulatory framework applicable to the entity, and how the
entity is complying within that framework.
2.4 Apply techniques to analyse factors that could impact fraud risk.
• The audit team use a brainstorming session as the first point on the exchange of ideas about
potential frauds. This process often includes four main steps: 1) identifying fraud risks; 2) generating
potential frauds that could have occurred; 3) assessing the likelihood of fraud on the engagement and
4) developing responses to fraud risks.
• The fraud triangle explains the three conditions that are generally present when fraud exists.
• Example 2.13 explains how software robots are being used to catch fraud.
2.5 Design appropriate processes and procedures undertaken by auditors to identify and assess
risks during audit planning.
• The auditor is required to perform certain procedures to obtain information for use in identifying
the risks of material misstatement due to fraud. Enquiries are a major risk-identification technique.
The auditor is required to ask management, those charged with governance (i.e. the board) and the
internal auditor (where applicable) for details of their risk assessment.
• Auditors use specific procedures to confirm related parties that have been identified by management
and to identify additional related parties that management’s processes may not have identified.
2.6 Apply the appropriate standards that relate to audit planning.
• ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
recognises that enquiries of management may be useful in detecting employee fraud but of limited
value in detecting management fraud. This is why enquiries are also to be sought from others within
the entity.
• ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements provides
examples of how management overrides internal controls and lists red flags that may indicate
potential fraud.
• ISA 250 (Revised) Consideration of Laws and Regulations in an Audit of a Financial Report requires
the auditor to consider the entity’s compliance with laws and regulations by obtaining general
understanding of the legal and regulatory framework applicable to the entity, and how the entity
is complying within that framework.
• ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understand-
ing the Entity and Its Environment establishes the requirement for the engagement team to discuss
the susceptibility of the entity’s financial statements to material misstatement due to fraud or error.
• ISA 550 Related Parties provides audit guidance associated with related party transactions and
disclosures.
• ISA 570 (Revised) Going Concern provides guidance for planning the audit and performing risk
assessment procedures with regard to the going concern basis of accounting.
• ISA 570 (Revised) Going Concern provides an extensive list of events or conditions that may cast
significant doubt on the entity’s ability to continue as a going concern.

P df_Folio:133

MODULE 2 Planning the Audit of Historical Financial Information 133

2.7 RISK ASSESSMENT PROCEDURES
Risk assessment procedures are performed when obtaining an understanding of the entity and its
environment. In the previous sections, we identified the factors that need to be assessed in order for the
auditor to obtain the required level of understanding. Next, our discussion turns to the methods used to
obtain this understanding during the risk-assessment phase of the audit.

METHODS USED FOR RISK ASSESSMENT

There are three methods that are required to be used for risk assessment purposes outlined in ISA 315
(Revised), paragraph 6. However, in many situations, the results from performing one type of procedure
may lead to performing other procedures. For example, findings from performing analytical procedures
on preliminary operating results may require follow-up questions for management, which may then lead
to requests to inspect certain documents or observe activities being performed by employees.
Enquiries should be sought from a range of personnel within the entity rather than confining it to
management and accountant. This is especially important in SMEs as the owner is usually the manager.
The types of enquiries should be about trends, unusual events, the functioning of internal control, major
business risks and any instances of management override.
If a possible fraud involving senior management or those charged with governance is discovered, the
auditor should consult with the engagement partner, and consider obtaining legal advice on how to proceed.
It is important that privacy and confidentiality requirements are properly followed and that the code of
ethics is not violated.
The following risk assessment procedures are mandated.
• Enquiries of management and others within the entity. ‘Others’ include those charged with governance;
internal audit personnel; employees involved in initiating, processing or recording complex or unusual
transactions; in-house legal counsel; marketing or sales personnel. The types of enquiries are discussed
in ISA 315 (Revised), paragraph A7.
• Analytical procedures. Evaluations of financial information made by a study of plausible relationships
among both financial and non-financial data. Analytical procedures include comparisons of the entity’s
financial information with prior period information, budgeted information and similar industry infor-
mation. They also include a consideration of the relationship, such as between elements of financial
information where one would expect a predictable pattern (e.g. gross margin to sales) and between
financial and non-financial information (e.g. payroll costs and employee numbers).
• Observation and inspection. Observation and inspection may support the enquiries discussed previously
and provide information about the entity and its environment. ISA 315 (Revised), paragraph A18,
suggests that such audit procedures include observation and inspection of:
– the entity’s operations
– documents
– reports prepared by management and those charged with governance
– the entity’s premises and plant facilities.
Many auditors use strategic analysis techniques such as SWOT analysis, PEST and PESTEL analyses
and value-chain analysis to obtain an understanding of the entity and its environment. These methods are
discussed next before expanding on the use of analytical procedures and audit data analytics.

QUESTION 2.14

Provide one example of an audit procedure for each of the four procedures listed below.
1. Observation of the entity’s operations
2. Inspection of documents
3. Inspection of reports prepared by management and those charged with governance
4. Inspection of the entity’s premises and plant facilities.

Strategic Analysis
As part of the strategic analysis of the entity, the auditor obtains information about the:
• broad environment in which the client operates
• industry within which the organisation operates
df_Folio:134
P

134 Advanced Audit and Assurance

• markets in which it operates
• organisation’s products and services
• external forces that impact on it
• nature of suppliers, customers and alliance partners
• client’s strategy to achieve its sustainable comparative advantages
• business risks that threaten the success of the strategy
• organisation’s response to these risks.
At the conclusion of the strategic analysis, the auditor should have a good understanding of where the
organisation is situated in its environment and its strategic direction.
After completing the strategic analysis, it is important for the auditor to consider:
• the implication of the organisation’s strategy and business risks for underlying accounting choices and
financial statement assertions
• whether accounting estimates and valuations are consistent with the significant business risks
• how the business risks impact on additional work at the business process or transaction levels.
Consider the following potential impacts of strategic analysis on the audit process.
• Expectations. Knowledge of specific business risks affects what an auditor will expect to see in the
financial statements. For example, increased competition from lower-priced competitors should result
in the auditor expecting to see lower margins and/or lower turnover. The better the auditor understands
the client’s strategy, the more likely they will know how the client will react to price cutting and the
likely impacts.
• Going concern risk. Some threats have the potential to seriously affect profits and may indicate that the
organisation is not viable, given its present strategies and markets. Going concern issues may need to
be addressed.
• Inherent risk. Some threats provide a direct indication that a financial statement assertion is incorrect.
For example, inherent risks such as the loss of brand reputation can negatively influence sales, resulting
in inventory valuation issues and, potentially, equipment valuation issues due to impairment resulting
from the lost sales.
• Control risk. Some threats put pressure on management related to holding their jobs and receiving
potential bonuses, with the potential for inappropriate responses (Knechel & Salterio 2017).
Table 2.5 outlines a series of strategic business risks and the potential audit implications that result from
these risks.

TABLE 2.5 Risk assessment: strategic risks and potential audit implications

Source of
Strategic business risk/threat threat Potential audit implications

Competitors begin offering extended Competitors • Inherent risk: Increase in warranty commitments may
warranty protection on products. require that warranty expense estimates be increased
above historical patterns.

Competitors are rapidly increasing the
rate paid to key senior accounting and
management personnel.
Competitors • Control risk: Reliability of decision making and
information processing may decrease with employee
turnover.
• Inherent risk: Allocations of labour costs may need to
be revised based on relative changes in salary levels.
• Inherent risk: Accruals for benefits may need to be
increased.

Top-grade raw materials are in
extremely short supply due to bad
weather conditions in producing
regions.
Suppliers • Inherent risk: Wastage and spoilage rates may need
to be increased in standard costing formulas.
• Inherent risk: Valuation problems related to purchase
commitments may exist.
• Control risk: Pressure to cut corners to meet
customer demand.

Customer industries are in a recession. Economic, • Inherent risk: Receivables may not be collectible at
customers historical rate and allowance for doubtful debts may
need to be increased.
• Going concern risk: Shrinking customer base.

P df_Folio:135

(continued)

MODULE 2 Planning the Audit of Historical Financial Information 135

 TABLE 2.5 (continued)

Source of
Strategic business risk/threat threat Potential audit implications

Consumer tastes have changed,
necessitating improved functionality
and quality in company products.
Social, • Going concern risk: Loss of market share.
customers • Inherent risk: Inventory on hand may become
obsolete or out of favour so that carrying values may
not be realisable.
• Control risk: Pressure to hit sales targets to protect
jobs and/or bonuses.

The preferred distribution channel
for the company’s product changes
from retail locations to internet,
telemarketing and home delivery.
Technology, • Inherent risk: Existing distribution channels may need
customers to be shut down with resulting restructuring cost
(lay-offs, asset disposal).
• Going concern risk: Inability to adapt on a timely
basis.

New entrant to the market is Technology, • Inherent risk: Inventory valuation may need to be
technologically superior to current new reduced to lower of cost or market value due to
products. entrants obsolescence or excess quantities.
• Going concern risk: Loss of market share.

Government imposes new regulations
on distribution of a company’s
product.
Social, • Going concern risk: Loss of market share if not
political adaptable.
• Inherent risk: Inventory valuation may need to be
reduced to lower of cost or market value due to
obsolescence or excess quantities.
• Control risk: Efforts to circumvent regulations to meet
sales targets.

Activists protest the company’s Social • Inherent risk: Valuation of capitalised development
approach to research and develop- costs if associated product demand drops.
ment (R&D). • Control risk: Efforts to hide or disguise nature of R&D.

Foreign currency fluctuations squeeze Economic • Inherent risk: Proper treatment of exchange gains
profit margins on international sales. and losses.
• Inherent risk: Accounting treatment of financial
derivatives.

Manufacturing facilities become non- • Inherent risk: Impairment of fixed assets.

competitive due to age and inability to Technological • Going concern risk: Tightening margins leading to
upgrade processes. losses if prices cannot be increased.

Source: Adapted from Knechel, W. R. & Salterio, S. 2017, Auditing: Assurance and Risk, 4th edn, Taylor & Francis, New York,
pp. 163–5.

Strategic Analysis Techniques

The auditor is required to develop an understanding of the client’s business strategies and identify the
external forces that threaten the success of these strategies. Using this knowledge, the auditor identifies
the key competencies and related business processes that drive the organisation’s implementation of its
strategy and its interactions with its environment.
A PEST or a SWOT analysis is commonly used to identify factors that have the greatest impacts on the
business value of the proposition. Likewise, value-chain analysis is often used to analyse the specific
activities a business performs to create a competitive advantage. However, these traditional forms of
analyses are being replaced with innovative methods such as data visualisation and data analytics. This
change has been necessary due to the volatile business climate and ‘difficulty in predicting the external
environment of the marketplace and of customers’ behaviour’ (Boobier 2018, p. 195). Data analytics
provide insights that enable a better understanding of an entity’s performance and external forces, leading
to a greater understanding of the marketplace.
We will discuss each technique in turn.
Pdf_Folio:136

136 Advanced Audit and Assurance

SWOT Analysis
A SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis examines both the organisation’s
external environment and its internal capabilities. SWOT analysis is used to determine whether the
organisation’s strategies are producing a good fit between the organisation’s resource capability (in terms
of resource strengths and weaknesses) and its external environment (including opportunities in the market
and threats to market share and profitability). An example SWOT analysis is provided as figure 2.17 to
highlight major issues to consider in performing a SWOT analysis.

FIGURE 2.17 SWOT analysis

Strengths Weaknesses

• A strong statement of financial position • Lacks a clear strategic direction

with ability to borrow
• A strong brand name, good
reputation
• Advantages over competitors, such as
lower unit costs
• Technological advantages, superior
intellectual capital, including patents
• Leader in supply chain management
• High product quality and customer
service reputation
• Strong international distribution
capability
• Strategic alliances, such as those in
the airline industry
• A weak statement of financial position
including high debt
• High unit costs relative to competitors
• Outdated equipment
• Poor brand image or customer service
reputation
• Distribution restrictions
• Limited R&D capacity
• Difficulties in recruiting and retaining staff
• Limited product lines

Opportunities Threats

• Expanding into new geographic • Entry of new competitors

markets
• Expanding the company’s product lines
• New opportunities to cut costs
• Falling trade barriers
• Competitors’ brand image deteriorating
• Rising demand in one or more market
segment(s)
• Opportunities for new alliances that
expand the company’s market coverage
• Openings to take advantage of
emerging new technologies
• Opportunities to introduce the
company’s products/services to new
geographic areas
• Substitute products becoming available
• Pressure on profit margins from
competitors
• Foreign exchange rate fluctuations and
shifts
• Costly new regulatory requirements
(e.g. product labelling)
• Growing bargaining power of customers/
suppliers
• Changing tastes away from the industry’s
product and/or company’s products
• Demographic changes affecting the
demand for the company’s product

Source: CPA Australia 2019.

Just making lists of the strengths, weaknesses, opportunities and threats is not sufficient. It is important
to use the SWOT analysis to learn about the entity’s situation and what impact it is likely to have on the
audit.
Strengths refer to characteristics, expertise, assets, etc. that provide a competitive advantage (e.g.
technological know-how, natural resources, strong management, good location, valuable brands, superior
products, strong alliances). A weakness is a condition that puts it at a competitive disadvantage (e.g. lack
of technological know-how, poor location). Entities have a range of market opportunities, and they need to
appraise the profit potential of the opportunities most likely to be successful. In addition, entities face
threats to their profitability and competitiveness from the environment, for example, due to changing
customer tastes and new technologies.
Example 2.15 demonstrates how risks identified during a SWOT analysis impacts on audit planning.
Review this example now.

Pdf_Folio:137

MODULE 2 Planning the Audit of Historical Financial Information 137

 EXAMPLE 2.15

Identifying Risks
The client, FB Ltd, is a manufacturer of timber flooring. During a SWOT analysis, it is identified that more
than 90% of the company’s production is supplied to one customer LR Ltd (a larger retailer of home
furnishings). There are many alternative suppliers, and LR Ltd has mentioned the possibility of switching
to another supplier.
............................................................................................................................................................................
What impact does this information have on identifying risks faced by FB Ltd?
Check your response against the suggested answer at the end of the book.

PEST and PESTEL Analyses

A PEST (Political, Economic, Social and Technological) analysis is a traditional method used to understand
the forces acting on an entity’s external environment. Figure 2.18 provides an example of PEST factors
that affect business entities.

FIGURE 2.18 PEST analysis

1. What environmental factors are affecting the entity?

2. Which of these are the most important at the present time? In the next few years?

Political

• Government outsourcing
• Government policy
• Social welfare policies
• Taxation laws

Economic
• Business cycles
• Disposable income and savings rates
• Inflation rates
• Interest rates
• Money supply
• Unemployment levels

Social
• Attitudes to work and leisure balance
• Education levels
• Income distribution trends
• Lifestyle changes
• Mobility of the labour force
• Population demographics, ageing
• Workforce diversity

Technological
• Government and industry focus on
technological effort
• Government and industry spending on
research and development
• New discoveries/development
• Obsolescence rates for equipment
• Speed of technology transfer

Source: CPA Australia 2019.

The PEST framework can under-emphasise environmental and legal issues. In light of this weakness, the
PEST analysis may be extended to PESTEL (political, economic, social, technological, environmental and
legal) analysis. Figure 2.18 can be converted to a PESTEL framework by adding an environmental category
df_Folio:138
P

138 Advanced Audit and Assurance

(e.g. energy consumption, environmental issues, waste disposal) and a legal category (e.g. employment
laws, health and safety issues, industry deregulation, product safety). An example of a PESTEL analysis
for the airline industry is provided as figure 2.19.

FIGURE 2.19 PESTEL analysis for the airline industry

1. What environmental factors are affecting the entity?

2. Which of these are the most important at the present time? In the next few years?

Political
• Government stability in routes flown
• Traffic rights and freedom (e.g. what countries
can the aircraft land in)
• Route restrictions (e.g. open-sky agreements)
• Airport restrictions
• Taxation on tickets
• Terrorist activities

Economic • Inflation, employment, economic growth

• Industry capacity
• Increased competition in general and on specific routes
• World fuel prices
• Currency trends and fluctuations
• Strength of aircraft suppliers
• Availability of staff (e.g. pilots)
• Greater competition

Social • Population demographics

• Attitude to leisure and work
• Changes in the propensity to travel
• Appeal of substitute products (e.g. rail, telephone
conferences)
• Rising expectations for plane comfort/services
• Changes in economic distribution
• Employees requiring greater flexibility

Technological • New types of aircraft

• New capabilities of aircraft
• Electronic tickets
• Better databases (e.g. frequent flyers)
• Upgrading of IT systems
• Integrated reservation systems with alliance
partners
• Availability of internet to compare prices

Environmental
• Environment regulation related to noise and
pollution emission
• Airport curfews related to noise level
• Community around airports
• Fuel consumption
• Carbon emissions

Legal

• Safety regulations
• Foreign ownership regulations
• Employment law

P df_Folio:139

MODULE 2 Planning the Audit of Historical Financial Information 139

 In carrying out a PEST or PESTEL analysis, it is important to consider which environmental factors
are affecting the entity at the present and which factors are going to be most important over the next
few years. It should also be noted that some factors will be especially important for some entities but
not others. For example, environmental protection laws are critical for mining and chemical entities;
interest rates for banks; lifestyle changes for sports goods manufacturers; rates of obsolescence for
computer manufacturers; safety for an airline. Interest rate changes are more important for entities with
high debt/equity levels than those with low debt/equity levels; foreign trade regulations are important
to importers/exporters.
Value-Chain Analysis
To enable the auditor to understand the entity’s business model, an understanding of the value chain is
required.
Entities develop a competitive advantage through particular activities or processes that they perform
better than their competitors. A ‘value chain’ is usually considered as the series of activities or processes
within and around an entity that creates a product or service that is valued by customers. A value chain
generally consists of five primary activities that take place in the following order:
1. inbound logistics
2. production operations
3. outbound logistics
4. marketing and sales
5. services.
These activities are directly concerned with the creation or delivery of a product or service. Table 2.6
provides some examples of primary activities and examples of weaknesses and subsequent business risks
that should alert the auditor to increased risk of material misstatement in the financial statements.
Primary activities cannot be successfully undertaken without the benefit of support activities. Support
activities are those that improve the effectiveness and efficiency of the primary activities. Table 2.7 provides
some examples of support activities and potential deficiencies in these support activities that need to
be considered by the auditor to the extent that they may indicate an increased likelihood of a material
misstatement.
Tables 2.6 and 2.7 illustrate a range of business risks that can result from weaknesses in the value
chain. For example, an entity’s comparative advantage may be its ability to procure high-quality raw
materials (e.g. grapes for high-quality wine) or talented staff (e.g. a consulting firm). In this case,
inbound logistics, procurement and human resource management will all be critical. This understanding
is important for the auditor in identifying present and future business risks and considering their related
audit implications.

Examples of primary activities, weaknesses, risks and their possible risk of

TABLE 2.6 misstatement in the financial statements

Possible risk of
Primary activity Example Weakness/risk misstatement

Inbound logistics Purchasing, receiving, Deficiencies in these • Completeness and

storing and distributing activities resulting in valuation of inventory
materials — includes longer storage periods • Recognition of liabilities
material handling and can lead to increased • Timing of expenses
inventory control. spoilage.
Increased audit risks
relate to spoilage costs,
which affect inventory
valuation.

Operations Converting inputs into the If operations become • Measurement of cost of

final product or service — less competitive or goods sold (COGS)
includes production setup, technologically obsolete, • Cost allocation issues
machining, packaging, it has implications for
assembly and testing. asset impairment and
raises potential going
concern problems.

Pdf_Folio:140

140 Advanced Audit and Assurance

 Outbound logistics Collecting, storing and
distributing the product
to customers — includes
warehousing, material
handling and transport.
Marketing and sales Activities making
customers aware of the
product/service and able to
purchase them — includes
advertising, selection of
distribution channels,
selling.
Services Activities to enhance or
maintain the value of
a product or service —
includes warranty activities,
customer support.
Source: CPA Australia 2019.
TABLE 2.7 Examples of support activities, deficiencies and implications for audit risk
Support activity Example
Firm infrastructure Planning, finance, accounting, quality
control, information management
aimed to support the entire value
chain.
Human resource Activities involved with recruiting,
management training, staff development,
rewarding.
P df_Folio:141
MODULE 2 Planning the Audit of Historical Financial Information 141
Transport delays can • Sales cutoff
result in dissatisfied • Revenue recognition
customers and • Allocation of delivery
increased difficulty in costs
collection of receivables
(trade debtors valuation).
Damage during
transport can result in
stock returns (inventory
valuation issue).
Outdated distribution • Revenue recognition
channels (e.g. decrease • Collectability of trade
in-store sales and not debtors
catering for customers
who wish to buy
online) can create risks
related to inventory
obsolescence and
the potential need to
close down present
distribution channels
with resulting potential
restructuring costs,
including asset disposal
and redundancies (asset
impairment issues:
increased risk related
to valuation of inventory,
PPE and potentially
intangibles).
Poor installation can • Warranty expenses and
lead to future increased liabilities
warranty costs and • Capitalise versus
the risk of provision expense
for warranties being
understated.
Deficiency/Related risk of misstatement
Deficiencies in this firm infrastructure may
lead to poor estimates of financial amounts
(e.g. allowance for doubtful debts, fair value
estimates for impairment decisions).
Changes in human resource management
related to recruiting and rewarding policies
may increase the likelihood of error and
fraud — that is, recruiting, training and staff
development policies potentially affect the
likelihood of error; changes to reward systems
can affect the likelihood of fraud (e.g. increased
incentives).
(continued)
 TABLE 2.7 (continued)

Support activity Example Deficiency/Related risk of misstatement

Technology Improving products and processes Deficiencies in product design and process
development used in production (e.g. research development can lead to poor product
and development, product design, quality (and consequent effects on inventory
process development). valuation and warranty provisions) or late
deliveries (and consequent effects on
collectability of trade debtors difficulty of
achieving sales targets, etc.).

Procurement Activities/processes for acquiring Purchase of equipment that doesn’t fully

inputs needed to produce the suit the organisation’s requirements may
organisation’s products/services. result in delays in production and may lead to
dissatisfied customers and consequent effects
on collectability of trade debtors, difficulty in
achieving sales targets etc.

Source: CPA Australia 2019.

Example 2.16 focuses on the breakdown of Creamy Ltd’s value chain. Review the example now to see
how this impacts on the audit.

EXAMPLE 2.16

Value Chain Analysis

Creamy Ltd has produced a very popular fruit-based ice cream. However, due to problems with its
distribution system, its ability to deliver on time has declined. This has resulted in a significant drop in
its customer satisfaction index.
............................................................................................................................................................................
What are the audit implications of the breakdown in Creamy Ltd’s value chain?
Check your response against the suggested answer at the end of the book.

Analytical Procedures
An important technique for understanding the client and the industry is analytical procedures. Analytical
procedures refers to the investigation and analysis of fluctuations and relationships to determine whether
there are inconsistencies with other relevant information or deviations from predicted amounts.
The risk assessment procedures outlined in ISA 240, paras A13–A28, require auditors to consider
unusual or unexpected relationships and other information derived from analytical procedures, audit team
discussions and other internal/external sources that may be indicative of material financial statement
misstatement due to fraud. Analytical procedures to test expected relationships between financial statement
items and accounts may assist the auditor to identify unusual transactions and events. In addition,
auditors are required to ‘evaluate whether unusual or unexpected relationships that have been identified
in performing analytical procedures . . . indicate risks of material misstatement due to fraud’ (ISA 240,
para. 23).
Analytical procedures include:
• comparisons with prior periods, anticipated results (e.g. budgets and forecasts) and industry comparisons
• consideration of relationships between elements of financial information that would be expected to
follow a predictable pattern
• relationships between financial information and relevant non-financial information.
Certain elements of financial accounting would be expected to conform to predictable patterns, for
example:
• gross margin and sales
• sales commission and sales
• trade debtors and sales
• interest expense to borrowings.

df_Folio:142
P

142 Advanced Audit and Assurance

 For other costs, such as advertising, training, and repairs and maintenance, the amount spent is more
likely to be discretionary, and the relationship of these amounts to sales is less predictable. There are also
likely to be relationships between financial information and non-financial information, for example:
• payroll and staff numbers
• motor vehicle costs and number of vehicles
• workers compensation insurance and staff numbers.
Analytical procedures can be used for the following purposes.
• Planning the nature, extent and timing of other audit procedures. This will include obtaining a
better understanding of the client and the industry, highlighting changes in profitability trends and
unusual/unexpected relationships. For example, analytical procedures are used to compare account
balances and transactions with other financial and non-financial information in order to identify unusual
fluctuations or values. Overall, the aim is to direct attention to areas with the highest potential for
material misstatement.
• As a substantive procedure when its use can be more effective or efficient than tests of details for the
specific financial statement assertion.
• As a final overall review at the completion of the audit. This is to give an indication of the reasonableness
of the financial statements taken as a whole.
This module is mostly concerned with the audit planning aspects and is covered in ISA 315 (Revised),
paragraphs 6(b), A14–17. In module 3, analytical procedures, as part of substantive testing, are considered.
As SMEs may not have interim or monthly financial information that can be used for analytical
procedures, the auditor may only be able to perform limited analytical procedures for audit planning. The
auditor may obtain information using enquiry and then use analytical procedures to identify and assess
the risks of material misstatements when an early draft of the financial statements is available.
Analytical procedures can be either evaluative or predictive. Evaluative techniques use past information
to help the auditor to:
• understand the client and the industry
• identify and assess potential risk
• assess the extent of other audit tests
• corroborate other conclusions and ascertain the overall reasonableness of the financial information.
Predictive analytical procedure techniques are used to estimate activity levels or account balances based
on trends or relationships. Generally, at the planning stage of the audit, evaluative techniques such as simple
comparisons, ratio analysis, common-size statements and trend statements are used. Simple reasonableness
tests can also be useful.
The choice of techniques is a matter of professional judgment. The following discussion considers
simple comparisons, reasonableness tests and ratio analysis.
Simple Comparisons
Simple comparisons generally involve comparison of a current year income statement, and statement of
financial position items, to an appropriate norm or standard — for example, actual results for prior periods,
actual results for similar operating locations within the entity, budgets for the current year and actual results
for the current or previous periods for other companies in the industry.
While these comparisons can be made using the numbers in the comparative income statement and
statement of financial position, another useful technique is to use common size financial statements. This
is done by calculating all statement of financial position figures as percentages of total assets and all
income statement figures as a percentage of total revenue. This procedure assists in comparing companies
of different sizes and in determining trends over time for a single company.
Comparisons to Prior Periods
Percentage or dollar changes from prior periods can be an indicator of changes in circumstances, particular
trends or errors. While unexpected deviations or fluctuations may not necessarily indicate an error, the auditor
should follow up to understand why these fluctuations have occurred. The comparisons with prior periods
normally should extend over a number of years. Where changes in either the economic environment or the
organisation’s business have occurred, there is a need to adjust (even if only an approximation) the historical
information prior to making the comparisons. Based on other work conducted by the auditor (e.g. strategic
analysis), auditors should have expectations about particular balances. For example, new profitable contracts
were signed earlier in the year and have been in operation for six months; therefore, the auditor may expect
that sales figures will be approximately X% greater than the previous year. Alternatively, there has been a
sale of certain equipment with the expectation that depreciation expenses will decrease.
Pdf_Folio:143

MODULE 2 Planning the Audit of Historical Financial Information 143

Comparisons Between Locations
Comparing financial information between similar operating locations can be very effective in the planning
stage of the audit in order to identify potential errors and the areas where audit work should be most
concentrated. However, in making these comparisons (e.g. retail stores) differences between locations
need to be considered. For example, the location of a retail store may allow it to have larger mark-ups than
average.
Comparisons to Budgets
The current year’s figures can be compared to the entity’s budget to determine how the actual figures for
the period compare with earlier expectations of management and to consider the audit implications of
major variances. The auditor needs to determine the nature and past accuracy of the entity’s budgeting
system. For example, little, if any, reliance can be placed on these comparisons if the budgeting system
historically has been inadequate due to such factors as poor preparation or frequent large variances. In
addition, where management places considerable emphasis on the need to achieve budget, there is the
possibility of manipulation of recorded results in order to achieve budget.
Comparisons to Industry Figures
Comparison of financial statement amounts and relationships for an entity or segments of that entity to
industry figures can improve the auditor’s understanding of an entity’s business and industry, indicate
financial strengths or weaknesses and highlight areas requiring audit attention. In particular, the high-
lighting of abnormal trends compared to industry may be informative. For example, if the gross margin
of the entity is increasing, but for the industry as a whole, it is decreasing, follow-up is appropriate.
Comparisons to industry averages can be difficult in many circumstances due to the unique characteristics
of the organisation and/or its diversified nature. However, the understanding of significant variances from
industry averages can be useful for the auditor, particularly in the planning stages.
Reasonableness Tests
Generally, reasonableness tests are simple calculations using relevant financial and operating data in order
to develop an estimate of an amount. They can be used in the planning stage at a more holistic level or
used as a substantive test (see module 3), where they would be broken down into components.
Many revenue and expense items can be reasonably estimated from one or a few other items. Examples
include:
• income for hotels can be estimated from average room charges and occupancy rates
• gross margin can be calculated as a percentage of sales
• professional service fees can be related to number of staff, average charge-out rates and average
chargeable time
• investment income can be related to average amounts invested and average interest rates
• payroll expense can be related to the average number of employees and average pay rates
• commission expense can be estimated from sales and commission rates
• interest expense can be related to the average amount owing and average interest rates
• depreciation expense can be estimated by reference to asset balances, additions and deletions, and
depreciation rates.
Reasonableness relationships such as interest to borrowings, fuel expenses to vehicles used and
kilometres travelled can be useful calculations. However, care should be taken as the relationship becomes
more complex. For example, the relationship between interest expense and borrowings becomes more
complicated when different borrowings have different interest rates and new borrowings are taken out or
repaid during the year. Similarly, a reasonableness test on the revenue for a large city hotel will depend on
the number of rooms, occupancy rate and percentage of clients in various rate categories (e.g. government
rate, range of corporate rates).
Ratio Analysis
For interpretation purposes, ratios need to be compared to some benchmark. This benchmark can be the
same ratio computed in prior periods and/or ratios of other comparable organisations. Ratio analysis can
be an effective method of increasing an auditor’s understanding of an entity’s business operations. By
identifying trends and unusual fluctuations, it is a useful technique for ascertaining areas that require
particular attention.
Auditors should consider changes in a group of related ratios rather than concentrating on single ratios.
For example, an organisation’s ‘quick ratio’ may appear satisfactory until it is viewed in the light of a
declining net profit margin, a negative cash flow or a decrease in debtors’ turnover.
Pdf_Folio:144

144 Advanced Audit and Assurance

 It should be noted that there are often multiple ways to calculate the various ratios. For example, some
calculations can be performed using either profit before tax or profit after tax. When performing such
analysis, the key thing to remember is to be consistent with the calculation chosen (and understand the
inputs used in a given output). This consistency must be maintained from year to year for comparability.
Here we illustrate some commonly used ratios although, based on knowledge of the company, the auditor
may use professional judgment to determine that a different form of the ratio is appropriate for their
purposes.
Ratios can be classified into the following categories:
• profitability
• activity
• liquidity
• financing.

Profitability Ratios
Profitability ratios generally provide an indication of an organisation’s profitability and changes in
profitability. Profitability ratios are shown in figure 2.20.

FIGURE 2.20 Profitability ratios

Net profit after tax

Return on shareholders’ equity =
Ordinary shareholder’s equity

Operating profit before tax

Return on total assets =
Total assets

Operating profit before tax

Net profit =
Sales

Gross profit
Gross profit (Gross margin) =
Sales

Each individual item of expense

Operating expenses =
Sales

Note that many ratios can be calculated in a number of different ways. For example, for return on asset
(ROA), EBITDA, EBIT, profit before tax or net profit after tax could be used. If you are unsure about the
interpretation of any of the ratios, you should consult any introductory financial accounting textbook.
The gross margin ratio is one ratio that is commonly used by auditors. For many firms, this ratio
will have a relatively stable and predictable pattern. Fluctuations may indicate changes in the nature of
the business (such as competition, pricing policies, manufacturing efficiencies, sales mix changes), or
financial statement errors. If the gross margin to sales ratio is increasing, the auditor needs to be aware
of the possibility that sales may be overstated (e.g. fictitious sales without a corresponding cost of goods
sold (COGS) entry). The return on assets ratio and net profit ratios (also called ‘net profit margin’ ratios)
indicate trends in profitability and the effectiveness with which the organisation’s resources are being used.
Many companies use EBIT (earnings before interest and tax) or EBITDA (earnings before interest, tax,
depreciation and amortisation) instead of operating profit before tax when calculating this ratio. Ratios of
expenses to sales may provide reasons for changes in profitability as well as possible financial statement
errors. For example, a large increase in the ratio of repairs and maintenance to sales may indicate that a
capital item has been charged to the repairs and maintenance account.

Activity Ratios
Activity ratios provide an indication of an entity’s efficiency in using available resources. They include
those shown in figure 2.21. Note that days in debtors is also referred to as average collection period in
days, and days in payables is also referred to as average payment period in days.
Pdf_Folio:145

MODULE 2 Planning the Audit of Historical Financial Information 145

 FIGURE 2.21 Activity ratios

Sales
Asset turnover =
Total assets

Cost of goods sold

Inventory turnover =
Average inventory

Average inventory × 365

Days in inventory =
Cost of goods sold

Credit sales
Debtors turnover =
Average debtors

Average debtors × 365

Days in debtors =
Credit sales

Average accounts payable × 365

Days in payables =
Credit purchases

The inventory turnover ratio can be compared over time and with the industry average. If the ratio is
substantially below those of past years or the industry average, it can indicate obsolete and slow-moving
stock. Generally, a high ratio is preferable as it indicates efficient inventory management. However, it can
also indicate problems such as unrecorded inventory. The ratio varies significantly between industries, and
for some industries, it will vary seasonally. Ratios may also vary within industries because of different
methods of accounting for inventory (e.g. first-in first-out (FIFO), weighted average).
The debtors turnover ratio is an indication of an entity’s credit control policy. The higher this ratio is, the
better the performance. A decrease in this ratio compared to prior years or industry average may indicate
deficiencies in the entity’s credit and collection policies, possible uncollectability of some accounts,
possible fictitious sales or incorrect cutoff, or an increase in the credit period granted in order to increase
sales. Fluctuations in these ratios may indicate changes in liquidity or cash management procedures.
These ratios used an average of opening and closing balances for the year (i.e. opening inventory plus
closing inventory divided by two). It is common to use closing figures (i.e. year-end balances) for these
analytical procedures as this version of the ratios has the advantage of increasing the likelihood of detecting
a material misstatement related to year-end adjustments. For example, if there was a financial statement
fraud where cost of goods sold had not been recorded by overstating year-end inventory (i.e. not putting
through the journal entry Dr. COGS, Cr. Inventory), it would be easier for the auditor to detect if the
inventory turnover ratio used the closing balance.
Liquidity Ratios
Liquidity ratios provide an indication of an organisation’s ability to meet current obligations as they fall
due. Unusual or unexpected trends may also indicate over- or understatement of current assets (e.g. trade
debtors, inventory) and current liabilities (e.g. payables, accruals). The ratios need to be reviewed with
regard to the organisation’s current and projected cash flow. Examples of liquidity ratios are shown in
figure 2.22.

FIGURE 2.22 Liquidity ratios

Current assets
Current ratio =
Current liabilities

Cash + Marketable securities + Trade debtors

Quick asset ratio =
Current liabilities

df_Folio:146
P

146 Advanced Audit and Assurance

 An increase in the current ratio is not always a positive signal to the auditor because it may indicate
a build-up of trade debtors possibly due to less effective collection procedures or a build-up in inventory
because of difficulties in selling products. Thus, the auditor would consider both inventory turnover and
debtors turnover in connection with changes in the current ratio.
The quick asset ratio is a more conservative indication of liquidity than the current ratio — that is, it does
not include inventory in the numerator of the ratio. The comparative importance of the level or change in
these ratios depends on such factors as the predictability of future cash flows, the inventory turnover ratio
and the debtors turnover ratio. For example, the less predictable the cash flows, the higher these ratios
need to be acceptable. On the other hand, if cash flows are very predictable, the auditor is likely to be
less concerned about a lower current ratio because the organisation is likely to have sufficient cash flows
coming in on a regular basis to pay any bills.
Financing Ratios
Gearing ratios consider the long-term financial strength of an entity. They may indicate, for example, that
there is an over-reliance on debt finance. Examples of gearing ratios are shown in figure 2.23.

FIGURE 2.23 Financing ratios

Total liabilities
Debt–equity ratio =
Shareholders’ equity

Long-term liabilities
or
Shareholders’ equity

Total liabilities
Debt–assets ratio =
Total assets

EBIT
Number of times interest earned =
Interest expense

The first two ratios indicate the gearing level. The third one considers the ability of the entity to meet its
interest commitments as they fall due. Changes in these ratios may indicate business risk, and the auditor
needs to consider related audit risk.
There are often multiple ways to calculate the various ratios. For example, some calculations can be
performed using either profit before tax or profit after tax. When performing such analysis, the key thing
to remember is to be consistent with the calculation chosen (and understand the inputs used in a given
output). This consistency must be maintained from year to year for comparability.
The debt–equity ratio, for example, can be calculated as long-term liabilities divided by shareholders’
equity or total liabilities divided by shareholders’ equity. The choice of ratio will depend on the outcome
required by the auditor. For example, if the user wishes to know what proportion of total resources was
being provided by the owners as against those from third parties, the likely measure would be total liabilities
divided by shareholders’ equity. If, on the other hand, they were considering the long-term financing
position of the firm, then they would use the ratio of long-term liabilities divided by shareholders’ equity.
If the auditor is looking for unusual trends, they may calculate both versions of the ratio.
In addition, the relationships between different ratios can be used to determine areas that require
particular attention. This is illustrated in example 2.17. Review this example now.

EXAMPLE 2.17

Relationships Between Ratios

Sydney Ltd is a large retailer of hardware equipment that sells its products through a network of suburban
stores. Shown below are the calculation of some of its key ratios for 20X9 and 20X8.

P df_Folio:147

MODULE 2 Planning the Audit of Historical Financial Information 147

 Ratio 20X9 20X8

Return on assets (ROA) 12% 10%

Net profit margin 24% 20%

Asset turnover 0.50 0.50

Gross margin 30% 30%

............................................................................................................................................................................
What do the relationships between these key ratios tell the auditor about areas that require audit attention?
Check your response against the suggested answer at the end of the book.

QUESTION 2.15

While performing the preliminary analytical procedures at the audit planning stage, a substantial
increase in goods returned (as a percentage of total sales) was observed over last few months.
Which assertions could be identified for potential risk of misstatement? Explain why.

DuPont Analysis
In interpreting the set of ratios discussed, it is important to consider the relationships between ratios.
One way of doing this is to consider a DuPont analysis. The name is used because DuPont in the
United States was the first company to formally integrate the linking of these ratios into its organisational
control system. For example, the DuPont analysis shows that ROA can be explained by profit margin
and total assets turnover. The relationship between relevant ratios used with DuPont analysis is shown in
figure 2.24.

FIGURE 2.24 DuPont analysis — relationship between relevant ratios

ROA = Profit margin × Total assets turnover

Operating profit before tax / Operating profit

= × Sales / Total assets
Total assets before tax / Sales

A disadvantage inherent to all financial ratio analysis methods, including DuPont analysis, is that when
used for comparing one entity’s profitability and efficiency with that of another entity, it works best when
the two entities are of similar size and operate within the same industry. As many business entities are now
diversifying, it is not easy to find a suitable entity to use for comparison purposes.

Common-Size Statements
Common-size statements are another common method used to help the auditor in identifying trends that
indicate where additional attention will be needed during the audit.
If you are unsure how to prepare common-size statements, refer to either an auditing or introductory
financial accounting textbook.
Example 2.18 demonstrates the use of common-size statements to identify trends that the auditor would
need to pay additional attention to during the audit. Review this example now.

df_Folio:148
P

148 Advanced Audit and Assurance

 EXAMPLE 2.18

Common-Size Statement Analysis

Review the common-size statements for MNO Ltd prepared in a time series format over four years and a
cross-sectional form with two competitors.
MNO Ltd — 30 June 20X9 20X9 20X8 20X7 20X6
% % % %
Percentage common-size statement of financial position
ASSETS
Cash 8.7 8.4 8.0 8.0
Trade debtors 19.3 19.0 18.8 18.6
Inventories 24.8 21.7 23.5 20.2
Other current assets 4.1 3.9 3.6 3.7
PPE 43.1 47.0 46.1 49.5
100.0 100.0 100.0 100.0
LIABILITIES AND SHAREHOLDERS’ FUNDS
Payables 15.2 13.9 19.7 20.3
Other current liabilities 8.9 9.1 9.5 9.6
Non-current liabilities 33.0 34.5 31.0 30.7
Deferred income tax 4.0 4.0 3.8 3.7
Shareholders’ equity 38.9 38.5 36.0 35.7
100.0 100.0 100.0 100.0
Percentage common-size income statement
REVENUE
Net sales 97.2 98.6 98.1 98.2
Returns 2.8 1.4 1.9 1.8
100.0 100.0 100.0 100.0
EXPENSES
Cost of goods sold 52.9 53.8 54.3 54.6
Operating expenses 11.7 12.3 11.2 11.2
Interest expense 5.5 5.4 4.7 4.4
Depreciation 10.6 10.9 11.0 10.9
Income tax 10.5 10.3 9.9 9.8
Profit after tax 8.8 7.3 8.9 9.1
100.0 100.0 100.0 100.0
MNO Ltd—30 June 20X9 MNO Ltd Competitor 1 Competitor 2
% % %
Percentage common-size statement of financial position
ASSETS
Cash 8.7 6.5 9.8
Trade debtors 19.3 15.7 11.3
Inventories 24.8 23.5 23.1
Other current assets 4.1 4.9 3.5
PPE 43.1 49.4 52.3
100.0 100.0 100.0
LIABILITIES AND SHAREHOLDERS’ FUNDS
Payables 15.2 21.2 13.3
Other current liabilities 8.9 10.9 15.4
Non-current liabilities 33.0 35.4 36.6
Deferred income tax 4.0 7.4 2.2
Shareholders’ equity 38.9 25.1 32.5
100.0 100.0 100.0
MNO Ltd Competitor 1 Competitor 2
% % %
Percentage common-size income statement
REVENUE
Net sales 97.2 98.4 98.1
Returns 2.8 1.6 1.9
100.0 100.0 100.0

P df_Folio:149

MODULE 2 Planning the Audit of Historical Financial Information 149

 EXPENSES
Cost of goods sold 52.9 49.5 48.3
Operating expenses 11.7 11.6 10.6
Interest expense 5.5 3.9 4.1
Depreciation 10.6 11.1 10.9
Income tax 10.5 11.3 12.6
Profit after tax 8.8 12.6 13.5
100.0 100.0 100.0

............................................................................................................................................................................
What trends indicate areas where the auditor will need to pay additional attention during the audit?
Check your response against the suggested answer at the end of the book.

QUESTION 2.16

Your client is Gateshead Pty Ltd, a large family-owned company which imports and sells computer
hardware products. You are planning the 30 June 20X9 audit and, from your enquiries of manage-
ment, have obtained the following information.
1. In January 20X9, Gateshead applied for, and was granted, a new loan. The submission made to
the bank stated:
• the current ratio was 0.90
• gross profit was up by 25% compared with that at the same time last year
• the debt-to-equity ratio was 0.40.
2. The bank agreed to the new loan but did enter into a loan covenant with Gateshead. The covenant
required that the company should not breach certain ratios and placed certain restrictions on
dividends.
Based on your prior experience with the client, you are sceptical about the validity of the ratios
discussed in the submission. Outline the specific audit planning implications of this information.

Following our discussion of the common methods used for risk assessment, we now turn our focus to a
more recent addition to the auditors’ collection of risk assessment tools — i.e. audit data analytics.

Audit Data Analytics (ADA)

As technology evolves, data analytics tools are becoming increasingly accessible and powerful. Some
auditors are using sophisticated analytical procedures to streamline the audit process. The use of data
analytics in a financial statement audit is ‘the science and art of discovering and analyzing patterns,
deviations and inconsistencies, and extracting other useful information in the data underlying or related to
the subject matter of an audit through analysis, modeling and visualization for the purpose of planning or
performing the audit’ (IAASB 2016, p. 7).
There are three distinct types of data analytics. These methods are often used together to obtain a holistic
view of how the entity competes efficiently within the market. The three types of analytics are as follows.
• Descriptive analytics. Uses data aggregation and data mining to provide insights into the past — tells
us what has happened.
• Predictive analytics. Uses statistical models and forecast techniques to understand the future — tells us
what could happen.
• Prescriptive analytics. Uses optimisation and simulation algorithms to advise on possible outcomes —
tells us what we should do.
Auditors are combining big data and analytics to detailed industry information to help them better
understand the entity, identify risks and deliver enhanced audit quality. Insights gleaned from such data
extend beyond risk assessment. One of the key advantages of implementing data analytics is the ability for
auditors to examine the entire population of transactions for an audit client, thus mitigating risks associated
with traditional sampling approaches. The use of ADA leads to higher audit quality as better risk-based
selections can be made from broader and deeper insights of the entity and its environment.
ADA can be used at virtually any phase of the audit, as illustrated in figure 2.25. ADA can be used as a
risk assessment tool, as a test of controls, as a test of details, or to help form a conclusion regarding virtually
any audit assertion. In this module, the discussion on the use of ADA is focused within the context of its
df_Folio:150
P

150 Advanced Audit and Assurance

use as a risk assessment tool at the planning stage of the audit. Recall the risk assessments for specific
matters discussed earlier in this module (e.g. fraud, accounting estimates, related-party, going concern,
climate-related and NOCLAR risks).

FIGURE 2.25 Data analytics — impact on audit quality

Use of data analytics on larger sets of audit-relevant data is much

broader than traditional analytical procedures.

Audit procedures to obtain audit evidence

Risk Analytical Substantive Tests of

assessment procedures procedures controls

Data analytics

Source: IAASB 2016, p. 7.

Being able to analyse the entire population of a dataset contributes to the audit planning process as:
• auditors will be equipped with a better understanding of the scale and operations and the client
which feed into resource allocation decisions for engagements and allows auditors to engage more
meaningfully with the client when undertaking risk assessment procedures
• auditors will be able to perform more focused audits in areas of higher risk identified (e.g. anomalies,
outliers) through the application of data analytics tools (Stansell 2018).
Example 2.19 provides an illustration of how data analytics is used during audit planning. Review the
example now.

EXAMPLE 2.19

Data Analytics in Action

Big World Ltd is a rapidly expanding multi-location retailer of business equipment. Total assets are
$25 000 000, including $10 765 225 in trade debtors. The trade debtors aging report provided by the client
showed more than $245 000 past due by 120 days or more. An electronic version of the detailed report
was obtained and further analysis helped document a decision to examine more current trade debtors
balances separately from those past due by 120 or more days.
With the use of data analytics software, in less than 20 minutes, the auditor was able to perform the
following steps.
1. Gain a better understanding of the monitoring system for trade debtors.
2. Total the file and agree the balance to the client’s monitoring report and general ledger balance.
3. Check the aging report by using the due date field (re-perform calculations).
4. Isolate past-due balances and summarise them by store, then compare and calculate the percentage
of past-due trade debtors to total by store.
5. Decide on an effective audit strategy to respond to the high inherent and control risk assessments.
Source: Adapted from: Caseware Analytics.

The use of ADA is providing opportunities to rethink how an audit is performed. In some ways, the
audit does not change as the auditor must still audit the same assertions, understand the entity and its
environment, and must still understand an entity’s internal controls. However, ADA allows the auditor to
rethink how to assess risk and how to perform substantive procedures to collect audit evidence.
Integrating analytics into audits poses many challenges. For example, access to audit-relevant data can
be limited; qualified and experienced resources to process and analyse the data is scarce; and integrating
analytics into the audit continues to be a challenge for auditors (Ernst & Young 2017). However, progress
is being made on each front.

Pdf_Folio:151

MODULE 2 Planning the Audit of Historical Financial Information 151

 A phased approach may be considered for adopting data analytic techniques in audit engagements,
starting with a few key areas targeted at a time. This allows time for the audit team to develop their
understanding of the technique/s and to get a feel for the results and their implications. Once the team
understands data analytics testing, it can be applied to other areas of the audit. Key areas of the audit
where data analytics should be considered for implementation include:
• trade payables
• trade debtors
• general ledger
• payroll
• inventory (Stansell 2018).
As with all audit procedures, auditors must carefully plan the nature, timing, and extent of ADA to be
used for each client. In its Audit Guide for Audit Data Analytics, the AICPA outlines a five-step process,
shown in figure 2.26 to follow when planning, performing and evaluating results from ADA.

FIGURE 2.26 Five-step process for planning and performing ADAs

Step 1: Plan the ADA

Step 2: Access and prepare the data for

the ADA

Step 3: Consider the relevance and

reliability of data used

Step 4: Perform the ADA

Step 5: Evaluate the results and conclude

whether the purpose and specific objectives
of performing the ADA have been achieved

Source: Johnson & Wiley 2019.

Step 1: Plan the ADA

The auditor will need to customise an ADA application to the entity. This may require significant audit
partner and manager time or may be combined with a brainstorming session that involves all members of
the engagement team.
Key questions for an audit team to consider when planning an ADA application are as follows.
• What financial statement items, accounts, or disclosures and related assertions are being audited?
• What is the overall purpose of the ADA application and how will it contribute to the balance of the
audit? For example, is ADA being used as a risk assessment procedure or as a substantive test?
• What is the audit population being analysed or tested using ADA? The auditor should also consider the
relevance of the data to the audit assertion(s) being tested, and the availability and reliability of the data.
• What ADA tool is best suited for the audit purpose? Here the auditor selects the techniques, tools,
graphics, tables or other analytical techniques to be used.

Pdf_Folio:152

152 Advanced Audit and Assurance

Step 2: Access and Prepare the Data for the ADA
Once the auditor has planned the ADA application, the auditor must access the data, make a copy of the
client’s data and prepare the data for analysis. Auditors should never perform any functions or procedures
that would modify or change the client’s actual data. Key questions the auditor should consider when
preparing data for analysis are as follows.
1. Is the data complete?
• Does the data agree with the general ledger and the financial statements?
• The auditor should check the numerical continuity of the data. Are there missing numbers
(e.g. missing numbers in the sequence of invoices)?
2. Does the data need to be cleaned?
• Are there fields with missing data?
• Is the data appropriately and consistently formatted?
Step 3: Consider the Relevance and Reliability of the Data Used
Relevance and reliability of data should be addressed as part of any audit test. It is important that the data be
relevant to the assertion being tested. The data selected will vary depending on the assertion being tested.
These concepts will be covered in more detail in module 3.

Step 4: Perform the ADAs

This step involves the auditor executing the ADA to identify or assess risks of material misstatement.

Step 5: Evaluate the Results and Draw Conclusions

This step involves evaluating the results provided by the ADA to determine whether notable items result
in any of the following.
• Identification of previously unidentified risk
• Modification or support for the assessment of risks of material misstatement
• Information to better design or tailor audit procedures to address risk of material misstatement (Tysiac
2017).

Using ADA for Risk Assessment

When performing ADA as a risk assessment procedure, the auditor will generally have first obtained an
understanding of the entity and its environment because it takes a significant understanding of the entity
to identify misstatements and anomalies and to assess the implications of these for the audit plan. It is
also likely that the auditor has obtained an understanding of the system of internal control, and perhaps
performed tests of controls, to assess the reliability of data used in performing ADA.
ADA is effective not only for identifying general types of misstatements but also for identifying specific
transactions or accounts that are likely to be misstated. The process of undertaking risk analysis using
ADA as a risk assessment process within an environment of professional scepticism is illustrated in
figure 2.27.
The auditor uses ADA to look for anomalies or balances or transactions that do not meet the auditor’s
expectations based on his or her business acumen, knowledge of the business, and knowledge of the
industry and economy in which the audit client operates. There are a number of ways an auditor might
search an audit population for items of interest. Common data analytics techniques for risk assessment are
shown in figure 2.28.
During the risk assessment phase of the audit, the following techniques may be used.
• Clustering transactions or balances based on a particular characteristic or multiple characteristics.
• Matching the characteristics of two populations to see if there are any overlaps.
• Regression analysis whereby the notable items are identified using statistics.
• Time-series regression to analyse data that occur regularly within the client.
• Visualisation where the auditor plots certain characteristics of a population of account balances or
transactions looking for unusual characteristics.

Pdf_Folio:153

MODULE 2 Planning the Audit of Historical Financial Information 153

 FIGURE 2.27 Risk analysis decision tree

Environment of professional scepticism

Population

Fits the auditor’s Does not fit the

expectation auditor’s expectation

Acceptable variation Unacceptable variation

from the auditor’s from the
expectation auditor’s expectation

Remote probability Reasonable possibility

of aggregating of aggregating
to a material to a material
misstatement misstatement
Source: Johnson & Wiley 2019, p. 7–14.

FIGURE 2.28 Data analytics techniques for risk assessment

Data analytics
techniques for
risk assessment

Matching
Regression Time-series
Cluster analysis information in key Visualisation
analysis regression
data fields
Source: Johnson & Wiley 2019.

Cluster Analysis
Cluster analysis is the process of discovering groups (termed clusters in data science) of similar items
in a set of data; items in the same group are similar, while items in different groups are not as similar.
The characteristics of the groups need not be known beforehand; they are determined by the data. For
this reason, it is a particularly useful technique when the auditor does not know much about the data set.
However, in the audit environment, clustering is often informed by the auditor’s knowledge of the business
and industry, knowledge of the client, and an understanding of the accounts, transactions, and assertions
being audited. Consequently, the creation of groups should be guided by a combination of the data and
the auditor’s expert knowledge. The auditor is generally not advised to outsource clustering work without
active communication with the person performing the clustering.
Cluster analysis involves sorting client data into various dimensions or measures. For example, data
can be sorted based on location, cost centre, or manager. Once sorted, it can be measured across those
dimensions for items such as rent expense, sales revenue, inventory (sold, on hand and purchased).
Following this, data can be analysed to determine whether the relationships between the various data are
consistent with the auditors’ understanding of their client. Summaries can be prepared using a range of
criteria such as by month, division or manager.

Matching Information in Key Data Fields

Matching information in key data fields is a process whereby the auditor uses audit data analytics to search
for key characteristics that may exist in several different databases. Often, the auditor uses this process
with an expectation that there should be no matches. For example, the auditor would not expect an overlap
between addresses in a vendor database and a payroll database, as shown in figure 2.29. However, if
segregation of duties is weak, there may be an opportunity for an employee to create a fictitious vendor,
and the vendor address may match an employee’s address. Using audit data analytics to search for this
type of evidence of fraud may be a useful technique if fraud risk is assessed as high.
Pdf_Folio:154

154 Advanced Audit and Assurance

 FIGURE 2.29 Searching for and finding unexpected matches in two data fields

Vendor Vendor addresses

database
Unexpected
address matches

Payroll Employee addresses

database

Source: Johnson & Wiley 2019.

Regression Analysis
Regression analysis can be used to investigate relationships among different groups of data (variables). This
analysis considers the relationship between a dependent variable, such as sales, and various independent
variables, such as selling costs, purchases, and advertising expense (Johnson & Wiley 2019). Regression
analysis provides a statistical measure of the relationships among data and establishes whether movements
in the independent variables result in a change in the dependent variable. Any significant differences
between the client’s reported balances and what the regression model predicts are investigated by the
auditor as they indicate a potential misstatement (e.g. an overstatement of sales relative to the associated
expenses).
Time-Series Regression
Time-series regression can be used to analyse data that occur regularly within the client, for example, sales
and purchases. This form of analysis uses data from the past to predict the future. For example, sales made
in the past can be used to predict sales in the current period. The audit team can then investigate significant
fluctuations in expected sales trends, taking into consideration changes that occurred during the period
that may explain the observed variations. For example, if the client closed some retail outlets it would
explain a sharp decline in sales. When conducting a time-series analysis, auditors look at the long-term
trend, seasonal variations (for example, sales of frozen yoghurt are likely to be higher in summer), and
unexpected variations.
Visualisation
Visualisation is the representation of a data set, or key information, as a chart or another image.
Visualisations are produced to reveal information to people. Good visualisations have the following
characteristics.
• Facilitate people making visual comparisons between data elements. This can help auditors to identify
patterns, deviations from patterns, and outliers in the analysis stage of ADA.
• Are generally understood by a wider audience. Visualisations reduce the message to its core components
and use minimal, or no, jargon. This is particularly useful to auditors because they have to present
findings to business people with varied backgrounds. This benefit is also applicable to auditors sharing
the results of ADA with the rest of the audit team who will not be as familiar with ADA as the auditor
who performed it.
• Communicate a lot of information efficiently. There is truth to the saying a picture is worth a thousand
words. Managers are extremely busy people and so auditors will benefit from being able to communicate
their findings efficiently. Once again, a similar logic applies to auditors communicating findings within
an audit team.
• Are likely to be better remembered. Having a strong recollection of the findings from ADA is useful to
the auditor when combining the large number of findings to make sense of the audit as a whole. It is
also useful for clients (and any other stakeholders) to better remember what auditors are trying to tell
them.
In the context of ADA, a visualisation can be used to assist with the analysis, to communicate findings
effectively and efficiently, or both. The use of visualisation in the form of a planning dashboard can be
very useful in understanding the client’s processes and data population, assisting in identifying inherent
Pdf_Folio:155

MODULE 2 Planning the Audit of Historical Financial Information 155

risks, and informing walkthroughs and audit focus. A dashboard can also draw on external data such as
market data, interest and foreign exchange rates, changes in GDP and other growth metrics to be used in
analytical procedures (ICAEW 2016).
Just as is the case for the benefits, the risks associated with visualisations are related to their association
with people. There are risks when visualisations are created in isolation. Visualisations are excellent at
summarising results, but they generally do not provide precise figures or tests of statistical significance
that are often needed in ADA. That is, they should be used in combination with other tools, not isolation.
An excellent visualisation of an otherwise poor ADA is not useful. Even a beautiful visual as part of a
good ADA is useless if it has no purpose. On the other hand, an excellent visualisation that is integrated
into a well-defined and well-executed five-step ADA can add tremendous value.
There is also a risk that the pretty visualisation will be remembered rather than the message it was
intended to convey. Auditors need to focus viewers on the substance, not the form, of the visualisation.
Current software makes it very easy to create complex visualisations, but they are not always appropriate.
For example, three-dimensional graphs are rarely needed because they are relatively difficult to interpret.
Usually, all the information can be displayed in a standard two-dimensional graph. The lesson is to use
the graph that is best suited to the need of the ADA. This requires business acumen and equally applies to
simple cases.
Table 2.8 lists several audit data analytics software that is available for use.

TABLE 2.8 Audit data analytics software

Microsoft Microsoft Excel is commonly used by many CPAs as a basic tool for various analyses. The latest
Excel version of Excel includes a variety of tools to improve the ability to import data, as well as some
new functions and workflow tools.

IDEA IDEA is a powerful and user-friendly tool designed to help accounting and finance professionals,
including CPA firms and internal audit groups extend their auditing capabilities, detect fraud, and
meet documentation standards. It easily imports data from almost any source to analyse large
data sets, report findings using visualisation tools, and automate repeatable processes without
programming. See IDEA’s Academic Partnerships at http://www.casewareanalytics.com/idea-
academic-partnership.

ACL ACL is another popular audit software, similar to IDEA, that is used by accounting firms and internal
audit groups.

Tableau The focus of Tableau software is visual analytics to help individuals and organisations see and
understand their data. Tableau Desktop and Tableau Prep are free for students and faculty: see
https://www.tableau.com/academic/students.

R R is one of the most popular software environments for data science. It is open source, which
means it is freely available to all users. R provides a vast array of analytics and visualisation
capabilities that can be used for any purpose, including ADA. One of the reasons for its popularity is
that R has ongoing updates from the analytics community and thus is kept up-to-date with cutting-
edge advances in analytics. RStudio is a popular user interface to access R that many people
find easier to use than R directly. Details and installation instructions for RStudio can be found at
https://www.rstudio.com/. Please note that R should be installed (https://www.r-project.org/) before
installing RStudio.

Python Python is another very popular programming language for data science, with similiar capabilities
as R.

Power BI Power BI is a business analytics service by Microsoft. It provides interactive visualisations and busi-
ness intelligence capabilities with a simple interface enabling end-users to create their own reports
and dashboards. Guided learning of Power BI is available at https://powerbi.microsoft.com/en-
us/learning

Qlik Qlik Sense helps you do more with data by easily combining any data sources, regardless of size or
Sense complexity, into a single view. A free trial is available at www.qlik.com/us

Source: Adapted from Johnson & Wiley 2019.

Example 2.20 demonstrates the use of audit data analytics to items of interest where the auditor will
need to pay additional attention to during the audit. Review this example now.

Pdf_Folio:156

156 Advanced Audit and Assurance

 EXAMPLE 2.20

Audit Data Analytics

You are an auditor at JnJ Auditors. Your firm uses audit data analytics (ADA) to identify items of interest
with a higher risk of material misstatement during the audit planning stage of the audit. You are currently
planning the audit of Sky Robotics Ltd (SRL), a retailer that sells a range of drones. The sales prices for
the two main products are expected to be stable during the audit period, but product A is a higher-priced
product. As such, when graphing the relationship between sales dollars and sales units per invoice, the
pattern should show a straight line. However, when you used ADA to map the relationship, you found
outliers (see graph below).

Product A

Product B
Inventory sales $ per invoice

Items to be
investigated

Inventory units per invoice

............................................................................................................................................................................
What do the outliers indicate?
Check your response against the suggested answer at the end of the book.
Source: Adapted from CPA Canada 2017.

When testing 100% of the population using data analytics, it could potentially create an issue with a large
number of outliers being identified that would require the auditor’s attention. Using prioritisation methods
to filter the outliers would allow auditors to focus on items with a higher risk of material misstatement for
follow-up substantive procedures (No, Lee, Huang & Li 2019).

Other ADA Techniques

Other ADA techniques include the following.
• Peer analysis — compare key performance measures of the entity with others in the same industry.
• Three-way match procedure — quantities, prices and product identifiers in customer purchase orders,
shipping documents and sales invoices.
• Journal entry analytics — examines 100% of journal entries made during the period to reveal patterns
in account codes affected, the person who authorised and posted the entries and the timing and amounts
of posted entries.
• Segregation of duties analysis — accesses user identifier fields for various transactions to check if
incompatible functions have been performed by the same individual.
• Process mining — to identify whether the entity’s system is processing transactions effectively or
unauthorised processes (see figure 2.30).
• General ledger account reconciliation — ensure opening balances agree with the ending audited
balances for the preceding period.
• General ledger account balance analysis — to identify significant changes in account balances from
prior periods, trends in balances and to calculate key performance indicators (CPA Canada 2017).

Pdf_Folio:157

MODULE 2 Planning the Audit of Historical Financial Information 157

 Figure 2.30 shows the invoicing process triggered when an order is shipped to the customer. After the
invoice is initiated, it is reviewed before being issued. However, pricing adjustments are sometimes made.
Process mining has identified pricing adjustments made to some invoices and has isolated the invoices with
price adjustments made without approval. The auditor would investigate those for further investigation as
this could indicate fraud.

FIGURE 2.30 Process mining detects unauthorised sub-process

Order shipped Expected process

Expected sub-process

Invoice initiated Unauthorised sub-process

detected
Pricing
Invoice reviewed adjustments
made

Adjustments by
unapproved staff
Approved
pricing adjustments

Invoice issued

Using Data Analytics and Data Visualisation to Assess the Risk of Fraud
Data analytics and data visualisation can uncover a wealth of evidence and paint a clearer picture than
traditional analytical procedures as it includes the analysis of unstructured data. Accounts that have
been manipulated to conceal fraud usually show unusual relationships with other accounts that were
not manipulated. Data analytics can help to identify fraud and errors when combined with interviews to
gain an understanding of the business operations, accounting processes and information systems (Todd &
Gill 2018).
Financial fraud and errors are more difficult to detect when controls have been circumvented, but most
can be detected much sooner through data analytics and visualisations when designed to drill down into
financial data to identify suspicious transactions. Some examples of where data analytics can be used for
identifying suspicious transactions include finding:
• duplicate supplier invoices
• vendor’s invoices regularly under the threshold where an executive’s signature is required
• invoices with consecutive invoice numbers supplied to one vendor
• multiple invoices with the same issue date from one vendor
• fictitious vendors
• manipulated dollar values (Todd & Gill 2018).
Analysis of unstructured data (e.g. email, text, voicemail etc.) can also provide invaluable insights into
data manipulations by employees or management, especially when patterns of deceit emerge.
The next section discusses how auditors respond to the assessed risks. The key points covered in this
section, and the learning objectives they align to, are shown below.

KEY POINTS

2.2 Evaluate historical financial information by applying professional scepticism and judgment.
• In carrying out these risk assessment procedures, the auditor obtains an understanding of the entity
and its environment, which provides the frame of reference for planning and exercising professional
judgment throughout the audit.
• When the engagement team has a discussion to gain a better understanding of potential fraud or
errors, professional judgment is required in order to decide whom to include in the discussion, how
and when the discussion occurs and its extent.

df_Folio:158
P

158 Advanced Audit and Assurance

 • The discussion among team members should emphasise professional scepticism, which includes
being alert to information that may indicate a material misstatement and the rigorous follow-up of
these indications.
• Auditors use professional judgment to analyse the results of analytical procedures and audit data
analytics performed to gain an understanding of the entity and its environment.
• Example 2.16 demonstrates the use of professional judgment to determine the audit implications of
the breakdown in an entity’s value chain.
• Example 2.17 demonstrates the use of professional judgment to determine areas requiring audit
attention based on ratio analysis.
• Example 2.18 demonstrates the use of professional judgment to determine trends that indicate
areas where further evidence will need to be gathered based on the analysis of common-size
statements.
• Example 2.20 demonstrates the use of audit data analytics and data visualisation to items of interest
where the auditor will need to pay additional attention to during the audit. Professional judgment is
required to assess the results.
2.4 Apply techniques to analyse factors that could impact fraud risk.
• Some auditors use data analytics and data visualisations to assess the risk of fraud.
• Auditors to consider unusual or unexpected relationships and other information derived from
analytical procedures, audit team discussions and other internal/external sources that may be
indicative of material financial statement misstatement due to fraud.
2.5 Design appropriate processes and procedures undertaken by auditors to identify and assess
risks during audit planning.
• The auditor uses a range of techniques to obtain an understanding of the entity and its environment.
These include SWOT analysis, PEST and PESTEL analyses, and value-chain analysis.
• The auditor uses analytical procedures to assess the risk of material misstatement in the financial
statements.
• Analytical procedures to test expected relationships between financial statement items and accounts
may assist the auditor to identify unusual transactions and events.
• Auditors are combining big data and analytics to detailed industry information to help them better
understand the entity, identify risks and deliver enhanced audit quality.
2.6 Apply the appropriate standards that relate to audit planning.
• ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understand-
ing the Entity and Its Environment outlines three methods that must be used for risk assessment
purposes.
• ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understand-
ing the Entity and Its Environment outlines risk assessment procedures the auditor uses to obtain
an understanding of the entity and its environment. This provides the frame of reference for audit
planning and exercising professional judgment throughout the audit.

2.8 RESPONDING TO ASSESSED RISKS

As mentioned in the previous section, some auditors are using sophisticated analytical procedures to
streamline the audit process. Using data analytics in a financial statement audit aids the auditor to discover
and analyse patterns, deviations and inconsistencies, and to extract other useful information in the data
through analysis, modelling and visualisation to help plan and perform the audit in response to the assessed
risks.
ISA 330 outlines in detail the nature, timing and extent of evidence-gathering procedures that the
auditor can undertake to respond to assessed risks. ISA 330, paragraph 5, requires the auditor to ‘design
and implement overall responses to address the assessed risks of material misstatements at the financial
statement level’. ISA 330, paragraph 6, further requires the auditor to ‘design and perform further audit
procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material
misstatement at the assertion level’.
Examples of overall responses to address the assessed risk of material misstatement at the financial
statement level are discussed in ISA 330, paragraph A1. Read this now.
According to ISA 330, paragraph A6, timing ‘refers to when [an audit procedure] is performed, or the
period or date to which the audit evidence applies’.
Pdf_Folio:159

MODULE 2 Planning the Audit of Historical Financial Information 159

 ISA 330, paragraph A7, indicates that the extent of audit procedures refers to the quantity of a specific
audit procedure to be performed — for example, whether the population or a sample of observations is
used. The extent of audit procedures depends on the auditor’s judgment, assessed level of risk and degree
of assurance sought.
Audit procedures will normally increase as the risk of material misstatement increases, but this would be
effective only if the increased procedures are relevant to the specific risk. Therefore, there is a relationship
between the nature and the extent of audit procedures. It is important for the auditor to consider the nature
of the evidence and the potential for manipulation; for example, if internal documentation is subject to
management control, varying the nature of the evidence (by obtaining external reports) may be more
important than collecting more internal evidence.
In addressing the risk of earnings management to deceive the users of financial statements, the auditor
considers the selection and application of significant accounting policies, especially those relating to
measurement and complex transactions. At this stage, the auditor also formulates a response to assessed
risks in the form of tests of controls and substantive procedures in accordance with ISA 330. Given that
this phase of the audit requires the exercise of professional scepticism, it is imperative to assign trained
and experienced audit staff commensurate with the risk assessment.
You should now refer to ISA 240, paragraphs 29–34 and the related explanatory material in order to
gain an understanding of the nature and scope of procedures to be adopted, including the assignment of
audit tasks to appropriately trained personnel. Also read ISA 240, Appendix 2 which provides examples
of possible audit procedures to address the assessed risk of material misstatement due to fraud.

QUESTION 2.17

How could an understanding of the internal and external environment of the audit client facilitate
the identification and evaluation of the risk of material misstatement due to fraudulent activity?

Having gained an understanding of the entity and its environment, including its internal control and any
significant risk factors, the auditor will respond to the assessed risks by determining the appropriate overall
audit strategy prior to performing the audit.

OVERALL AUDIT STRATEGY

As mentioned earlier in this module, the auditor has two main alternative strategies (with combinations
in between) which are based on assessments of materiality, audit risk and what constitutes sufficient
appropriate audit evidence. The audit strategy significantly affects the detailed work performed in the
audit. The two strategies are:
• a lower assessed level of control risk approach
• a predominantly substantive testing approach.
How these two approaches are developed and how they affect the nature, timing and extent of the work
performed are discussed in the following sections.

Developing the Audit Strategy

The process of developing the audit strategy starts with obtaining an understanding of the internal control
structure. If the auditor assesses that appropriate controls do not exist or are likely to be ineffective, then no
reliance can be placed on internal controls. In this situation, control risk is assessed at a relatively high level
and therefore, a predominantly substantive approach is adopted. Substantive procedures are performed to
substantiate the amounts recorded in the financial statements and are usually more expensive to perform
than tests of controls.
A more efficient audit can be performed if controls are assessed to be effective enough to place reliance
on them. In doing so, control risk would be assessed to be relatively low. In this case, the extent of
substantive procedures undertaken will be reduced. See figure 2.31 for an illustration of how the audit
strategy is determined based on the level of control risk and how that impacts on the extent of tests of
controls and substantive procedures to be performed.

df_Folio:160
P

160 Advanced Audit and Assurance

 FIGURE 2.31 Preliminary audit strategies for material financial statement assertions

Predominantly Audit Lower assessed

substantive strategy level of control
approach risk approach

Components of preliminary audit strategies

Preliminary assessment of control risk
High Moderate Low

Extent of understanding of internal control

structure

Tests of
controls

Planned level of
substantive procedures

Cost of combined procedures

Source: Leung et al. 2018, p. 330.

QUESTION 2.18

Princess Island Vineyards is a boutique wine maker based on Princess Island. Over the years, the
business has grown firstly by supplying local retailers, and then through exports. In addition, there
is a cellar door shop and café located next to the main processing plant on Princess Island, serving
tourists who also visit the other specialist food and wine businesses in the region. Quality control
over the wine manufacturing process and storage of casks and bottles at Princess Island Vineyards
is extremely high. All members of the business are committed to high product quality because any
poor practices which could result in a drop in wine quality would ruin the business very quickly.
The export arm has been built up to become the largest revenue earner for the business by
the younger of the two brothers who have run Princess Island Vineyards since it was established.
Jim Bannock has a natural flair for sales and marketing but is not so good at completing the
associated detailed paperwork. Some of the export deals have been poorly documented, and Jim
often agrees to different prices for different clients without consulting his older brother, Bob, or
informing the sales department. Consequently, there are often disputes about invoices and Jim
makes frequent adjustments to debtor accounts using credit notes when clients complain about
their statements. Jim sometimes falls behind in responding to customer complaints because he
is very busy juggling the demands of making export sales and running his other business, Café
Consulting, which provides contract staff for the café business at Princess Island Vineyards.
1. Identify the factors that would affect the preliminary assessment of inherent risk and control risk
at Princess Island Vineyards.
2. Explain how these factors would influence the auditor’s reliance on control testing and substan-
tive testing for sales, inventories and debtors.

Tests of Controls
Once an understanding of the internal control that is sufficient for audit planning is obtained, the auditor
must assess the control risk or the risk of material misstatement occurring. If the auditor assesses that
control risk is less than high, it means they plan to rely to some extent on key controls in the control
system. They need evidence to support reliance on these controls; the tests to gather this evidence are
called tests of controls. If control risk is assessed as high, then no reliance is to be placed on these controls,
there will be no testing of the controls, and more substantive testing will need to be undertaken.
Pdf_Folio:161

MODULE 2 Planning the Audit of Historical Financial Information 161

 Some audits require the auditor to undertake tests of controls. Where the auditor has determined that it
is not possible or practicable to reduce risk of material misstatement at the assertion level to an acceptably
low level with audit evidence obtained only from substantive procedures, the auditor shall perform tests
of controls for operating effectiveness. Thus, for these key controls, it is not possible to evaluate control
risk as high by default, and it would be necessary to undertake tests of controls. Further, where the auditor
plans to rely on controls that have not changed since they were last tested, ISA 330, paragraph A37 requires
that the auditor test the operating effectiveness of such controls at least every third audit. However, if the
auditor plans to rely on controls that have changed since they were last tested the auditor needs to test the
operating effectiveness of such controls in the current audit (ISA 330, para. A36).
Review ISA 330, paragraphs 8–17, and the related explanatory paragraphs (ISA 330, paragraphs
A20–A41), to be aware of the concepts contained in this key standard with regards to tests of controls.

QUESTION 2.19

The initial audit plan for sales transactions placed substantial reliance on the system of internal
control and the use of analytical procedures rather than substantive tests of detail. The testing of
the internal control system for sales has found a significant number of instances where customers’
credit ratings have not been checked. The sales manager states that these changes are the result
of difficulties in maintaining past sales levels.
Your task is as follows.
1. Identify the balance sheet account and the relevant assertion most at risk given the information
provided. Explain why.
2. Discuss how the initial planned strategy would change given the additional information in regard
to the results of testing of controls.

Substantive Procedures
Substantive procedures are aimed at detecting material misstatement (at the assertion level) in the dollar
value of the information contained in the accounting records or in the financial statements. Thus, the risk of
material misstatement is reduced by the auditor undertaking tests of controls and substantive procedures.
If the auditor can gain confidence that the controls in place will help reduce material misstatement, the
auditor is able to reduce the level of substantive testing.
Substantive procedures consist of two categories: substantive analytical procedures and tests of details
(ISA 330, para. 4). A more detailed discussion of actual procedures is included in module 3.
Analytical procedures include the comparisons of the entity’s financial information with prior period
information, budgeted information and similar industry information. They also include a consideration of
the relationship of elements of financial information where one would expect a predictable pattern (e.g.
gross margin to sales) and between financial and non-financial information (e.g. payroll costs and employee
numbers). Analytical procedures are generally more applicable to large volumes of transactions that tend
to be predictable over time.
Tests of details are tests of transactions and balances designed to obtain direct evidence to support the
account balances shown in the financial statements. Commonly, this will involve drawing conclusions from
a sample of the transactions or account balances and projecting these results to the entire population. For
example, tests of details relating to PPE could include inspecting invoices for new acquisitions, checking
the arithmetic on depreciation schedules, and inspecting specific items of PPE for both existence and
valuation (e.g. evidence of deterioration).
‘Irrespective of the assessed risks of material misstatement, the auditor shall design and perform
substantive procedures for each material class of transactions, account balance and disclosure’ (ISA 330,
para. 18). If under ISA 315 (Revised) it has been determined that the ‘assessed risk of material misstatement
at the assertion level is a significant risk [e.g. significant risk of material overstatement of sales], the auditor
shall perform substantive procedures that are specifically responsive to that risk’ (ISA 330, para. 21).
These substantive tests related to significant risks should be tests of details only and/or in combination
with analytical procedures.
It is important to consider the nature, timing and extent of substantive tests. The nature of the tests refers
to the use of substantive analytical procedures or test of details. The former are generally more applicable
to large volumes of transactions that tend to be predictable over time, whereas tests of details are ordinarily
more appropriate in obtaining evidence regarding certain assertions (e.g. existence and valuation) about
account balances.
df_Folio:162
P

162 Advanced Audit and Assurance

 Timing refers to when the evidence is collected. The auditor may perform substantive procedures at year-
end or at an interim date. In the latter situation, the auditor must perform further substantive procedures
or substantive procedures combined with tests of controls to cover the remaining period to year-end
(ISA 330, para. 22). For example, a debtor’s circularisation may be carried a month before year-end and the
additional evidence collected for the last month of the year related to that month. Such factors as the control
environment and the assessed risk of a material misstatement affect whether substantive procedures are
performed at year-end. For example, if control procedures are weak and the risk of material misstatement
is high, it is less likely that audit procedures would be performed at an interim date.
The extent of substantive testing ordinarily increases when the risk of material misstatement is greater.
Based on the audit procedures performed, the auditor is required to evaluate the sufficiency and
appropriateness of audit evidence obtained (ISA 330, para. 25). However:
If the auditor has not obtained sufficient appropriate audit evidence as to a material financial statement
assertion, the auditor shall attempt to obtain further audit evidence. If the auditor is unable to obtain
sufficient appropriate audit evidence, the auditor shall express a qualified opinion or disclaim an opinion
on the financial statements (ISA 330, para. 27).

The auditor’s reporting determination (audit opinion) is discussed further in module 4.

Review ISA 330, paragraphs 18–23 to be aware of the concepts contained in this key standard with
regards to substantive procedures.

QUESTION 2.20

For each audit procedure listed below, state whether it is a test of controls or a substantive test.
For the procedures that are substantive tests, identify the key financial statement assertion being
tested.
1. Examine high-value invoices for the two days prior to year-end to determine if sales are recorded
in the correct period.
2. Compare inventory turnover across products using monthly data for the last two years.
3. Select a sample of trade debtors to be confirmed and follow up on non-replies.
4. Attend the annual inventory stocktake and ensure all procedures are complied with.
5. Review any changes to the staff involved in authorising fixed asset purchases and disposals.
6. For a sample of fixed assets, determine if the depreciation rates used are consistent with the
approved depreciation policy of the client.
7. Check arithmetic on a sample of sales invoices.
8. Check authorisation signatures on a sample of travel reimbursements.

We conclude this module by discussing approaches auditors use to assure SMEs.

APPROACHES TO ASSURING SMEs

Given that the characteristics of SMEs may lead to generally weak internal controls, a substantive approach
is very frequently taken for a small business assurance service. Because the number of transactions and
balances to be assured is often small, the use of sampling techniques may not be cost-effective. Alternative
substantive procedures include the use of substantive analytical procedures, particularly as a substitute for
tests of transactions. The use of stratification to identify significant balances for testing and the examination
of significant and unusual items may provide a cost-effective alternative to audit sampling.
As program controls often cannot be relied upon, this implies that test data techniques will not usually
be used (e.g. a pervasive weakness in the general control environment, such as serious segregation of duties
problems, will mean that application controls cannot be relied upon). Audit software techniques may be
used, for example, to help identify large or unusual transactions or balances contained in the client’s files,
to which the auditor may wish to direct their attention. However, because of the smaller volumes of data
processed, manual auditing methods may be more cost-effective.
Another area of concern to the auditor is the application of the going concern basis of accounting to
a small business. Many small companies have little shareholders’ equity. Where a trading loss occurs or
an investment in an asset must be written down for these small companies, the question of whether the
company will be able to meet its debts as and when they fall due requires special attention.
Pdf_Folio:163

MODULE 2 Planning the Audit of Historical Financial Information 163

 Developments in higher-end technology solutions, such as data analytics, are now more attainable for
SMEs when technological expertise is maintained by a reputable third-party service provider such as in
cloud computing environments. SMEs that use advanced technology to operate their business and record
their financial transactions are likely to expect that their auditor would also use technology. Using data
analytics in the audit of an SME is likely to have advantages over auditors that audit large entities as SMEs
are more likely to use standard off-the-shelf financial reporting applications that make data access easier
and potentially provides higher quality information in relation to the size of the entity (IAASB 2016).
To consolidate your knowledge of audits of small businesses, you should now review example 2.21.

EXAMPLE 2.21

Audit Approach for an SME

You are undertaking the audit of a private company, Dobbie Pty Ltd, which operates a duty-free store
with a turnover of $4 million a year. The company is run by a husband and wife team who are both the
directors and only shareholders. On most days, either the husband or the wife is usually working in the
store. There is also a part-time clerical assistant, Elizabeth, who is responsible for all accounting-related
tasks, including cash, debtors, inventory, payroll and creditors. There are two other part-time employees
working in the store and five casual employees as and when required on late nights and weekends. There
are usually two staff rostered on outside peak times and four staff rostered on during peak times.
The premises, which are located at a local tourist area, are rented and consist of two rooms. The store
is at the front, and this is where all customers are served. There are two cash registers, and employees
log on to a cash register. Approximately 30% of the receipts are in the form of cash and 70% through
credit cards. At the back is a staff room that includes tea-making and restroom facilities. There is also
a temporary partition (screens on wheels) which encloses the area where Elizabeth works (this is known
as the accounting office), and there is further temporary partitioning that encloses the shelving where
additional stock is stored (the area is known as the storeroom). There is a sign that says this area is off-
limits to customers, although when customers request, they are permitted to use the restroom facilities.
All accounting and management information is stored on a desktop computer (kept in the accounting
office). The computer runs the latest version of a widely used accounting package that was purchased
from a reputable software provider. The software also provides the company with sufficient information to
complete its goods and services tax (GST) obligations and other tax returns.
Elizabeth and the two principals of the business are the only ones who are allowed to use the computer,
and this is regulated through a password system. Elizabeth lives by herself, but she talks a lot about her
pet cat, Cuddles. Elizabeth has not undertaken an accounting course at university, but has undertaken
a one-night-a-week 10-week accounting for non-accountants course, and has had one week’s training
on the software. She keeps the software user manual on the shelf beside her desk, and she refers to it
regularly.
The software produces a monthly income statement and balance sheet. Monthly reconciliations of
trade debtors, inventory and accounts payable are also prepared by Elizabeth. However, the principals
concentrate their review on the tax situation and the financial performance of the company.
............................................................................................................................................................................
Appraise issues relevant to the auditor in this small business environment, and outline the audit approach that
would most likely be undertaken.
Check your response against the suggested answer at the end of the book.

The key points covered in this section, and the learning objectives they align to, are shown below.

KEY POINTS

2.1 Explain the responsibilities of management and the auditor in relation to an audit.
• The auditor is responsible for designing and implementing overall responses to address the assessed
risks of material misstatements at the financial statement level.
• The auditor is responsible for designing and performing further audit procedures whose nature, timing
and extent are based on and are responsive to the assessed risks of material misstatement at the
assertion level.
2.2 Evaluate historical financial information by applying professional scepticism and judgment.
• Question 2.19 requires students to apply professional judgment to identify the balance sheet
accounts and relevant assertions most at risk and then determine how the planned audit strategy
would change based on the results of tests of controls.
df_Folio:164
P

164 Advanced Audit and Assurance

 • Question 2.20 requires students to apply professional judgment to distinguish between procedures
as either tests of controls or substantive procedures. Students also need to be able to identify the
relevant assertion for each substantive procedure.
2.3 Apply the processes and procedures undertaken by auditors in planning an audit.
• The auditor develops an overall audit strategy and plans the audit procedures based on the risk
assessment.
• The auditor formulates a response to assessed risks in the form of tests of controls and substantive
procedures.
2.6 Apply the appropriate standards that relate to audit planning.
• Having considered the fraud risk factors, the auditor must assess the risk of material misstatement
due to fraud, and then adequately respond to these assessed risks by designing and performing
further audit procedures whose nature, timing and extent are responsive to the assessed risks
according to ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial
Statements.
• ISA 330 The Auditor’s Responses to Assessed Risks outlines in detail the nature, timing and extent
of evidence-gathering procedures that the auditor can undertake to respond to assessed risks.

REVIEW
The main focus of the module was specifically related to the audit of financial statements and an overview
of the 200 and 300 series of the ISAs. After the general principles governing an audit of financial
statements were outlined, the responsibility of personnel within a firm for the quality control of audits was
discussed. Next, the terms of audit engagements and audit planning procedures were discussed, including
the overall audit strategy, the audit plan and financial statement assertions. Before explaining materiality,
the mandatory requirements for audit documentation were discussed.
After discussing the audit planning procedures, our focus turned to understanding the entity and its
environment. This entailed obtaining an understanding of the entity’s industry, regulatory and other
external factors along with the nature of the entity, including its business model.
Internal control is one way that management can mitigate business risks, and the auditing standards
require the auditor to understand the entity’s internal controls. Controls in an IT environment and SMEs
were also discussed.
Given the increased emphasis by the profession on the detection of fraud, we discussed in some detail
the auditor’s responsibility to consider fraud in an audit of financial statements. Other risk assessments for
specific matters that have the potential to be significant risks were discussed, including audit accounting
estimates, and risks relating to related-parties, going concern, and climate-related risks. The module also
discussed the auditor’s responsibility to consider laws and regulations in an audit of financial statements,
especially in responding to the entity’s NOCLAR, including fraud.
This module considered the importance of business risk for the auditor. The auditor’s role in under-
standing entities and their environments and assessing the risk of material misstatement was considered.
As audit firms have moved to a much greater emphasis on risk analysis, a variety of techniques for
conducting strategic analyses in order to better understand these risks were outlined. Also, analytical
procedures were discussed as they play an important role in understanding business risk and the audit
implications. In recent years, audit data analytics and visualisations have become important tools for
auditors, and as such, these were discussed in detail.
Having assessed the risks of material misstatement, the auditor needs to develop procedures in response
to the assessed risks. These procedures depend on the overall audit strategy determined by the auditor.
To respond to the assessed risks, the auditor will undertake tests of controls and substantive procedures
including analytical procedures to gather sufficient appropriate audit evidence to enable the auditor to form
an opinion on the truth and fairness of the financial statements.
Performing the audit to gather sufficient appropriate audit evidence will be the focus of the next module.

Pdf_Folio:165

MODULE 2 Planning the Audit of Historical Financial Information 165

 WESTERWAYS CASE STUDY ACTIVITY

Planning the Audit of Westerways Pty Ltd

Allocation of Planning Materiality
CLT had learned that some firms of accountants allocate their planning materiality figure across financial
statement items. They appreciated the need to give advice to their audit staff on what the materiality
figure is for the individual financial statement items, but they did not know how this could most effectively
be done. Despite this, the partners have just introduced a modification to their audit approach to require
allocation of planning materiality across components. As with other firms, they call the allocated materiality
the ‘tolerable misstatement (or error)’ for the component. The revised standard audit working paper, PL3-
PMA, leads the auditor through the required process.
Using Tolerable Error in Design of Audit Tests
On the matter of sample sizes for audit testing, the CLT partners realise that the concept of planning
materiality is comparable with required precision in statistical sampling - the smaller the required precision
(i.e. the tighter the tolerable error limits or, in a one-tailed test for deviations, the lower the error rate),
subject to other sampling parameters remaining the same, the larger the required sample size. However,
they are not aware of a clear way to relate this principle to the quantity or quality of evidence required from
audit sampling. At present, the firm’s approach is to base their evidence collection requirements primarily
on their assessments of risk rather than from their judgment on planning materiality. They understand that
some auditors set a lower planning materiality where they consider their audit risk to be high (resulting in
more audit testing) and a higher planning materiality where audit risk is lower. The CLT partners do not
do this. They prefer an approach of making clear to the audit staff in the planning stage of the audit what
the tolerable misstatement figure is to be for each component, and leaving it to their discretion how that
affects their testing and their evaluation of evidence.
The Judgmental Nature of Planning Materiality
Nonetheless, the CLT partners recognise that the figures used for planning materiality calculations are
estimates and that the planning materiality figure is not sacrosanct — it is a provisional figure and can be
adjusted during the audit if this seems to the Audit Manager to be desirable, subject to approval by the
Partner.
Go to the Westerways case study at the end of the Study Guide and complete the following tasks.
............................................................................................................................................................................
CASE STUDY TASKS
1. Develop the preliminary understanding of the client’s business that you will need to plan the audit. Complete
the Campbell Lee Taylor standard audit working paper, PL1-UCB.
2. Examine the financial data of the company provided in Appendix 4 and:
• Perform any analytical review procedures you consider might be useful in helping you to understand
the business for audit planning purposes. A spreadsheet (including the required data) is provided on the
LMS for your use. Alternatively, you may choose data analytics software to complete this task.
• Comment on your findings, highlighting any financial statement items that you think will require special
audit attention because of their susceptibility to misstatement. For this purpose, complete the Campbell
Lee Taylor audit working paper, PL2-ARP, attaching your analytical review workings.
3. Perform preliminary materiality calculations and arrive at a judgment on preliminary (planning) materiality.
Use the CLT audit working paper, PL3-PMA, which applies the firm’s approach to this. Allocate your
materiality figure to the components in accordance with the CLT policy on this (be guided by the information
provided in the working paper).
4. Use the company’s background information to summarise and evaluate the control environment, complet-
ing standard working paper PL4-CEE.
Note: Working papers are available in Appendix 9 at the end of the Case Study information provided in the
Study Guide.

REFERENCES
ACCA n.d., ‘Professional scepticism’, Think Ahead, accessed June 2019, https://www.accaglobal.com/an/en/student/
exam-support-resources/professional-exams-study-resources/p7/technical-articles/scepticism.html
Accounting Professional & Ethical Standards Board (APESB) 2018, Amendments to Long Association of Personnel with an
Audit or Assurance Client requirements in APES 110 Code of Ethics for Professional Accountants, April, accessed May 2019,
https://www.apesb.org.au/page.php?id=12
Andersen, N 2016, ‘Blockchain technology: a game changer in accounting?’ Deloitte, March, accessed June
2019, https://www2.deloitte.com/content/dam/Deloitte/de/Documents /Innovation/Blockchain_A%20game-
changer%20in%20accounting.pdf
df_Folio:166
P

166 Advanced Audit and Assurance

Australian Accounting Standards Board (AASB) & Auditing and Assurance Standards Board (AUASB) 2018, ‘Climate-related
and other emerging risks disclosures: assessing financial statement materiality using AASB Practice Statement 2, December,
accessed June 2019, https://www.aasb.gov.au/admin/file/content102/c3/AASB_AUASB_Joint_Bulletin_13122018_final.pdf
Australian Securities and Investments Commission (ASIC) 2019, Audit Inspection Program Report for 2017–18, Report 607,
accessed May 2019, https://asic.gov.au/media/4990650/rep607-published-24-january-2019.pdf
Australian Securities and Investments Commission (ASIC) 2018, Climate risk disclosure by Australia’s listed companies’, Report
593, accessed June 2019, https://asic.gov.au/regulatory-resources/find-a-document/reports/rep-593-climate-risk-disclosure-by-
australia-s-listed-companies/
Barker, S 2019, ‘New developments impact climate change related risks’, MintonEllison, Lexology, 14 March, accessed June
2019, https://www.lexology.com/library/detail.aspx?g =50626d36-bc64-499a-a649-7c32653891d5
Boobier, T 2018, Advanced Analytics and AI: Impact, Implementation, and the Future of Work, John Wiley & Sons, Milton.
Carlin, T 2018 ‘Blockchain and the journey beyond double entry’, Australian Accounting Review, DOI: 10.1111/auar.12273, CPA
Australia.
Caseware n.d., ‘Data analytics: the key to risk-based auditing’, accessed June 2019,
https://www.iia.nl/SiteFiles/Publicaties/data_analytics_-_the_key_to_risk-based_auditing.pdf
CPA Canada 2017, ‘Audit Data Analytics Alert: Talking to your audit clients about data analytics’, May, accessed June
2019, https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/canadian-auditing-standards-
cas/publications/audit-data-analytics-alert-talking-to-clients
Deloitte LLP 2014a, Audit Committee Brief: A New Era in Audit Committee Reporting, accessed June 2019,
https://deloitte.wsj.com/riskandcompliance/2014/02/14/a-new-era-in-audit-committee-reporting/
Deloitte LLP 2014b, Cloud Computing – what auditors need to know, accessed June 2019, https://www.ucop.edu/ethics-
compliance-audit-services/_files/webinars/10-14-16-cloud-computing/cloudcomputing.pdf
Doblin, 2015, ‘The Ten Types’, Doblin.com, accessed June 2019, http://www.doblin.com/tentypes/
Eilifsen, A & Messier, WF 2015, ‘Materiality Guidance of the Major Public Accounting Firms’, AUDITING: A Journal of
Practice & Theory, May, vol. 34, no. 2, pp. 3-26, accessed June 2019, https://aaapubs.org/doi/10.2308/ajpt-50882
Ernst & Young 2017, ‘Big data and analytics in the audit process’, BoardMatters Quarterly, vol. 9, accessed June 2019,
https://www.ey.com/Publication/vwLUAssets/EY-bmq-vol-9-big-data/$File/EY-bmq-vol-9-big-data.pdf
European Commission 2016, ‘Reform of the EU Statutory Audit Market – Frequently Asked Questions (updated version)’, Fact
Sheet, 17 June, accessed May 2019, http://europa.eu/rapid/press-release_MEMO-16-2244_en.htm
Grayston, C 2019, ‘Climate-related risks are now the auditor’s business’, INTHEBLACK, May, accessed June 2019,
https://www.intheblack.com/articles/2019/05/01/climate-change-risk-auditor-business
ICAEW 2016, Data analytics for external auditors: International auditing perspectives, accessed June 2019,
https://www.icaew.com/-/media/corporate/files/technical/iaa/tecpln14726-iaae-data-analytics—web-version.ashx
International Auditing and Assurance Standards Board (IAASB) 2019a, Professional scepticism lies at the heart of a quality audit,
pS focus, February, accessed June 2019, https://www.ifac.org/publications-resources/focus-professional-skepticism
International Auditing and Assurance Standards Board (IAASB) 2019b, Exposure draft: IAS 220 (Revised) Quality Management
for an Audit of Financial Statements, February, accessed June 2019, https://www.ifac.org/publications-resources/exposure-draft-
international-standard-auditing-220-revised-quality-management
International Auditing and Assurance Standards Board (IAASB) 2019c, Audits of less complex entities: exploring possible options
to address the challenges in applying the ISAs, Discussion Paper, April, accessed June 2019, https://www.ifac.org/publications-
resources/discussion-paper-audits-less-complex-entities
International Auditing and Assurance Standards Board (IAASB) 2018, Exposure draft: Proposed IAS 315 (Revised) Identifying
and assessing the risks of material misstatement and proposed consequential conforming amendments to other ISAs, 2
November, accessed June 2019, https://www.ifac.org/publications-resources/exposure-draft-isa-315-revised-identifying-and-
assessing-risks-material
International Auditing and Assurance Standards Board (IAASB) 2016, Exploring the growing use of technology in the audit, with
a focus on data analytics, September, accessed June 2019, https://www.ifac.org/system/files/publications/files/IAASB-Data-
Analytics-WG-Publication-Aug-25-2016-for-comms-9.1.16.pdf
International Ethics Standards Board for Accountants (IESBA) 2018, International Code of Ethics for Professional Accountants
(Including International Independence Standards), accessed June 2019, https://www.ifac.org/publications-resources/2018-
handbook-international-code-ethics-professional-accountants
International Federation of Accountants (IFAC) 2018a, Handbook of International Quality Control, Auditing, Review, Other
Assurance, and Related Services Pronouncements, IFAC, New York.
International Federation of Accountants (IFAC) 2018b, Guide to Quality Control for Small- and Medium-Sized Practices, 4th edn,
accessed May 2019, https://www.ifac.org/publications-resources/guide-using-international-standards-auditing-audits-small-and-
medium-sized-en
Johnson, R & Wiley, L 2019, Auditing: A practical approach with data analytics, 1st edn, Wiley, Hoboken, NJ.
Joint Accounting Bodies 2013, Independence Guide, Fourth Edition, accessed June 2019,
cpaaustralia.com.au/~/media/corporate/allfiles/document/professional-resources/auditing-assurance/independence-guide.pdf
Knechel, WR & Salterio, S 2017, Auditing: Assurance and Risk, 4th edn, Routledge, New York and Oxon.
KPMG 2014, ‘EU audit reform – what you need to know’, July, Fact Sheet, accessed June 2019,
https://home.kpmg.com/content/dam/kpmg/bg/pdf/EU-Audit-Reform-Fact-Sheet-MFR.pdf
Lajoux, AR & Martel, CS 2013, ‘Honing scepticism’, NACD Directorship, January/February, pp. 29–37, accessed June 2019,
http://www.directorship.com
Leung, P, Coram, P, Cooper, BJ & Richardson, P 2018, Audit and assurance, 1st edn, John Wiley & Sons Australia, Milton.
Moroney, J, Campbell, F & Hamilton, J 2017, Auditing: a practical approach, 3rd edn, Wiley, Milton.

Pdf_Folio:167

MODULE 2 Planning the Audit of Historical Financial Information 167

No, WG, Lee, K, Huang, F & Li, Q 2019, ‘Multidimensional Audit Data Selection (MADS): A Framework for
Using Data Analytics in Audit Data Selection Process’, Accounting Horizons, In-Press, accessed June 2019,
https://aaajournals.org/doi/abs/10.2308/acch-52453
O’Leary, DE 2017, ‘Configuring blockchain architectures for transaction information in blockchain consortiums: The case of
accounting and supply chain systems’, Intelligent Systems for Accounting, Finance and Management, 24: 138–147,
doi: 10.1002/isaf.1417
Pinsker, B 2019, ‘Employers using robots to catch fraud in expense reports’, Insurance Journal, 26 March, accessed June 2019,
https://www.insurancejournal.com/news/national/ 2019/03/26/521573.htm
Price, J 2018, ‘Disclosing climate risk’, November, Listed@ASX, accessed June 2019, https://www.asx.com.au/listings/
issuer-services/listed-at-asx.htm
PwC 2018, Pulling fraud out of the shadows: Global Economic Crime and Fraud Survey 2018, accessed May 2019,
https://www.pwc.com/gx/en/forensics/global-economic-crime-and-fraud-survey-2018.pdf
Stansell, D. 2018, ‘Is better planning the key to an efficient audit?’, CaseWare, 28 September, accessed June 2019,
https://www.caseware.com.au/2018/09/integrating-data-analytics-into-your-audit-plan-for-a-more-efficient-audit
Task Force on Climate-related Financial Disclosures (TCFD) 2017, ‘Final Report: Recommendations of the Task Force on
Climate-related Financial Disclosures’, June, accessed June 2019, https://www.fsb-tcfd.org/publications/
Todd, KJ & Gill, LH 2018, ‘Voices using data analytics in forensic investigations’, Accounting Today, 9 March, accessed June
2019, https://www.accountingtoday.com/opinion/using-data-analytics-in-forensic-investigations
Tysiac, K 2017, ‘Using audit data analytics in performing a risk assessment procedure’, Journal of Accountancy, 13 December,
accessed June 2019, https://www.journalofaccountancy.com/ news/2017/dec/using-audit-data-analytics-for-risk-assessment-
201717981.html
Zaher, R 2018, Auditing in the cloud, Chartered Accountants Australia New Zealand, News, 15 November, accessed June 2019,
https://www.charteredaccountantsanz.com/news-and-analysis/news/auditing-in-the-cloud

OPTIONAL READING
International Federation of Accountants (IFAC) 2018, Guide to Using International Standards on Auditing
in the Audits of Small and Medium-sized Entities, 4th edn, accessed June 2019, https://www.ifac.org/
publications-resources/guide-using-international-standards-auditing-audits-small-and-medium-sized-en

Pdf_Folio:168

168 Advanced Audit and Assurance

MODULE 3

PERFORMING THE
AUDIT OF HISTORICAL
FINANCIAL
INFORMATION
Module 1
Auditing and Assurance Framework

Audits of historical financial Module 5

information Other assurance engagements

Module 4
Module 2 Module 3
Conclusions and
Planning the audit Performing the audit
reporting responsibilities

• Performing tests of controls

• Performing substantive procedures
• Audit sampling
• Computer-aided techniques
• Evidence gathering in an e-commerce environment
• Advanced evidence gathering procedures
• Using the work of other auditors and experts
• Audit documentation
• Evaluation of audit evidence

P df_Folio:169
LEARNING OBJECTIVES

After completing this module, you should be able to:

3.1 evaluate the appropriateness of processes and procedures undertaken by auditors, as applicable to the
audit strategy and the audit plan
3.2 apply processes and procedures to gather sufficient and appropriate audit evidence
3.3 evaluate the sufficiency and appropriateness of the audit evidence gathered
3.4 apply the appropriate standards that relate to the auditor’s response to assessed risks.

RELEVANT STANDARDS AND GUIDANCE MATERIALS

International standards Australian standards

ISA 230 Audit Documentation ASA 230 Audit Documentation (Compiled)

ISA 240 The Auditor’s Responsibilities Relating to Fraud ASA 240 The Auditor’s Responsibilities Relating to
in an Audit of Financial Statements Fraud in an Audit of a Financial Report (Compiled)

ISA 250 (Revised) Consideration of Laws and ASA 250 Consideration of Laws and Regulations in an
Regulations in an Audit of Financial Statements Audit of a Financial Report

ISA 315 (Revised) Identifying and Assessing the Risks ASA 315 Identifying and Assessing the Risks of
of Material Misstatement through Understanding the Material Misstatement through Understanding the
Entity and Its Environment Entity and Its Environment (Compiled)

ISA 320 Materiality in Planning and Performing an Audit ASA 320 Materiality in Planning and Performing an
Audit (Compiled)

ISA 330 The Auditor’s Responses to Assessed Risks ASA 330 The Auditor’s Responses to Assessed Risks
(Compiled)

ISA 450 Evaluation of Misstatements Identified during ASA 450 Evaluation of Misstatements Identified during
the Audit the Audit (Compiled)

ISA 500 Audit Evidence ASA 500 Audit Evidence (Compiled)

ISA 501 Audit Evidence — Specific Considerations for ASA 501 Audit Evidence — Specific Considerations for
Selected Items Inventory and Segment Information (Compiled)

ISA 505 External Confirmations ASA 505 External Confirmations (Compiled)

ISA 520 Analytical Procedures ASA 520 Analytical Procedures (Compiled)

ISA 530 Audit Sampling ASA 530 Audit Sampling

ISA 540 (Revised) Auditing Accounting Estimates ASA 540 Auditing Accounting Estimates and Related
and Related Disclosures Disclosures

ISA 550 Related Parties ASA 550 Related Parties (Compiled)

ISA 560 Subsequent Events SA 560 Subsequent Events (Compiled)

ISA 570 (Revised) Going Concern ASA 570 Going Concern

ISA 580 Written Representations ASA 580 Written Representations ( Compiled)

ISA 600 Special Considerations — Audits of Group ASA 600 Special Considerations — Audits of a Group
Financial Statements (Including the Work of Component Financial Report (Compiled)
Auditors)

ISA 610 (Revised) Using the Work of Internal Auditors ASA 610 Using the Work of Internal Auditors

ISA 620 Using the Work of an Auditor’s Expert ASA 620 Using the Work of an Auditor’s Expert

No equivalent GS 016 Bank Confirmation Requests

IAS 10 Events after the Reporting Period AASB 110 Events after the Reporting Period

df_Folio:170
P

170 Advanced Audit and Assurance

PREVIEW
Module 2 discussed the initial risk assessment phase of the audit process, including the preparation of an
audit plan to guide the later stages of the process. This module focuses on how the audit team responds to
the assessed risks. This is commonly referred to as the evidence-gathering stage of an audit because the
auditor responds to risks by gathering evidence.
As outlined in module 2, the auditor has up to this stage gained an understanding of the entity and
its environment, planned the audit and undertaken an initial risk assessment of material misstatement,
including an initial evaluation (but not testing) of internal controls. The auditor has also prepared an audit
program that outlines the audit tests that are to be undertaken. While we have described these earlier steps
as part of planning the audit, it should be emphasised that auditors are collecting evidence and knowledge
at all stages of the audit, and this evidence and knowledge helps the auditor progress towards a position
from which they can render an opinion on the financial statements. The knowledge gained early in the
audit allows auditors to better interpret the subsequent evidence obtained.
The audit partner is responsible for supervising and reviewing the conduct of the whole audit.
Throughout the audit, working papers are used to document the audit procedures and conclusions. The
audit partner must ensure that assistants, experts and other auditors working on the audit are sufficiently
competent and experienced, that the work performed has been undertaken in accordance with the audit
program and that the evidence gathered supports the conclusions reached.
With advances in IT, the efficiency and effectiveness of audits have increased significantly as auditors
have developed new ways of using more powerful IT techniques as audit tools. This module also examines
the general principles underlying evidence-gathering for tests of controls and substantive procedures, and
evidence-gathering techniques used in a contemporary IT environment.

3.1 KEY PRINCIPLES

This section describes the key principles that auditors rely on to progress towards forming an opinion on
the truth and fairness of the audit client’s financial statements. In particular, this section discusses gathering
sufficient appropriate audit evidence to evaluate management’s financial statement assertions.

SUFFICIENT APPROPRIATE AUDIT EVIDENCE

Auditors perform fieldwork to collect sufficient appropriate evidence to enable them to draw reasonable
conclusions on which to base their opinion. Fieldwork entails gathering, analysing and evaluating evidence
in accordance with the audit plan (see module 2). Auditors, therefore, must:
• identify the assertions of management reflected in the financial statements
• consider the evidence available to support or contradict those assertions
• select the method of obtaining the necessary evidence
• collect and evaluate that evidence required to form an opinion on the validity of the assertions.
The concepts of sufficiency and appropriateness of audit evidence are interrelated (ISA 500, para. A4)
and apply to evidence obtained from both tests of controls and substantive audit procedures.
Sufficiency relates to the quantity of audit evidence obtained (ISA 500, para. A4). The auditor needs
enough evidence to provide reasonable assurance as to whether the financial statements are free from
material misstatements. Gathering evidence beyond that necessary to provide such reasonable assurance
is not required. The quantity of evidence needed is influenced by the assessed risk of misstatement and the
quality (appropriateness) of the audit evidence.
Appropriateness relates to the relevance and reliability of audit evidence (ISA 500, para. A5). To be
relevant, audit evidence must assist in achieving the audit objectives; to be reliable, it must have credibility.
The reliability of audit evidence is influenced by both its source and its nature (ISA 500, para. A31).
Although this reliability is dependent on the circumstances under which the audit evidence is obtained, the
following generalisations may be made.
• Evidence is more reliable when it is obtained from independent sources outside the entity. For example,
a confirmation from an independent third party is more reliable than evidence available within an entity.
• Internal evidence is more reliable when the related internal controls are effective. For example, relevant
internal controls include a review of a document by other employees after it has been prepared, as well
Pdf_Folio:171

MODULE 3 Performing the Audit of Historical Financial Information 171

 as segregation of duties so that the person preparing the document has no operating responsibility and
therefore no reason for preparing a false or misleading document.
• Evidence obtained directly by the auditor is more reliable than that obtained indirectly or by inference.
For example, confirmations to and from third parties should be sent directly by and returned directly to
the auditor. If such confirmations pass through the client’s organisation, they lose part of their reliability,
as there is then a possibility that they have been altered or may be fictitious.
• Evidence in the form of documents and written representations is more reliable than oral representations.
• Audit evidence provided by original documents is more reliable than audit evidence provided by
photocopies or facsimiles (ISA 500, para. A31).
Recent revisions to ISA 250 (Revised) Consideration of Laws and Regulations in an Audit of a Financial
Report have implications for the information to be used as audit evidence. Audit evidence is primarily
obtained from audit procedures performed during the audit. However, it also may include information
from other sources, for example, evidence of an entity’s non-compliance with laws and regulations
(ISA 500, para. A26).
The underlying concepts of audit evidence are contained in ISA 500, paragraphs 6–11. You should
review the requirements, the application and other explanatory material contained in this key standard
before proceeding further.

FINANCIAL STATEMENT ASSERTIONS

When preparing financial statements, management makes assertions about the entity’s financial position
and operations. Sufficient appropriate audit evidence needs to be obtained to establish each of these
assertions. The financial statement assertions, which were outlined in module 2, are as follows:
(a) Assertions about classes of transactions and events, and related disclosures, for the period under audit:
(i) Occurrence …
(ii) Completeness …
(iii) Accuracy …
(iv) Cutoff …
(v) Classification …
(vi) Presentation …
(b) Assertions about account balances and related disclosures, at the period end:
(i) Existence …
(ii) Rights and obligations …
(iii) Completeness …
(iv) Accuracy, valuation and allocation …
(v) Classification …
(vi) Presentation (ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and Its Environment, para. A129).

In planning the audit, as described in module 2, these assertions are used to help the auditor identify those
classes of transactions, account balances and related disclosures in the financial statements that contain a risk
of material misstatement. The advantage of taking this risk assessment to the assertion level is that, once the
auditor has identified the assertions at risk, the appropriate response to assessed risks becomes apparent. This
module focuses on the audit procedures undertaken by the auditor, in response to the assessed risks, to gather
evidence about management’s assertions. Before reading the following overview of audit procedures, study
example 3.1, which links risk assessment and response at the assertion level.

EXAMPLE 3.1

Risk Assessment at the Assertion Level

The auditor establishes that there is a risk of overstatement of the trade debtors account balance at period
end (which is normally associated with an incentive to overstate revenue and profit).
............................................................................................................................................................................
1. What assertions are most at risk of material misstatement?
2. What are the likely causes for the overstatement?
3. What audit procedures should the auditor perform?
Check your response against the suggested answer at the end of the book.

df_Folio:172
P

172 Advanced Audit and Assurance

AUDIT PROCEDURES
Having identified assertions containing a risk of material misstatement, the auditor undertakes audit
procedures to reduce this risk to an acceptable level. These procedures can either be (ISA 500, para. A10):
• tests of controls
• substantive procedures.
The purpose of tests of controls and substantive tests is different. Tests of controls establish the reliance
to be placed on the internal control system and, therefore, support an assessed level of control risk.
In contrast, substantive tests are performed to detect material misstatements in the financial-report
assertions and, therefore, to reduce the auditor’s detection risk to an acceptable level. This is illustrated in
figure 3.1.
A good way to tell if an audit procedure is a test of controls or a substantive test is to look at the purpose
of the test. If the test’s purpose is to evaluate the operating effectiveness of a control, it is a test of control.
If the test’s purpose is to detect material misstatements, it is a substantive test.
The auditor’s objective is to design and perform the most efficient and effective combination of tests of
controls and substantive tests. This enables the auditor to obtain sufficient and appropriate audit evidence
to be able to draw reasonable conclusions on which to base an opinion. Figure 3.1 depicts this relationship.

FIGURE 3.1 Auditor’s response to assessed risks of material misstatement

Risk

Assessed risks at Assessed risks at

financial statement level assertion level

Audit procedures
Response

Substantive audit
Tests of controls
procedures

Substantive
Tests of
analytical
details
procedures

Sufficient appropriate
Result

Assessment of evidence to reduce

control risk audit risk to an
acceptably low level

Tests of controls and substantive audit procedures are the focus of the next sections of this module.
Before reading more about tests of controls, consider example 3.2.
Pdf_Folio:173

MODULE 3 Performing the Audit of Historical Financial Information 173

 EXAMPLE 3.2

Undertaking Tests of Controls

The sales transactions at Colorado Park, a new audit client, are handled by a software application that is
not supported by very detailed documentation. The audit partner requests the team to re-perform some
controls to ensure that the software application controls are working as described by Colorado Park’s
management. The audit software used by the audit team can access the data on the client’s files, allowing
the use of standard audit procedures.
............................................................................................................................................................................
1. What controls over sales transactions should be part of the software application?
2. How could the audit team test the controls in the client’s sales software application?
Check your response against the suggested answer at the end of the book.
Source: Moroney et al. 2017.

QUESTION 3.1

Differentiate between the evidence obtained from tests of controls and substantive tests of details.

The key points covered in this section, and the learning objectives they align to, are below.

KEY POINTS

3.3 Evaluate the sufficiency and appropriateness of the audit evidence gathered.
• The concepts of sufficiency and appropriateness of audit evidence obtained from both tests of
controls and substantive audit procedures were defined to enable evaluation of evidence gathered.
• Sufficiency relates to the quantity of audit evidence. The quantity of audit evidence required relates
to the level of risk of misstatement and the appropriateness of the evidence.
• Appropriateness relates to the quality of audit evidence, which is determined by its relevance and
reliability.
3.4 Apply the appropriate standards that relate to the auditor’s response to assessed risks.
• Auditors are required to design and perform audit procedures in order to obtain sufficient appro-
priate audit evidence to be able to draw reasonable conclusions on which to base their opinion in
accordance with ISA 500 Audit Evidence.
• Audit evidence, while primarily obtained from audit procedures performed during the audit, may
include information from other sources, for example, an entity’s non-compliance with laws and
regulations (ISA 500 Audit Evidence and ISA 250 (Revised) Consideration of Laws and Regulations
in an Audit of a Financial Report).

3.2 TESTS OF CONTROLS

As discussed in module 2, the auditor gains an understanding of the control environment and identifies
controls that they may be able to rely on. Assertion-level controls directly relate to the prevention or
detection and correction of misstatements (referred to as control activities). Financial statement–level
controls (such as the control environment) provide the foundation for the assertion level controls and
influence how they operate — and are often referred to as pervasive controls. Figure 3.2 lists examples of
each type of control and illustrates how tests of controls contribute to overall audit procedures.
The link between financial statement–level and assertion-level controls may be direct, such as when
monitoring controls identify control breakdowns in specific business process–controls. Testing the effec-
tiveness of these monitoring controls might reduce the need for testing more specific controls. However,
testing financial statement–level controls are often subjective, for example, when evaluating management’s
integrity or commitment to competence.
In the case of small-to-medium enterprises (SMEs), some financial statement–level controls may also
serve to address assertion-level risks of misstatement; for example, where senior management is directly
df_Folio:174
P

174 Advanced Audit and Assurance

involved in supervising and approving day-to-day transactions. In this situation, if the pervasive controls
were tested and found to be operating effectively, it would not be necessary to test other controls (such
as control activities) related to the particular risks involved. A competent owner–manager could be an
important control environment strength. However, in these situations, managers have the opportunity to
override internal controls. Auditors should check to see if anti-fraud controls have been implemented.

FIGURE 3.2 Assertion-level controls and financial statement–level controls

Controls

Tests of controls
Prevention, detection or correction
Control activities

of misstatements

Assertion level controls

• Physical controls
• Evidence that controls operated in
• Business process controls
accordance with the auditor’s
• Segregation of duties understanding
• IT application controls • Evidence that controls functioned
effectively throughout the entire
period
Control environment

Provides foundation for assertion level controls

Influences operation of assertion level

Financial statement level controls

• IT general controls • Reduce risk of material misstatement
• Controls to prevent management override • Contribute to sufficient appropriate
• Management supervision audit evidence alongside substantive
• Monitoring procedures

SMEs often use off-the-shelf packaged accounting software without any modification. Many of these
software packages contain proven application controls that the entity could use to reduce the extent of
errors and possibly deter fraud. Auditors might want to ask their clients whether these controls are being
used and, if not, whether there would be value in using them (IFAC 2018a).
However, it is often not practical to perform tests of control activities in SMEs due to the limited
segregation of duties. Additionally, reliable control activities may be very limited, or non-existent, in some
small entities, and a primarily substantive approach may be the only option. However, before auditors
decide to rely on substantive procedures, they should consider:
• other internal control elements and the strength of the control environment
• the existence of control activities over assertions where obtaining evidence through tests of controls
would be more efficient
• assertions where substantive procedures alone will not provide the level of evidence required to reduce
the risks of material misstatement to an acceptably low level.
The auditor tests controls when they expect to rely on the effectiveness of controls to help to reduce the
risk of material misstatement to an acceptable level. Tests of controls are also considered when substantive
procedures alone will not provide the auditor with sufficient appropriate audit evidence at the assertion
level. For example, where online sales provide no documentation of transactions other than through the
IT system, the auditor will need to consider tests of controls to obtain the level of evidence required. This
relationship is illustrated in figure 3.3.
The next section of the module describes the objectives of tests of controls in more detail before we
move on to describing the techniques that can be used.

OBJECTIVES OF TESTS OF CONTROLS

Testing the operating effectiveness of controls is different from obtaining an understanding of the design
and implementation of controls (see module 2). Only controls that the auditor has determined are suitably
designed to prevent, or detect and correct, a material misstatement in an assertion are tested.
Pdf_Folio:175

MODULE 3 Performing the Audit of Historical Financial Information 175

 FIGURE 3.3 Developing an appropriate audit approach for an account balance or class of transactions

Developing an appropriate audit approach

Would
substantive
audit procedures
No Yes
alone provide sufficient
appropriate audit
evidence at the
assertion
level?

Audit procedures
Would
Yes tests of controls
Tests of controls be a more efficient
way to obtain
evidence?

Substantive procedures No

Tests of controls have two important objectives.

1. To obtain evidence on whether the controls operated in accordance with the auditor’s understanding
and as documented during the risk assessment process.
2. To confirm whether the controls functioned effectively throughout the period of intended reliance.
When a control fails to function effectively (i.e. it fails to prevent or detect and correct a misstatement
on a timely basis) it is referred to as a control deviation.
In addition to the audit procedures to evaluate the design and implementation of controls, the testing
may include reperformance of the application of the control by the auditor. The combination of enquiry,
inspection and reperformance ordinarily provides more assurance than just enquiry and observation
(ISA 330, para. A26). In fact, the auditor is required to perform other audit procedures in combination with
enquiry to obtain audit evidence about the operating effectiveness of controls (ISA 330, para. 10(a)). An
example would be examining documentation to sight authorisation of a transaction or observing employees
signing in or ‘clocking in’ at the start of a shift. Having established the objectives of tests of controls, the
rest of this part of the module will examine the procedures and techniques used by the auditor.

QUESTION 3.2

Emphasis is placed on identifying material misstatements in a financial statement audit. Is this

relevant to tests of controls?

TESTS OF CONTROLS PROCEDURES

In module 2, you acquired an understanding of the control environment and how to identify key controls
that the auditor can rely upon to reduce a risk of material misstatement. As outlined in the previous section
of this module, to rely on these controls, the auditor will have to test them to obtain evidence that they
operated as documented and functioned effectively throughout the period of intended reliance. This section
examines the procedures involved in carrying out these tests.
df_Folio:176
P

176 Advanced Audit and Assurance

 The tests of controls used will depend on the accounting environment and the type of control being
tested. The major evidence-gathering techniques used for collecting evidence about control systems are:
• inspection
• observation
• enquiry
• reperformance
• computer-assisted audit techniques (CAATs).
Inspection of physical evidence relies on the auditor testing the physical evidence to verify that a
control has been performed properly. For example, the auditor may inspect initials and dates on a bank
reconciliation, or trace certain amounts on the bank reconciliation to the accounting records or to other
documents (for example, a bank statement) to gain evidence that the procedures were properly performed.
Also, auditors may read some or all of the reconciliations for other periods and examine the reconciling
items to determine whether the reconciliation routinely detected errors and whether those errors were
appropriately dealt with. IT general controls (ITGCs) often result in documented evidence of authorisation
of program changes or testing, and other reports of system access that provide important evidence
associated with these controls (Johnson & Wiley 2019).
Observation involves the auditor observing the actual control being performed or identifying appropriate
segregation of duties. For example, the auditor may observe the preparation of the bank reconciliation.
However, employees often perform procedures more diligently when they know they are being observed.
Enquiry involves the auditor using questioning skills to determine how the control is completed and
whether it appears to have been carried out properly and on a timely basis. For example, the auditor may
ask the employee who prepares the bank reconciliation how reconciling items are identified, the reasons for
them, and the procedures in place to ensure that the accounting records are corrected on a timely basis. The
auditor may also ask management how it ensures the reconciliation is prepared correctly and on a timely
basis. In addition, the auditor might ask questions of employees who follow up on exception reports about
the types of misstatements that employees find and how exceptions are cleared (Johnson & Wiley 2019).
Due to the nature of enquiry, it lacks quality; therefore, it should be corroborated with other evidence.
Reperformance involves the auditor reperforming the control to test its effectiveness. For example, the
auditor may test the effectiveness of manual follow-up by reperforming the follow-up procedures to see
that items put on an exception report were appropriately cleared. In some smaller organisations, the auditor
might find manual controls where an independent person checks the accuracy of the software program’s
output to its input (Johnson & Wiley 2019).
Computer-assisted audit techniques (CAATs) use software packages to import an entity’s data file
so it can be tested. These programs can analyse client data providing more extensive testing of electronic
transactions and account files to provide the audit evidence needed.
Example 3.3 applies the tests of controls evidence-gathering techniques to an audit scenario.

EXAMPLE 3.3

Evidence for Relevant Assertion

Elena Hauge (an audit senior) is talking with Tonya Tran (a seasoned audit staff member) about testing
controls on the audit of Midwest Wholesale Foods. The client produces a daily report listing each sales
invoice and gross margins for each sale. Each morning, the sales manager reviews the report and
investigates invoices with unusually high or low gross margins.
Elena asks Tonya, ‘How do you want to test this control?’ Tonya responds, ‘Enquiry of the sales manager
about what he finds and how he resolves discrepancies might be an option, but it does not, by itself,
provide sufficient evidence to conclude that the control is operating effectively. I am also concerned
about reviewing the reports and looking for the initials of the sales manager. Based on the initials of the
sales manager, we cannot conclude that a thorough review and appropriate follow-up was performed. In
addition to the initials, we would also need to reperform the control on a sample basis. If we identify
transactions with high- and low-gross margins and determine they were handled appropriately, this
provides additional corroboration that the control operated effectively.’ Elena responds, ‘It sounds like
you have done this before. I like your logic.’
Source: Johnson & Wiley 2019.

P df_Folio:177

MODULE 3 Performing the Audit of Historical Financial Information 177

 There are many different types of controls. In some cases there will be a visible record of the operation of
the control. For example, if a control in the purchasing system requires that all purchase orders over $1000
be authorised by the purchasing manager, a test of control might involve sampling purchase orders over
$1000 and inspecting them for a signature or other indication that the purchasing manager has reviewed
and approved the purchase order.
Some internal controls may not provide a visible record of their existence. For example, gate security
at a warehouse, which requires an inspection of all goods leaving the warehouse, is unlikely to create a
visible audit trail. In this situation, although the auditor may be able to obtain evidence that the control
operates as documented by observing the operation of the control, this evidence relates only to a particular
point in time. Because of the impracticality of obtaining evidence of the continued operation of the control,
it is often difficult for the auditor to place substantial reliance on controls that leave no visible trail. When
management fails to emphasise the need for integrity and ethical values in the workplace, the auditor may
address this risk by obtaining evidence related to this component of the control environment. An example
of how an auditor may obtain such evidence is provided in example 3.4.

EXAMPLE 3.4

Testing Financial Statement–Level Controls

Control component Control environment

Risk addressed No emphasis is placed on the need for integrity and ethical values.

Identified controls All new employees are required to sign a form stating they agree with the
firm’s fundamental ethical values and understand the consequences for
non-compliance.

Control design Read the form that employees are required to sign and ensure it addresses
integrity and ethical values.

Control implementation Review one employee file, checking for the signed form and consider any
evidence that employees practise the values (e.g. look for any notes on
disciplinary actions taken). Could also interview the employee.

Test of controls Select a sample of employee files and check for signed forms. Also, ask a
sample of employees questions about the stated entity policies.

Documentation Prepare a memo providing details of the employee files selected, notes
based on the interviews and conclusions reached; include the name of the
employees and the date the testing was conducted.

Source: Adapted from IFAC 2018a.

QUESTION 3.3

JayJay Ltd installs solar power systems to buildings. Most of its staff are employed as installers of
the solar power systems. There is only one employee who is responsible for all the record keeping
and spare parts inventory control. You have been engaged to conduct an audit of JayJay’s financial
statements for the current year.
Justify why a predominantly substantive approach may be more suitable to this audit
engagement.

USING CAATs FOR TESTS OF CONTROLS

Computer-assisted audit techniques (CAATs) has become a critical field within the IT audit profession. As
mentioned previously, CAATs includes the use of technology to improve the audit process when evaluating
controls by extracting and examining relevant data. CAATs can be developed for the data extraction and
analysis software of your choice, such as spreadsheets (e.g. Excel), databases (e.g. Access), statistical
df_Folio:178
P

178 Advanced Audit and Assurance

analysis (e.g. SAS), generalised audit software (e.g. ACL, IDEA), and business intelligence resources
(e.g. Cognos and Business Objects) (Shabbir 2019). Sophisticated use of CAATs is known as ‘data
analytics’ and is increasingly being used by the audit and assurance profession (CIIA 2019). CAATs can
also be used effectively by small audit teams.
Auditors using traditional methods of auditing base their conclusions upon sample data. Nowadays,
auditors commonly use CAATs to analyse large volumes of data looking for anomalies, often testing all
transactions rather than selecting a sample for testing. As such, CAATs may enhance audit effectiveness
and efficiency.
Example 3.5 shows how superior findings are obtained when using CAATs rather than traditional audit
techniques.

EXAMPLE 3.5

Traditional Audit Versus CAATs

An insurance company wants to ensure that it doesn’t pay any claims after a policy is terminated. Using
traditional audit techniques, this risk would be very difficult to test. The auditor would ‘randomly select’ a
‘statistically valid’ sample of claims (usually 30-50) to check if any of those claims were processed after a
policy was terminated. Since the insurance company might process millions of claims, the odds that any
of those 30–50 ‘randomly selected’ claims occurred after the policy was terminated are extremely unlikely.
Using CAATs, the auditor can select every claim that had a date of service after the policy termination
date. The auditor then can determine if any claims were inappropriately paid. If they were, the auditor
could then figure out why the controls to prevent this from occurring failed. In a real-life audit, the CAATs
auditor noted that a number of claims had been paid after policies were terminated. Using CAATs, the
auditor was able to identify every claim that was paid and the exact dollar amount incorrectly paid by the
insurance company. Furthermore, the auditor was able to identify the reason why these claims were paid.
The reason why they were paid was because the participant paid their premium. The insurance company,
having received a payment, paid the claims. Then after paying the claim, the participant’s check bounced.
When the check bounced, the participant’s policy was retrospectively terminated, but the claim was still
paid, costing the company hundreds of thousands of dollars per year.
............................................................................................................................................................................
Which looks better in an audit report?
• ‘Audit reviewed 50 transactions and noted one transaction that was processed incorrectly’.
• ‘Audit used CAATs and tested every transaction over the past year. We noted XXX exceptions wherein the
company paid YYY dollars on terminated policies’.
Check your response against the suggested answer at the end of the book.
Source: Adapted from Shabbir, M 2019, ‘Computer Assisted Audit Techniques (CAATs) – Modern Audit Tool’, Mayur
Batra Group, News, 11 March, accessed August 2019, http://www.mayurbatragroup.ae/insights/computer-assisted-audit-
techniques-caats-modern-audit-tool

As you can see from this example, a major benefit of using CAATs is that you can now test the total
population, allowing you to claim this in your report. This can add more weight to your observations and
make it easier for you to communicate to the business how you reached your conclusion.
The use of CAATs is currently limited to data saved on files using a systematic pattern. Unfortunately,
much data is not documented this way, such as with big data. Data often contains deficiencies and is poorly
classified or difficult to obtain; thereby lacking integrity. Due to these shortcomings, CAATs may be used
to complement an auditor’s tools and techniques. Sometimes CAATs aren’t suitable to use for a particular
audit, but there are also audits which couldn’t be efficiently performed with due care without the use of
CAATs. However, take care when handling larger volumes of data as more errors are likely to be observed.
The auditor may use a variety of software-based techniques to test controls. A common technique
involves submitting test data to the client’s software application while the application is under the auditor’s
control. Submitting auditor test data to the client’s application will allow the auditor to verify that the
application is functioning as designed (Johnson & Wiley 2019). Test data will be discussed further in the
next section.
Table 3.1 highlights the key information related to IT application controls. Note that the evidence was
obtained using software-based audit techniques.
In addition, in various circumstances the auditor may use a form of audit data analytics to test controls.
For example, let’s assume that transactions are both authorised and approved electronically, and the
software electronically tracks the individuals authorising or approving transactions. Subsequently, the
Pdf_Folio:179

MODULE 3 Performing the Audit of Historical Financial Information 179

auditor might use audit software to identify any transactions for which the individual authorising
the initiation of a transaction and the approval of the transaction for payment were the same. Alternatively,
let’s say that the policy in a private company is that all purchases over $500 000 must be approved by the
CEO. The audit software can identify all transactions over $500 000 and extract any that do not have the
CEO’s approval (Johnson & Wiley 2019).
The two major CAATs for testing controls used in practice are:
• test data
• integrated test facilities.

TABLE 3.1 IT application controls

Transaction level controls IT Application Control

What can go wrong Unauthorised sales may be made to customers that are significant credit
risks.

Example control Authorisation of sales. The software application checks to see that the
customer is on the master customer file and compares account balance to
credit limit on the customer master file.

Frequency of operation of the Each transaction.

control

Example test of controls Test IT general controls to determine that the program is operating
effectively. Submit two transactions to test the program itself: one
transaction to ensure the program appropriately accepts a transaction,
and one to ensure that the program appropriately rejects a transaction.

Evidence obtained Software-based audit techniques. Document the results of submitting test
data to test the sales program.

Exception to effective Evidence that the software application authorised sales that should not
operation of the control have been authorised, or evidence that the program rejected transactions
that should have been authorised based on authorisation criteria.

Source: Johnson & Wiley 2019.

Test Data
The test data technique involves the auditor creating simulated dummy transactions to test specific
controls in computer software as well as the logic and procedural operations of the client’s computerised
application. This technique is used to assess independently the existence, effectiveness and continuity of
software controls. It provides the auditor with evidence of the integrity of the system and the information
contained within.
The transactions that are designed by the auditor to test the software controls identified should include
both valid and invalid (illogical, incorrect and incomplete) transactions. The auditor must predetermine
how the application software will process the test data and design the test data to test the program controls.
This step is indicated by ‘audit test data simulated transactions’ in figure 3.4.
This technique provides the auditor with evidence that the software controls exist and are working
effectively. Note that this provides the auditor with direct evidence about the existence and effectiveness
of software controls. The evidence-gathering techniques outlined in ISA 500 that are most commonly used
for testing manual controls — inspection, observation and enquiry — do not provide direct evidence of
software controls.
Review example 3.6 and consider your response to the posed question about simulated transactions prior
to checking the suggested solution.

EXAMPLE 3.6

Simulated Transactions
If a software control is devised so that the number of payroll hours per week cannot exceed 50, the auditor
usually designs transactions to test these controls, by including dummy transactions such as:
• employee A having payroll hours per week equalling 50
• employee B having payroll hours equalling 51.
df_Folio:180
P

180 Advanced Audit and Assurance

 The auditor tends to work around the parameters set in the software program.
............................................................................................................................................................................
Assuming the software controls are working as designed, what should happen in each instance?
Check your response against the suggested answer at the end of the book.

Example 3.7 looks at how an auditor can use test data to test controls. Review the example now and
consider your response to the posed question before comparing your answer with the suggested solution.

EXAMPLE 3.7

Using Test Data

Sally Smith is the auditor of Gamma Pty Ltd, a manufacturing company with a number of divisions across
Australia. The company uses a centralised processor, maintained at its head office, to process all of its
accounting information.
In prior years, Gamma Pty Ltd never recorded accrued annual leave in its accounts but instead
recognised the expense when the leave was taken. However, for the current year ended 30 June,
the company decided to set up the liability at that date for accrued annual leave.
The company employs approximately 2400 people, each of whom belongs to one of four unions.
Entitlement to annual leave is based on length of service (calculated from the month of employment)
and varies according to the terms of each union contract.
Complete personnel information for all employees is maintained on a payroll master file that is updated
daily. An ‘employee status report’, containing all master file details for specified employees, is produced
daily on a request basis.
A specially written computer program was used to determine the amount of accrued annual leave. This
program extracted the relevant data from the payroll master file as at 30 June, calculated the amount of
accrued annual leave for each employee, recorded the details on an output file and printed a summarised
report showing only the grand total of the accrued annual leave. The computer program had a number
of program checks to ensure that only valid employees were included. For example, a check digit was
included in the employee number. There were other controls to ensure that authorised pay rates were
used, the number of days of unused annual leave was reasonable (more than 40 days of leave could not
be accrued) and the calculation complied with the terms of the union contract.
............................................................................................................................................................................
How could Sally use test data to evaluate the controls designed within the computer program?
Check your response against the suggested answer at the end of the book.

Integrated Test Facility

The integrated test facility (ITF) approach is very similar to the test data approach but takes it one step
further. To use this approach, the auditor establishes a ‘dummy entity’ (a record only for the auditor’s
purpose) on the live master file — for example, a fictitious employee, customer, vendor or inventory item.
This, of course, must be done with management’s permission. Once the dummy entity has been established,
the auditor will enter transactions for processing by the entity.
The Difference Between Test Data and Integrated Test Facility Techniques
Figure 3.4 highlights the main distinction between the test data and integrated test facility techniques. For
test data, the auditor’s simulated transactions only are run through the client’s application processing to
test program controls. There is no attempt to evaluate the client’s processing environment, just the controls
in the program.
In contrast, with an integrated test facility, the auditor introduces a complete dummy file to the client’s
computer records. Transactions are then processed by the program using both real (live) transactions and
auditor-created (ITF) transactions, during the period of audit interest (thus testing continuity of controls).
The client’s personnel cannot distinguish between them, meaning that the client’s processing environment
is also being evaluated.
Example 3.8 outlines how an auditor can appropriately rely on newly introduced controls. Review the
example now and consider your response to the posed questions before comparing your answers with the
suggested solution.
Pdf_Folio:181

MODULE 3 Performing the Audit of Historical Financial Information 181

 FIGURE 3.4 Illustration of test data approach and integrated test facility technique

Test data approach

Exception
Master reports
file

Client application Results Comparison

program audit run from run manually

Audit
test data Predetermined
simulated results
transactions of run

Integrated test facility technique

Live
master Client
Live file summary
transactions
reports etc.

Client
application ITF test data
ITF processing processing
transactions results

ITF
files

Predetermined Compare
results results

Source: CPA Australia 2019.

EXAMPLE 3.8

Devising and Applying Test Data

You are a member of the assurance team that is auditing Boomerang, a retail clothing chain with stores in
major shopping malls throughout Australia and New Zealand. You have been assigned the task of testing
the supplier invoice data entry and approval process for non-inventory items. Details of the system are as
follows.
• All accounting is done at the group head office, and suppliers are instructed to send their invoices there
directly.
• Orders for non-inventory items are issued by store staff. The person ordering enters the first three letters
of the vendor name. The system displays a list of all vendors starting with those letters, together with
their corresponding short codes, and the person ordering selects the required vendor.
• Required order details are entered, as shown in the tables following.
• The system carries out the following edit checks.
– Vendor short code corresponds to existing vendor (existence check)
– Quantity and unit price numeric (format check)
df_Folio:182
P

182 Advanced Audit and Assurance

 – Total purchase order value < $500 (limit check)
– There are uncommitted funds in budget for selected expense code (authorisation check)
• Orders are automatically added to the open order file at group head office.
• When the items are received, the store updates the order file to set the received status to Yes.
• The system also provides for standing orders for regular transactions. These are automatically generated
each month, and the received status is not checked for these.
• When entering a vendor invoice, the accounts payable clerk selects the vendor as previously described.
• The system displays all outstanding orders for that vendor. The clerk selects the required order. The
system displays all order details on file as shown in the provided tables, except for Unit Price and
Received fields.
• The clerk enters the following data from the invoice: invoice date, invoice number, due date and unit
price (for each item). The system checks the price entered against the file price. If the price entered is
less than the file price, or exceeds the file price by 5% or less, the system updates the file price. If it
exceeds the file price by more than 5%, the system routes the transaction to the purchasing manager
who must enter an override code before the transaction can be accepted into the system.
• For normal invoices, if the received status is not Yes, the transaction will be rejected. The clerk will have
to contact the store, and if necessary, the store will update the order file.
• The system calculates and displays the invoice price, including GST and any other applicable taxes.
The clerk checks the invoice total against the calculated total. If these differ, the clerk has to investigate
the difference; otherwise, the clerk accepts the transaction, which authorises the system to pay the
vendor on the due date.
Vendor table

Vendor code Vendor name

COF305 Coffee Supplies

CON249 Consolidated Plastics

CON077 Control Systems

CON021 Convergent Technology

Store table

Code Store

1038 Cairns

2013 Canberra

3067 Carnegie

5790 Chatswood

6702 Christchurch

4690 Coolangatta

General ledger codes table

GL code Expense

7893 Plastic carrier bags

7832 Tape

7822 Tissue paper

5034 Staff refreshments

5697 Telephone rental

5618 Local call charges

5847 Security alarm monitoring

P df_Folio:183

MODULE 3 Performing the Audit of Historical Financial Information 183

 Purchase order file structure

Field Comments

Order Number System generated

Order Type Values N(ormal) or

S(tanding)

Order Date System supplied

Store System supplied

Quantity Repeating group

Unit of e.g. dozen, 100, 1000

Measure

Description

Unit Price

Received Values Yes/No/NA (for

standing orders)

Vendor Code

GL Code

............................................................................................................................................................................
Select the information from Boomerang’s system as described, to create test data to verify effectiveness of
controls on ten simulated orders that a branch may make and ten simulated vendor invoices.
Check your response against the suggested answer at the end of the book.
Source: Parkes et al 2015.

QUESTION 3.4

Jasmine Motor Factors Ltd sells car parts to vehicle repair centres. Customers have a login into
Jasmine’s parts system, which allows them to place orders for parts online. If orders are made on
the system before 8 am, Jasmine guarantees same-day delivery.
You are planning the financial report audit for Jasmine and are considering the use of CAATs to
audit the company’s purchase system. You know from the previous year’s audit that there have
been problems with the system accepting invalid inputs from suppliers. You have decided to use
test data to check the validity of inputs into the purchase system. You have discussed this approach
with Jasmine’s staff, and they have agreed for you to enter dummy transactions onto the live
system.
Design test data transactions that you could use to gain confidence that Jasmine’s purchase
system does not accept invalid inputs.

SAMPLING TECHNIQUES FOR TESTING CONTROLS

Audit sampling is the application of testing procedures to less than 100% of the items within an account
balance or class of transactions (i.e. the population). This enables the auditor to obtain and evaluate
evidence of some particular characteristic and to form a conclusion concerning that characteristic. The
appropriateness of using sampling techniques, as compared with complete and detailed checking, is based
on the underlying assumption that the sample selected is representative of the items in the population
(i.e. the sample items will have similar characteristics as those in the whole population). This is vital
because the purpose of sampling is to infer the characteristics of the population from the items selected in
the sample.
df_Folio:184
P

184 Advanced Audit and Assurance

 As outlined in ISA 500, paragraphs A53–A57, the various means available to the auditor to gather audit
evidence concerning a particular account balance or class of transactions include:
• 100% examination
• selective examination of items (e.g. high-value or key items; all items over a certain amount)
• audit sampling.
The standard that provides guidance on the use of audit sampling in performing audit procedures is
ISA 530 Audit Sampling.
Audit sampling is commonly used when testing controls that relate to the processing of a large number
of transactions, where testing 100% of the items in a population is not an option. Selective examination
of items (e.g. high-value or key items or items over a certain amount) is aimed at monetary value and is
related to substantive testing; whilst with tests of controls, the auditor is interested in whether the controls
are working, not monetary amounts.
Samples related to tests of controls should be random so that any transaction affected by the control may
be selected. If all transactions are supposed to be subject to a control, the monetary value of the transaction
is not an issue. One of the aims of tests of controls is to ensure that the control existed and was effective
for the period of intended reliance, so all transactions flowing through the system for this period should
create the population from which the sample is selected.
Relevant definitions and issues influencing sample design and sample size are contained in ISA 530,
paragraphs A1–11. Read ISA 530, paragraphs A1–11, before proceeding.
Note that many of the large accounting firms are investing in new audit data analytic (ADA) techniques
that are capable of analysing complete sets of data and, therefore, no longer rely on sampling. ADA
techniques are discussed later in this module.
Selection of the Sample
The most common methods that will allow a representative sample of the population to be selected are as
follows:
• random selection
• systematic selection
• haphazard selection.
Random selection is where each sampling unit making up the account balance or class of transactions
has a chance (often an equal chance) of selection. The concept of random selection requires that the person
selecting the sample does not influence or bias the selection either consciously or subconsciously. This
requires the use of some form of impartial selection process to obtain a truly random sample. To do this,
auditors often use random number tables or random number generators on computer software to obtain an
appropriate sample selection.
Systematic selection involves selecting every nth item in the population, the interval being determined
by dividing the number of items in the population by the sample size and then selecting a random starting
point. Technically, it is not a random sampling process but a practical approach that closely approximates
random sampling.
Haphazard selection involves the auditor selecting sampling units without any conscious bias and in
a manner that the drawn sample can be expected to be representative of the population. Caution must be
used when using this technique, as it does involve more auditor judgment than the other two sampling
techniques. This sampling technique may prove appropriate when selecting a sample from a population
that is physically stored in an unsystematic manner (the unsystematic nature creating the randomness).
However, the auditor has to be careful not just to select items that are easy to access physically.
Further details of other sample selection methods are in ISA 530, Appendix 4.

QUESTION 3.5

Jackie opened the file of purchase invoices and selected 20 orders as part of tests of controls over
occurrence assertion. Is this an example of an audit sampling technique? Discuss.

Evaluation of Tests of Control Sample Results

For tests of control, the sample deviation rate is also the projected deviation rate for the population as a
whole. For example, if the auditor found that there were two deviations from a control in a sample of 50,
the projected population deviation rate would be 4%. The auditor then compares this projected population
Pdf_Folio:185

MODULE 3 Performing the Audit of Historical Financial Information 185

deviation rate to the deviation rate that they will accept and still rely on the control. The auditor needs to
evaluate the effect that the results of tests of controls will have on the nature, timing and extent of planned
audit procedures. A sample deviation rate higher than the auditor would accept for placing reliance on the
control may lead the auditor either:
• to look for other controls that could be relied on to reduce the risk of material misstatement to an
acceptable level, or
• to place less reliance on the control and increase the level of substantive testing undertaken.

QUESTION 3.6

You have just completed testing controls in the payroll expense area for a large company. The
results of your testing showed that there was one instance of a part-time employee being paid an
incorrect hourly rate. You recorded this exception as a control deviation in your working paper.
Justify why you recorded this one exception as a control deviation by referring to any potential
control weaknesses related to the system’s failure to detect, prevent and correct this type of error.

The key points covered in this section, and the learning objectives they align to, are below.

KEY POINTS

3.2 Apply processes and procedures to gather sufficient and appropriate audit evidence.
• Tests of controls obtain evidence on whether the controls operated in accordance with the auditor’s
understanding and as documented during the risk assessment process.
• Tests of controls confirm whether the controls functioned effectively throughout the period of
intended reliance.
• The auditor tests controls when they expect to rely on the effectiveness of controls to help to reduce
the risk of material misstatement to an acceptable level.
• Tests of controls are also considered when substantive procedures alone will not provide the auditor
with sufficient appropriate audit evidence at the assertion level.
• Audit sampling is appropriate for gathering audit evidence when the sample selected is represen-
tative of the items in the population.
• Computer-assisted audit techniques can enable the entire population of items to be tested.
3.4 Apply the appropriate standards that relate to the auditor’s response to assessed risks.
• ISA 500 Audit Evidence outlines the various methods the auditor can use to gather audit evidence
about particular account balances and class of transactions.
• ISA 530 Audit Sampling provides guidance to auditors on the use of audit sampling in performing
audit procedures in response to assessed risks.

3.3 SUBSTANTIVE AUDIT PROCEDURES

As introduced in module 2, substantive audit procedures comprise both substantive analytical procedures
and tests of details. These two categories of evidence-gathering procedures, which are used by the auditor
to respond to assessed risks, are discussed in more detail in this part of the module. The use of audit
software and sampling techniques for these procedures is also discussed.

SUBSTANTIVE ANALYTICAL PROCEDURES

Analytical procedures were discussed in module 2. If necessary, refer to module 2 now to refresh your
memory as to the types of analytical procedures available to an auditor.

Nature of Analytical Procedures

There are two types of analytical procedures, which are identified by the way they are used in the audit.
1. The first type is where analytical procedures are performed as risk assessment procedures. As you
will recall from your study of the audit planning process in module 2, analytical procedures must be
used at the planning stage to identify areas of high risk and to assist in determining the extent of planned
audit procedures.
df_Folio:186
P

186 Advanced Audit and Assurance

2. The second type, discussed in the next section, is substantive analytical procedures.
During an audit, the auditor may apply analytical procedures to gather evidence concerning individual
items of financial information. Thus, analytical procedures may be used during the audit as a substantive
procedure either to replace or to corroborate a test of details. At or near the completion of the audit,
analytical procedures may be used as a substantive test of balances, in particular with regard to subjective
areas such as certain provisions. Also, the auditor should design and perform substantive analytical
procedures near the completion of the audit to evaluate the reasonableness of the audited account balances.
Designing and Performing Substantive Analytical Procedures
Substantive analytical procedures are designed to substantiate financial statement balances by using
predictable relationships among financial and non-financial data. These procedures are most suited to
large volumes of transactions that tend to be predictable over time.
As outlined in ISA 520 Analytical Procedures, paragraph 5, when designing and performing substantive
analytical procedures, the auditor will need to consider:
• the suitability of substantive analytical procedures for testing assertions identified as containing a risk
of material misstatement
• the reliability of the data
• whether a sufficiently precise expectation can be developed
• whether the amount of difference from an expectation is acceptable.
Suitability of Substantive Analytical Procedures for Given Assertions
The application of substantive analytical procedures is premised on the expectation that relationships
among data exist. Their suitability as a substantive procedure will depend on the auditor’s assessment
of how effective they will be in detecting material misstatements. In some cases, these procedures may be
very effective. For example, if an entity has 50 employees and a known average annual wage of $50 000,
then the total annual payroll costs should be $2.5 million. Because this substantive analytical procedure
can be calculated with a high degree of accuracy, if there is little difference between the amount estimated
and the amount recorded by the client, this will reduce the need to perform tests of detail on the total
payroll costs.
Substantive analytical procedures alone may provide sufficient appropriate audit evidence when risk of
material misstatements is low for a class of transactions. However, if assessed as low due to related internal
controls, the auditor would also need to perform tests of controls.
When addressing significant risks, analytical procedures would need to be supported by evidence from
substantive tests of details or tests of controls as analytical procedures alone would not provide sufficient
appropriate audit evidence.
When using substantive analytical procedures, the auditor should design procedures to reduce the risk of
failing to detect material misstatements to an acceptably low level. To enable auditors to identify possible
material misstatements (either individual or in the aggregate) they would need to develop a sufficiently
precise expectation of what the value should be.
Substantive analytical procedures may be grouped into three levels based on the level of assurance
obtained. Procedures that result in a high level of assurance have a low level of risk of material misstatement
(i.e. they are highly effective at reducing audit risk), as demonstrated in table 3.2.

TABLE 3.2 Level of assurance obtained — substantive analytical procedures

Level of assurance obtained Description

Limited Basic procedures, e.g. comparing current period amounts to previous

period amounts.

Moderate Procedures to corroborate evidence obtained from other procedures.

High Procedures used as the primary source of evidence about financial

statement assertions. However, if there is high level of risk about a specific
assertion, other relevant procedures would also be performed.

As mentioned previously, substantive analytical procedures may be effective in detecting material

misstatements when the procedure can be calculated with a high degree of accuracy. Table 3.3 outlines
examples of substantive analytical procedures that are likely to be effective.
Pdf_Folio:187

MODULE 3 Performing the Audit of Historical Financial Information 187

 TABLE 3.3 Examples of effective substantive analytical procedures

Financial statement balance Substantive analytical procedure

Sales Quantities shipped × selling price per unit

Commission expense Commission rate × sales

Payroll expense Number of employees × pay rates

Amortisation expense Amortisation rate × capital asset balances (taking into account additions
and disposals)

Payroll accruals Daily payroll × number of days accrued

The Australian Securities and Investments Commission (ASIC)’s Audit Inspection Program Report for
2017–2018 (ASIC 2019) suggests that improvements are required in relation to the audit of revenue,
including substantive analytical procedures. With respect to ‘revenue and receivables’, about a third of
ASIC’s findings relate to substantive analytical procedures which were used without:
(i) evidence of a ‘plausible relationship’
(ii) evaluating ‘the reliability of data used to develop the auditor’s expectation’
(iii) determining acceptable thresholds for investigation, or failing to ‘disaggregate revenue by product
type or geographical location’; and
(iv) investigating results of ‘differences from expectations’ (ASIC 2019, p. 32).

The Use of Non-Financial Data in Substantive Analytical Procedures

Using non-financial data in substantive analytical procedures can often enhance the results. Suitable non-
financial data could include, the number of specific products shipped, square footage for a retail store, or
head counts.
As mentioned previously, when performing analytical procedures, it is important to set expectations
(e.g. changes from prior period, etc.) and then compare those expectations to the financial statement
information. Avoid starting with the financial information and then trying to explain variances using
knowledge of the client and its environment. Analytical procedures are stronger when they are designed
based on an understanding of the entity and its environment. However, the reliability of any non-financial
data used needs to be established before its use in a substantive analytical procedure.

QUESTION 3.7

Identified risk: Analytical procedures for a retailer show significant decreases in both profit margins
and inventory turnover days.
(a) This risk indicates that the retailer may be experiencing problems with inventory shrinkage.
What type of fraud could this entail?
(b) Which assertion is relevant to this potential misstatement?

The Reliability of the Data

Table 3.4 shows the relevant considerations when determining whether data is reliable when deciding to
undertake substantive analytical procedures.

TABLE 3.4 Determining whether data is reliable

The source of the For example, information obtained from independent sources outside the entity
information may be more reliable than information obtained from within an entity.

The comparability of For example, if expectations of areas of misstatement are developed based
the information on comparisons with industry data, consideration needs to be given to how
representative the client entity is of the industry.

df_Folio:188
P

188 Advanced Audit and Assurance

 Whether a sufficiently Factors affecting this will include the following.
precise expectation can be
developed
Accuracy with which For example, gross profit margins over time will be more
expected results can consistent than the level of discretionary expenses-
be predicted to-sales ratio. (An example of an expense would be
advertising costs.)

Level of aggregation Sometimes it may be more appropriate to perform

of the data analytical procedures at the division or subsidiary level
rather than at the corporate level. This is particularly
true when the organisation being audited is made up of
a number of diverse units. For example, retail food sales
are characterised by high volume and low margins,
whereas in fashion clothing, the situation is reversed. In
the process of consolidation, one set of characteristics
would cancel out the other. Therefore, the application
of analytical procedures combining both these areas
would not highlight any inconsistency in those two
areas.

Availability of For example, is financial information, such as forecast

the data sales price, and non-financial information, such as
number of units sold, available to design an expectation
of sales revenue?

Whether the amount The deviation from the expectation that can be accepted without further
of difference from an investigation needs to take into account the possibility that a misstatement,
expectation is acceptable either individually or when aggregated with other misstatements, may cause the
financial statements to be misstated.

Source: CPA Australia 2019.

When the amount of difference from an expectation is less than performance materiality, the amount
is likely to be acceptable. Procedures used by auditors to investigate the differences from expectations
include:
• reconsidering the methods and factors used to form their expectation
• enquiring to management about the causes of differences from expectations and assess management’s
responses (need to consider the auditor’s understanding of the business obtained during the audit)
• corroborating management’s explanations by performing other audit procedures.
Following this investigation, the auditor may conclude that:
• the differences from expectations and recorded amounts do not represent missstatements
• differences may represent misstatements — in this case, further audit procedures need to be performed
to obtain sufficient appropriate audit evidence as to whether a material misstatement exists.
More complex techniques such as regression analysis (e.g. of sales data) and modelling (e.g. of infor-
mation systems) could be extremely powerful in their predictive ability and often provide a numeric
measure of their accuracy. The disadvantage of some of these techniques is that they can be time-
consuming, be difficult to use and require trained personnel. This often restricts their use in practice.

The Use of Reasonableness Tests as Substantive Analytical Procedures

Reasonableness tests are computations that calculate an expected amount by using financial or non-
financial data as independent variables. For example, if sales (subject to sales commission) were
$100 million and the sales commission rate was 8%, the auditor would expect reported sales commission
expense of $8 million for the period. This form of test can also be used if the commission rates vary with the
type of sales, but it does become a more detailed calculation. In many instances, the auditor is using non-
financial information as general measures of the client’s expected volume of operations. As an example,
staff movements (a non-financial variable) should help to explain variations in payroll expense.
To perform a reasonableness test, it is necessary to develop a model that explains the level of (or change
in) a dependent variable (e.g. payroll expense) by analysing changes in related financial or non-financial
independent variables (e.g. number of employees). This can be a useful source of audit evidence if the
auditor has confidence in the system that is producing the non-financial independent variables (e.g. for the
number of employees, this could be the personnel file).
Pdf_Folio:189

MODULE 3 Performing the Audit of Historical Financial Information 189

 Example 3.9 demonstrates the use of reasonableness tests in two situations. Review this example now
and consider your responses to the posed questions before checking the suggested solution at the back of
the book.

EXAMPLE 3.9

Reasonableness Tests
Company That Rents Storage Space
Consider a company that rents storage space and charges by the square metre.
............................................................................................................................................................................
1. What would be a suitable reasonableness test if the storage space is fully occupied (e.g. there is a waiting
list for space)?
2. What would be a suitable reasonableness test if the storage space is not fully occupied?
Hotel in a Tourist Destination
Consider a hotel in a tourist destination, where occupancy rates vary across time (e.g. days of the week,
seasons) and room rates vary considerably depending on the outlook (e.g. ocean views, mountain views)
and the size of the room.
............................................................................................................................................................................
1. Would this variability impact on the reasonableness test?
Check your responses against the suggested answer at the end of the book.

QUESTION 3.8

Answer the following questions in relation to reasonableness tests.

(a) Outline a reasonableness test for auditing the revenue of a property lessor who leases out space
in a 15-storey building and charges by the square metre with a higher rate for the top five floors.
(b) Explain why this procedure may be preferred to substantive testing of details.
(c) Could a reasonableness test be developed for the revenue of an airline?
(d) What would need to be considered?

RELATIONSHIP BETWEEN SUBSTANTIVE ANALYTICAL

PROCEDURES AND OTHER AUDIT PROCEDURES
Whenever a substantive analytical procedure on financial information is proposed, its effect on the other
audit procedures proposed to be undertaken should be considered, because it may allow other tests of details
to be reduced. The extent to which the other procedures can be reduced depends upon the assurance that can
be acquired from the substantive analytical procedures — or in other words, the risk that the conclusions
drawn are incorrect.
For example, the current year’s figures should always be compared with last year’s, but this simple
comparison rarely allows detailed work to be reduced. On the other hand, a comparison of interest income
or expense with a calculation using average monthly balances and interest rates may well avoid the need for
extensive detailed testing. It is this latter type of test that could provide the significant assurance required
to allow other substantive procedures to be reduced.
No matter how fully the details of the transactions and account balances in the financial statements have
been verified, it is still necessary to verify that the financial statements produced are reasonable. Therefore,
analytical procedures are undertaken at the completion stage of all audits to provide an overall review of
the financial statements (ISA 520, para. 6). This process should ‘corroborate conclusions formed during
the audit of individual components or elements of the financial statements. This assists the auditor to draw
reasonable conclusions on which to base the auditor’s opinion’ (ISA 520, para. A17).
Example 3.10 provides financial information on a client. Work through the example now to test your
ability to analyse the results of analytical procedures and identify any items that may require further
investigation.
df_Folio:190
P

190 Advanced Audit and Assurance

 EXAMPLE 3.10

Analysing the Results of Analytical Procedures

The auditor of Huggins Ltd, an assembler and wholesaler of desktop computers, has performed analytical
procedures on the 20X9 unaudited financial statements of Huggins Ltd and tabulated the results along
with prior years’ results in the first table below. The auditor also calculated similar ratios for Huggins Ltd’s
two main competitors for 20X8 and tabulated these in the second table below.

Huggins Ltd results for 20X6–20X9

20X9 20X8 20X7 20X6

Debtors turnover 9.11 6.53 10.13 3.49
Inventory turnover 3.38 3.15 3.26 1.58
Net profit as a % of sales 5.63 4.84 3.94 4.95
Inventory as a % of sales 31.50 33.08 33.08 34.43
Sales commission as a % of sales 8.00 8.00 6.00 6.00
Repairs expenses as a % of sales 1.38 3.22 1.04 2.78
Property, plant and equipment (PP&E) as a % of sales 42.75 42.64 49.84 27.11
Inventory as a % of current assets 75.71 70.09 110.14 49.16
PP&E as a % of total assets 53.66 50.06 66.26 28.13
Working capital 34 650.00 22 050.00 8350.88 4441.50
Current ratio 4.08 2.76 2.69 1.35
Quick ratio 1.34 1.02 1.05 0.75

Competitor analysis for 20X8

Huggins Ltd Competitor 1 Competitor 2

Debtors turnover 6.53 9.52 10.78
Inventory turnover 3.15 4.73 6.91
Inventory as a % of sales 33.08 26.21 15.30
PP&E as a % of sales 42.64 14.74 11.48
Current ratio 2.76 3.76 1.94
Quick ratio 1.02 1.46 1.15
Inventory as a % of current assets 70.09 68.51 45.90
PP&E as a % of total assets 50.06 27.45 26.44

............................................................................................................................................................................
1. Analyse the results of the analytical procedures, and identify which account balances of the Huggins Ltd
financial statements would warrant increased audit attention?
2. To what extent can substantive analytical procedures be used to eliminate the need for tests of details in
the audit of the following material account balances? Justify your answer.
(a) Trade debtors
(b) Sales commission expense
(c) Repairs expense
Check your response against the suggested answer at the end of the book.

TESTS OF DETAILS
Tests of details include tests of transactions and account balances and are designed to obtain direct evidence
aimed at reducing the risk of material misstatement for a particular account. The assertions provide the
link between the risks of misstatement (identified in module 2) and the audit procedures that provide the
response to these assessed risks.

Nature of Tests
The nature of the audit procedures carried out will depend on the type of account being audited and the
assertions identified as being at risk. For example, to confirm the existence of an asset, an auditor may
physically verify its existence and title. To confirm the existence of a bank balance, a commonly used
audit procedure is to obtain a letter from the bank confirming the account balance.
Pdf_Folio:191

MODULE 3 Performing the Audit of Historical Financial Information 191

 For each individual area of the financial statements, the auditor will perform and document tests of
transactions and balances that verify the components of account balances and confirm that these account
balances agree with the totals shown in the financial statements of the organisation.
The general principles concerning audit evidence and the methods of collecting audit evidence apply to
all audit procedures, including tests of transactions and account balances. The specific audit procedures
for each class of account will depend on the audit objective and the audit environment.

Designing and Performing Tests of Details

The auditor needs to consider a number of matters when designing and performing tests of details. For
example, each material account balance, class of transactions and disclosure is required to be audited
regardless of the assessed risk of material misstatement. Required audit procedures include those necessary
to comply with ISAs and any local requirements. These include:
• agreeing information in the financial statements to the underlying accounting records
• reconciling information in disclosures with information within general and subsidiary ledgers (or outside
information if relevant)
• addressing management override
• examining material journal entries (and other adjustments) made during the preparation of the financial
statements.
Auditors also need to consider the need to obtain external confirmations of account balances and their
elements; for example, confirmation of bank balances, investments, trade debtors, terms of contracts, or
transactions with other parties. These issues are discussed later in this module.
Tests of detail need to be designed and performed to provide a high level of audit assurance to any
identified significant risks. When procedures are performed during the interim period, further substantive
procedures, combined with tests of controls, will need to be performed at the period end to provide a
reasonable basis for extending the audit conclusions from the interim date to the period-end date. If
unexpected misstatements were identified at the interim date, the planned remaining audit procedures
would need to be modified.

Tests of Transactions and Account Balances

The auditor can directly test the individual transactions that cause an account balance to increase or
decrease. Using this approach, the auditor makes an analysis of the account and lists the transactions that
change the balance. These transactions are then verified by examining supporting documentation or other
related evidence for assertions about transactions and events. This approach is commonly used for accounts
with a relatively low volume of transactions that do not involve a significant risk of misappropriation of
assets, such as manufacturing equipment and related accounts. Transactions may include additions to, or
sale of, manufacturing equipment during the period.
Another approach is to test directly the account balances. Tests of account balances provide some of the
most reliable evidence available to the auditor. End-of-period account balances in a statement of financial
position are in many situations easier to test than the transactions that gave rise to these balances. Therefore,
more reliance is placed on such tests.
Direct testing of the items making up the closing balances can be undertaken for accounts supported
by lists of individual items, such as a subsidiary ledger. For example, a trade debtors’ balance is usually
supported by a subsidiary ledger that lists the balance due from each customer, and the auditor can confirm
these amounts with individual customers. Other accounts that allow this approach include:
• notes receivable
• trades payable
• notes payable
• inventory
• PP&E.
For most of these accounts, the auditor is able either to physically observe or to confirm the individual
items making up the balance.
During tests of details for a particular class of transaction or account balance, the auditor’s objectives are
to obtain sufficient appropriate evidence concerning management assertions that are considered material.
The link between the audit objectives and the audit procedures are outlined in an audit program. Sometimes,
an audit procedure may fulfil more than one objective. For example, examining the documents supporting
the acquisition of equipment provides some evidence of existence, rights and obligations, and accuracy,
valuation and allocation.
Pdf_Folio:192

192 Advanced Audit and Assurance

 However, more than one procedure is often necessary to satisfy a particular objective. The procedure
of observing the asset acquired may also be necessary to satisfy the existence assertion. To substantiate
an amount presented in the financial statements, several different procedures are usually necessary.
For example, confirming a receivable provides reliable evidence of existence, but it does not provide
satisfactory evidence for accuracy, valuation and allocation. For the accuracy, valuation and allocation
assertion, the collectability of account balances and related procedures, such as testing of subsequent
receipts, must also be considered.

Types of Tests of Account Balances

Tests of account balances are audit tests that substantiate the closing balance of a general ledger account.
Thus, they are substantive tests that either provide reasonable assurance of the validity and appropriateness
of the balance or identify monetary misstatements in it. The two types of tests of balances discussed are:
• external confirmations, including bank confirmations
• attendance at physical inventory counts.

External Confirmations
The use of external confirmations in an audit is quite common. There are many items in a financial
statement for which external confirmations may be an appropriate method of obtaining sufficient and
appropriate audit evidence. This is recognised in ISA 505 External Confirmations. External confirmations
provide evidence about the completeness of a liability and the existence of an asset. They also provide
evidence on whether the amount has been accurately recorded in the accounting records (accuracy
assertion) and in the appropriate accounting period (cutoff assertion). However, they are less relevant to
the valuation and allocation assertion because it does not provide evidence of the recoverability of trade
debtors or the obsolescence of inventory held in stock.
Examples of when external confirmations are suitable include when obtaining evidence of:
• the terms and conditions of transactions that an entity made with third parties
• the trade debtors’ balances and terms
• the trade payables’ balances and terms
• bank balances and other relevant banking information
• the amounts due to lenders, any restrictive covenants and relevant repayment terms
• investments held for safekeeping by third parties
• investments purchased from stockbrokers but not yet delivered
• property title deeds held by lawyers or financiers as security or for safe keeping
• inventories held by third parties (including those on consignment).
The use of external confirmations is not mandated by ISA 505. Rather, it recognises that confirmation
of account balances should be determined based on an assessment of their effectiveness in providing
audit evidence to support financial statement assertions. For this purpose, the standard sets out the
matters that should be considered when determining whether and to what extent external confirmations
are the most appropriate form of audit evidence. The reliability of the evidence obtained by external
confirmations depends on the auditor applying appropriate procedures when designing the external
confirmation requests, performing the external confirmation procedures, and evaluating the results of these
procedures. Factors affecting the reliability of external confirmations include:
• the control the auditor exercises over confirmation requests and responses
• the characteristics of the respondents
• any restrictions included in the response or imposed by management.
The role of both positive and negative confirmation requests is detailed in ISA 505. It also indicates that
the choice between the two depends on the prevailing circumstances, including the assessment of inherent
and control risks.

Positive Confirmation Requests

A positive confirmation request provides a very reliable form of evidence. Therefore, it is preferred
where individual account balances are relatively large or where inherent or control risks are assessed
as high, thus making the risk of material misstatement high. Where the positive confirmation request is
used and the auditor receives no response, the auditor should apply alternative procedures. Items that
cannot be confirmed, and for which alternative procedures have not been performed, should be treated as
misstatements.

Pdf_Folio:193

MODULE 3 Performing the Audit of Historical Financial Information 193

Negative Confirmation Requests
Negative confirmation requests are less reliable but may be used where a large number of individual
account balances are relatively small or where inherent or control risks are assessed at a reduced level.
Nevertheless, the auditor should be aware that, even under these circumstances, this form of confirmation
request may not necessarily provide sufficient appropriate audit evidence. Hence, the auditor will have
to increase the extent of other audit procedures in order to obtain sufficient appropriate audit evidence to
make conclusions about the assertions being tested.
The auditor may use a combination of both positive and negative confirmation requests if the nature
of the population and the prevailing circumstances warrant it. The importance of the auditor maintaining
control over the confirmation process to minimise the possibility that the results will be biased because of
the possible interception or alteration of responses is also recognised in ISA 505.
Some responses from debtors may indicate disagreements or discrepancies with the statement or copies
of invoices sent out for confirmation. In this case, the first step for the auditor is to determine if these
differences are caused by timing (e.g. payment made on 30 June but received by the client on 1 July) or by
actual clerical errors and/or disputed amounts. If the latter, the auditor is likely first to examine the sales
and shipping documentation and then carry out follow-up procedures to determine if the discrepancy is
actually an error. Once the amounts of the errors have been established, the auditor projects the monetary
misstatement.

QUESTION 3.9

Explain why external confirmation of accounts receivable provides relevant and reliable audit
evidence regarding assertions. Outline the limitations.

Bank Confirmations
Bank confirmation requests are used to obtain audit evidence concerning a client’s dealings with its
bank(s). Guidance Statement GS 016 Bank Confirmation Requests states that information obtained from
such requests may assist the auditor in obtaining sufficient appropriate evidence regarding bank-related
transactions and account balances, and their related presentation and disclosure in the financial statements.
While such bank confirmation requests are not required, the auditor would normally send such requests
when the entity’s banking activities are significant, complex or unusual (GS 016, para. 13). The Guidance
Statement identifies that there may be instances (e.g. when an entity’s banking activities are straightforward
and there is other appropriate evidence available) where the auditor may decide not to send a bank
confirmation. However, it is usual in practice for an auditor to confirm an entity’s banking activities for
nearly all audit clients.
Some of the major features of GS 016 include:
• a discussion of the relevance and reliability of the evidence obtained from a bank confirmation
• a discussion of the necessity for the auditor to remain alert to the possibility of fraud occurring in the
entity’s banking activities
• the procedures to be undertaken, including determining the bank information to be confirmed, designing
the bank confirmation request, and submitting and following up on the request
• the inclusion of a ‘Bank Confirmation — Audit Request (General)’ form, on which the information to
be confirmed relates to ‘normal banking activities’
• the inclusion of a ‘Bank Confirmation — Audit Request (Treasury and Other Operations)’ form, on
which the information to be confirmed relates to the client’s treasury operations and use of treasury
management instruments, such as forward rate agreements, foreign exchange contracts and interest rate
swaps.
Many bank confirmation processes are now completed electronically (ISA 505, para A12; GS 016,
para. 59). Electronic confirmations are addressed in ISA 505, paragraph A12 and GS 016. While electronic
confirmations may speed up the process and potentially increase the reliability of responses, this type
of confirmation process may introduce some new risks. These new risks would include the difficulty
of proving the origin of the response, whether the respondent was authorised to respond, and whether
there were any unauthorised alterations to the information transmitted. However, ISA 505, paragraph
A12, highlights that if the auditor and the respondent use a secure environment for the responses received
electronically, it may mitigate these risks and may actually enhance the reliability of the related responses.
df_Folio:194
P

194 Advanced Audit and Assurance

The auditor may incorporate techniques for validating the identity of the sender through the use of
encryption or digital signatures.

QUESTION 3.10

Outline the steps that an auditor can undertake in order to place greater reliance on an electronic
response to a bank confirmation request.

Attendance at Physical Inventory Counts

When inventory is assessed as material, the auditor is required to obtain sufficient appropriate audit
evidence regarding its existence and condition by attendance at a physical inventory count, unless it is
impractical (ISA 501 Audit Evidence — Specific Considerations for Selected Items, para. 4(a)). Where
attendance is impractical, the auditor is required to consider whether alternative procedures provide
sufficient appropriate audit evidence of the existence and condition of the inventory in order to conclude
that the auditor need not make reference to a scope limitation (ISA 501, para. 7).
In planning attendance at the physical inventory count, the auditor would be expected to consider the
following matters:
• The risks of material misstatement related to inventory.
• The nature of the internal control related to inventory.
• Whether adequate procedures are expected to be established and proper instructions issued for physical
inventory counting.
• The timing of physical inventory counting.
• Whether the entity maintains a perpetual inventory system.
• The locations at which inventory is held.
• Whether the assistance of an auditor’s expert is needed. (ISA 501, para. A3).

At these counts, the auditor’s procedures usually consist of:

• reviewing the instructions to ensure that they are adequate
• observing that the client follows the instructions
• inspecting the inventory
• undertaking test counts as a checking mechanism to ensure that the client’s counts are accurate (ISA
501, paras A4–A7).

At stocktake, the auditor carries out test counts. Any differences between the auditor’s counts and the
client’s counts need to be reconciled. These differences may be due to errors in counting by either party
or may be due to other issues, such as certain inventory items being in more than one location.
Direction of Testing
The assertion being tested determines whether vouching or tracing should be used for testing.
• Vouching involves testing from the accounting record to the source document or underlying assets. The
auditor tests for existence by vouching items from the ledger to the physical stock or stocktake records.
• Tracing involves testing from the source documents or underlying assets to the accounting records. The
auditor tests for completeness by comparing the physical count to the ledger.
The auditor needs to follow up any differences. For example, if the physical count is less than the ledger
account, it is possibly due to items in transit or on consignment, and follow-up procedures would need to
be carried out to confirm this.
Table 3.5 identifies the relationships between assertions, specific audit objectives and substantive
procedures for inventories.
Example 3.11 deals with the audit procedures to be adopted for testing transactions and balances and
the related disclosures. Read the scenario presented and consider your responses to the posed questions
before checking the suggested solution at the back of the book.

Pdf_Folio:195

MODULE 3 Performing the Audit of Historical Financial Information 195

 Relationships between assertions, specific audit objectives and substantive
TABLE 3.5 procedures for inventories
Specific audit objective
For the existence assertion
Inventories included in the balance sheet or statement
of financial position physically exist.
Inventories represent items held for sale or use in the
normal course of business.
For the rights and obligations assertion
The entity has legal title or similar rights or ownership
to the inventories.
Inventories exclude items billed to customers or owned
by others.
For the completeness assertion
Inventory quantities include all prod-
ucts, materials and supplies on hand.
Inventory quantities include all products, materials
and supplies owned by the company stored at outside
locations.
For the valuation and allocation assertion
Inventory listings are accurately compiled and the totals
are properly included in the inventory accounts.
Inventories are properly stated at cost (except when net
realisable value is lower).
Slow-moving, excess, defective and obsolete items
included in inventories are properly identified.
Inventories are reduced, when appropriate, to net
realisable value.
For the presentation and disclosure assertions
Inventories are properly classified in the balance
sheet/statement of financial position as current
assets.
The basis of valuation is adequately disclosed in the
financial statement.
The pledge or assignment of any inventories is
appropriately disclosed.
df_Folio:196
P
196 Advanced Audit and Assurance
Examples of substantive procedures
Observe and test inventory counts (stocktakes).
Obtain confirmation of inventories at locations outside
the entity.
Review perpetual inventory records and purchasing
records for indications of current activity.
Compare inventories with a current sales catalogue and
subsequent sales and delivery reports.
Examine paid suppliers’ invoices, consignment
agreements and contracts.
Examine paid suppliers’ invoices, consignment
agreements and contracts.
Test shipping and receiving cutoff procedures.
Compare inventories with a current sales catalog and
subsequent sales and delivery reports.
Observe and test inventory counts.
Account for all inventory tags and count sheets used in
making the inventory counts.
Analytically review the relationship of inventory
balances to recent purchasing and sales activities.
Test shipping and receiving cutoff procedures.
Obtain confirmation of inventories at locations outside
the entity.
Trace test counts recorded during the inventory count
observation to the inventory listing.
Test the clerical accuracy of inventory listings.
Reconcile physical counts to perpetual records and
general ledger balances, and investigate significant
fluctuations.
Examine suppliers, invoices.
Enquire of sales personnel concerning possible excess
or obsolete inventory items. Examine an analysis of
inventory turnover.
Review industry experience and trends.
Analytically review the relationship of inventory
balances to expected sales volume.
Review estimates of realisable values.
Review drafts of the financial statements.
Compare the disclosures made in the financial
statements with the requirements of the Corporations
Act 2001 (Cwlth) (Corporations Act) and applicable
accounting standards.
Obtain confirmation of inventories pledged under loan
agreements.
 EXAMPLE 3.11

Tests of Transactions and Balances

Amna Ltd was facing its first loss since listing five years ago, but the chairperson of the board of directors/CEO
was not about to let that happen. His bonus was tied to reported earnings. He owned shares in the company
and knew the psychological impact of a first-time loss would hit his company’s share price. He asked staff
who were also affected by the bonus rules to turn the loss into a small profit by:
1. creating fictitious inventory by adding false count sheets to the inventory count
2. bringing forward sales for the first ten days of the subsequent year
3. postponing the recognition of the expenses associated with suppliers’ invoices until the subsequent
period
4. creating false claims for credit on goods returned and volume discounts that had been supposedly
agreed to by suppliers.
............................................................................................................................................................................
1. Bonus plans and employee share ownership are generally considered to be features that align the incentives
of managers with those of shareholders. Is this the case for Amna Ltd?
2. What is the financial statement impact of each of the four methods listed?
3. Identify two audit procedures that could detect frauds that employ the four methods listed.
Check your response against the suggested answer at the end of the book.

QUESTION 3.11

Listed in this question are four audit procedures performed during the 20X9 audit of JayJays
Ltd. For each procedure, indicate the relevant assertion(s) and indicate what type of substantive
procedure was performed (i.e. analytical procedure, test of details of balances or test of details of
transactions).
(a) Calculate the trade debtors’ turnover and compare with prior year’s turnover.
(b) Review all invoices received for one month after the 30 June 20X9, to ensure that the transac-
tions are recorded in the appropriate accounting period
(c) Attend the year-end stocktake and perform test counts on a sample of inventory items.
(d) Review the adequacy of the company’s allowance for doubtful debts.

USING CAATs FOR SUBSTANTIVE TESTING

Audit software can also be used for substantive testing. It consists of computer programs used by the
auditor to identify and process data of audit significance from the IT system. Audit software techniques
are designed to read the client’s files and data, in particular, the transactions and master files. This enables
routine audit tasks to be undertaken and directs the auditor’s attention to areas of risk and materiality that
require further audit consideration. Thus, they are substantive procedures orientated, with a limited ability
to determine whether controls are, in fact functioning, even though they do not directly test these controls.
Substantive procedures that can be performed by the use of CAATs include:
• analytical procedures e.g. identifying significant fluctuations or inconsistencies
• sampling programs to extract data for audit testing
• tests of details of transactions and balances e.g. recalculating interest
• reperforming calculations performed by the client’s accounting systems.
Audit software may consist of:
• generalised audit software (applicable to a wide variety of audit situations)
• purpose-written programs (customised to suit a particular audit situation)
• utility programs and system-management programs.
We will discuss each of these in turn.

Generalised Audit Software

Generalised audit software (GAS) consists of a set of computer programs designed to perform audit
functions that would traditionally have been performed manually. The computer programs are essentially
data manipulation and output programs that are adaptable to various data formats and computer systems.
Pdf_Folio:197

MODULE 3 Performing the Audit of Historical Financial Information 197

These are ‘generalised’ because the software can be used on a number of different accounting systems and
clients. ACL and IDEA are examples of GAS. Table 3.6 describes the functions of GAS.

TABLE 3.6 The functions of generalised audit software

Extract data from client files based
on criteria specified by the auditor
(exception reporting)
The auditor specifies what data should be extracted from client files
for audit purposes. The criteria or specifications for data extraction
will depend on the audit objectives and subsequent audit procedures
to be conducted.
Once extracted, the data are edited and reformatted for audit
purposes and transferred to an audit work file, which is available for
use by other routines (programs) in the package. This is a very useful
technique and is widely used to direct the auditor’s attention to risky
or material items.
For example, in the audit of accounts receivable, the auditor can
identify all accounts that are overdue by more than 30 days. This is
useful in directing the auditor’s attention to accounts that have a risk
of misstatement with regard to the accuracy, valuation and allocation
assertion.

Test calculations The auditor can use the software to verify the accuracy of extensions
or footings of journals or listings.

Compare data Comparisons may be performed using logical operators, such

as ‘less than’, ‘equal to’, and ‘greater than’, to determine the
consistency between items, for data selection purposes, or to verify
compliance with certain conditions.

Select and print audit samples The software can use various sampling methods (e.g. random or
systematic selection) to select samples and can stratify and analyse
data statistically (e.g. providing mean and/or median values).

Summarise data for audit analysis and
format and print outputs
Audit software is capable of formatting and printing data in a
variety of ways to produce desired reports, analyses and/or forms
(e.g. confirmation request forms).
The software can also simulate client program processing functions,
compare the output with the actual output of the client and analyse
data for trends (e.g. ageing or turnover).

Source: CPA Australia 2019.

Purpose-Written Programs
Purpose-written programs are computer programs designed to perform audit tasks in specific circum-
stances. These programs may be prepared by the auditor, the entity or an outside programmer. They may
contain the same functions as GAS or any reduced set of functions considered appropriate for the purpose
for which it was written. Purpose-written programs are often used when a client’s computer system is not
compatible with the GAS or where the auditor wants to perform functions that the GAS is unable to do.
These programs need to be updated regularly to remain compatible with updates to the client’s system and
generally cost more than GAS.

Utility Programs and Systems Management Programs

Utility programs are used by the entity to perform common data-processing functions such as sorting,
creating and printing computer files. They may be used by the auditor in their original state or in a modified
state. However, these computer programs are not designed for audit purposes and, therefore, may not
contain some features that the auditor would like, such as automatic record counts or control totals.
Systems management programs are enhanced productivity tools that are typically part of a sophisticated
operating systems environment — for example, data retrieval software or code comparison software. By
using these programs, the auditor does not need to start from scratch to obtain the benefit of their processing
capabilities that are of audit interest. Table 3.7 outlines the advantages and disadvantages of using utility
and systems management programs.
Example 3.12 deals with the use of generalised audit software programs to substantiate the client’s
inventory valuation. Read the scenario presented and complete the task.
Pdf_Folio:198

198 Advanced Audit and Assurance

 Advantages and disadvantages of auditors using utility programs and systems management
TABLE 3.7 programs

Advantages Disadvantages

They can be easy to use as they are well-documented Utility and systems management programs have only
and (usually) user-friendly. limited applications. They do not have all the functions
normally included in audit software.

They provide a higher level of reliability. Because They could corrupt files if incorrectly used.
they are generally supplied by hardware/software
manufacturers, they are extensively tested and widely
used.

They are readily available and efficient. All computer

hardware has associated systems software with a
wide range of utilities that can perform numerous data-
processing functions in an efficient and economical
manner.

Source: CPA Australia 2019.

EXAMPLE 3.12

Generalised Audit Software

You are a manager in the team of an audit firm that is auditing Boomerang, a retail clothing chain with stores
in major shopping malls throughout Australia and New Zealand. You have been assigned responsibility
for confirmation of the client’s valuation of the inventory held at its distribution centre. The structure of the
client’s inventory master file is:

Item number

Description

Size

Colour

Quantity on hand

Weighted average cost

Last cost

Vendor code

Economic order quantity

Reorder point

Quantity issued for year

Quantity purchased for year

The client has had stock count sheets prepared in duplicate with the first four of the preceding fields
filled in and a blank space for quantity on hand to be written in. Client staff are about to count the inventory
and complete the stock sheets. The second copies were given to you.
............................................................................................................................................................................
Describe substantive procedures that could verify Boomerang’s inventory valuation. Assume that you have a
comprehensive generalised accounting software package available.
Check your response against the suggested answer at the end of the book.
Source: Parkes et al. 2015.

P df_Folio:199

MODULE 3 Performing the Audit of Historical Financial Information 199

 QUESTION 3.12

Fitzroy Homewares Ltd is a wholesaler of household goods including furniture, kitchen appliances,
soft furnishings and electronic equipment. Fitzroy purchases products directly from the manufac-
turers and sells to a wide range of retailers, both large and small. Fitzroy has around 480 customers.
The terms of agreements between Fitzroy and its customers vary widely in relation to discounts,
credit limits and payment terms. The larger customers have balances of hundreds of thousands of
dollars with amounts up to 60 days old, whereas smaller customers have balances in the thousands
of dollars and generally have payment terms of 30 days.
You are designing your audit testing for the trade debtors’ balance at the year-end and, due to
the large number of customers, you would like to use CAATs to improve the efficiency of the audit.
Design five specific audit procedures that could be carried out using generalised audit software
to test Fitzroy’s trade debtors’ balances.

ADVANCED AUDIT DATA ANALYTIC TECHNIQUES

Rapid changes in technology, including the ability to capture and communicate large volumes of data
digitally, almost instantaneously, has led to companies changing their business models and enquiring about
auditors’ capabilities to handle the changes in data analytics, including data analytics as part of the audit
(IAASB 2016a).
IAASB (2016a) defines ‘data analytics’ when used to obtain audit evidence as:
the science and art of discovering and analyzing patterns, deviations and inconsistencies, and extracting
other useful information in the data underlying or related to the subject matter of an audit through analysis,
modelling and visualization for the purpose of planning or performing the audit (IAASB 2016a, para. 6).

Advanced audit data analytic techniques, which can analyse complete data sets (also commonly referred
to as ‘big data’), can be used at the audit planning stage and as part of the evidence-gathering procedures
to identify and assess risk. These techniques have the ability to analyse complete populations of data and
can identify patterns, correlations, and deviations from expected results. These methods can provide the
auditor with new or additional insights about the entity and its risk environment. They can also improve the
auditor’s knowledge about the transactions that comprise the balances contained in the financial statements.
Audit data analytic techniques can allow external auditors to improve financial statement audits by:
• testing complete sets of data rather than testing samples
• aiding risk assessment through identification of anomalies and trends that the auditors need to investigate
further
• providing audit evidence by analysing all transactions that comprise an account balance (Murphy &
Tysiac 2015).
IAASB (2016a) suggests that the use of data analytics provides the auditor with the opportunity to
gain a more robust understanding of the entity and its environment, which improves the application
of professional scepticism and professional judgment together with the quality of the auditor’s risk
assessments and responses to risks. However, IAASB (2016a) also notes certain limitations of using data
analytics.
• Analysis of data that is not relevant to the audit or unreliable data can negatively impact audit quality.
• Testing 100% of the population does not change the meaning of reasonable assurance or provide more
than reasonable assurance.
• It will not replace professional scepticism and professional judgment.
• It can lead to overconfidence of the auditor.
ASIC (2017) suggests that while the use of data analytics may lead to a more effective audit, there
are risks and limitations in its use. In particular, ASIC warns that auditors need to consider whether the
applications have been properly implemented (e.g. data must be accurate, controls across the data should be
reviewed and tested, exceptions should be investigated, and sufficient documentation should be obtained);
auditors also need to consider whether the results can be relied on. Note that the present International
Standards on Auditing (ISAs) neither prohibit nor stipulate the use of data analytics. However, the title of
IAASB (2016a), Exploring the Growing Use of Technology in the Audit, with a Focus on Data Analytics,
and the related request for comments indicate that the profession is seriously considering the need to
address these issues in future ISAs.
df_Folio:200
P

200 Advanced Audit and Assurance

SAMPLING TECHNIQUES IN SUBSTANTIVE PROCEDURES
As for tests of controls, sampling techniques can also be applied to substantive procedures. When designing
the sample, the auditor may wish to consider using stratification (ISA 530, para. A8), which involves
dividing the population into discrete subpopulations that have an identifying characteristic such as
dollar value (ISA 530, Appendix 1). This enables the sample size to be decreased without increasing
sampling risk.
During sampling for substantive procedures, the sampling unit (i.e. the way the population is broken up)
needs to be determined. It may be:
• a customer account balance (for trade debtors)
• an inventory item
• an individual monetary unit (sale or purchase)
• each individual dollar comprising an account balance.
The definition of the sampling unit depends on the nature of the audit procedures to be applied. For
example, if the objective of the sampling procedure is to test the amount of trade debtors, the sampling
unit may be:
• each individual customer (e.g. assume 2000 customers)
• the transactions for these customers (e.g. the sales and cash receipts transactions that the 2000 customers
undertook during the period covered by the audit)
• each monetary unit comprising the accounts receivable closing balance (e.g. assume the 2000 customers
owe $2 million).
The auditor should choose the sampling unit that will result in the most efficient and effective sampling
application to achieve the particular audit objective.
The approach of using the individual monetary units of an account balance as a sampling unit is known
as monetary unit sampling (MUS), and a description of this approach follows.
Monetary Unit Sampling
Monetary unit sampling (MUS) uses the individual monetary units of an account balance as a sampling
unit. So for a transaction of $100, rather than the transaction being the sampling unit, there will be 100
sampling units, one for each of the individual dollars. The main benefit of the MUS method is that it gives
each item in the population a chance of being selected proportional to its monetary size. Essentially, this
means that larger items are more likely to be selected. Thus, a balance containing $10 000 will be ten times
more likely to be selected than an account containing $1000.
Example 3.13 demonstrates the use of MUS to determine the sampling units to be audited for trade
debtors. Review this example now but consider your response to the posed question before reviewing the
suggested solution at the end of the book.

EXAMPLE 3.13

Monetary Unit Sampling

Assume that the balance of trade debtors is $3 150 000, and that the auditor requires a sample of 30
debtors. The sampling interval is $3 150 000 / 30 = 105 000 monetary units.
Using systematic selection (discussed earlier in this module), every 105 000th monetary unit will be
sampled. The auditor randomly selected a starting point between 1 and the sampling interval – which
resulted in a starting point of 40 000. The debtors examined will be the debtors containing:
• the 40 000th dollar (where individual debtor balances are accumulated on the debtors’ master file)
• the 145 000th dollar (40 000 + (1 × 105 000))
• the 250 000th dollar (40 000 + (2 × 105 000)) and so on up to
• the 3 085 000th dollar (40 000 + (29 × 105 000)).
............................................................................................................................................................................
Assume the auditor has used monetary unit sampling (as already shown) to select the individual monetary
units from within the population for testing. What audit procedure is the auditor likely to use to test the specific
debtors’ balances that contain these selected monetary units?
Check your response against the suggested answer at the end of the book.

MUS selection is usually undertaken using audit software. This technique is relatively easy to use and
results in an evaluation in terms that facilitate audit decisions. MUS is a statistical technique that provides
an estimate of the maximum amount of overstatement of a recorded amount with measurable levels of
Pdf_Folio:201

MODULE 3 Performing the Audit of Historical Financial Information 201

risk (confidence) of making a decision error. Thus, for example, the auditor can estimate the level of
overstatement associated with a 5% risk of misstatement (95% level of confidence). MUS is generally
seen as an efficient sampling procedure. It will usually result in smaller sample sizes where the auditor
expects no errors. It also directs the auditor’s attention to larger account balances, in that it effectively
produces a stratified sample because items are selected in proportion to their monetary unit amounts. If
MUS is combined with systematic selection (discussed earlier), it will automatically include any item that
is individually more significant than the sampling interval.
However, care has to be taken when using MUS. A MUS sample is inappropriate when the auditor is
testing for an understatement because an understatement results in less chance of selection than if it were
correctly stated (the technique will direct the auditor’s attention away from understatements).
Example 3.14 considers the use of MUS when understatements are expected. Review this example now
but consider your response to the posed question before reviewing the suggested solution at the end of
the book.

EXAMPLE 3.14

Monetary Unit Sampling and Understatements

Consider an error that recorded a debtor as owing $10 instead of $1000. If the sampling unit was the
individual debtor, then they would have equal chance of selection irrespective of whether they owed $10
or $1000.
............................................................................................................................................................................
What impact would MUS selection have on the likelihood of this debtor being selected?
Check your response against the suggested answer at the end of the book.

Evaluation of Substantive Procedures Sample Results

The auditor is required to evaluate the sample results and whether the use of sampling has provided a
reasonable basis to conclude on the population (ISA 530, para. 15).
The following steps should be carried out when evaluating the results:
• analyse the deviations detected
• project the errors found in the sample to the population
• assess the risks of an incorrect conclusion.
In analysing deviations, the auditor first considers the qualitative aspects of discovered deviations — that
is, the nature and cause of the deviation. Differences identified could be either issues of timing or errors. An
example of an issue of timing is where a debtor — responding to a positive confirmation request regarding
an outstanding balance — believes they have paid the outstanding balance by 30 June because they sent
the cheque just before year-end. However, the audit client did not receive the cheque by year-end and,
therefore, recorded an outstanding balance as owing at that date. Such timing differences can be checked
against supporting documentation such as cash receipts soon after year-end.
Once assured that the differences are errors rather than timing differences, the errors found in the sample
are projected to the population.
The most common method of projecting the errors found in the sample to the population is illustrated
by example 3.15.

EXAMPLE 3.15

Monetary Unit Sampling and Projecting Errors

Assume that the auditor finds errors totalling $2000 in a randomly drawn sample, which comprises
10% of the population. In this case, the auditor’s best estimate of error in the population is $20 000
(= $2000 / 10%).
The auditor then compares this projected error to some level of error that they are willing to tolerate
(commonly called tolerable misstatement) before they would conclude that this account is materially
misstated.
This tolerable misstatement for the individual class of transactions or account balance being audited
will be an amount less than or equal to the auditor’s performance materiality (ISA 530, para. A3).

df_Folio:202
P

202 Advanced Audit and Assurance

 The auditor needs to then compare the projected misstatement to tolerable error to determine if the sam-
ple provides a reasonable basis for conclusions. The auditor needs to consider if there is an unacceptable
sampling risk that the actual misstatement in the population exceeds the tolerable misstatement (ISA 530,
paras A21–A23).
The third step in the evaluation of substantive sample results is to assess the risks of an incorrect
conclusion based on the sample. This may occur because the sample results may provide information
that leads the auditor to reassess earlier judgments of risk or provide information that risks are higher at
particular times during the year. Under these circumstances, the auditor may ask management to investigate
the identified misstatements or the auditor may tailor the nature, timing and extent of further procedures
(e.g. extend the sample size or modify the audit procedures) (ISA 530, para. A23).

QUESTION 3.13

(a) The total value for the trade debtors account is $1 600 000, consisting of 850 items. The auditor
randomly selected 64 items for testing. The dollar value of the sample of trade debtors selected
for testing is $295 000. Assume the auditor discovered errors totalling $18 408 when conducting
the substantive testing of the sample. Extrapolate the errors to the population and calculate the
total projected error.
(b) If materiality is set at $100 000, evaluate whether the trade debtors’ balance is materially mis-
stated. Justify your decision.

The key points covered in this section, and the learning objectives they align to, are below.

KEY POINTS

3.1 Evaluate the appropriateness of processes and procedures undertaken by auditors, as

applicable to the audit strategy and the audit plan.
• Analytical procedures undertaken at the completion stage of an audit provide an overall review of
the financial statements to corroborate conclusions formed during the audit of individual elements
of the financial statements.
• When an auditor has assessed the entity for risks of material misstatement and identified significant
risks, the auditor should design and perform tests of detail to provide a high level of audit assurance
to the identified significant risks.
• Audit software techniques enable routine audit tasks to be undertaken to enable the auditor to
analyse balances and transactions to identify where there is a higher risk of material misstatement.
The results of the analysis will provide evidence to support the auditor’s decision as to which
account balances and transaction require further audit consideration.
• MUS is a statistical technique used by auditors to evaluate the maximum amount of overstatement
of an account balance with measurable levels of risk (confidence) of making an incorrect decision
as to whether the account is materially misstated.
3.2 Apply processes and procedures to gather sufficient and appropriate audit evidence.
• Analytical procedures assist the auditor in drawing reasonable conclusions on which to form their
opinion.
• Tests of detail are designed and performed to provide a high level of audit assurance to any
identified significant risks.
• During tests of details for a particular class of transaction or account balance, the auditor’s
objectives are to obtain sufficient appropriate evidence concerning management assertions that are
considered material.
• When inventory is assessed as material, the auditor is required to obtain sufficient appropriate audit
evidence regarding its existence and condition by attendance at a physical inventory count, unless
it is impractical.
3.3 Evaluate the sufficiency and appropriateness of the audit evidence gathered.
• In analysing deviations, the auditor considers the qualitative aspects of discovered deviations within
the sample to determine if they are errors rather than timing differences before projecting to the
population. The auditor then compares the projected misstatement to tolerable error to determine
if the sample provides a reasonable basis for conclusions.

P df_Folio:203

MODULE 3 Performing the Audit of Historical Financial Information 203

 3.4 Apply the appropriate standards that relate to the auditor’s response to assessed risks.
• ISA 520 Analytical Procedures identifies auditor considerations when designing and performing
substantive analytical procedures.
• ISA 505 External Confirmations. External confirmations provide evidence about the completeness
of a liability and the existence of an asset. They also provide evidence on whether the amount has
been accurately recorded in the accounting records (accuracy assertion) and in the appropriate
accounting period (cutoff assertion).
• Electronic bank confirmations are addressed in ISA 505 and GS 016 Bank Confirmation Requests.
• ISA 501 Audit Evidence — Specific Considerations for Selected Items outlines the requirement for
the auditor to attend a physical inventory count unless it is impractical.

3.4 EVIDENCE-GATHERING IN AN
E-COMMERCE ENVIRONMENT
This section considers the evidence-gathering steps used by the auditor in the e-commerce environment,
which has become the norm. What must clearly be remembered is that the audit objective — reducing the
risk of material misstatement in the financial statements to an acceptably low level — does not change in
an e-commerce environment.

TESTS OF CONTROLS IN AN E-COMMERCE ENVIRONMENT

There are two major types of e-commerce environments:
1. business-to-business
2. business-to-consumer.
Business-to-business e-commerce involves companies buying from and selling to each other online. A
common example of this is where many large businesses transact with their suppliers online so that they
can more immediately order from and pay these trade creditors.
The business-to-consumer environment applies to any business that sells its products or services over
the internet, such as online booksellers.
There are some controls that will be common across all e-commerce environments, including security
infrastructure, firewalls and encryption controls, although they will differ in significance and extent.
There are also differences in controls and risks of material misstatement between these two e-commerce
environments. One of the main differences is in the area of authorisation.
In a business-to-business e-commerce environment, there are a limited number of known parties with
whom the business is transacting. There is usually an authorisation system that permits e-commerce
transactions between the two business partners. Testing of the authorisation system will usually be
conducted as part of the review of the general controls. If the authorisation involves entering unique
identifier codes (e.g. approved customer/supplier numbers), the auditor may use test data techniques to
check that only valid identifier codes have been entered.
Authorisation of business-to-consumer transactions is different, and the authorisation of transactions is
on many occasions established through the payment system. It usually involves the use of a credit card and
verification of the credit card details. The auditor will check the controls set up in the entity to ensure that
proper control checks are undertaken.
Appropriate authorisation controls will help to ensure the authenticity of transactions. Other controls
that the auditor will consider are the use of acknowledgements to verify e-commerce transactions between
trading partners and the use of audit trails. Acknowledgements can verify all details of the transactions as
well as include specific information, such as the time, message size and status of transactions. Audit trails
may include activity logs of accepted and rejected messages, acknowledgments and times of processing.
These controls are evaluated as part of the auditor’s general controls review. This process also provides
audit evidence as to the occurrence, accuracy and completeness of transactions. Other audit evidence that
the auditor may seek for completeness includes evidence of the sequential control of transactions with
exception reporting for missing or duplicated transaction numbers or for out-of-sequence messages.
As with other audit engagements, it is necessary for the auditor to undertake an evaluation of controls
within an e-commerce environment. In engagements involving e-commerce, the auditor cannot gain an
df_Folio:204
P

204 Advanced Audit and Assurance

understanding of the business and assess the risk of material misstatement without evaluating the control
environment.
In an e-commerce environment, electronic records may be more easily destroyed or altered than paper
records without leaving evidence of such destruction or alteration. The auditor should, therefore, consider
whether the client’s security controls are adequate to prevent unauthorised changes to the accounting
system or records. Related controls testing when evaluating the integrity of the electronic evidence may
include:
• record integrity checks
• electronic date stamps
• digital signatures
• version controls.

SUBSTANTIVE TESTING IN AN E-COMMERCE ENVIRONMENT

Testing of controls in an e-commerce environment is important because systems are more open to external
transactions (through direct access and direct recording). As in any audit, the extent of substantive testing
will depend upon the extent to which tests of controls are undertaken.
Regardless of the information environment, there should always be evidence to support the account
balances contained in the financial statements. Therefore, the auditor should be able to verify these amounts
using substantive audit procedures discussed earlier in this module. Consider trade payables for example.
There should be a list of payables that supports the payables amount contained in the financial statements.
Audit procedures, such as the review of subsequent payments, can then be undertaken on these figures.
There are assertions to which the auditor may have to pay closer attention.
• Under rights and obligations, does the inventory meet the tests for classification as an asset?
• Does the entity own the inventory or does it just act as an intermediary between two parties to facilitate
a transaction?
• If the entity only acts as an intermediary, what is the appropriate measurement of revenue, and at what
stage should it be recognised?

USING CAATs IN AN E-COMMERCE ENVIRONMENT

Both audit software techniques and test data techniques are often used by auditors to gather evidence in
an e-commerce environment. The need for such techniques has increased as a consequence of the level
of integration of e-commerce systems with other operating systems — as well as the complexities of the
systems in use (and the consequential higher assessment of risk) and the availability of audit trails. In
particular, the auditor should ensure that there is access to all data in the database.

ADVANCED AUDIT DATA ANALYTIC TECHNIQUES AND

CONTINUOUS AUDIT IN AN E-COMMERCE ENVIRONMENT
Advanced audit data analytic techniques that were discussed earlier in this module are particularly
applicable to e-commerce environments. As discussed earlier, these techniques have the ability to analyse
complete populations of data in order to identify patterns, correlations and deviations from expected results.
As such, in systems containing highly automated controls, such as e-commerce systems, they have the
potential to provide efficient and reliable audit techniques.
At the same time, the use of these advanced audit technologies and methodologies will allow auditors to
provide more continuous auditing, which is described in more detail in module 5. The recent advances
in technology to analyse the large amounts of data captured allows for more frequent or continuous
monitoring of transactions by external auditors. This can also benefit auditors by:
• making it possible for them to spread audit work throughout the year
• identifying potential risks of misstatement earlier
• having the ability to modify audit plans to better address risks of material misstatement.
Example 3.16 looks at the audit implications of auditing an e-commerce system. Review the example
now and consider your response to the posed questions before reviewing the suggested solution at the end
of the book.

Pdf_Folio:205

MODULE 3 Performing the Audit of Historical Financial Information 205

 EXAMPLE 3.16

Auditing an E-Commerce System

An auditor has been asked to provide an assurance service on the purchasing system for Pet Ltd,
a large pet store. This store transacts all purchases through a business-to-business e-commerce hub. All
suppliers that participate in this hub were included on the suppliers’ list only after an extensive approval
procedure undertaken by the manager of the business-to-business e-commerce hub.
A standard inventory list contains each inventory item with a unique bar code which comprises its
inventory number. The inventory master file contains the following fields:
• inventory number
• description
• agreed cost price
• number of inventory items on hand
• total cost
• reorder point
• amount to be reordered
• date of last purchase
• total purchases year-to-date
• date of last sale
• total sales year-to-date
• last date of inventory count
• number of inventory counts for year-to-date.
Inventory is identified as needing to be purchased if the ‘number of inventory items on hand’ field falls
below the ‘reorder point’ field in the inventory master file. The comparison of these two fields is undertaken
after the close of business each day, which results in the generation of a daily purchase requisition list.
The system automatically produces a purchase order for each inventory item that is reordered for a
specified reorder amount. Each purchase order generated is checked by the purchasing manager and, if
approved, electronically submitted to the e-commerce hub. The suppliers tender for the order by the end
of the business day, and the lowest price is accepted. The accepted supplier is expected to deliver the
goods on the next day. If the accepted supplier cannot deliver on the next day, their status as an approved
supplier on the e-commerce hub is reviewed.
For internal purposes, the system at Pet Ltd also generates a pro forma, pre-numbered goods received
note (GRN), a copy of which is electronically sent to a terminal at the loading dock. When goods arrive,
they are checked against the GRN by a storeperson. If there are no changes, the storeperson can approve
the GRN, and the system will automatically update the inventory master file and creditors file. Any changes
to the GRN, of which there are few in practice, must be checked a second time before being submitted.
A sequence check of GRNs for which goods are not received is automatically generated each day.
Inventory stocktakes are held each month, with items being counted on a rotation basis. Every inventory
item should be counted at least six times a year.
............................................................................................................................................................................
1. (a) What general controls are in place to reduce the specific audit risks associated with the use of a
business-to-business e-commerce hub.
(b) Would the risks be greater or less if this was a business-to-consumer e-commerce system? Why?
2. (a) How could the auditor use test data in ensuring the completeness and accuracy of the inventory
master file?
(b) Provide two examples related to program controls that are or would be expected to be seen in the
purchases/inventory system of Pet Ltd.
3. What three exception reports could the auditor generate using audit software in testing the accuracy,
valuation and allocation assertion associated with inventory? How would the auditor use these reports?
Check your response against the suggested answer at the end of the book.

The key points covered in this section, and the learning objectives they align to, are below.

KEY POINTS

3.1 Evaluate the appropriateness of processes and procedures undertaken by auditors, as

applicable to the audit strategy and the audit plan.
• Audit objectives remain the same in an e-commerce environment compared to any other
environment — the application of tests of controls and substantive procedures to reduce audit
risk to an acceptably low level.

df_Folio:206
P

206 Advanced Audit and Assurance

 • Advanced audit data analytic techniques have the ability to analyse complete populations of data in
order to identify patterns, correlations and deviations from expected results; as such, they have the
potential to provide efficient and reliable audit techniques especially in systems containing highly
automated controls, such as e-commerce systems.
3.2 Apply processes and procedures to gather sufficient and appropriate audit evidence.
• It is necessary for the auditor to undertake an evaluation of controls within an e-commerce envi-
ronment, including controls related to authorisation of transactions, and security of the accounting
system and records.
• The extent of substantive testing depends upon the extent to which tests of controls are undertaken.
The auditor should be able to verify account balances contained in the financial statements using
substantive audit procedures.
• Advanced audit data analytic techniques are suitable methods for gathering sufficient and appro-
priate audit evidence.

3.5 ADVANCED EVIDENCE-GATHERING ISSUES

Auditors face many advanced evidence-gathering issues relating to an audit of historical financial state-
ments. These issues cover areas such as related parties and group financial statements. Audit procedures
regarding related party transactions and relationships are covered in this section. Further advanced issues
that are considered at the completion stage of the audit will be discussed in module 4, such as consideration
of laws and regulations, presentation and disclosure of segment information, litigation and claims and
subsequent events.

AUDIT PROCEDURES FOR RELATED PARTIES

Many related party transactions occur in the normal course of business and may carry no higher risk of
material misstatement. Because of the nature of related party relationships and transactions, the auditor
usually has a higher level of professional scepticism towards any transactions or relationships with related
parties. This is because:
• related parties may occur through complex business structures, with a corresponding increase in the
complexity of related party transactions
• systems and processes in an entity may be ineffective at identifying transactions or outstanding balances
with a related party, and many accounting frameworks require specific disclosures of such transactions
and account balances
• related party transactions may not be conducted under normal market terms and conditions.
As part of their fraud risk assessment (discussed in module 2), the auditor is required by ISA 550 Related
Parties to obtain a sufficient understanding of related party relationships and transactions to be able to
recognise fraud risk factors arising from any related party events. This is to enable the auditor to conclude
that the financial statements, insofar as they are affected by these events, still achieve fair presentation
(discussed in module 4). The auditor should also be able to conclude that related party events have been
appropriately identified, accounted for and disclosed in accordance with the applicable financial reporting
framework (ISA 550, para. 9).
The risk assessment procedures undertaken by the auditor include enquiries of management regarding
the identity of related parties, the nature of their relationships with the entity and the details of any transac-
tions entered into with related parties. The auditor should also gain an understanding, principally through
enquiries of management, of the control framework that management has established to identify, account
for and disclose related party transactions, and to authorise and approve any significant transactions,
especially outside the normal course of business terms. At all times, the auditor should remain alert for any
evidence of the existence of related party information and events. In particular, the auditor should inspect
the following documents and records for related parties not previously disclosed or identified:
• minutes of meetings of shareholders and of those charged with governance
• bank and legal confirmations
• any other records as considered necessary.
In SMEs, identifying related party transactions can often be difficult. If the SME uses a standard software
package, the auditor should obtain an electronic copy of the transactions and import them into a spreadsheet
Pdf_Folio:207

MODULE 3 Performing the Audit of Historical Financial Information 207

for testing. This will allow sorting and configuring the selection criteria to obtain information about
customers and suppliers with only a few large transactions or those with significant transactions of an
unusual size and nature.
If risks of material misstatement are identified, the auditor is required to respond to these assessed risks
appropriately. The risks will mainly be associated with management not identifying or disclosing related
party relationships to the auditor. Where such relationships are identified over the course of the audit,
the auditor will need to perform appropriate substantive procedures on these transactions or events and
consider the risk that other unidentified relationships may exist. The auditor should also ask management to
identify all related party transactions with the newly identified related parties and enquire why the entity’s
controls over related party transactions appear to have failed. If the non-disclosure by management appears
to be intentional, the auditor should evaluate the implications for the audit of risk of material misstatement
due to fraud.
If significant related party transactions outside the normal course of business are identified, the auditor
should inspect all documentary evidence, including contracts and any other agreements, and attempt to
evaluate the business rationale for the transactions. A lack of a business rationale may suggest that there
is a higher risk of fraud associated with these transactions. A further risk of material misstatement exists
around the disclosure of such events, and the auditor should examine the draft disclosures to see whether
they are in accordance with the reporting framework and whether they prevent the financial statements
from being fairly presented.
Auditors should consider possible fraud when there are indications that a dominant influence may exist,
including when the related party has:
• played a leading role in founding the entity and maintains a leading role in managing the entity
• vetoed significant business decisions
• final approval for significant transactions
• initiated business proposals with little or no debate among management or those charged with gover-
nance
• made transactions with the entity which are not independently reviewed or approved.
In SMEs, these procedures are likely to be less complex and more informal. Management may not
readily have information about related parties as it is unlikely that the accounting systems would have
been designed to identify related parties. Therefore, the auditor may need to make enquiries and review
accounts with specific parties, etc. beyond the accounting records and disclosures in the accounts (IFAC
2018a).
The following audit procedures should be performed by the auditor in responding to the identified risks
of material misstatement associated with related parties.
• Ask management to identify all related party transactions.
• Confirm the existence of related parties.
• When related parties were not previously identified, consider:
– fraud
– the failure of any related party identification controls
– the risk that other undisclosed related parties or their transaction may exist.
• Perform additional audit procedures to identify unidentified related parties.
• Perform appropriate substantive audit procedures.
• Inspect underlying contracts and agreements and evaluate whether:
– rationale suggests possible fraudulent financial reporting
– rationale suggests possible misappropriation of assets
– transactions are accounted for and disclosed appropriately
– terms agree with management’s explanations.
• Ensure transactions have been appropriately approved and authorised.
• Obtain sufficient appropriate audit evidence about management’s assertions about the nature and extent
of related party transactions.
• Consider the collectability and valuation of any period-end balances.
• Consider whether external confirmation of the balances would provide reliable evidence.
Further details of the risk assessment procedures and the auditor’s responses to assessed risk for related
parties are contained in ISA 550, paragraphs 11–25. Read these sections and the associated application
and other explanatory material now.

Pdf_Folio:208

208 Advanced Audit and Assurance

 Example 3.17 provides background information on a client. Work through the example now and consider
your responses to the posed questions about identifying risks that may require further investigation before
checking the suggested solution at the back of the book.

EXAMPLE 3.17

Related Party Transaction Risk

Clark Ltd, a company listed on the securities exchange in Australia, imports swimming pools and pool
chemicals from Malaysia. Clark Ltd has been listed for a number of years and has over 200 shareholders,
with the Clark family holding 51% of the voting shares. There are three directors, all from the Clark family:
Jim Clark, the chairman and non-executive director; his daughter, June Clark, the CEO; and his other
daughter, Susan Chan. (Susan has recently married a wealthy businessman from Malaysia, Wing Chan,
well known to have a number of mining interests in Australia.)
During discussions with management, the auditor enquired as to whether there had been any related
party transactions. The people attending these discussions were the CEO, June Clark, and the CFO,
Yang Xu. Both informed the auditor that there had been no related party transactions and that this was
consistent with prior years. This was consistent with the auditor’s knowledge of the previous year’s audit.
The auditor meets with the audit team at the planning stage of the audit and assesses the risk of material
misstatement due to related party transactions as low. In accordance with the auditing standards, the
auditor asks the audit team to remain alert for any evidence of the existence of related party information
and events.
During the course of the audit, the auditor becomes aware of the following events.
• The Clark family has been approached with an offer by China Overseas Company, a leading Chinese
company, to buy their 51% shareholding. The Chinese company is considering making a full takeover
offer (acquiring 100%) for the voting shares of Clark Ltd.
• Clark Ltd has sold a lucrative segment of its business, the pool chlorine line, to a private Malaysian
entity. This appears to be at a price that is significantly lower than the expected market price, although
management states that this was because there is a threat of an additional competitor from China
looking to import pool chlorine into Australia. A follow-up on the details of the contract shows that the
Malaysian entity is a joint venture between Wing Chan and the Clark family.
• With the proceeds from the sale of the pool chlorine segment of the business, Clark Ltd has purchased
some mining tenements that are undertaking exploration work for uranium. There are some indications
that the tenements may contain a significant uranium deposit. Discussions with the company suggest
that the business rationale for this transaction is an attempt to diversify the activities of the company
and get future access to the potentially lucrative uranium market.
............................................................................................................................................................................
1. On the basis of these facts, should the auditor reassess the risk of material misstatement for Clark Ltd?
State reasons to justify your decision.
2. Use these facts to determine the appropriate response to assessed risk in accordance with the require-
ments of the auditing standards.
Check your response against the suggested answer at the end of the book.

QUESTION 3.14

In response to your assessed level of risk regarding related parties, you have selected the following
audit procedures in accordance with ISA 550 Related Parties, paragraph A32.
• Confirm specific aspects of transactions with intermediaries, such as banks.
• Confirm the purpose of related party transaction with the related parties.
• Read financial statements of the related party to verify substance of transactions.
Which of the following scenarios is most likely in this situation?
(a) The auditor has identified related parties not previously disclosed by management.
(b) The auditor has assessed a high risk of undisclosed related parties.
(c) The auditor has assessed a high risk of material misstatement due to a dominant related party.

The key points covered in this section, and the learning objectives they align to, are below.

Pdf_Folio:209

MODULE 3 Performing the Audit of Historical Financial Information 209

 KEY POINTS

3.2 Apply processes and procedures to gather sufficient and appropriate audit evidence.
• Auditors obtain a sufficient understanding of related party relationships and transactions to be able
to recognise fraud risk factors arising from any related party events.
3.4 Apply the appropriate standards that relate to the auditor’s response to assessed risks.
• ISA 550 Related Parties provides guidance on how auditors obtain a sufficient understanding of
related party relationships and transactions to be able to recognise fraud risk factors arising from
any related party events.

3.6 USING THE WORK OF OTHER AUDITORS

AND EXPERTS
When auditors make use of work that has been performed by other auditors or experts, they remain
responsible for forming and expressing an opinion on the financial information. Therefore, auditors need
to obtain reasonable assurance that the work performed by these other auditors or experts is adequate for
their purposes. The ISA 600 series covers using the services of other auditors and experts.
There are three standards in the ISA 600 series:
• ISA 600 Special Considerations — Audits of Group Financial Statements (Including the Work of
Component Auditors)
• ISA 610 (Revised) Using the Work of Internal Auditors
• ISA 620 Using the Work of an Auditor’s Expert.
Using the work of each of these auditors and experts is now considered. The use of the work of
management’s experts, for which there is no separate standard, is also covered.

COMPONENT AUDITORS
ISA 600 Special Considerations — Audits of Group Financial Statements (Including the Work of
Component Auditors) provides guidance when undertaking group audits, especially with regard to the work
of other auditors — called component auditors — who perform work on financial information related to
a component for a group audit (e.g. a subsidiary). When relying on the work of a component auditor, the
group auditor should:
• assess whether the component auditor understands and complies with the relevant ethical requirements,
in particular, the independence requirements
• obtain information regarding the professional competence of the component auditor
• be involved in the work of the component auditor to an extent that ensures that sufficient appropriate
audit evidence is obtained
• understand the regulatory requirements that actively oversee the component auditor (ISA 600, para. 19).
If a component of the group, such as a subsidiary, is significant because of its financial significance
to the group, an audit that employs a materiality level for that component or group must be performed
on that component’s financial information. In practice, financial significance is commonly assessed as a
component that contributes more than 15% of the chosen benchmark, commonly net profit before tax, for
the group (ISA 600, para A5). A component of the group may also be assessed as individually significant
because it is likely to include significant risks of material misstatement for the group. In these situations,
an audit of either the component’s financial information as a whole or those specific areas containing the
risks needs to be undertaken (ISA 600, paras 26–7). For components that are not significant, analytical
procedures performed at the group level may provide sufficient appropriate evidence (ISA 600, para. 28).
It is required that the planned scope of the group audit be such that sufficient appropriate evidence on
which to base the group audit opinion is obtained (ISA 600, para. 29).
For significant components, the group auditor becomes involved in the component auditor’s risk
assessment to identify significant risks of material misstatement of the group’s financial statements. The
group auditor also requests the component auditor to communicate to them any matters relevant to their
conclusion regarding the group audit. A list of these matters is contained in ISA 600, paragraph 41, and
includes the uncorrected misstatements of the component’s financial information, indicators of possible
df_Folio:210
P

210 Advanced Audit and Assurance

management bias and a description of any identified significant deficiencies in the component’s internal
controls. The group auditor reviews this communication to make sure that it is sufficient and appropriate
for their purposes and discusses significant matters arising from the review with the component auditor,
component management or group management as appropriate.
Further details of the risk assessment procedures and the auditor’s responses to assessed risk for
component auditors are contained in ISA 600, paragraphs 17–31. Read these sections and the associated
application and other explanatory material now.
ASIC (2019) describes instances where auditors did not perform sufficient work on the work of other
auditors of group companies. They include that the auditor did not:
• ascertain the work performed by the component auditor, even though significant risks were identified
• adequately review and evaluate reports from component auditors
• evaluate the competence and independence of component auditors.

INTERNAL AUDITORS
As described in ISA 610 (Revised), paragraph 8, if the external auditor determines that the work performed
by an internal audit function is likely to be relevant to the external audit, they need to determine whether,
and to what extent, they can use the specific work of the internal auditor. If using this work, the external
auditor needs to assess whether it is adequate for the purposes of the audit (see figure 3.5).
In determining whether, and to what extent, the internal auditor’s work can be used, the external auditor
needs to determine the extent to which this work is adequate for the purposes of the audit (ISA 610
(Revised), para. 13). This requires an evaluation of the internal audit function’s:
• organisational status and relevant policies and procedures
• level of competence
• application of a systematic and disciplined approach (ISA 610 (Revised), para. 15).
To prevent undue reliance on the work of the internal audit function, the external auditor should plan to
use less of the internal audit function’s work and perform more of the work directly when:
(a) more audit judgment is involved
(b) the assessed risk of material misstatement at the assertion level is higher
(c) there are concerns about organizational status and relevant policies and procedures of the internal audit
function
(d) there is a lower level of internal audit competence (ISA 610 (Revised), para. 18).

Note that the Australian standard ASA 610 differs from ISA 610 (Revised) in that the Australian standard
does not allow internal auditors to provide direct assistance to the external auditor. Direct assistance is
the use of an internal audit to perform audit procedures under the direction, supervision and review of an
external audit. For example, in a group audit, this means that internal auditors cannot be the ones conducting
an audit or review of an overseas subsidiary of that group. This is to strengthen the external auditor’s
independence and to ensure that the external auditor takes responsibility for the audit work undertaken.
The work of internal auditors should not be relied upon to the same extent as work performed by the
external audit team. This is because internal auditors are not completely independent as they are hired by
the entity and are part of its internal control.
If the external auditor is going to use specific work of the internal auditors, the external auditor will
need to evaluate and perform audit procedures on this work to determine its adequacy for external audit
purposes. This will include:
• discussing with the internal audit function the planned use of their work as a basis for coordinating their
respective activities to obtain an understanding of the procedures performed and the major findings
(ISA 610 (Revised), para. 21)
• reading the reports of the internal audit function relating to the work of the function that the external
auditor plans to use (ISA 610 (Revised), para. 22)
• undertaking audit procedures on the work of the internal audit function to determine its adequacy for
reliance by the external auditor (ISA 610 (Revised), para. 23).
Further details of the risk assessment procedures and the auditor’s responses to assessed risk for
internal auditors are contained in ISA 610 (Revised), paragraphs 15–25. Read these sections and the
associated application and other explanatory material before proceeding.

Pdf_Folio:211

MODULE 3 Performing the Audit of Historical Financial Information 211

 FIGURE 3.5 Use of internal auditors’ work

Internal auditors

Internal auditors’ work Direct assistance

ISA 610
ASA 610
(Revised)
Is it relevant to the
Don’t use
external audit?

Don’t use

Is it adequate for the

purposes of the Don’t use
external audit?

• Organisational status of internal

audit team?
• Policies and procedures used?
• Level of competence?
• Systematic and disciplined approach?

External auditors

External auditor may use internal External auditor may use direct
auditor’s work in combination with: assistance of internal auditor with:
• discussion with internal audit team • appropriate direction
• reading the internal audit reports • appropriate supervision
• undertaking audit procedures • appropriate review.
on the internal audit function.

QUESTION 3.15

During the audit of JLJ Ltd, you have been assigned the task of evaluating the work performed by
the entity’s internal auditor on certain specific areas.
Differentiate between the internal and external audit functions with respect to:
• independence
• objectives
• reporting.

df_Folio:212
P

212 Advanced Audit and Assurance

USING THE WORK OF AN AUDITOR’S EXPERT
Auditors are required to have expertise in accounting and auditing, but there are many times when expertise
in fields other than accounting or auditing is necessary to obtain sufficient appropriate evidence. The
specialists who provide this expertise are engaged either by the audit firm (auditor’s expert) or by the
client (management’s expert). These areas of expertise include such matters as the:
• valuation of complex financial instruments or works of art
• identification and valuation of assets that may have become impaired
• actuarial calculation of liabilities associated with insurance contracts
• estimation of oil and gas reserves.
The auditor’s determination of whether to use the work of an auditor’s expert and, if so, whether the
work undertaken is adequate for their purposes is covered by ISA 620. An auditor’s expert is defined as
someone who possesses expertise in a field other than accounting or auditing but whose work is used by
the auditor to assist in obtaining sufficient appropriate evidence (ISA 620, para. 6(a)).
In assessing the need for an auditor’s expert and in deciding who would be appropriate, the auditor
should consider:
• the nature and risk of material misstatement of the matter to which the expert’s work relates
• the significance of the expert’s work for the audit
• the auditor’s previous knowledge of and experiences with that expert
• whether the expert is subject to the audit firm’s quality control policies and procedures (ISA 620,
para. 8).
The auditor needs to have a sufficient understanding of the expert’s field of expertise to allow them to:
• determine that the nature, scope and objectives of the expert’s work are sufficient for their purpose
• evaluate the adequacy of the work undertaken by the expert (ISA 620, para. 10).
This includes evaluating the relevance and reasonableness of the expert’s findings and their consistency
with other audit evidence, the relevance and reasonableness of any assumptions, the evidence-collection
methods, and the relevance, completeness and accuracy of any source data used.
The auditor should not refer to the work of an auditor’s expert in an auditor’s report containing an
unmodified opinion unless required by law or regulation (ISA 620, para. 14). This is to ensure that the
auditor’s sole responsibility for the audit opinion is not confused or diminished.
Further details of the risk assessment procedures and the auditor’s responses to assessed risk when
using the work of an auditor’s expert are contained in ISA 620, paragraphs 7–13. Read these sections
and the associated application and other explanatory material now.

QUESTION 3.16

You are an audit senior, and your firm audits Big Mine Ltd, a large mining company that operates
all over Australia. Big Mine Ltd owns some highly specialised mining tools and equipment held at
various remote regions across the country. Your firm has engaged an expert to carry out a physical
audit check of the equipment and tools at each location, and to perform an independent valuation
of each material asset.
(a) Identify two key assertion(s) at risk in relation to the asset balances in the financial statements.
(b) Describe the audit procedures you would perform to gather sufficient appropriate audit
evidence on each of these assertions.

USING THE WORK OF MANAGEMENT’S EXPERTS

A management’s expert is defined in ISA 500, paragraph 5, as ‘an individual or organisation possessing
expertise in a field other than accounting or auditing, whose work in that field is used by the entity to assist
the entity in preparing the financial statements’, for example, an actuary, valuer or engineer.
There is no separate standard covering the use of the work of management’s experts. If relying on the
work of management’s expert, the auditor must do the following (ISA 500, para. 8).
1. Evaluate the capabilities, competencies and objectivity of the expert. This can be assessed by:
• examining and understanding the expert’s qualifications and confirming membership in professional
bodies or associations
• gaining knowledge of some of their prior work, as well as their reputation
• ascertaining whether the work has been undertaken in accordance with technical or industry standards
Pdf_Folio:213

MODULE 3 Performing the Audit of Historical Financial Information 213

 • being cognisant of any threats to objectivity that may affect the results of the work of management’s
expert, including threats such as self-interest, advocacy, familiarity and self-review, that were
discussed in relation to the independent auditor in module 2.
2. Obtain an understanding of the work of management’s expert. This can be gained by:
• identifying the professional standards and regulatory requirements that apply
• understanding the assumptions made and the methods used by the expert and whether they are
generally accepted.
3. Evaluate the expert’s work, including the reasonableness of the expert’s findings and their consistency
with other audit evidence.
If the auditor determines that it is appropriate to rely on the work of the management’s expert in the area
in which they have assisted the entity in preparing the financial statements, the auditor then ensures that
the expert’s findings or conclusions are accurately reflected in the financial statements.
The auditor does not refer to the work of the expert in an auditor’s report containing an unmodified
opinion, because doing so may be construed by the reader as an attempt by the auditor to reduce their
responsibility for the auditor’s opinion. If the auditor does make reference to the expert’s work in the
auditor’s report, it must be because the reference is relevant to understanding a modification to the
auditor’s opinion. It must be clear in the auditor’s report that such a reference does not reduce the auditor’s
responsibility for their opinion.
ASIC’s audit inspection program (ASIC 2019) identified commonly deficient practices when the
auditor relied on the work of management’s experts. It was recognised that where financial reports
involve complex or subjective matters requiring specialist skills or knowledge (e.g. valuation of assets,
impairment assessments), audited entities often obtain advice from their own external or internal experts
(management’s experts), and sometimes the auditor also needs to seek their own expert advice. In a number
of cases, auditors were identified as relying on management’s experts without evaluating or testing the work
of management’s experts or obtaining sufficient evidence to support the reasonableness of the assumptions
that were used by management’s experts.
Additional detail on how the auditor assesses the reliability of the information produced by a
management’s expert is contained in ISA 500, paragraphs A35–A49. Read this application and other
explanatory material now.
The key points covered in this section, and the learning objectives they align to, are below.

KEY POINTS

3.1 Evaluate the appropriateness of processes and procedures undertaken by auditors, as

applicable to the audit strategy and the audit plan.
• For significant components, the group auditor becomes involved in the component auditor’s risk
assessment to identify significant risks of material misstatement of the group’s financial statements.
• In determining whether, and to what extent, the internal auditor’s work can be used, the external
auditor needs to determine the extent to which this work is adequate for the purposes of the audit.
• The auditor determines whether to use the work of an auditor’s expert and, if so, whether the work
undertaken is adequate for their purposes.
• If the auditor determines that it is appropriate to rely on the work of the management’s expert in the
area in which they have assisted the entity in preparing the financial statements, the auditor then
ensures that the expert’s findings or conclusions are accurately reflected in the financial statements.
3.2 Apply processes and procedures to gather sufficient and appropriate audit evidence.
• The auditor may use the work of others as outlined in the ISAs to gather sufficient and appropriate
audit evidence on which to base their conclusions.
3.4 Apply the appropriate standards that relate to the auditor’s response to assessed risks.
• ISA 600 Special Considerations — Audits of Group Financial Statements (Including the Work of
Component Auditors) provides guidance to auditors when auditing a group’s financial statements
and includes guidance on using the work of component auditors.
• ISA 610 (Revised) Using the Work of Internal Auditors outlines the extent to which the work of an
internal auditor can be used.
• ISA 620 Using the Work of an Auditor’s Expert covers the use of work completed by an auditor’s
expert.

df_Folio:214
P

214 Advanced Audit and Assurance

3.7 AUDIT DOCUMENTATION
There are mandatory requirements in ISA 230 relating to documentation. Documentation should be
prepared on a timely basis to allow an experienced auditor to understand the:
1. nature, timing and extent of audit procedures performed
2. results of audit procedures and audit evidence obtained
3. significant matters identified and conclusions reached thereon (ISA 230, para. 8).

Audit documentation needs to provide evidence of the auditor’s basis for a conclusion and that the
audit was planned in accordance with applicable auditing standards and legal and regulatory requirements
(ISA 230, para. 2).
Preparing sufficient and appropriate audit documentation on a timely basis helps to enhance the quality
of the audit and facilitate the effective review and evaluation of the audit evidence obtained and conclusions
reached before the auditor’s report is finalised. The auditor can only rely on documented evidence. One
way to view this is to say, ‘If it is not documented, it is not done’.
ISA 230 considers significant matters, and the related significant judgments are discussed in
ISA 230, paragraphs A8–A11. You should refer to those paragraphs now.
The form, content and extent of audit documentation will vary between audits and will depend on such
factors as the nature of the audit procedures to be performed and the extent of judgment required. Little
guidance is given to the auditor regarding exactly how much documentation is required. The problem the
auditor faces is that, if an issue has been considered but not documented, it may be difficult to convince
others in later inspections that the issue actually has received consideration.
ISA 230, paragraph 10, states that ‘the auditor shall document discussions of significant matters with
management, those charged with governance, and others, including the nature of the significant matters
discussed and when and with whom the discussions took place’. ‘Others’ includes personnel within the
entity and external parties providing professional advice to the entity.
ISA 230 puts considerable emphasis on the importance of the assembly and maintenance of an audit file.
Auditors are required to complete the assembly of an audit file usually within 60 days from the date of the
auditor’s report. Internationally, following ISQC 1, the audit file retention period for audit engagements
is ordinarily not less than five years from the date of the auditor’s report. In Australia, the auditor cannot
discard or delete audit documentation during the retention period (under s. 307B of the Corporations Act,
it is seven years or an earlier date to be determined by ASIC). We will discuss audit file requirements
further after briefly examining the need to maintain security and confidentiality of client data.

SECURITY AND CONFIDENTIALITY OF CLIENT DATA

Accounting firms need to maintain sufficient controls to protect client data and information contained in
their client audit files. This includes where client data is stored with third parties, such as the cloud. Many
jurisdictions now have legal requirements addressing data security and confidentiality. It is important that
auditors understand these requirements and take the necessary actions to ensure compliance. However,
ownership of the files remains with the audit firm.

AUDIT FILE ORGANISATION

Many ISAs contain documentation requirements that clarify the requirements set out in ISA 230. Audit
firms usually have a firm-wide policy on how the audit files should be organised and indexed. A consistent
approach using a standard indexing system has advantages as it:
• provides consistency between audit files in the firm
• facilitates file review by the various reviewers such as the audit manager, engagement partner,
engagement quality control reviewer and quality control monitors
• enables specific working papers to be located and shared among audit team members easily and quickly
• assists with quality control.
Audit documentation is usually organised into logical sections of work and may be recorded electron-
ically using folders and sub-folders. Each document is given a unique reference number that identifies
where it fits in the overall file. Figure 3.6 illustrates alternative approaches to indexing audit working
papers and documents. Variations are possible combining the two approaches.
Pdf_Folio:215

MODULE 3 Performing the Audit of Historical Financial Information 215

 FIGURE 3.6 Example indexing system for audit documentation (extracts)

Index by Audit phase (extracts from an index)

100–200 Financial Statements and auditor’s report

201–300 Tax returns, etc.

301–400 File completion, such as memos on significant decisions, checklists and management
representation letters
401–500 Audit planning, including audit strategy and materiality

501–600 Risk assessment, including understanding the entity and internal control

601–700 Risk response, including detailed audit plans by financial statement area

701–799 Other supporting documents, such as trial balances and reports

800 Financial reporting frameworks

Index by Financial Statement Area (extracts from an index)

10 Financial statements and auditor’s report

11 File completion memos, checklists, etc.

12 Overall audit strategy

15 Materiality

A Cash

C Receivables

D Inventory

BB Payables

DD Long-term debt

20 Revenues

30 Purchases

40 Payroll

50 Taxation

100 Subsequent events

120 Contingencies

150 Other supporting documents, such as trial balances and reports

EXAMPLES OF AUDIT WORKING PAPERS

Three examples of audit working papers are presented in this section. Figure 3.7 shows an extract from a
memo on possible adjustments relating to testing of inventory. Figure 3.8 shows an extract showing possible
adjustments where misstatements were identified and the action taken. Figure 3.9 shows an example of
an audit program for the audit covering substantive procedures for inventory. Review these examples and
take notice of the detail contained within each document.

FIGURE 3.7 Extract memo — inventory testing

Inventory
Inventory listing from our inventory count did not tie into the final listing — understated inventory by 1800€
and income by 1800€: see WP D. 108.
Audit Response
Error was caused by Ruby not using the final inventory listing. Our substantive procedures will be
expanded to ensure that all adjustments discussed at the count have been reflected in the final listing.
df_Folio:216
P

216 Advanced Audit and Assurance

 Accounts payable Cutoff Error
Ruby did not accrue for a major repair and service to the lathe. Caught during subsequent payments
testing. See WP CC. 110. Affects liabilities and pre-tax income by 900€.
Audit Response
Should expand scope or our cutoff testing, since it appears Ruby was too busy this period to keep a
listing of all expenses paid subsequent to period end that related to fiscal year 20X2. Threshold for testing
lowered to 400€.
Management has agreed to correct these misstatements.
Prepared by: FJ Date: February 24, 20X3
Prepared by: LF Date: March 5, 20X3
Source: IFAC 2018b, p. 240.

FIGURE 3.8 Extract showing possible adjustments

February 18, 20X3

Extract from the Summary of Possible Adjustments — Dephta

Amount of Over (Under) Statement

Circumstances of Pre-tax
Description Occurrence WP Ref. Assets Liabilities Income Equity Corrected?

Errors in New Clerk made D.300 (19 000) (19 000) (15 200) Yes
inventory some mistakes.
valuation
calculation.
Personal Found during 550.8 (4800) (4800) (3840) Yes
expenses paid expense testing.
through Dephta This prompted
and not added some additional
to shareholder work to find similar
account. items.
Customer Review of aging C.305 12 000 12 000 9600 Yes
account over and subsequent
90 days no payments.
subsequent
payments
received.
Total of identified misstatements (7000) (4800) (11 800) (9440)
during the audit
Misstatements corrected by (7000) (4800) (11 800) (9440)
management
Total uncorrected misstatements 0 0 0 0

A cross-reference would also be provided in the listing above to where additional work has been
performed to ensure other similar misstatements do not exist or that the misstatement is not indicative of
a more serious issue such as management override.
Source: IFAC 2018b, p. 239.

QUESTION 3.17

Jackie James is reading the documents prepared by the members of the team working on the audit
of trade debtors for a large client. Jackie is the senior manager assisting the engagement partner,
Ruby Rogers. Jackie and Ruby have worked together on many audits, and Jackie knows the types
of questions that Ruby will ask about the working papers if they are not up to the standard required
by ISA 230 Audit Documentation. Jackie is trying to make sure that all documents are up to the
required standard before Ruby reviewed them.

P df_Folio:217

MODULE 3 Performing the Audit of Historical Financial Information 217

 Jackie is particularly concerned about the documents relating to the trade debtors’ confirma-
tions. This is because the audit assistant who wrote up the confirmation results recommended that
no further work was required. On review of the results, Jackie discovered that the audit assistant
had incorrectly treated ‘no reply’ results as acceptable for a positive confirmation when they are
acceptable only for a negative confirmation. Jackie had ordered further work be done to follow up
these ‘no reply’ results.
Using ISA 230 Audit Documentation and ISA 505 External Confirmations to support your decision,
how would you treat the corrections made to the audit assistant’s recommendations and the addi-
tional work on trade debtors’ confirmations in the working papers?

FIGURE 3.9 Illustrative audit program for substantive procedures of inventories

Prepared by:__________ Date: ___________

Reviewed by: ____________ Date: ___________
XYZ Co. Ltd
Audit program for substantive procedures of inventories
30 June 2020
Substantive procedures W/P ref. Auditor Date
1. Verify totals and agreement of inventory balances and records that will be
subjected to further testing:
(a) Trace opening inventory balances to previous year’s working papers.
(b) Review activity in inventory accounts and investigate unusual items.
(c) Verify totals of perpetual records and other inventory schedules and
their agreement with closing general ledger balances.
2. Perform analytical procedures:
(a) Review industry experience and trends.
(b) Examine an analysis of inventory turnover.
(c) Review relationship of inventory balances with recent purchasing and
sales activities.
(d) Compare inventory balances with expected sales volume.
3. Test details of inventory transactions:
(a) Vouch additions to inventory records and to suppliers’ invoices.
(b) Trace data from purchases to inventory records.
(c) Test cutoff of purchases (receiving) and sales (shipping).
4. Observe the stocktake:
(a) Make test counts.
(b) Look for indications of slow-moving, damaged or obsolete inventory.
(c) Account for all inventory tags and count sheets used in the stocktake.
5. Test clerical accuracy of inventory records:
(a) Recalculate extensions of quantities times unit prices.
(b) Trace test counts to records.
(c) Vouch items on inventory listings to inventory tags and count sheets.
(d) Reconcile physical counts to perpetual records and general ledger
balances.
6. Test inventory pricing:
(a) Examine suppliers’ paid invoices for purchased inventory.
(b) Obtain market quotations and perform lower of cost and net realisable
value test.
(c) Review perpetual inventory records and purchasing records for
indications of current activity.
(d) Compare inventories with current sales catalogue and sales reports.
(e) Enquire about slow-moving, excess or obsolete inventories and
determine need for write-downs.
7. Confirm inventories at locations outside the entity.
8. Examine consignment agreements and contracts.
9. Confirm agreements for assignment and pledging of inventories.
10. Review disclosures for inventories in drafts of the financial statements
and determine conformity with the Corporations Act and applicable
accounting standards.

Source: Leung et al. 2018.

df_Folio:218
P

218 Advanced Audit and Assurance

 The key points covered in this section, and the learning objectives they align to, are below.

KEY POINTS

3.1 Evaluate the appropriateness of processes and procedures undertaken by auditors, as

applicable to the audit strategy and the audit plan.
• Auditors need to document the evidence gathered during the audit as it enhances the quality
of the audit and facilitates the effective review and evaluation of the audit evidence obtained
and conclusions reached before the auditor’s report is finalised. The auditor can only rely on
documented evidence.
• Auditors need to maintain sufficient controls to protect client data and information contained in
client files, including where client data is stored with third parties, such as the cloud.
3.4 Apply the appropriate standards that relate to the auditor’s response to assessed risks.
• ISA 230 Audit Documentation outlines the requirements of audit documentation in that it needs
to provide evidence of the basis for the auditor’s conclusion and that the audit was planned in
accordance with applicable auditing standards and legal and regulatory requirements.

3.8 EVALUATION OF AUDIT EVIDENCE

The auditor is required to evaluate the audit evidence to ensure appropriate procedures have been under-
taken based on the audit strategy and the audit plan (described in module 2). All material misstatements
identified during the audit need to be evaluated, including those due to fraud. In addition, auditors need to
ensure that they have collected sufficient appropriate audit evidence on which to base their audit opinion.
Sufficient appropriate audit evidence is required to reduce the risks of material misstatement in the financial
report to an acceptably low level. It is important to remember that there is always a risk of undetected
misstatements in the financial report due to the inherent limitations of an audit.
Based on evidence obtained from tests of controls and substantive procedures, it may be necessary for the
auditor to revise and modify their planned audit procedures, overall audit strategy and overall materiality
threshold.

MISSTATEMENTS IDENTIFIED DURING THE AUDIT

In module 2, ISA 320 Materiality in Planning and Performing an Audit was considered, which dealt with
the auditor’s responsibility to apply the concept of materiality in planning and performing the audit. Here,
ISA 450 Evaluation of Misstatements Identified during the Audit is considered. It deals with the auditor’s
responsibility to evaluate the effect of identified misstatements (see ISA 450, para. 4, for a description)
and uncorrected misstatements (misstatements that the auditor has accumulated and that have not been
corrected) (ISA 450, para. 4).
Misstatements can result from:
• an inaccuracy in gathering and processing data …
• omission of an amount or disclosure …
• incorrect accounting estimates …
• judgments of management concerning accounting estimates …
• an inappropriate classification, aggregation or disaggregation of information; and
• … omission of a disclosure necessary for the financial statements to achieve fair presentation beyond
disclosures required by the framework (ISA 450, para. A1).
The auditor is required to accumulate misstatements identified during the audit, except where these are
clearly trivial (ISA 450, para. 5). ‘Clearly trivial’ does not mean the same as ‘not material’ (ISA 450,
para. A2) — that is, it will normally be a much smaller number (e.g. to classify $12 000 as an expense
when it should be capitalised is likely to be clearly trivial if the company’s net profit is $120 million).
When evaluating the effect of the misstatements, the auditor should consider the nature of the misstatement
(e.g. factual, judgmental or projected misstatements — see ISA 450, para. A6). Factual items are likely
to be more clear-cut than judgmental or projected items (e.g. management may be able to provide sound
reasons for the differences in judgments between management and the auditor). Figure 3.10 illustrates how
the materiality threshold of misstatements is determined by the impact the misstatements could have on
the decisions made by a reasonable user of the financial statements.
Pdf_Folio:219

MODULE 3 Performing the Audit of Historical Financial Information 219

 FIGURE 3.10 Extent of misstatements

Level of
aggregated or
The decisions of a reasonable user of the qualitative
financial statements would be affected. misstatement
is material

Materiality threshold established by auditor

Level of
aggregated or
The decisions of a reasonable user of the qualitative
financial statements would not be affected. misstatement
is immaterial

Depending on the level of the misstatements and the circumstances of their occurrence there may be a
need to revise the overall audit strategy and audit plan (ISA 450, para. 6), as discussed earlier in relation
to ISA 300. For example, if many of the misstatements identified during the audit occurred in a particular
month, yet the original audit plan placed no particular emphasis on this month, a revised audit plan may
be necessary.
If ADA has been used and the entire population has been tested, this does not imply that the auditor is
able to provide something more than a reasonable assurance opinion (IAASB 2016). Using ADA does not
change the meaning of ‘reasonable assurance’.
Unless prohibited by law or regulation, auditors are required to communicate to management all
misstatements accumulated and request management to correct those misstatements (ISA 450, para. 8).
Examples of laws or regulations that may restrict such communication are given in ISA 450,
paragraph A11. For example, in some jurisdictions, there may be a specific prohibition against such
communication if it might prejudice an investigation by an appropriate authority into actual or suspected
money laundering (ISA 450, para. A11).
If management refuses to correct some of the misstatements, the auditor needs to obtain an understanding
of the reasons and take that into account in forming an opinion (ISA 450, para. 9).
Note that management may refuse to correct some misstatements because they genuinely believe they
have made the correct judgments. This is much more likely to be the case where there are differences arising
from the judgments of management concerning estimates compared to the auditor’s judgments. It may also
relate to what is the appropriate accounting policy or treatment in areas where accounting standards are
vague. These differences between auditors and management often lead to prolonged negotiations where
additional evidence is collected by both sides and the accounting firms may draw on the expertise of the
technical experts within their firms.
The auditor also needs to consider uncorrected misstatements that are considered material, either
individually or in aggregate. ISA 450, paragraph 11, requires the auditor to:
• consider the size and nature of these misstatements
• consider the effect of uncorrected misstatements related to prior periods or the relevant classes of
transactions, account balances or disclosures and the financial statements as a whole, including:
– total current assets and current liabilities
– total assets and liabilities
– net income
– total revenue and expenses.
Pdf_Folio:220

220 Advanced Audit and Assurance

 However, some misstatements and qualitative findings are not able to be aggregated, such as the
possibility of fraud and incomplete financial statement disclosures. These should be evaluated individually
and in aggregate with other misstatements to determine whether they are material. When considering the
possibility of misstatements due to fraud, it is important that the engagement team spend time together
to discuss their findings as a group as fraud is often identified from audit team members piecing together
small and insignificant matters to form a bigger picture.
The auditor is required to communicate any uncorrected misstatements to those charged with governance
and highlight the effect they may have on the auditor’s report (ISA 450, para. 12). The inclusion of this
paragraph places the auditor in a much stronger position in any disagreements with management over
recording of misstatements.
Refer to ISA 450, paragraphs A10–A23, for more details on evaluating the effect of uncorrected
misstatements.

QUESTION 3.18

Outline the differences between the application of materiality at the planning and final review stages
of the audit.

QUESTION 3.19

Outline the differences between the application of qualitative and quantitative materiality consid-
erations.

SUFFICIENCY AND APPROPRIATENESS OF EVIDENCE

Following the evaluation of audit evidence and the materiality of uncorrected misstatements, the final step
is to determine whether:
• sufficient appropriate evidence has been obtained
• accounting estimates and their disclosures are reasonable based on the applicable financial reporting
framework (discussed in module 4).
Where sufficient appropriate evidence is not available or it refutes management’s estimates, the auditor
would discuss the findings with management and consider the need to change the risk assessment and
perform further audit procedures.
Determining how much evidence is sufficient and appropriate is a matter of professional judgment. It
is based on further audit procedures performed to address the assessed risks of material misstatement,
including any additional or modified procedures performed to address risks not identified at the planning
stage of the audit.
Factors to consider in evaluating the sufficiency and appropriateness of audit evidence include:
• materiality of misstatements
• management responses to audit findings
• previous experience in performing similar procedures and the identification of any misstatements
• results of audit procedures performed
– is there any indication of fraud or error?
– do the results support the audit objectives?
• quality of information to support the audit conclusions
• persuasiveness of audit evidence
• whether the evidence obtained to understand the entity and its environment support or contradict the
results.

QUESTION 3.20

Outline the factors that will determine whether the auditor has obtained sufficient appropriate
evidence to support a particular control risk assessment.
P df_Folio:221

MODULE 3 Performing the Audit of Historical Financial Information 221

 The key points covered in this section, and the learning objectives they align to, are below.

KEY POINTS

3.1 Evaluate the appropriateness of processes and procedures undertaken by auditors, as

applicable to the audit strategy and the audit plan.
• The auditor is required to evaluate the audit evidence to ensure appropriate procedures have been
undertaken based on the audit strategy and the audit plan.
• Depending on the level of the misstatements and the circumstances of their occurrence, there may
be a need to revise the overall audit strategy and audit plan.
3.3 Evaluate the sufficiency and appropriateness of the audit evidence gathered.
• Auditors need to ensure that they have collected sufficient appropriate audit evidence on which to
base their audit opinion.
• The auditor is required to accumulate misstatements identified during the audit, except where these
are clearly trivial.
• All material misstatements identified during the audit need to be evaluated, including those due to
fraud.
• The auditor also needs to consider uncorrected misstatements that are considered material, either
individually or in aggregate.
• Sufficient appropriate audit evidence is required to reduce the risks of material misstatement in the
financial report to an acceptably low level.
3.4 Apply the appropriate standards that relate to the auditor’s response to assessed risks.
• ISA 450 Evaluation of Misstatements Identified during the Audit deals with the auditor’s
responsibility to evaluate the effect of identified misstatements and uncorrected misstatements
(misstatements that the auditor has accumulated and that have not been corrected).

REVIEW
In this module, the general principles underlying the evidence-gathering procedures in an audit have been
discussed. Emphasis has been placed on the need for auditors to obtain sufficient appropriate audit evidence
on which to base their opinion. Tests of controls were also described in this module. Substantive procedures
adopted to gather evidence can be grouped under substantive analytical procedures and tests of details. Both
types of procedures were examined in detail.
Audit evidence-gathering techniques in e-commerce environments and advanced audit data analytic
techniques were also considered.
The requirement to maintain audit documentation in relation to the conduct of the audit was examined
along with the need to maintain the security and confidentiality of the documents used in the audit.
Finally, the auditor is required to evaluate the audit evidence to ensure sufficient appropriate audit
evidence has been collected to inform their audit opinion.

WESTERWAYS CASE STUDY ACTIVITY

Performing the Audit of Westerways Pty Ltd

Risk Assessments at Westerways Pty Ltd for the 20X9 Audit
Assume that for the year 20X9, the auditors have performed their first risk assessment procedures and
have updated their notes on the client’s information systems. They will now proceed to complete their
standard working papers to the point of assessing the risks of material misstatement at the assertion
level. They will not include an expectation of the operating effectiveness of internal controls in their risk
assessments for any assertions. However, they will search for significant risks and, if they find any of
these, they will identify and assess the relevant controls. Also, they will search for assertions that cannot
be confirmed through the performance of substantive procedures and, if they find any, they will identify
and assess the relevant internal controls and confirm that they are able to obtain sufficient audit evidence
through control tests to reduce their audit risk to an acceptable level.

df_Folio:222
P

222 Advanced Audit and Assurance

 The CLT Approach to Sampling
CLT have investigated the possibility of using statistical sampling techniques, which would enable them
to measure both the accuracy of their estimates as to aspects of the population and the risk they are
taking of arriving at an incorrect conclusion from their samples. However, they have decided that the extra
knowledge and work required to use statistical techniques do not justify their use. Given the nature of their
audit clients, they use judgment sampling on all audits. The firm does, however, recognise that random
sampling gives results which are representative of the population and they use random sampling (often
with stratification of the population) unless there is reason not to.
Sample sizes are determined purely by judgment, subject to some firm rules of thumb. In normal
circumstances they:
• take samples from every month in the year, with random selection within the months
• for large populations, take out samples of not less than thirty to obtain sufficient assurance to make
inferences to the population, based on their understanding of normal distribution theory
• normally, take out samples of not more than sixty, on the grounds that such as sample will be sufficiently
representative of the population and if it produces unacceptable results a review of the findings is
needed preparatory to use of an alternative evidence development strategy or a decision to extend
testing
• for substantive testing of balances, such as debtors’ confirmations, stratify the population and test all
the higher stratum items and a random sample from each of the lower strata, trying to achieve testing
of a high proportion by value from the lowest possible sample size but also cover the whole population.
Go to the Westerways case study at the end of the Study Guide and complete the following tasks.
............................................................................................................................................................................
CASE STUDY TASKS
1. Evaluation of tests performed in 20X8 for cost of sales and inventory.
In Appendix 7 in the case study materials, an extract from the CLT audit test programme for their 20X8
audit of the financial statements of Westerways Pty Ltd is provided. You are preparing the 20X9 audit test
programme, having made your assessments of risk of material misstatements at the financial report level
and for the assertions (see Appendix 6). Evaluate the tests listed for cost of sales and inventory in the
20X8 audit programme for apparent adequacy. That is, comment on whether you consider the tests are
appropriate for reduction of audit risk to your acceptable level. Suggest any additional or alternative tests,
or question the inclusion of particular tests. Note that some of the tests under ‘General’ are relevant to the
cost of sales and inventory sections and should be taken into account in your answer. Lay out your answer
by assertion by transaction class and account balance, using the working paper provided in Appendix 9
at the end of the Westerways case study materials at the back of the Study Guide. An example is given of
one test for the existence assertion for the inventory account balance.
2. Substantive procedures
For the expenditure cycle, making use of your assessments of risk of material misstatement (see Appendix
6), the background information on the company and using as a guide the 20X8 audit programme extract
given in Appendix 7.
(a) Complete form PL-ART-Exp outlining proposed substantive procedures for the account balances, trade
payable and inventory.
(b) Write up the part of the 20X9 Audit Programme containing the substantive tests of balances for trade
payable and inventory (i.e. form TE-ATP-Exp).
Note: working papers are available in Appendix 9 at the end of the Case Study information provided in
the Study Guide.

REFERENCES
Australian Securities and Investments Commission (ASIC) 2019, Audit Inspection Program Report for 2017–18, Report 607,
accessed June 2019, https://asic.gov.au/media/4990650/rep607-published-24-january-2019.pdf
Chartered Institute of Internal Auditors (CIIA) 2019, ‘Computer assisted audit techniques’, 2 January, accessed August 2019,
https://www.iia.org.uk/resources/delivering-internal-audit/computer-assisted-audit-techniques-caats/?downloadPdf=true
International Auditing and Assurance Standards Board (IAASB) 2016, Exploring the Growing Use Technology in the Audit, with a
Focus on Data Analytics, accessed June 2019, https://www.ifac.org/system/files/publications/files/IAASB-Data-Analytics-WG-
Publication-Aug-25-2016-for-comms-9.1.16.pdf
International Auditing and Assurance Standards Board (IAASB) 2018, International Standard on Auditing 540 (Revised):
Auditing Accounting Estimates and Related Disclosures, accessed June 2019, https://www.ifac.org/publications-resources/isa-
540-revised-auditing-accounting-estimates-and-related-disclosures
International Federation of Accountants (IFAC) 2018a, Guide to Quality Control for Small- and Medium-Sized Practices, Volume
1 – Core Concepts, Fourth Edition, accessed June 2019, https://www.ifac.org/publications-resources/guide-using-international-
standards-auditing-audits-small-and-medium-sized-18
Pdf_Folio:223

MODULE 3 Performing the Audit of Historical Financial Information 223

International Federation of Accountants (IFAC) 2018b, Guide to Quality Control for Small- and Medium-Sized Practices,
Volume 2 – Practical Guidance, Fourth Edition, accessed June 2019, https://www.ifac.org/publications-resources/guide-using-
international-standards-auditing-audits-small-and-medium-sized-18
International Federation of Accountants (IFAC) 2018c, Handbook of International Quality Control, Auditing, Review,
Other Assurance, and Related Services Pronouncements, 2017-2018 edn, IFAC, New York, accessed June 2019,
https://www.ifac.org/publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance-3
Johnson, R & Wiley, L 2019, Auditing: A Practical Approach with Data Analytics, 1st edn, Wiley, US.
Leung, P, Coram, P, Cooper, BJ & Richardson, P 2018, Audit and Assurance, 1st edn, Wiley, Milton.
Murphy, ML & Tysiac, K 2015, ‘Data analytics helps auditors gain deep insight’, Journal of Accountancy, 14 April, accessed June
2019, http://www.journalofaccountancy.com/issues/2015/apr/data-analytics-for-auditors.html
Parkes, A, Considine, B, Oleson, K & Blount, Y 2015, Accounting Information Systems, 5th edn, John Wiley & Sons Australia,
Milton.
Shabbir, M 2019, ‘Computer Assisted Audit Techniques (CAATs) – Modern Audit Tool’, Mayur Batra Group, News, 11 March,
accessed August 2019, http://www.mayurbatragroup.ae/insights/computer-assisted-audit-techniques-caats-modern-audit-tool

Pdf_Folio:224

224 Advanced Audit and Assurance

MODULE 4

CONCLUSIONS AND
REPORTING
RESPONSIBILITIES FOR
AN AUDIT OF
HISTORICAL FINANCIAL
INFORMATION
Module 1
Auditing and Assurance Framework

Audits of historical financial Module 5

information Other assurance engagements

Module 2 Module 3 Module 4

Planning the audit Performing the audit Conclusions and reporting
responsibilities

• Assessment of significant items

• Litigation and claims
• Going concern assessment
Audit conclusions Completing the fieldwork
• Representation letters
• Review of subsequent events
• Perform analytical procedures

• Final evaluation of materiality

Evaluating the findings, • Working paper review
Final review reviewing working papers • Technical review
and formulating an opinion • Engagement quality control review
• Audit opinion

Preparing the audit report Audit report containing opinion

Reporting responsibilities
P df_Folio:225
Communication and • Communication with relevant
reporting responsibilities parties
to relevant parties • Reporting responsibilities
LEARNING OBJECTIVES

After completing this module, you should be able to:

4.1 explain the auditor’s reporting responsibilities in relation to the auditor’s report and opinion
4.2 evaluate the key issues involved in the final review and completion of an audit
4.3 evaluate the indicators of potential fraud and recommend a course of action
4.4 evaluate circumstances that may give rise to modifications to the standard auditor’s report, to the auditor’s
opinion and other than to the auditor’s opinion
4.5 apply the appropriate standards that relate to a range of engagement circumstances that impact the
auditor’s report and the auditor’s opinion.

RELEVANT STANDARDS AND GUIDANCE MATERIALS

International standards Australian standards

International Framework for Assurance Engagements Framework for Assurance Engagements

ISA 220 Quality Control for an Audit of Financial ASA 220 Quality Control for an Audit of a Financial
Statements Report and Other Historical Financial Information
(Compiled)

ISA 240 The Auditor’s Responsibilities Relating to Fraud ASA 240 The Auditor’s Responsibilities Relating to
in an Audit of Financial Statements Fraud in an Audit of a Financial Report (Compiled)

ISA 250 (Revised) Consideration of Laws and ASA 250 Consideration of Laws and Regulations in an
Regulations in an Audit of Financial Statements Audit of a Financial Report

ISA 260 (Revised) Communication with Those Charged ASA 260 (Revised) Communication with Those
with Governance Charged with Governance (Compiled)

ISA 265 Communicating Deficiencies in Internal Control ASA 265 Communicating Deficiencies in Internal
to Those Charged with Governance and Management Control to Those Charged with Governance and
Management (Compiled)

ISA 320 Materiality in Planning and Performing an Audit ASA 320 Materiality in Planning and Performing an
Audit (Compiled)

ISA 330 The Auditor’s Responses to Assessed Risks. ASA 330 The Auditor’s Responses to Assessed Risks
(Compiled)

ISA 450 Evaluation of Misstatements Identified during ASA 450 Evaluation of Misstatements Identified during
the Audit the Audit (Compiled)

ISA 501 Audit Evidence — Specific Considerations for ASA 501 Audit Evidence — Specific Considerations for
Selected Items Inventory and Segment Information (Compiled)
ASA 502 Audit Evidence — Specific Considerations for
Litigation and Claims (Compiled)

ISA 520 Analytical Procedures ASA 520 Analytical Procedures (Compiled)

ISA 540 (Revised) Auditing Accounting Estimates, and ASA 540 Auditing Accounting Estimates and Related
Related Disclosures Disclosures

ISA 550 Related Parties ASA 550 Related Parties (Compiled)

ISA 560 Subsequent Events ASA 560 Subsequent Events (Compiled)

ISA 570 (Revised) Going Concern ASA 570 (Revised) Going Concern

ISA 580 Written Representations ASA 580 Written Representations (Compiled)

ISA 700 (Revised) Forming an Opinion and Reporting ASA 700 (Revised) Forming an Opinion and Reporting
on Financial Statements on a Financial Report (Compiled)

ISA 701 Communicating Key Audit Matters in the ASA 701 Communicating Key Audit Matters in the
Independent Auditor’s Report Independent Auditor’s Report (Compiled)

ISA 705 (Revised) Modifications to the Opinion in the ASA 705 (Revised) Modifications to the Opinion in the
Independent Auditor’s Report Independent Auditor’s Report

Pdf_Folio:226

226 Advanced Audit and Assurance

 ISA 706 (Revised) Emphasis of Matter Paragraphs ASA 706 (Revised) Emphasis of Matter Paragraphs
and Other Matter Paragraphs in the Independent and Other Matter Paragraphs in the Independent
Auditor’s Report Auditor’s Report

ISA 710 Comparative Information — Corresponding ASA 710 Comparative Information — Corresponding
Figures and Comparative Financial Statements Figures and Comparative Financial Reports (Compiled)

ISA 720 (Revised) The Auditor’s Responsibilities ASA 720 (Revised) The Auditor’s Responsibilities
Relating to Other Information Relating to Other Information

IAS 10 Events after the Reporting Period AASB 110 Events after the Reporting Period

IAS 37 Provisions, Contingent Liabilities and AASB 137 Provisions, Contingent Liabilities and
Contingent Assets Contingent Assets

P df_Folio:227

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 227
PREVIEW
Having discussed the audit planning, evaluation of internal controls and evidence-gathering stages of the
audit process in modules 2 and 3, this module focuses on the final stage of the process: the completion of
the fieldwork, conclusions the auditor draws, and the preparation and issuing of the auditor’s report.
As can be seen from the International Framework for Assurance Engagements (the Framework), which
was discussed in module 1, the objective of an assurance engagement is for a practitioner to:
obtain sufficient appropriate evidence in order to express a conclusion designed to enhance the degree of
confidence of the intended users other than the responsible party about the outcome of the measurement or
evaluation of an underlying subject matter against criteria (IAASB, Framework, para. 10).

The credibility of the written report is enhanced by having the assurance practitioner, who is both
independent and an expert, examine the subject matter in accordance with suitable criteria and report
on it.
The International Framework for Assurance Engagements was discussed in detail in module 1. If
necessary, you should review that module.
This module discusses the various forms of reporting associated with audits of financial statements.
Initially, this module explores unmodified auditor’s reports on general purpose financial statements, which
provide reasonable assurance to users.
The departures from the standard form (unmodified) audit opinion are then discussed, as are the varying
circumstances under which different types of audit opinions can be issued. It should be noted that these
forms of departures are also applicable to most other types of assurance engagements and levels of
assurance (to be discussed in module 5). The implications of comparative information contained within the
financial statements are also considered. This is followed by a discussion on the auditor’s responsibility
regarding information contained within the annual report that is not covered by the auditor’s report.
This module also discusses the auditor’s communication and reporting responsibilities, particularly to
those charged with governance and management.

4.1 COMPLETING THE FIELDWORK

After completing the audit planning and performing tests of controls and substantive procedures (discussed
in modules 2 and 3 respectively), it is time to complete the fieldwork, evaluate the findings and complete
the reporting requirements. In this section, the tasks completed to finalise the fieldwork are discussed.
The procedures performed in completing the audit fieldwork have a number of distinctive characteristics
as they:
• involve the auditor making many subjective judgments
• often involve potentially high-risk issues
• do not relate to specific accounts or transaction cycles.
Therefore, they are usually performed by senior members of the audit team, such as audit managers (and
closely reviewed by audit partners), who have extensive audit experience with the entity.
In completing the fieldwork, the auditor performs specific auditing procedures to obtain additional audit
evidence. The specific audit evidence relates to:
• reviewing significant areas, such as:
– accounting estimates used by management
– related party transactions
– identified material misstatements due to fraud
• reviewing for evidence of pending litigation and claims
• considering factors that may have an impact on going concern assumptions
• obtaining the management representation letter
• reviewing for subsequent events that may have an effect on the financial statements
• performing analytical procedures.

Pdf_Folio:228

228 Advanced Audit and Assurance

SIGNIFICANT AREAS
In completing the fieldwork, the auditor needs to revisit significant areas identified during the audit.
Significant areas usually include accounting estimates, related party transactions and fraud. Each of these
is discussed next.

Accounting Estimates
In responding to the assessed risks of material misstatement regarding accounting estimates, the auditor
will undertake one or any combination of the following:

(a) Obtain audit evidence from events occurring up to the date of the auditor’s report.
(b) Test how management made the accounting estimate and the data on which it is based. In doing so, the
auditor shall evaluate whether:
(i) the method of measurement used is appropriate in the circumstances; and
(ii) the assumptions used by management are reasonable in light of the measurement objectives of the
applicable financial reporting framework.
(c) Test the operating effectiveness of the controls over how management made the accounting estimate,
together with appropriate substantive procedures.
(d) Develop a point estimate or a range to evaluate management’s point estimate (ISA 540 (Revised)
Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures,
paras 18–36).

For example, auditors may need to consider climate-related estimates used by management in accor-
dance with ISA 540 (Revised). Auditors will need to substantiate climate-related risks disclosed in the
financial statements by entities to ensure the disclosures are appropriate given the uncertainty surrounding
such risks (Thomson, Fikkers & Stott 2019).
In making the evaluation as to whether sufficient appropriate audit evidence has been obtained, the
auditor should consider all the relevant audit evidence obtained — this includes corroborative and
contradictory evidence. If the auditor is unable to obtain sufficient appropriate audit evidence, the auditor
will need to evaluate the implications for the audit.
In determining whether the accounting estimates made by management are reasonable, the auditor takes
into account qualitative aspects of the entity’s accounting practices. An important part of this includes
indicators of management bias, or a lack of neutrality, which may arise in the judgments made by
management with regards to the amounts and disclosures in the financial statements. Indicators of a lack
of neutrality include:

(a) management adjusting misstatements that have the effect of increasing reported earnings, but not
adjusting those that have the effect of decreasing reported earnings
(b) possible management bias in the accounting estimates they have made (ISA 700 (Revised), para. A2).

Indicators of possible management bias do not constitute misstatements for purposes of drawing
conclusions on the reasonableness of individual accounting estimates. They may, however, affect the
auditor’s evaluation of whether the financial statements as a whole are free from material misstatement
(ISA 700 (Revised), para. A3).
Further details of the overall evaluation of accounting estimates based on audit procedures are
contained in ISA 540 (Revised), paragraphs 33–36. Read these sections and the associated application
and other explanatory material now.

Related Parties
As outlined in module 3, due to the nature of related-party relationships and transactions, the auditor
usually has a high level of professional scepticism towards any transactions or relationships with related
parties. Of particular interest to auditors are:
• transactions outside the normal course of business
• the possibility of fraud.
During the fieldwork stage of the audit, the auditor needs to ascertain whether sufficient appropriate
evidence has been obtained about related parties and their transactions to determine whether a material
misstatement exists and whether disclosures are adequate for the financial statements to achieve fair
presentation (ISA 550 Related Parties, para. 25).
Pdf_Folio:229

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 229
 As mentioned in module 3, the auditor would be concerned with the existence of related parties and any
transactions the entity has had with related parties. The auditor should review management information
that identifies related parties and perform audit procedures to ensure that the risk of not detecting related
parties is low. Procedures may include reviewing working papers from the previous period, shareholder
records and minutes of shareholders and directors’ meetings.
In addition, the auditor should be alert for material related-party transactions, including those that have
abnormal conditions, lack logical reasons for occurrence, have substance that is different from form, or
have been processed in an unusual manner.
When considering whether sufficient appropriate evidence has been obtained about related parties and
their transactions, the auditor considers both the size and nature of misstatements and the reason why they
occurred. The nature of the related-party relationship may be relevant to users in addition to the size of the
misstatement.
As mentioned later in this module, the management representation letter may complement other auditing
procedures in connection with the completeness of identified related-party transactions.
The next area to consider as part of completing the fieldwork is to evaluate the sufficiency of the evidence
obtained in relation to the assessed risk of material misstatement due to fraud.

Fraud
An auditor who assesses a risk of material misstatement due to fraud must design and perform further
audit procedures that respond to the nature, timing and extent of the risk at both the financial statement
and assertion levels. The response to specific fraud risks identified should be consistent with the response
to assessed risks contained in ISA 330 The Auditor’s Responses to Assessed Risks.
Some of the responses the auditor can use to address the assessed risks of material misstatement due
to fraud at the financial statement level are outlined in ISA 240 The Auditor’s Responsibilities Relating to
Fraud in an Audit of Financial Statements, paragraph 30. They include:

(a) assigning personnel with the appropriate knowledge, skill and ability to the areas where there are
significant risks of material misstatement
(b) evaluating whether the selection and application of accounting policies by the entity is indicative of an
attempt by management to manage earnings
(c) incorporating an element of unpredictability into the planned audit procedures.

Management is in a unique position to perpetrate fraud by overriding controls to manipulate accounting

records and prepare fraudulent financial statements. The risk of management override of controls varies
from entity to entity, but it is present in all entities and is, therefore, considered to be a significant risk.
Given the significant risk, the auditor should undertake audit procedures to reduce this risk, including
testing the appropriateness of journal entries recorded in the general ledger and other adjustments made
in preparing the financial statements. This testing would include selecting and testing journal entries and
other adjustments made at the end of a reporting period (ISA 240, para. 33(a)).
Fraudulent financial reporting is sometimes accomplished through intentional misstatement of account-
ing estimates, such as depreciation or the allowance for bad debts (ISA 240). The auditor is expected to
evaluate whether the judgments and decisions made by management in making the accounting estimates
indicate a possible bias that may represent a risk of material misstatement due to fraud. If so, the auditor
should retrospectively review management judgments and assumptions related to significant accounting
estimates reflected in the prior year’s financial statements (ISA 240, para. 33(b)).
The objective of this review is to determine whether possible bias on the part of management is indicated.
It is not intended to call into question the auditor’s professional judgments made in the previous year that
were based on information available at that time.
If the auditor identifies a possible bias in the accounting estimates made by management, they need to
evaluate whether the circumstances producing such a bias represent a risk of material misstatement due to
fraud. The auditor takes into account whether all the estimates appear to understate or overstate provisions
and accruals and, as a consequence, revenues and expenses in the same fashion. Such estimates may be
designed to smooth profits or to achieve a designated level of earnings to deceive financial statement users.
As the audit is drawing to a close, the analytical procedures performed are aimed at determining
whether the financial statements are consistent with the trends and relationships identified throughout
the audit. Assessment of risk, and appropriate audit response associated with events and relationships
occurring at or near year-end, requires the exercise of professional judgment, particularly where unusual
or uncharacteristic trends are identified. Where misstatements indicative of fraud are identified, the auditor
Pdf_Folio:230

230 Advanced Audit and Assurance

must reconsider the risk of misstatement in other aspects of the audit, including specific locations and
management representations.
A summary of indicators of possible fraud is shown in figure 4.1.

FIGURE 4.1 Indicators of possible fraud

Discrepancies in the accounting records

• Unsupported balances
• Unauthorised transactions
• Last-minute adjustments that significantly affect results
• Evidence of employees accessing systems/records inconsistent
with their duties

Conflicting or missing evidence

• Missing documents or electronic evidence

• Altered documents
• Missing originals
• Missing inventories or physical assets
• Missing cancelled cheques
• Large number of credit entries made to trade debtors accounts

Problematic or unusual relationships between management

and the auditor

• Denial of access to audit evidence — records, facilities,

employees, customers or suppliers
• Undue pressure by management to resolve complex issues quickly
• Unusual delays by management in providing requested information
• Unwillingness to add or revise disclosures in the financial
statements to make them more complete and understandable

Other

• Tolerance of violations of the entity’s code of conduct

• Frequent changes in accounting estimates

Source: Adapted from IFAC 2018a, ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements,
Appendix C, p. 205.

To gain further understanding of the factors related to fraud, you should refer to Appendix 3 of
ISA 240 ‘Examples of Circumstances that Indicate the Possibility of Fraud’.

QUESTION 4.1

An auditor could use data analytics to compare payroll transactions with the supporting employee
data, to uncover payroll fraud. Identify five indicators of potential payroll fraud that audit data
analytics could be designed to uncover. What factors should the auditors consider in evaluating
the findings?

LITIGATION AND CLAIMS

A contingency is an existing condition, situation or set of circumstances that involves uncertainty as to
possible gain (contingent asset) or loss (contingent liability) that will be resolved when one (or more)
future event(s) occur or fail to occur. Contingent liabilities are the most common and are the subject of the
Pdf_Folio:231

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 231
rest of this section. IAS 37 Provisions, Contingent Liabilities and Contingent Assets, paragraph 10 defines
a contingent liability as either:
(a) a possible obligation that arises from past events and whose existence will be confirmed only by the
occurrence or non-occurrence of one or more uncertain future events not wholly within the control of
the entity; or
(b) a present obligation that arises from past events but is not recognised because:
(i) it is not probable that an outflow of resources economic benefits will be required to settle the
obligation; or
(ii) the amount of the obligation cannot be measured with sufficient reliability.

When the conditional event meets the recognition criteria of reliability of measurement and probability
of occurrence, the obligation should be recognised as a liability in the financial statements and thus is no
longer a ‘conditional’ liability. When the conditional event does not meet the criteria for recognition, it
may still meet the disclosure requirements as a contingent liability. Irrespective of whether conditional
liabilities should be recognised as liabilities or otherwise described in the notes, they are of relevance to
the auditor because they are unlikely to be recorded in the accounting records until the occurrence of the
uncertain future event. Therefore, there is a risk that they will not be completely and properly disclosed.
These obligations include potential liabilities from income tax disputes, product warranties, guarantees of
obligations of others, and litigation and claims.
The auditor’s concerns about contingent liabilities are not limited to completing the audit. However,
the review will often be towards the end of the audit because the auditor needs the most complete
information set available. During audit testing, and particularly in searching for unrecorded liabilities,
the auditor should be alert to the possibility of contingent liabilities. Moreover, in reading the minutes of
board meetings and in reviewing contracts, the auditor should look for circumstances that may indicate
contingencies that should be investigated. Contingencies that are often the highest risk to auditors are
associated with litigation. The most appropriate audit procedure in relation to this type of contingency is
enquiry of the entity’s lawyer(s) by means of a representation letter to a lawyer (Leung 2019).
Solicitors’ Representation Letters
The auditor is required by ISA 501 Audit Evidence — Specific Considerations for Selected Items to design
and perform audit procedures in order to identify litigation and claims involving the entity, which may give
rise to a risk of material misstatement. These include:
(a) Inquiry of management and, where applicable, others within the entity, including in-house legal
counsel;
(b) Reviewing minutes of meetings of those charged with governance and correspondence between the
entity and its external legal counsel; and
(c) Reviewing legal expense accounts (ISA 501, para. 9).

If the auditor identifies a risk of material misstatement regarding litigation or claims that have
existed or may exist, the auditor should seek a direct communication with the entity’s external legal
counsel. Direct communication with the entity’s external legal counsel may help the auditor in obtaining
sufficient appropriate audit evidence as to whether potential material litigation and claims are known and
management’s estimates of the financial implications, including costs, are reasonable (Leung et al. 2019).
This is normally done through a letter of enquiry prepared by management, and sent by the auditor,
that requests that the entity’s external legal counsel communicates directly with the auditor (ISA 501,
para. 10).
In Australia, auditing standard ASA 502 Audit Evidence — Specific Considerations for Litigation and
Claims has an additional requirement.
Where in-house legal counsel has the primary responsibility for litigation and claims and is in the best
position to corroborate management’s representations, the auditor shall endeavour to obtain a representation
letter, from the in-house legal counsel, seeking information similar to that sought from the entity’s external
legal counsel (ASA 502, para. Aus 5.1).

GOING CONCERN
At the planning stage of the audit, the auditor is required to evaluate the entity’s ability to continue as a
going concern. As discussed in module 2, going concern is a risk that must be assessed in every audit. In
this module, we focus on how the auditor responds to this assessed risk when events or conditions cast
Pdf_Folio:232

232 Advanced Audit and Assurance

significant doubt on the entity’s ability to continue as a going concern and management’s use of the going
concern basis for the preparation of the financial statements.
The auditor’s responses to events or conditions that ‘may cast significant doubt on the entity’s ability to
continue as a going concern’ are discussed in ISA 570 (Revised) Going Concern, paragraphs 16 and A16–
A20. Specifically, ISA 570 (Revised), paragraph 16 requires the auditor to ‘obtain sufficient appropriate
evidence to determine whether or not a material uncertainty exists related to events or conditions that may
cast significant doubt on the entity’s ability to continue as a going concern’.
‘When management has not performed an assessment of the entity’s ability to continue as a going
concern’, the auditor should request that management make such an assessment. When they have made
such an assessment, the auditor should review management’s plans for future actions. Such plans might
include:
• liquidation of assets
• new borrowings
• restructuring of debt facilities
• reduction of expenditures
• increasing capital (ISA 570 (Revised), paras. 16 and A17).
The auditor should also consider mitigating factors that may reduce the likelihood of a going concern
problem. Procedures relating to mitigating factors are explored in more depth later in this module.
Other audit procedures relevant to determining the existence of a material going concern uncertainty are
listed in ISA 570 (Revised), paragraph A16, including:
• reviewing for subsequent events that might affect the entity’s ability to continue as a going concern
• analysing and discussing the latest available interim financial statements, cash flow analysis and profit
forecasts, and evaluating the reliability of the underlying data and assumptions used in preparing those
forecasts
• reading the minutes of directors’ meetings for any information that may reflect the current financial
position or affect the future financial position
• reviewing the terms of debenture and loan agreements
• considering the entity’s plans to deal with unfilled customer orders
• requesting information from the entity’s solicitors about any material legal matters
• confirming the existence, legality and enforceability of arrangements with related parties or other third
parties to provide financial support, and assessing the financial ability of such parties to provide funds
• reviewing reports of regulatory actions
• requesting written representations from management regarding future plans and their feasibility.
When the analysis of cash flow and budget forecasts is a significant factor in considering the future
outcome of events or conditions, the auditor will need to take into account the reliability of the entity’s
information system for generating such information and whether there is adequate support for the
assumptions underlying any budgets or forecasts (ISA 570 (Revised), para. 16(c)). The evidence provided
by budgets and forecasts should not be relied on in isolation; rather, the evidence should be compared with
information the auditor has obtained from other sources.
The auditor can assess the accuracy of budgets by comparing budgets prepared for recent periods with
historical results and the budget for the current period with results achieved to date. The auditor should
exercise some caution in reviewing budgets prepared by management who, given their strong interest in the
entity’s survival, might be tempted to state budgets and forecasts more optimistically than warranted. The
auditor should also consider the reliability of information used for preparing any interim information,
budgets and forecasts, and should be prepared to question underlying assumptions that appear to be
inconsistent with the nature and future prospects of the entity’s business. Particular attention should be
given to:
• price changes
• profit margins
• interest rates
• collections of trade debtors
• loan repayment commitments
• activity levels.
The auditor should review the terms of any debentures and loan agreements to determine whether the
entity is in danger of non-compliance with them. The auditor should also ensure that loan repayment
commitments have been properly reflected in the cash forecasts. Files of correspondence with trustees and
financial institutions should be examined for evidence of variations in the terms of the agreements.
Pdf_Folio:233

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 233
Going Concern — SMEs
Managers of small-to-medium enterprises (SMEs) may not prepare a detailed assessment of the entity’s
ability to continue as a going concern. Instead they may rely on their in-depth knowledge of the business
and its future prospects. The auditor would normally evaluate an SME’s ability to continue as a going
concern by:
• discussing long-term financing with management
• corroborating management’s intentions with other evidence obtained when gaining an understanding of
the entity
• inspecting supporting documentation and making enquiries as to future predictions of the viability of
the business operations
• making enquiries to identify events or conditions beyond management’s assessment period that would
cast significant doubt on the entity’s ability to continue as a going concern (IFAC 2018b).
Factors that could cast significant doubt on an SME’s ability to continue as a going concern include:
• the entity’s ability to withstand adverse conditions
– SMEs may be able to respond quickly to exploit opportunities, but may not have the reserves to
sustain operations
• availability of financing
– for example, banks and other lenders ceasing to support the entity
– withdrawal or major alteration in the terms of a loan or loan guarantee from the owner-manager (or
other related parties including family members)
• other major changes
– for example, loss of a principal supplier, major customer, key employee, operating license, franchise,
or other legal agreement (IFAC 2018b).
Mitigating Circumstances
The auditor should be aware of, and evaluate the effect of, any mitigating circumstances that might serve
to offset the conditions that have raised doubts about the entity’s ability to continue as a going concern.
When going concern problems are identified, the auditor needs to discuss with management its plans
for overcoming the problem, such as the possibility of raising additional finance (ISA 570 (Revised),
para. A17).
For example, the effect of an entity being unable to make its normal debt repayments may be
counterbalanced by management’s plans to maintain adequate cash flows by alternative means, such as
by disposing of assets, rescheduling loan repayments or obtaining additional capital. The auditor will need
to consider the bases upon which the plans have been prepared, their feasibility and their likelihood of
implementation.
The significance of those going concern risks related to cash flow or solvency can often be mitigated by
management’s plans or opportunities with respect to the risk factors (asset, debt, cost and equity) identified.
Table 4.1 provides examples of these factors.

TABLE 4.1 Examples of mitigating factors

Factor Example

Asset factors • Ability to dispose of assets

• Ability to delay the replacement of assets
• Possibility of selling and leasing back assets

Debt factors • Availability of new or unused lines of credit

• Capability to renegotiate existing loans

Cost factors • Capability to postpone certain costs

• Possibility of reducing overheads and administration expenditures

Equity factors • Ability to defer dividend payments

• Ability to obtain additional equity contributions

Source: CPA Australia 2019.

Pdf_Folio:234

234 Advanced Audit and Assurance

Financial Support
The auditor should confirm the existence, legality and enforceability of arrangements made with third
parties to maintain or provide additional financial support to the entity. The auditor will also need to be
satisfied as to the capacity and intention of the third party to provide the necessary level of support. In
practice, many entities would be unable to continue operations without such support, and the auditor will
need to identify and assess any instances where doubts are raised about the continuity of the support.
The auditor should not normally encounter any major problems in carrying out these procedures
when the provider of the financial support is a state or federal government, a bank, or major financial
institution. Note, however, that the situation might be entirely different if the entity is supported financially
by proprietors, shareholders, related entities or even governments of some foreign countries. Formal
agreements may not exist or be legally enforceable, and there may be insufficient evidence available to the
auditor to assess the financial standing of the provider. It is generally easier to obtain this evidence if the
entity providing the financial support is a listed company.
Often, a parent company will support a subsidiary that is in financial difficulty. The support of chief
entities is usually evidenced by them providing their subsidiary companies with comfort letters, known
as ‘letters of support’ or ‘letters of subordination’. The basic characteristics of these letters are discussed
here.
• Letter of support. The parent company agrees to provide financial assistance to a subsidiary for a fixed
period (usually 12 months). This support is appropriate when the subsidiary cannot pay its debts (to
either the parent company or external creditors) as and when they fall due. It is active in nature because
the parent company promises to take action by providing financial assistance.
• Letter of subordination. The parent company agrees not to demand repayment of debts the subsidiary
owes for a fixed period (usually 12 months). This agreement is appropriate when the subsidiary can
afford to pay all its debts except those to the parent company. It is passive in nature as the parent company
promises not to take action to recover its debts.
In determining how much reliance can be placed on a letter of support or subordination, the auditor
should consider the following issues.
• To be effective, the agreement should be formally drafted. Agreements intended to be legally enforceable
are often required to be under seal, and they must also be approved by the solicitors of the parent
company and subsidiary.
• For the agreement to become binding on the parent company, it should be approved by a resolution of
a quorum of the parent company’s board and minuted in its books.
• Details of the agreement should also be minuted in the books of the subsidiary company.
• If the agreement has been drafted in a way that permits termination either by the parent company or by
agreement between the parent company and its subsidiary, the auditors should check that no termination
has in fact occurred.
• If it appears that the subsidiary is unable to pay its external creditors (quite apart from the inter-company
debt), the auditors cannot rely on a letter of subordination.
• Irrespective of whether the auditors of the subsidiary are also the parent company’s auditors, they must
satisfy themselves that the parent company is capable of offering the support it purports to offer in its
agreement and that the amount of that support is adequate.

MANAGEMENT REPRESENTATION LETTER

Towards the conclusion of the audit, it is usual for the auditor to obtain a ‘representation letter’ from
the organisation’s management. A management representation letter contains representations from
management to an auditor made during the conduct of the audit. The purpose of the representation letter
is two-fold.
1. It impresses upon management its ultimate responsibility for the content of the financial statements.
2. It confirms, in writing, any representations made by management during the conduct of the audit.
The auditor shall request written representations about management’s responsibilities using the same
wording as in the terms of the audit engagement. Management’s responsibilities included in the letter
should cover the following matters:
• that the financial report has been prepared in accordance with the applicable financial reporting
framework, and other statutory reporting requirements, including where relevant their fair presentation,
as set out in the audit engagement
Pdf_Folio:235

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 235
 • all relevant information and access as agreed in the terms of the audit engagement has been provided to
the auditor
• all transactions have been recorded and are reflected in the financial report (ISA 580, paras 10–11).

The management representation letter may complement other auditing procedures (e.g. in connection
with (1) the completeness of identified contingent liabilities and related party transactions or (2) the
existence of mitigating factors in the presence of going concern problems). In some cases, however, a
representation letter may be the main source of audit evidence. When a client plans to discontinue a
line of business, for example, the auditor may be unable to corroborate this event through other auditing
procedures.
If the written representations are inconsistent with other audit evidence, the auditor will need to
undertake further audit procedures to resolve the matter. If the auditor concludes that the written
representations are not reliable, this may result in a need to modify the auditor’s report (discussed in more
detail later in this module).
In Australia, the auditor does not need to include in the management representation letter any matters
that are covered by representations made by the directors or management in the annual report (e.g. in the
directors’ report or directors’ declaration). These management representations are required by statute or
regulation, such as the Corporations Act 2001 (Cwlth) (Corporations Act).
If management refuses to sign a management representation letter, that would cause the auditors to
question management’s integrity, competence and ethical values, and could have serious ramifications for
the audit. Auditors would be especially concerned about the reliability of audit evidence obtained through
enquiry of management. The refusal by management to sign the representation letter would be considered a
scope limitation and could affect the auditor’s opinion on the financial statements (Johnson & Wiley 2019).
Further details on the requirements for representations by management are contained in ISA 580
Written Representations, paragraphs 9–20. Read these sections and the associated application and
other explanatory material now.

QUESTION 4.2

You are the manager for the engagement to audit Ruff Racers Ltd, an entity that develops nutritional
products to help improve the performance of racing greyhounds. There is a material issue still
outstanding that needs to be addressed before you can conclude the audit.
From the review of board meeting minutes, it was found that Ruff Racers is being sued by a
customer, BlueHound, who claims that the new dog food formula it purchased from Ruff Racers
led to the sickness and death of a racing hound. However, the CEO of Ruff Racers has rejected
the claims as unsubstantiated and states that extensive research has shown the new formula to
be safe. A review of correspondence from the solicitors does not yet indicate the availability of
evidence to support the claims made by BlueHound.
Evaluate the issue and determine the appropriate course of action in relation to concluding the
audit of Ruff Racers Ltd. Justify your conclusions.

SUBSEQUENT EVENTS
In this section, the auditor’s responsibilities regarding subsequent events will be considered, and then the
various audit procedures the auditor should consider applying will be described. Subsequent events are
events occurring between the period end and the date of the auditor’s report, and facts discovered after the
date of the auditor’s report.
At the outset, it should be noted that the auditor’s report should be dated (discussed in more detail
later in this module). Dating the report informs the reader that the auditor considered the effect on the
financial statements and the auditor’s report of events or transactions that the auditor was aware of, up to
that date. The impact on the financial statements of subsequent events is dealt with in IAS 10 Events after
the Reporting Period, and the audit implications are set out in ISA 560 Subsequent Events.
An example of a material subsequent event is when a trade debtor becomes bankrupt after the end of
the reporting period due to conditions that existed at balance date. This event signals that the debt was
not collectable at the end of the financial reporting period. As such, the entity should adjust the carrying
amount of the trade debtor by recording the value outstanding as a bad debt.
Before continuing, please review ISA 560.
df_Folio:236
P

236 Advanced Audit and Assurance

Auditor’s Responsibilities for Subsequent Events
The auditor’s responsibilities for subsequent events are detailed in ISA 560 and cover three periods, as
shown in figure 4.2.

FIGURE 4.2 Subsequent events timeline

Period 1 Period 2 Period 3

Date of Date of Date of

Date of management’s auditor’s issue of
the approval of report on the
financial the financial the financial financial
statements statements statements statements

Obtain evidence about Respond to new facts

subsequent events that become known
Source: IFAC 2018b, p. 129.

Following is a brief explanation of each of these periods.

• Period 1: For events occurring between the date of the financial statements and the date of the auditor’s
report (ISA 560, paras 6–9), the auditor should perform audit procedures to gain confidence that all
events that require adjustment or disclosure have been identified and appropriately reflected in the
financial statements.
• Period 2: For facts which become known to the auditor after the date of the auditor’s report but before the
financial statements are issued (ISA 560, paras 10–13), there is no obligation for the auditor to perform
any audit procedures after the date of the auditor’s report. However, if the auditor becomes aware of a
fact that may have caused them to amend their report, had they known of it at the date of their report,
then they should:
(a) Discuss the matter with management and, where appropriate, those charged with governance;
(b) Determine whether the financial statements need amendment and, if so,
(c) Inquire how management intends to address the matter in the financial statements (ISA 560,
para. 10).

If management amends the financial statements, the auditor should carry out the procedures necessary
to determine that the amendment has been appropriately carried out.
• Period 3: For facts which become known to the auditor after the financial statements have been issued,
the auditor has similar responsibilities to those outlined under time period 2 (ISA 560, paras 14–17).
In addition, if new financial statements and a new or amended auditor’s report are issued, the auditor
should indicate an ‘Emphasis of Matter’ or ‘Other Matter’ paragraph (discussed later in this module)
in the re-issued auditor’s report discussing the reason for the revision of the previously issued financial
statements. If management refuses to revise the financial statements, the auditor should take action to
prevent future reliance on the auditor’s report.
In Australia, directors have a duty to consider and disclose any matter arising in the period from the
balance date to the date of signing the directors’ statement when such a matter prejudices the truth and
fairness of the accounts (Corporations Act, ss. 297, 298, 299, 300). The auditor must make a judgment
as to the adequacy of the disclosure. The directors’ report must provide the particulars of any subsequent
matter or circumstance that has affected, or may affect, the operations, results and state of affairs of the
company and group in succeeding financial years (Corporations Act, s. 299).

Applicable Audit Procedures

The audit procedures for transactions and events that have occurred after the balance date are carried out
up to the date on which the auditor signs the auditor’s report. The longer this period extends, the greater
are the potential number of items to be investigated, potentially involving more audit work. Undue delays
in finalising the preparation of the financial statements and completion of the audit are not in the interests
of either management or the auditor.
Pdf_Folio:237

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 237
Specific Procedures
The auditor will carry out procedures specifically aimed at detecting and evaluating material subsequent
events. Essentially, these will involve undertaking procedures as near to the time of completion (and signing
of) the auditor’s report as is practicable and will ordinarily include the following:
• reviewing procedures established by management to ensure that subsequent events are identified
• reading minutes of the meetings of shareholders, the governing body, and audit and executive commit-
tees held after the period’s end
• reading the entity’s latest available interim financial statements and reviewing any budgets, cash flow
forecasts and other related management reports that are considered appropriate
• enquiring of the entity’s lawyers
• enquiring of management as to whether any subsequent events have occurred that might affect the
financial statements.
Examples of enquiries of management on specific matters are as follows:
the current status of items that were accounted for on the basis of preliminary or inconclusive data …
• Whether new commitments, borrowings or guarantees have been entered into;
• Whether sales or acquisitions of assets have occurred or are planned;
• Whether … the issue of new shares or debentures … is planned;
• Whether any assets have been … destroyed, for example by fire or flood;
• Whether there have been any developments regarding [risk areas and] contingencies;
• Whether any unusual accounting adjustments have been made or are contemplated;
• Whether any events have occurred or are likely to occur that will bring into question the appropriateness
of accounting policies used in the financial statements …;
• Whether any events have occurred that are relevant to the measurement of estimates or provisions made
in the financial statements; and
• Whether any events have occurred that are relevant to the recoverability of assets (ISA 560, para. A9).

In a continuing audit, much of the work performed for subsequent events can be used in next year’s
audit, particularly in the stages of planning and understanding the entity, where up-to-date knowledge of
the business is required.
As noted, although the auditor need not perform specific procedures to identify subsequent events
after the date of the auditor’s report, the auditor still has a responsibility with regard to any subsequent
events that come to their attention. This is discussed in ISA 560, paragraphs 10–17. Review these
paragraphs now before proceeding.
Now review example 4.1, which considers the appropriate treatment of different types of subsequent
events.

EXAMPLE 4.1

Subsequent Events Review

Angela Carson audited the accounts of Carey Ltd (Carey), an engineering firm listed on the Singapore
Stock Exchange, for the year ended 30 June 20X9. Angela is aware that the following events that took
place after 30 June (but before she had issued her report dated 19 September 20X9) may affect the
company’s financial statements.
(a) On 25 July 20X9, Carey settled and paid a claim involving prior employees alleging sexual discrimina-
tion as a result of promotions announced at the Christmas party in 20X8. Five women who had been
overlooked for management promotions undertook legal action in March 20X9.
(b) On 1 August 20X9, Carey Ltd made an announcement to the Singapore Stock Exchange of its intention
to take over a private engineering partnership. This would increase sales revenue of Carey Ltd by 15%.
It was to be funded by a 1:10 rights issue.
(c) On 12 August 20X9, a fire damaged the head office of Carey. The buildings, fixtures and fittings were
only partly insured.
(d) At its 5 September 20X9 meeting, Carey’s board of directors voted to double the advertising budget
for the coming year and authorised a change in advertising agencies.
Note that each event is independent and is to be considered separately.
............................................................................................................................................................................
What is the required treatment of each event in the financial statements? Justify your decisions.
Check your response against the suggested answer at the end of the book.

df_Folio:238
P

238 Advanced Audit and Assurance

 QUESTION 4.3

The financial year of Toys Galore Ltd (TGL) ended on 30 June 20X0. The auditor’s report was signed
on 25 August, and the financial statements were issued on 10 September. The following events
were noted after the end of the financial year.
1. On 15 August McVicar, a debtor of TGL, declared bankruptcy on that date. The most recent sale
had taken place on 20 May, and no transactions had occurred since that date.
2. On 12 September, the auditor became aware that a fire burnt down one of TGL’s warehouses,
resulting in a loss of 40% of the inventory that was on hand at that date.
3. On 30 September, management discovered that Johnno, a major debtor of TGL who was facing
financial difficulties, became bankrupt on 15 September. All sales to Johnno were made before
the end of the financial year.

For each of the material subsequent events:

(a) Indicate your responsibilities as the auditor for TGL.
(b) Indicate the type of adjustment or disclosure required (if any).

The next issue discussed is the performance of analytical procedures which are performed before
completing the fieldwork.

PERFORMING ANALYTICAL PROCEDURES

Analytical procedures are an important part of the completion of the audit. As stated in ISA 520 Analytical
Procedures, paragraph 6:
The auditor shall design and perform analytical procedures near the end of the audit that assist the auditor
when forming an overall conclusion as to whether the financial report is consistent with the auditor’s
understanding of the entity.

In earlier modules, the application of analytical procedures in planning an audit, in risk assessment and
performing year-end substantive procedures was explained. Near the end of the audit, the auditor designs
and performs analytical procedures in order to arrive at an overall conclusion as to whether the financial
report is consistent with the auditor’s understanding of the entity. Due to the knowledge gained through
audit procedures during the audit, the auditor would not normally expect to find any major unexpected
variations during the overall review of the financial statements as a whole. If variations are revealed, it
may be necessary for the auditor to perform additional procedures, or reperform the original procedures.
Analytical procedures are applied to critical audit areas after audit adjustments have been made to the
financial statements. The reason for using analytical procedures in the overall review is to corroborate
conclusions formed during the audit and to assist in arriving at the overall conclusion that the financial
statements as a whole are consistent with the auditor’s knowledge of the entity’s business. Applying
analytical review procedures at the end of the audit is also a useful way of gaining assurance that the
company will remain a going concern for the relevant period.
Many types of analytical procedures may be used. Typical analytical procedures conducted during the
final review include:
• comparing entity data with expected entity results
• comparing company data with available industry data
• using relevant non-financial data, such as units sold or the number of employees, to analyse relationships
with financial data.
In carrying out an overall review, the auditor reads the financial statements and accompanying notes.
The auditor considers the adequacy of the evidence gathered for unusual or unexpected balances and
relationships that have been either anticipated (planning stage) or identified during the audit (when
performing substantive procedures). Analytical procedures are then applied to the financial statements.
These procedures will help to determine whether any other unusual or unexpected relationships exist.
If such relationships are identified, then the auditor should perform additional audit procedures before
completing the audit. Given the knowledge gained over the course of the audit, the auditor is usually in a
good position to critically evaluate the results of analytical procedures at the end of the audit.
The auditor who completed a large amount of the audit fieldwork may be ‘too close’ to the audit work
performed and may miss unusual or unexpected relationships that would be recognised by someone who
Pdf_Folio:239

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 239
has not been directly involved with the audit. For this reason, and because this review is so important,
the audit partner or audit manager on the engagement also reviews the analytical procedures. This audit
partner or manager should have a comprehensive knowledge of the entity’s business and not have been
directly involved with the audit fieldwork. Often, audit partners or managers identify inconsistencies or
problems because they have extensive business knowledge and because they can look at the figures more
objectively than someone who completed most of the fieldwork.
Example 4.2 demonstrates the performance of analytical review procedures and the analysis of the
findings. Review this example now.

EXAMPLE 4.2

Analytical Review Procedures

You are the audit manager of cabinet maker Jobstone Ltd and are preparing a final review of the financial
report for the year ended 30 June 20X9. You know from your discussions with the client that it has been
having a difficult time recently after a customer went into liquidation. This created cash flow problems that
resulted in Jobstone being late in making the most recent repayment against the bank loan. This was the
second time it had breached the terms of its loan agreement in the last four months.
Following are some extracts from the financial statements for the year ended 30 June 20X9.

20X9 20X8
$m $m
Income statement

Revenue 18.6 19.7

Gross profit 7.4 9.3

Profit before tax 0.4 2.6

Statement of financial position

Non-current assets

Property, plant and equipment 11.8 8.7

Current assets

Inventory 2.7 1.2

Trade debtors 1.4 0.8

Cash - 0.4

Current liabilities

Bank overdraft 0.7 -

Trade payables 1.9 0.9

Bank loan 4.8 0.2

............................................................................................................................................................................
(a) Perform an analytical procedures review of the provided extract from the financial statements.
(b) Analyse your findings from the analytical procedures review in light of Jobstone’s cash-flow problems
identified in this example.
Check your response against the suggested answer at the end of the book.

QUESTION 4.4

(a) Auditors could perform analytical procedures at the planning, testing and conclusion stages of
the audit. Why does an auditor perform analytical procedures at the conclusion and reporting
stage of an audit?
(b) If the results of the final analytical review are inconsistent with the auditor’s expectations, what
action should the auditor take?
df_Folio:240
P

240 Advanced Audit and Assurance

 After the fieldwork is completed, the auditor moves on to the final review stage and evaluates the findings
and reviews the audit working papers. These procedures are discussed in the next section.
The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

4.2 Evaluate the key issues involved in the final review and completion of an audit.
• In making the sufficiency and appropriateness evaluation of accounting estimates, the auditor
should consider all the relevant audit evidence obtained — this includes corroborative and
contradictory evidence. If the auditor is unable to obtain sufficient appropriate audit evidence,
the auditor will need to evaluate the implications for the audit.
• During the completing the fieldwork stage of the audit, the auditor needs to ascertain whether
sufficient appropriate evidence has been obtained about related parties and their transactions to
determine whether a material misstatement exists and whether disclosures are adequate.
• The auditor is expected to evaluate whether the judgments and decisions made by management
in making accounting estimates indicate a possible bias that may represent a risk of material
misstatement due to fraud.
• If the auditor identifies a risk of material misstatement following the evaluation of litigation or claims
that have existed or may exist, the auditor should seek direct communication with the entity’s
external legal counsel.
• The auditor should evaluate mitigating factors that may reduce the likelihood of a going concern
problem.
• The management representation letter may complement other auditing procedures (e.g. in con-
nection with (1) the completeness of identified contingent liabilities and related party transactions
or (2) the existence of mitigating factors in the presence of going concern problems).
• The auditor will carry out procedures specifically aimed at detecting and evaluating material
subsequent events. Essentially, these will involve undertaking procedures as near to the time of
completion (and signing of) the auditor’s report as is practicable.
• Near the end of the audit, the auditor designs and performs analytical procedures in order to arrive
at an overall conclusion as to whether the financial statements are consistent with the auditor’s
understanding of the entity.
4.3 Evaluate the indicators of potential fraud and recommend a course of action.
• Where misstatements indicative of fraud are identified, the auditor must reconsider the risk
of misstatement in other aspects of the audit, including specific locations and management
representations.
4.5 Apply the appropriate standards that relate to a range of engagement circumstances that
impact the auditor’s report and the auditor’s opinion.
• IAS 10 Events after the Reporting Period requires adjustment of the amounts recognised in the
company’s financial statements to reflect adjusting events after the reporting date and disclosure
of non-adjusting events after the reporting date if they are material and could influence the
economic decisions of users that are made on the basis of the financial statements.
• ISA 560 Subsequent Events requires the auditor to perform audit procedures designed to obtain
sufficient appropriate audit evidence to demonstrate that all events that may require adjustment or
disclosure in the financial statements, up to the date of the auditor’s report, have been identified.
• ISA 570 (Revised) Going Concern requires the auditor to obtain sufficient appropriate evidence to
determine whether or not a material uncertainty exists related to events or conditions that may
cast significant doubt on the entity’s ability to continue as a going concern.
• ISA 501 Audit Evidence — Specific Considerations for Selected Items require auditors to design
and perform audit procedures in order to identify litigation and claims involving the entity which
may give rise to a risk of material misstatement.
• ASA 502 Audit Evidence — Specific Considerations for Litigation and Claims also requires auditors
to obtain a representation letter seeking information from the in-house legal counsel where they
have the primary responsibility for litigation and claims and is in the best position to corroborate
management’s representations.
• IAS 37 Provisions, Contingent Liabilities and Contingent Assets defines a contingent liability.
Pending litigation and claims are classified as contingent liabilities.
• ISA 580 Written Representations specifies the requirements for management representation letters
which may complement other auditing procedures (e.g. in connection with (1) the completeness
of identified contingent liabilities and related party transactions or (2) the existence of mitigating
factors in the presence of going concern problems).
• ISA 540 (Revised) Auditing Accounting Estimates, Including Fair Value Accounting Estimates,
and Related Disclosures specify the procedures auditors should perform to obtain sufficient
appropriate audit evidence relating to accounting estimates.
P df_Folio:241

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 241
 • ISA 550 Related Parties requires auditors to determine whether sufficient appropriate evidence
has been obtained about related parties and their transactions to determine whether a material
misstatement exists and whether disclosures are adequate for the financial statements to achieve
fair presentation.
• ISA 250 (Revised) Consideration of Laws and Regulations in an Audit of a Financial Statements
specifies the auditor’s responsibilities in relation to compliance with laws and regulations.
• ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
specifies that the objective of the review of management judgments and assumptions related to
significant accounting estimates is to determine whether possible bias on the part of management
is indicated.
• ISA 520 Analytical Procedures requires the auditor to design and perform analytical procedures
near the end of the audit that assist the auditor when forming an overall conclusion as to whether
the financial report is consistent with the auditor’s understanding of the entity.

4.2 FINAL REVIEW

In evaluating the findings during the final review stage, the auditor has the following objectives: (1) to
ensure that the audit process has complied with auditing standards, and (2) to determine the type of audit
opinion to be expressed (which is discussed in more detail later in this module). To meet these objectives,
the auditor:
• makes the final evaluation of materiality and audit risk
• undertakes the technical review of the financial statements
• undertakes the final review(s) of working papers
• forms an opinion and drafts the auditor’s report (Leung et al. 2018).
In addition, the assurance firm is required to undertake an engagement quality control review when
they complete an audit of listed entities and other public interest entities. Each of these steps is discussed
next.
In formulating an opinion on the financial statements, the auditor should assimilate all the evidence
gathered during the examination. A final assessment of materiality and audit risk is an essential prerequisite
in deciding on the opinion to express. ISA 450 Evaluation of Misstatements Identified during the Audit
requires the auditor to evaluate the effect of identified misstatements on the audit and the effect of
uncorrected misstatements, if any, on the financial statements (Leung et al. 2018).
A misstatement occurs when the amount, classification, presentation, or disclosure of a balance in the
financial statements differs to that required for the balance to be in accordance with the applicable financial
reporting framework. As misstatements are identified and accumulated during the audit, it is important for
auditors to communicate misstatements to management in a timely manner so that action can be taken to
correct the misstatements (Johnson & Wiley 2019). Paragraph A6 of ISA 450 classifies misstatements into
three categories: factual, judgmental, and projected misstatements.
Factual misstatements are misstatements that are known with certainty. This may include misstate-
ments found with the application of audit data analytics in which auditors use software to screen the entire
population. It may also include the audit of 100% of a population that has relatively few sampling units,
such as notes payable. When auditors audit the entire population, they can draw a conclusion with certainty
about the misstatements found in the population (Johnson & Wiley 2019). Auditors typically request that
management make adjusting entries to correct all factual misstatements since there should not be any
disagreements with management regarding factual misstatements.
Judgmental misstatements typically involve accounting estimates in which uncertainty is a factor.
After performing audit procedures, auditors may determine a different amount for an accounting estimate
than management. For example, suppose auditors estimate a different amount for a fair value estimate of
goodwill than management. They will request that management review the assumptions and methods that
were used in determining its estimate. After reviewing the estimate, management may decide to adjust its
estimate or not to adjust. Any difference between what management decides to record and what the auditor
recommends should be recorded would be considered a misstatement. Auditors document discussions with
management about the issue, including management’s reasons for not making recommended adjustments
(Johnson & Wiley 2019).
df_Folio:242
P

242 Advanced Audit and Assurance

 Projected misstatements are the result of audit sampling, which was discussed in module 3. If
misstatements are found in an audit sample, auditors use appropriate statistical or nonstatistical methods
to project the sample misstatement to the entire population. If the projected misstatement is material,
they request that management examines the population of transactions to understand the cause of the
misstatement and make appropriate adjustments to the affected accounts. After management makes
adjusting entries to correct the misstatements, auditors should perform additional audit procedures to
determine if any misstatements still remain (Johnson & Wiley 2019).
Finally, the auditor needs to evaluate whether any uncorrected misstatements are material.

FINAL EVALUATION OF MATERIALITY AND AUDIT RISK

Materiality and Pervasiveness
Materiality and pervasiveness are terms that are used to identify the type of auditor’s report to be issued.
If the effects of an issue are considered immaterial by an auditor who is satisfied in all other respects,
then an unmodified opinion is appropriate. If the effects are considered material, then a modified opinion
(qualified, disclaimer or adverse) is the appropriate opinion. Audit opinions will be discussed further later
in this module.
As identified in module 2, the auditor uses the concept of materiality in planning and performing the
audit. The level of materiality used for planning and performing the audit is revised for the financial
statements as a whole if the auditor becomes aware of information during the audit that indicates a different
materiality level is appropriate. Such revisions would be the reason for differences between the amount
determined for the initial planning materiality and the materiality amount used to determine the type of
auditor’s report to issue.
The process for evaluating the effect of uncorrected misstatements is outlined in ISA 450, which was
discussed earlier in module 2. The auditor is required to determine whether uncorrected misstatements are
material, individually or in aggregate, taking into consideration the size and nature of the misstatements
(ISA 450, para. 11). Each individual misstatement is considered to see whether the materiality level for
the related class of transactions, account balance or disclosure has been exceeded.
The ‘Application and other explanatory material’ of ISA 705 (Revised) Modifications to the Opinion in
the Independent Auditor’s Report identifies that the more serious forms of modified opinion (adverse and
disclaimer of opinion) are appropriate in cases that are, or could be, both material and pervasive.

Pervasive effects … are those that, in the auditor’s judgment:

(i) Are not confined to specific elements, accounts or items in the financial statements;
(ii) If so confined, represent or could represent a substantial proportion of the financial statements; or
(iii) In relation to disclosures, are fundamental to users’ understanding of the financial statements
(ISA 705 (Revised), para. 5(a)).

A material misstatement will affect the overall outcome of the financial statements and may affect the
decision-making process for end-users. If the possibility of material misstatements is pervasive (i.e. it
affects many facets of the financial statements), the issue of concern is that the financial statements cannot
be relied upon to represent a true and fair view of the entity’s state of affairs. In practice, where the effect of
a single issue is very material, a qualified opinion is more likely to be observed if the impact of the issue on
the financial statements can be adequately described in the auditor’s report. Thus, the more serious forms
of modified opinion are more commonly associated with multiple concerns affecting a number of accounts
in the financial statements, or a single concern that affects many accounts in the financial statements (such
as the result of a failure to use Australian Accounting Standards in Australia, or a failure to consolidate
the financial statements of a major subsidiary).
Example 4.3 demonstrates how auditors make the final assessment of aggregated misstatements and its
effect on the financial statements as a whole. Review this example now.

Pdf_Folio:243

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 243
 EXAMPLE 4.3

Final Assessment of Aggregated Misstatements

You are nearing completion of the 30 June 20X7 audit of Goodies Ltd, a wholesaler of breakfast foods and
bakery supplies. Your manager has completed the working paper review and has compiled the following
list of errors.
1. Sales cutoff at Melbourne branch was incorrect. Three invoices dated 1 July 20X7 were processed with
30 June 20X7 sales. These amounted to $5600. Additional audit procedures confirmed there were no
other cutoff errors. Mark-up is a standard 70% on cost price.
2. Year-end stocktake procedures revealed one stock line worth $11 250 was counted twice. The error
was discovered and corrected by the client’s accounting staff.
3. In order to carry out the debtors’ circularisation, the debtors’ ledger was divided into two parts:
(i) All balances over $8000. All these balances were circularised. The total value of the part was
$41 800.
(ii) All other balances. A random sample of 15 of these balances was circularised. The total value of
these balances was $52 650.
Audit procedures revealed $2510 of overstatement errors in part (i). These errors were due to
customers being invoiced for goods they didn’t order. Mark-up is a standard 70% on cost price. Audit
procedures also revealed $2080 of overstatement errors in part (ii). The errors in part (ii) resulted from
customers being billed twice. (The corresponding entry to inventory was correctly recorded only once.)
4. The loan confirmation from the bank revealed that interest payable for the month of June was $5200.
The client has recorded an accrual of only $4200.
5. Audit procedures performed on related parties revealed one director-related transaction for $1200 was
not disclosed in the draft notes to the financial statements.
6. A clerical error resulted in the June rent accrual of $5600 mistakenly being recorded as a noncurrent
rather than a current liability.
You also have the following balances from the draft financial statements:

Sales $1 437 300 Other creditors $51 850

Trade debtors 257 500 Cost of goods sold 840 700
Inventory 146 290 Total interest payable for year 61 400
Net profit 100 000 Planning materiality 5 000

The manager has asked you to review the errors and prepare a summary working paper that will enable
her to assess whether the financial statements are materially misstated.
............................................................................................................................................................................
Using the provided information, prepare a summary of audit differences working paper for the audit manager.
Analyse the findings and determine whether the financial statements are materially misstated.
Check your response against the suggested answer at the end of the book.

QUESTION 4.5

What should the auditor do in relation to the aggregated uncorrected misstatements identified prior
to formulating their opinion on the financial statements?

QUESTION 4.6

You are the senior auditor on the audit of TopSocks Ltd for the year ended 30 June 20X9. In the
audit plan, trade debtors, inventory and warranty provisions were identified as significant risks and
specific audit attention was devoted to related assertions. The following is an extract from the draft
financial accounts prepared by TopSocks Ltd management for the year ended 30 June 20X9 and
the related provisions identified as critical audit areas.

$000s
Trade debtors 4122
Inventories 3589
Warranty provision 1788
Profit before tax 5097
df_Folio:244
P

244 Advanced Audit and Assurance

 In testing these areas, representative samples were selected and the results of these tests show
the following:

Sample size Error Under/over

$000s $000s

Trade debtors 770 60 Overstatement

Inventories 223 8 Understatement

Warranty provision 1064 96 Overstatement

Discuss the effect of these tests on your conclusions about the related assertions and state the
impact on your audit opinion.

Technical Review of Financial Statements

The technical review by an audit partner or manager is to ensure that the form and content of the financial
statements are in accordance with the applicable financial reporting framework. In Australia, this includes
the Corporations Act and Australian Securities Exchange requirements (where applicable).
The review of the audit working papers and the technical review of the financial statements made at
the end of the engagement are a final check to ensure that all significant issues have been identified and
appropriately addressed. It also includes ensuring that all work outlined in the audit plan and audit program
has been appropriately completed and signed off. A final checking off of the findings in the audit working
papers to the financial statements and the other information contained in the annual report is undertaken.
All identified misstatements, other than those that are clearly trivial, are accumulated to determine whether
the financial statements as a whole are materially misstated.

FINAL REVIEW OF WORKING PAPERS

The working papers must clearly record the work undertaken by the engagement partner and, therefore,
must include:
• evidence of a review by the auditor manager, with notes covering the discussion and resolution of any
significant matters raised by the engagement partner (these papers should all bear the initials of the
engagement partner)
• the signed auditor’s report.
Many firms today are using electronic work papers, with all pre-prepared work papers in computerised
form. This aids the completion and review process in that many more checks and balances (which increase
quality control) can be built into the system. For example, when using electronic work papers it is not
possible to sign off (i.e. give final clearance to) a section of an audit until that section has been reviewed,
and it is subsequently not possible to sign off an audit until all sections have been reviewed, all review
points cleared, and the final checklist completed.
It is important to maintain detailed audit logs of all data analytics procedures performed. The technology
used should have the ability to log each step of the analysis, representing a comprehensive audit trail. This
enables auditors to automatically document procedures as they are performed, resulting in higher quality
audit documentation and reduced time spent on documenting the procedures performed during the audit
and the evidence obtained.
The use of audit data analytics procedures should be integrated with audit programs and working papers.
This would enable the auditor to move directly from a specific audit program and working papers to an
audit data analytics process. Ideally, the results of the data analytics should be linked directly to the working
papers.
As part of the audit completion process, it is customary to use an audit completion checklist to ensure
that all important matters have been covered. This ensures that all review points have been completed
before the audit file can be signed off by the audit partner and lodged as complete.
Before the auditor’s report is issued, the engagement partner, through ‘review of the audit documentation
and discussion with the engagement team, [shall] be satisfied that sufficient appropriate audit evidence
has been obtained to support the conclusions reached and for the auditor’s report to be issued’ (ISA 220
Quality Control for an Audit of Financial Statements, para. 17). This will include critical areas of judgment,
Pdf_Folio:245

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 245
 significant risks and other areas considered important by the partner. Given the importance of the review
process, we include a separate, more detailed section on it here.
The audit review will usually be conducted on two levels.
1. A detailed review of all audit working papers by the person (often termed ‘auditor in-charge’) who is
directly responsible for carrying out detailed audit procedures and for supervising the work of audit
assistants.
2. A higher-level review by the individual who has the ultimate responsibility for the audit and who signs
the auditor’s report. In practice, a substantial part of this higher-level review may be carried out by an
audit manager, but it should be noted that the delegation of any part of the high-level review in no way
absolves the engagement partner from the primary responsibility for the audit.
The extent of the more detailed review will vary according to the problems and complexities of the
engagement, the level of audit risk and the experience and competence of the audit field staff. The objective
of this review is to ensure that:
• the auditor’s internal policies and procedures and the auditing standards have been complied with in the
conduct of the audit and in the preparation of the working papers
• all audit procedures have been successfully completed
• all queries raised during the conduct of the audit or during reviews have been cleared
• the evidence collected supports the audit opinion
• control weaknesses and other matters of concern have been communicated to the management or the
directors of the entity being audited, in an appropriate manner.
The reviewer should appropriately document any queries raised in the detailed review. All working
papers reviewed should be initialled to verify their examination. When the reviewer is satisfied that all
queries have been successfully cleared and documented, the audit files would be passed to the engagement
partner for a final review.
The extent of the work undertaken by the engagement partner will vary but, in any event, it will include:
• participation in the planning of the audit
• review and approval of the audit plan
• review and approval of the audit program
• review and clearance of all matters raised by the audit manager
• approval and signing of management letters, reports and correspondence issued by the auditor in relation
to the audit.
When considering the extent of the review of the audit working papers, the engagement partner will
have regard to the degree of complexity of the engagement and the problems encountered, any previous
experience gained through working with the organisation, and the extent to which the audit manager is
involved in the conduct of the audit.
If there are no adverse circumstances following this consideration, the engagement partner may
undertake the review as illustrated in figure 4.3.

QUESTION 4.7

Sally Fletcher has just completed testing of the depreciation of property, plant and equipment for
her client Happy Grapple Ltd. Information from the draft financial report of Happy Grapple shows
(rounded to $000s):

Profit before tax $ 2 737

Property, plant and equipment $16 564

In testing depreciation, Sally selected a sample of 35 items with a value of $1 672 000 and
established a tolerable error of 5% of base values. The result of the tests showed systematic errors
in the sample of $72 400 and Sally has concluded that this is an acceptable error and no further
audit work is required.
You are Sally’s manager and are reviewing her work. Do you agree with her conclusions in relation
to depreciation? Justify your conclusions.

P df_Folio:246

246 Advanced Audit and Assurance

 FIGURE 4.3 Engagement partner’s review of audit working papers

Queries raised by the audit manager/director

• Review queries
• Ensure all queries are resolved

Working papers prepared by the audit

manager/director

• Review working papers

• Check for evidence of completion
• Ascertain that audit manager/director has
reviewed the individual working papers

Critical areas

• Review all critical areas, including those drawn

to engagement partner’s attention by the
audit manager/director, in particular:
– adequacy of provisions
– contingent matters that could
affect the entity’s financial
position
– post-balance date events
– analytical procedures.

Contentious matters and problems

• Discuss with audit manager

• Review with management

Draft financial statements and related reports

• Check all review notes have been

addressed
• Review draft financial statements and
related reports
• Ensure draft financial statements and
reports comply with the relevant
accounting and disclosure requirements

ENGAGEMENT QUALITY CONTROL REVIEW

As discussed in module 1, on completion of the audit of listed entities and other public interest entities,
assurance firms must perform an engagement quality control review (EQCR), which must be undertaken
by someone (usually an experienced audit partner) who was not associated with the audit engagement.
The EQCR provides an objective and independent evaluation of the significant judgments made and the
conclusions reached by the audit team and the audit partner. The partner signing off the audit discusses
significant matters arising during the audit engagement, including those identified during the EQCR. For
those engagements requiring an EQCR, the engagement will not be deemed to have been completed until
the completion of the EQCR.
Pdf_Folio:247

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 247
 ISA 220 also emphasises the requirement for an engagement quality control review (EQCR), previously
called a second partner review. For audits of financial statements of listed entities and other audit
engagements for which the firm decides that an EQCR is required, the engagement partner shall:
(a) Determine that an engagement quality control reviewer has been appointed;
(b) Discuss significant matters arising during the audit engagement, including those identified during the
engagement quality control review, with the engagement quality control reviewer; and
(c) Not date the auditor’s report until the completion of the engagement quality control review (ISA 220,
para. 19).
An EQCR shall include an objective evaluation of ‘the significant judgments made by the engagement
team, and the conclusions reached in formulating the auditor’s report’ (ISA 220, para. 20). The evaluation
must involve:
1. Discussion of significant matters with the engagement partner;
2. Review of the financial statements and the proposed auditor’s report;
3. Review of selected audit documentation relating to the significant judgments …; and
4. Evaluation of the conclusions reached … and consideration of whether the proposed auditor’s report is
appropriate (ISA 220, para. 20).
For audits of listed entities, the engagement quality control reviewer also considers:
• The engagement team’s evaluation of the firm’s independence in relation to the audit engagement;
• Whether appropriate consultation has taken place on matters involving differences of opinion or other
difficult or contentious matters …; and
• Whether audit documentation selected for review reflects the work performed in relation to the
significant judgments and supports the conclusions reached (ISA 220, para. 21).
The evaluation may also include:
• Significant risks identified during the engagement in accordance with ISA 315 (Revised), and the
responses to those risks in accordance with ISA 330, including the engagement team’s assessment of,
and response to, the risk of fraud in accordance with ISA 240.
• Judgments made, particularly with respect to materiality and significant risks.
• The significance and disposition of corrected and uncorrected misstatements identified during the audit.
• The matters to be communicated to management and those charged with governance and, where
applicable, other parties such as regulatory bodies (ISA 220, para. A30).
The extent of the engagement quality review will vary between audits and will be affected by such
factors as the complexity of the audit, the level of audit risk, and the experience of the engagement partner
and the audit team.
Consideration of the Results of the Firm’s Monitoring Process
If a difference of opinion arises within the engagement team or between the engagement partner and the
EQCR, then ‘the engagement team shall follow the firm’s policies and procedures for dealing with and
resolving differences of opinion’ (ISA 220, para. 22).
The engagement partner is required to consider information circulated by the audit firm in its monitoring
process, and whether any deficiencies noted (and rectifying measures taken) have implications for the audit
engagement (ISA 220, para. 23). This information could include findings from internal quality control
reviews and reviews by external inspections (e.g. ASIC).
ASIC’s information sheet on ‘Improving and maintaining audit quality’ (INFO 222) emphasises that:
Partners and firms should not hesitate to revisit an audited entity to undertake additional work. Undertaking
the work necessary to complete their audits for the reporting period in question will ensure that the audit
report is supportable and that the market can be properly informed if any material misstatements are
detected (ASIC 2017).
After completing the final evaluation of materiality and audit risk, conducting a technical review of the
financial statements, and a final review of the working papers and the engagement team’s performance, it
is time for the auditor to evaluate the findings and form an opinion on the financial statements.

FINAL CHECKLIST
The adage ‘last but not least’ applies to completing the audit. The decisions made by the auditor in this
last stage are usually crucial to the ultimate outcome of the audit. Moreover, the conclusions reached by
Pdf_Folio:248

248 Advanced Audit and Assurance

the auditor in completing the audit often have a direct impact on the opinion to be expressed on the entity’s
financial statements (Leung et al. 2018).
In completing the audit, the auditor often works under tight time constraints because entities usually
seek the earliest possible date for the issue of the auditor’s report. Despite potential problems with tight
deadlines, the auditor must take the time to make sound professional judgments and to express the opinion
appropriate in the circumstances (Leung et al. 2018).
The final step in the audit process before preparing the audit report is to check that the items in
figure 4.4 have been appropriately considered.

FIGURE 4.4 Final considerations before the audit report is prepared

Materiality

Does materiality need to be adjusted?

Do the uncorrected misstatements either individually or in aggregate result
in the financial statements being materially misstated?

Audit evidence

Are management’s accounting estimates reasonable?

Do the analytical procedures performed at the end of the audit corroborate
conclusions formed during the audit?
Has sufficient appropriate audit evidence been obtained?

Accounting policies

Are the accounting policies used by management relevant to the entity?

Have significant accounting policies been appropriately disclosed?

Financial statement disclosures

Have all financial statement disclosures required by the applicable

financial reporting framework been made?
Is the information presented in the financial statements relevant, reliable,
comparable and understandable?
Have adequate disclosures been made to enable users to understand the
effect of material transactions and events on the information within the
financial statements?

Fair presentation frameworks

Does the overall presentation, structure and content of the financial

statements faithfully represent the underlying transactions and events in
accordance with the applicable financial reporting framework?
Are the financial statements consistent with the understanding obtained
about the entity and its environment?

Audit opinion

Audit report

Source: Adapted from IFAC 2018b.

The auditor would determine the appropriate audit opinion based on the evaluations of the overall
financial statement presentation, including disclosures. The audit opinion is expressed within the audit
report and is discussed next.
Example 4.4 highlights the factors that the auditor should take into account in forming an opinion on
the content of the auditor’s report. Review the example now.
Pdf_Folio:249

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 249
 EXAMPLE 4.4

Forming an Opinion
E-ffervescence.com Ltd had been listed for five years, and it had an earnings and dividend growth history
that was the envy of most other new listings in the technology industry. Analysts were predicting a rosy
future for the company with the ‘whizz kid’ entrepreneur at the helm who seemingly could do no wrong.
E-ffervescence marketed its own and other brands of health products over the internet. Its statistics in
terms of growth in ‘hits’ were almost exponential, and the list of health product manufacturers who wanted
to supply through E-ffervescence’s site was growing.
Jack King, the founding CEO and driving force behind E-ffervescence, was extremely upbeat about the
company’s performance. He owned 20% of the company’s shares, and his strength lay in the research and
development that was required to bring new products to the market rather than in attention to financial
matters. One of the perennial problems with such newly listed technology enterprises is the need for
access to capital for research and development and the long lead time before products get to market.
However, Jack was not worried: the lead time for discovery to market for E-ffervescence was much lower
than that of competitors, and the capital market seemed to have great confidence in the company, giving
it a price-to-earnings multiple of 30.
Jack’s accountant kept trying to alert him to a likely technical breach of the company’s debt covenants
that would trigger automatic invocation of payment in full of the debt within the following fiscal year rather
than the three years remaining in the debt contract. Jack knew how important debt covenants were but
argued the company was close to launching its new anti-obesity product with the potential to double sales
revenue in the following year, and so it was inconsequential whether repayment of the debt in either one,
two or three years occurred.
When the auditor discovered the breach of the covenant and its consequences during the annual
audit, disclosure of the full amount of the loan as a current liability rather than partially non-current
was recommended as an adjustment to the financial statements. Between balance date and completion
of the audit fieldwork, there was a significant downturn in the sharemarket, especially impacting ‘new
technology’ companies and companies with high levels of debt. Many companies were effectively
re-rated overnight, especially if they did not have a proven earnings stream. Although E-ffervescence
had a proven and sustainable earnings stream, the flow of future finance into this ‘new economy’ sector
slowed significantly. Any company seeking extra finance to refinance would struggle in this market.
Almost overnight the optimistic picture Jack had foreseen for his company became less rosy and
the lack of cash flow became crucial. In the aftermath of these developments, Jack refused to alter
the disclosure for the loan. He argued that the key clause creating the need for prompt repayment
of the debt in full was not triggered until after the reporting period date and so it was quite correct to
leave what would have been due in two years as a non-current liability. He went on to state that bringing
the whole amount in as a current liability reduced the quick asset ratio from 0.80 to 0.60 and would make it
more difficult to get bridging finance to continue in business until the crisis over approval for marketing the
anti-obesity drug was over. Jack went on to argue that if the auditor continued with this line of argument,
responsibility for the potential downfall of the company was not out of the question.
............................................................................................................................................................................
(a) Evaluate the case facts to inform the preparation of the auditor’s report.
(b) What role does the materiality of the bank loan play in the auditor’s evaluation of the case facts?
(c) What are the reporting options available to the auditor under these circumstances?
Check your response against the suggested answer at the end of the book.

The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

4.2 Evaluate the key issues involved in the final review and completion of an audit.
• In the event of the auditor becoming aware of information during the audit that would have caused
the auditor to calculate a different materiality level initially, the auditor will revise the materiality used
during planning at, or near, the end of the audit to determine the type of auditor’s report to issue.
• If the auditor’s evaluation of the possibility of material misstatements is pervasive (i.e. it affects
many facets of the financial statements), the issue of concern is that the financial statements
cannot be relied upon to represent a true and fair view of the entity’s state of affairs.
• The extent of the more detailed review will vary according to the problems and complexities of the
engagement, the level of audit risk and the experience and competence of the audit field staff.

df_Folio:250
P

250 Advanced Audit and Assurance

 • The auditor evaluates all the identified misstatements and accumulates them to determine whether
the financial statements as a whole are materially misstated.
• Example 4.3 demonstrated the compilation of a summary schedule of misstatements to enable
the aggregate errors to be assessed and compared to materiality.
• An Engagement Quality Control Review (EQCR) shall include an objective evaluation of the
significant judgments made by the engagement team, and the conclusions reached in formulating
the auditor’s opinion.
• The final step in the audit process before preparing the audit report is to evaluate the audit evidence
obtained and consider the impact of any identified misstatements on the financial statements as
a whole so that an audit opinion can be formed based on the findings.
• Example 4.4 demonstrated the evaluation of circumstances to determine what factors the auditor
should take into account in forming an opinion on the content of the auditor’s report.
4.5 Apply the appropriate standards that relate to a range of engagement circumstances that
impact the auditor’s report and the auditor’s opinion.
• ISA 450 Evaluation of Misstatements Identified during the Audit requires the auditor to evaluate
the effect of identified misstatements on the audit and the effect of uncorrected misstatements, if
any, on the financial statements.
• ISA 320 Materiality in Planning and Performing an Audit outlines the need to revise the materiality
used during audit planning when the auditor becomes aware of information during the audit that
would have caused a different materiality level to be set initially.
• ISA 705 (Revised) Modifications to the Opinion in the Independent Auditor’s Report identifies that
the more serious forms of modified opinion (adverse and disclaimer of opinion) are appropriate in
cases that are, or could be, both material and pervasive.
• ISA 710 Comparative Information — Corresponding Figures and Comparative Financial Statements
establishes standards and provides guidance to auditors as to their responsibilities with respect
to comparative information in an audit of financial statements.

4.3 PREPARING THE AUDIT REPORT

This section of the module focuses on audits of general purpose financial statements that provide a
reasonable level of assurance. It is important that the auditor’s report is an effective communication device
because it is the main means of communication between the auditor and the financial statement user.
This module reflects recent significant steps that have been undertaken to enhance the communication
effectiveness of the auditor’s report. You will recall from your study of module 1 that expression of
an opinion is the final outcome of the audit process, and the objective of a financial statement audit
is to enable the auditor to express an opinion as to whether the financial statements are prepared in
accordance with established criteria, usually comprising approved accounting standards and relevant
legislative requirements.
The audit conclusions and preparation of the audit report can be complex as it involves many ISAs,
mostly from the ISA 700 series. Figure 4.5 highlights the types of auditor’s reports and the relevant ISAs
which are discussed in this section. First, matters relating to an unmodified auditor’s report are discussed.
This is followed by a discussion of modifications to the auditor’s report, including matters that do not affect
the auditor’s opinion and those that do affect the auditor’s opinion.

UNMODIFIED AUDITOR’S REPORT

Guidance on issuing a standard (unmodified) auditor’s report is contained in ISA 700 (Revised) Forming
an Opinion and Reporting on Financial Statements. The issuing of a standard (unmodified) auditor’s report
signifies that the auditor has formed the opinion that the financial statements are prepared, in all material
respects, in accordance with the applicable financial reporting framework. The opinion that the financial
statements are prepared, in all material respects, in accordance with the applicable financial reporting
framework means that the auditor has concluded that they have obtained reasonable assurance that the
financial statements as a whole are free of material misstatement, whether due to fraud or error.

Pdf_Folio:251

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 251
 FIGURE 4.5 Types of auditor’s reports

Auditor’s report

Standard (unmodified) auditor’s report

(ISA 700 (Revised)) containing information
on material uncertainty related to Modifications to standard
going concern (ISA 570 (Revised)) (when auditor’s report
applicable), key audit matters (ISA 701)
and other information (ISA 720 (Revised))

Modifications to the auditor’s Modifications to the auditor’s

opinion (ISA 570 (Revised) report other than the opinion
and ISA 705 (Revised)) paragraph (ISA 706 (Revised))

Emphasis of Matter (ISA 706

Qualified
(Revised))

Other Matter (ISA 706

Disclaimer (Revised)) including
comparative information
(ISA 710)

Adverse

Source: CPA Australia 2019.

This conclusion will take into account whether:

(a) sufficient appropriate evidence has been obtained in accordance with ISA 330, which was discussed
in modules 2 and 3
(b) any uncorrected misstatements are material, either individually or in aggregate, in accordance with
ISA 450, which was discussed earlier in this module (ISA 700 (Revised), para. 11).
If the auditor concludes that a standard (unmodified) auditor’s report is appropriate, this is generally
communicated by the use of a standard format audit report. A measure of consistency in the format of
the auditor’s report is seen as desirable in order to make more readily identifiable those audits that have
been conducted in accordance with recognised auditing standards, and aiding the identification of any
modifications to the auditor’s report.
This standard format covers both the structure of the report and the wording. The structure comprises:
• ‘a title that clearly indicates that it is the report of an independent auditor’ (ISA 700 (Revised), para. 21)
• an addressee, outlining to whom the auditor’s report is addressed (ISA 700 (Revised), para. 22)
• an auditor’s opinion section, which includes the auditor’s opinion and also identifies the components
that comprise the financial statements that are covered by the audit (ISA 700 (Revised), paras 23–27)
• a basis for opinion section, which ‘states that the audit was [undertaken] in accordance with International
Standards on Auditing’, ‘includes a statement that the auditor is independent of the entity in accordance
with the relevant ethical requirements’, and has obtained sufficient appropriate audit evidence as a basis
for their opinion (ISA 700 (Revised), para. 28)
• a going concern section, which is included, where applicable, where the auditor is required to report in
accordance with ISA 570 (Revised) (ISA 700 (Revised), para. 29)
• a KAMs section, where for audits of listed companies, the auditor is required to report in accordance
with ISA 701 (ISA 700 (Revised), paras 30–31)
Pdf_Folio:252

252 Advanced Audit and Assurance

• an other information paragraph, where applicable, where the auditor reports their responsibilities for
other information contained in the annual report in accordance with ISA 720 (Revised) (ISA 700
(Revised), para. 32)
• a responsibilities of management for the financial statements section, which outlines the responsibility
of those charged with governance and/or management for the financial statements (ISA 700 (Revised),
paras 33–36)
• an auditor’s responsibilities for the audit of the financial statements section, which outlines the
responsibilities of the auditor (ISA 700 (Revised), paras 37–40)
• an other reporting responsibilities section, for those instances where the auditor may be required to report
on matters additional to their responsibility to report on the financial statements (ISA 700 (Revised),
paras 43–45)
• the name of the engagement partner (ISA 700 (Revised), para. 46)
• the signature of the engagement partner (ISA 700 (Revised), para. 47)
• the auditor’s address (ISA 700 (Revised), para. 48)
• the date of the auditor’s report (ISA 700 (Revised), para. 49).
Before discussing the key sections of the standard auditor’s report, we will explain the fair presentation
framework further.

Fair Presentation Framework

Financial statements are prepared to meet the information needs of users. ISA 700 (Revised) acknowledges
two financial reporting frameworks:
1. a fair presentation framework (a conceptual framework)
2. a compliance framework (a rule-based framework).
A fair presentation framework is a financial reporting framework that requires compliance with the
requirements of the framework, but in addition, provides some flexibility that allows management to:
• include additional disclosures to achieve fair presentation of the financial statements
• depart from the requirements of the framework, if necessary, to achieve fair presentation of the financial
statements. This should only be necessary in extremely rare circumstances (ISA 700, para. 7(b)).
As such, although a fair presentation framework requires compliance, it allows preparers some flexibility
so that a better presentation of the financial statements can be achieved to make them more relevant and
reliable to meet the needs of users.
When management prepares the financial statements in accordance with a compliance financial report-
ing framework, the preparers of the financial statements must strictly comply with the requirements of the
framework. In contrast to a fair presentation framework, no flexibility is permitted under a compliance
framework. The compliance financial reporting framework will be discussed further in module 5.
Preparers of financial statements need to inform users which financial reporting framework has been
used. If a fair presentation framework has been used, additional disclosures or any departure from the
framework must be prominently disclosed so that users can understand the reasons for such departures
and how it resulted in more relevant and reliable financial statements.
When expressing an unmodified opinion on financial statements prepared in accordance with a fair
presentation framework, the auditor’s opinion usually uses one of the following phrases, which are regarded
as being equivalent:
(a) The financial statements are presented fairly, in all material respects … in accordance with [the
applicable financial reporting framework].
(b) The financial statements give a true and fair view of … in accordance with [the applicable financial
reporting framework].

An Australian Perspective
Section 297 of the Corporations Act requires the auditor to give an opinion as to whether the accounts are
drawn up so as to give a true and fair view. It further states that this section does not affect the obligation
under section 296 for a financial report to comply with Australian Accounting Standards without exception.
If, however, directors do not believe that the financial report resulting from following associated standards
are true and fair, they must add such information in the notes to the financial report as is necessary to give
a true and fair view (s. 297).
In practice, in Australia, there are virtually no current examples of listed companies adding additional
notes in order to provide a true and fair view. If the auditors are of the view that the further information
Pdf_Folio:253

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 253
necessary to give a true and fair view is not disclosed, this would constitute a disagreement with
management and, if material, lead to a modified opinion. Again, in practice in Australia, there are virtually
no current examples of auditors of listed companies modifying the auditor’s report on this basis (Carson &
Zhang et al. 2016). These observations suggest that both management and auditors believe that preparation
of accounts in accordance with the current Australian Accounting Standards provides a true and fair view.

Material Uncertainty Related to Going Concern

Management is responsible, either explicitly or implicitly, for making an assessment of the entity’s ability
to continue as a going concern (ISA 570 (Revised), paras 3–5).
The responsibilities of the auditor are to:
obtain sufficient appropriate audit evidence regarding, and conclude on, the appropriateness of manage-
ment’s use of the going concern basis of accounting in the preparation of the financial statements, and to
conclude, based on the audit evidence obtained, whether a material uncertainty exists about the entity’s
ability to continue as a going concern (ISA 570 (Revised), para. 6).

Following an investigation of events or conditions indicating going concern problems and the completion
of additional audit procedures considered necessary in the circumstances, the auditor should conclude
whether a material uncertainty exists about the entity’s ability to continue as a going concern. The key
provisions of ISA 570 (Revised) relating to auditors’ reporting considerations when the going concern
basis is appropriate are summarised next. Auditor’s reporting considerations when the going concern basis
is not appropriate will be discussed later in this module.
Going Concern Basis is Appropriate
When the auditor is satisfied that there is a reasonable expectation that the entity will continue as a going
concern for the relevant period, the auditor should issue an unmodified opinion.
When ‘the auditor concludes that [the] use of the going concern basis of accounting is appropriate …
but a material uncertainty exists, the auditor shall determine whether the financial statements:
(a) Adequately disclose the principal events or conditions that may cast significant doubt on the entity’s
ability to continue as a going concern and management’s plans to deal with these events or conditions;
and
(b) Disclose clearly that there is a material uncertainty related to events or conditions that may cast
significant doubt on the entity’s ability to continue as a going concern and, therefore, that it may
be unable to realize its assets and discharge its liabilities in the normal course of business (ISA 570
(Revised), para. 19).
When there is adequate disclosure of the existing material uncertainty, the auditor shall express an
unmodified opinion and include a separate section under the heading ‘material uncertainty related to
going concern’. This paragraph should highlight the material uncertainty and draw attention to the note
in the financial statements where this matter is disclosed (ISA 570 (Revised), para. 22). An example of
such a paragraph that might be used in the auditor’s report can be found in the Appendix to ISA 570
(Revised), Illustration 1. Other instances where matters that could modify the audit report, but not the
auditor’s opinion, are discussed on page 262.
An example of a real-life ‘material uncertainty related to going concern’ paragraph is included in the
audit report extract presented as example 4.5. Review this example now.

EXAMPLE 4.5

Material Uncertainty Related to Going Concern — Simavita Ltd

We draw attention to Note 2(a) in the financial report, which indicates that the Group incurred a loss before
tax of $4 942 295 for year ended June 30, 2018 and net operating cash outflows during the same period
amounted to $4 061 777. The Group had a net current asset deficiency as at June 30, 2018 of $1 723 120
(2017: net current assets of $3 088 430). As a result, the continuing viability of the Group is dependent upon
continued support of its shareholders, successfully raising further capital, successfully implementing its
revenue growth and cost containment strategies. These conditions, along with other matters detailed in
Note 2(a) indicate that a material uncertainty exists that may cast significant doubt on the Group’s ability
to continue as a going concern. Our opinion is not modified in respect of this matter.
Source: Extracted from Simavita Limited, 2018 Annual Report, p. 50, accessed July 2019, https://www.asx.com.au/asx/
share-price-research/company/SVA
dP f_Folio:254

254 Advanced Audit and Assurance

 For another real-life example of this paragraph, refer to page 65 of the Tech Mpire Limited Annual
Report 2018 available on the Australian Securities Exchange (ASX) website: https://www.asx.com.au/
asxpdf/20180831/pdf/43xxhk92p72hkp.pdf
If the disclosures considered necessary by the auditor are not made in the financial statements, the
auditor shall express a qualified opinion or adverse opinion (depending on the auditor’s judgment of the
pervasiveness of the issue to the financial statements). These will be discussed further when qualified and
adverse opinions are discussed.
Evaluate the client’s circumstances provided in example 4.6 and then use your professional judgment
skills to identify the significant events or conditions that cast significant doubt on the client’s ability to
continue as a going concern.

EXAMPLE 4.6

Going Concern Issues

Stan Samson is the partner in charge of the audit for a new client, Southern Slumberland (SS). The client
engaged Stan’s audit firm in November 20X7, in preparation for the 20X8 audit. From 30 January 20X8
onwards, SS has consistently paid its suppliers late, well in excess of the suppliers’ agreed credit terms.
This has resulted in some suppliers demanding cash on delivery from SS. Stan is also aware from his review
of correspondence between SS and its bank that the entity has been experiencing cash flow problems
since 20X6.
............................................................................................................................................................................
Evaluate SS’s circumstances and identify any events or conditions that individually or collectively may cast
significant doubt on SS’s ability to continue as a going concern.
Check your response against the suggested answer at the end of the book.

Key Audit Matters

It is recognised that the auditor possesses a great deal of information about the entity and the audited
financial statements that users of the audited financial statements believe would be of great value to them
in their decision making. One of the major changes made to the auditor reporting standards is to disclose
this information under ISA 701 Communicating Key Audit Matters in the Independent Auditor’s Report.
Key audit matters (KAMs) are ‘those matters that, in the auditor’s professional judgment, were of most
significance in the audit of the [current period’s] financial statements’ (ISA 701, para. 8). The KAMs that
may be selected are from the population of those matters that are communicated to those charged with
governance (ISA 701, para. 9). It was anticipated by the standard setters that there would only be a small
number of such key matters disclosed in the auditor’s report and experience to date shows this is the case. For
example, 2017 statistics from analysis conducted across 42 countries by Ernst & Young (EY) show that:
• most audit reports covered between two and four KAMs (78%)
• the subject matter of the top three KAMs related to:
– impairment
– investment valuation
– revenue recognition.
Areas of significant auditor attention are often areas of complexity and/or areas involving significant
management judgment in the financial statements. They, therefore, often involve difficult or complex
auditor judgments.
In making this determination, the auditor takes into account:
(a) Areas of higher assessed risk of material misstatement, or significant risks identified in accordance
with ISA 315 (Revised) [discussed in module 2];
(b) Significant auditor judgments relating to areas in the financial statements that involved significant
management judgment, including accounting estimates that have been identified as having high
estimation uncertainty;
(c) The effect on the audit of significant events or transactions that occurred during the period (ISA 701,
para. 9).

Review figure 4.6: Determining and communicating key audit matters, which was developed by the
IAASB (2016) to provide an overview of how to determine which matters are KAMs, in accordance with
ISA 701, and what is communicated in respect of KAMs.
Pdf_Folio:255

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 255
 FIGURE 4.6 Determining and communicating key audit matters

The auditor takes into account the

Matters communicated
following in making this
with those charged
determination.
with governance
• Areas of higher assessed risk of
material misstatement, or
Matters that significant risks.
required • Significant auditor judgments
significant auditor relating to areas in the financial
attention statements that involved
significant management.
judgment, including accounting
KAM—matters of In certain limited estimates identified as having
most significance in KAM circumstances, if there are high estimation uncertainty.
the audit of the no KAMs to communicate, • Effect on the audit of significant
current period the auditor’s report events or transactions that
includes a statement to occurred during the period.
that effect.

Robust application guidance supports the auditor’s judgment

The nature and extent of communication with
those charged with governance provides an
indication of which matters are of most significance.
Other considerations in determining the
relative significance of a matter include:
• importance of the matter to intended users’
understanding of the financial statements
as a whole, in particular its materiality to the
financial statements
• nature of the underlying accounting policy or
complexity or subjectivity in management’s
selection of an appropriate accounting policy
• nature and materiality of corrected and
uncorrected misstatements related to the
matter
• nature and extent of audit effort needed to
address the matter
• nature and severity of difficulties in applying
audit procedures or obtaining relevant and
reliable audit evidence
• severity of any control deficiencies related to
the matter.
The concept of significant auditor attention
recognises that an audit is risk-based.
Accordingly, matters that pose challenges to the
auditor in obtaining sufficient appropriate audit
evidence or in forming an opinion on the financial
statements may be particularly relevant in
determining KAMs.
Areas of significant auditor attention often relate to
areas of complexity and significant management
judgment in the financial statements, and therefore
often involve difficult or complex auditor judgments.
In turn, this often affects the overall audit strategy,
allocation of resources, and extent of audit effort.
These effects may include, for example, the extent
of involvement of senior personnel on that audit
engagement or the involvement of an auditor’s
expert or individuals with expertise in a specialised
area of accounting or auditing, whether engaged or
employed by the firm to address these areas.

The description of KAM in the auditor’s report shall include a reference to the related
disclosure(s), if any, in the financial statements and shall address:

a) Why the matter was considered to be one of most significance in the audit and therefore
determined to be a key audit matter; and
b) How the matter was addressed in the audit.

Source: International Auditing and Assurance Standards Board (IAASB) 2016, Determining and Communicating Key Audit
Matters (‘KAM’), accessed July 2019, http://www.ifac.org/publications-resources/determining-and-communicating-key-
audit-matters. © July 2016 by the International Federation of Accountants (IFAC). All rights reserved. Reproduced with permission
of IFAC.

Pdf_Folio:256

256 Advanced Audit and Assurance

 Communication of KAMs in the auditor’s report is required for all audits of listed entities con-
ducted in accordance with ISAs, or when otherwise required by law or regulation (ISA 700 (Revised),
paras 30–31). In accordance with ISA 701 (para. 11), the auditor describes each KAM in a separate section
of the auditor’s report headed ‘Key Audit Matters’.
The introductory language in this section of the auditor’s report states that:
(a) Key audit matters are those matters that, in the auditor’s professional judgment, were of most
significance in the audit of the financial statements [of the current period]; and
(b) These matters were addressed in the context of the audit of the financial statements as a whole, and
in forming the auditor’s opinion thereon, and the auditor does not provide a separate opinion on these
matters (ISA 701, para. 11).

When the auditor modifies their opinion in accordance with ISA 705 (Revised) as a result of what they
have identified as a key matter, they do not include this matter in the KAMs section of the auditor’s report
(ISA 701, para. 12). Communicating KAMs cannot be a substitute for disclosures that management are
required to make in the financial statements.
The auditor uses an appropriate subheading to identify each KAM. The description of each matter in the
KAM section should include a reference to any related disclosure in the financial statements and should
outline:
(a) Why the matter was considered to be one of most significance in the audit and therefore determined to
be a key audit matter; and
(b) How the matter was addressed in the audit (ISA 701, para. 13).

The only circumstances in which a KAM is not communicated in the auditor’s report are when:
(a) Law or regulation precludes public disclosure about the matter; or
(b) In extremely rare circumstances, the auditor determines that the matter should not be communicated
in the auditor’s report because the adverse consequences of doing so would reasonably be expected
to outweigh the public interest benefits of such communication. This shall not apply if the entity has
publicly disclosed information about the matter (ISA 701, para. 14).

The auditor shall communicate those matters determined to be KAMs to those charged with governance,
or, if applicable, the auditor’s determination that there were no KAMs to communicate in the auditor’s
report (ISA 701, para. 17).
Research conducted by Fargher (2019) suggests that most issues included as KAMs do not improve the
quality of financial reporting as the majority of KAMs do not provide any new information to users of the
audited financial statements. Reasons quoted for this were because many of the KAMs related to known
current-year transactions or were disclosed in the previous years’ annual reports.
In New Zealand, the requirement to communicate KAMs in the auditor’s report for listed entities was
extended to cover audits of complete sets of general purpose financial statements for FMC reporting entities
(as defined in the Financial Markets Conduct Act 2013 (NZ) (FMC) s. 6(1)) that are considered to have a
higher level of public accountability (ISA (NZ) 700 (Revised), para. NZ30.1). For FMC reporting entities
other than listed issuers, this will become a requirement two years after the requirement to disclose KAMs
by listed entities, for periods ending on or after 31 December 2018 (ISA (NZ) 700 (Revised), para. NZ5.2).
The IAASB has prepared some example KAMs. One such illustrative example is included as
example 4.7. Review this example now.

EXAMPLE 4.7

KAM — Revenue Recognition

Revenue Recognition — Description of Why Subject Matter Was Identified as a KAM
The amount of revenue and profit recognised in the year on the sale of [name of product] and aftermarket
services is dependent on the appropriate assessment of whether or not each long-term aftermarket
contract for services is linked to or separate from the contract for sale of [name of product]. As the
commercial arrangements can be complex, significant judgment is applied in selecting the accounting
basis in each case. In our view, revenue recognition is significant to our audit as the Group might
inappropriately account for sales of [name of product] and long-term service agreements as a single
arrangement for accounting purposes and this would usually lead to revenue and profit being recognised
too early because the margin in the long-term service agreement is usually higher than the margin in
P df_Folio:257

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 257
 the [name of product] sale agreement (IAASB 2015, p. 5). Note: the auditor may refer to the related note
disclosure in the description of the KAM.
Revenue Recognition — Description of How the KAM Was Addressed in the Audit
Our audit procedures to address the risk of material misstatement relating to revenue recognition, which
was considered to be a significant risk, included:
• testing of controls, assisted by our own IT specialists, including, among others, those over input of
individual advertising campaigns’ terms and pricing; comparison of those terms and pricing data against
the related overarching contracts with advertising agencies; and linkage to viewer data
• detailed analysis of revenue and the timing of its recognition based on expectations derived from our
industry knowledge and external market data, following up variances from our expectations (IAASB
2015, p. 6.)

Example 4.8 shows KPMG’s reporting of one of the KAMs identified in the Qantas 2018 Annual Report.
Review this example now and then compare to the example provided by IAASB shown in example 4.7.

EXAMPLE 4.8

Revenue Recognition KAM — Qantas 2018 Annual Report

The Key Audit Matter How the matter was addressed in our audit

Recognition of passenger revenue is a key
audit matter due to:
• its financial significance
• the high volume of relatively low value
passenger tickets
• accounting process complexity arising
from a variety of ticket conditions and
points of sale.
Our audit effort was directed to assessing
these conditions, in particular the
accounting process complexity, which is
influenced by:
• the use of multiple systems and their
interface and interactions with agents,
other airlines and industry bodies given
the possible variations in the method of
purchasing and modifying tickets
• the accuracy of automated revenue
recognition within the Group’s systems
and consistency with accounting
standards, given the Group’s dependence
on automated processes for recording
ticket sales and recognising revenue at
passenger flight date
• the application of estimates to recognise
revenue for the proportion of tickets that
are unused on the scheduled flight date,
but with terms and conditions that allow
future usage
• manual revenue recognition processes
related to tickets identified as exceptions
to automated rules.
Given the dependence on systems and
controls, we involved our IT specialists in
addressing this key audit matter.
Working with our IT specialists, our procedures included
the following.
• Analysing the end to end flow of ticket information
through passenger revenue systems and evaluating
the logic of accounting outputs against accounting
standards.
• Evaluating the accurate processing of tickets and
associated accounting outcomes in internal passenger
revenue systems. We did this by testing the key controls
restricting access to appropriate users and preventing
unauthorised changes to the systems. We tested key
controls within the system that relate to ticket validation
and the recognition of revenue at flight date.
• Testing key controls related to manual changes to
revenue accounting records where tickets have been
identified as exceptions to automated validation.
• Assessing the historical accuracy of the Group’s
expectation of the proportion of tickets that will expire
unused after scheduled flight date by comparing
previous estimates to actual outcomes.
• Checking the accurate calculation and use of source
system reports in the Group’s expectation of the
proportion of tickets that will expire unused after
scheduled flight date.
• Analysing passenger revenue recognised by comparison
to an expectation created using key revenue indicators,
external data and knowledge of the Group.
• Testing of balance sheet reconciliations including
comparing to source systems and information available
post year-end.

Source: Qantas 2018, Annual Report, accessed July 2019, https://investor.qantas.com/investors/?page=annual-reports

df_Folio:258
P

258 Advanced Audit and Assurance

 QUESTION 4.8

Consider the following scenarios and then determine which of these issues are likely to be disclosed
by the auditor as a KAM. Justify your conclusions.
(a) The determination of the amount of the write-down of goodwill, which is a significant balance in
the client’s financial statements and the write-down has been determined as a significant risk.
(b) The risk of fluctuations in the market price of oil for an oil production company.
(c) A complex judgment about the most appropriate basis for revenue recognition.
(d) A disagreement with management about the carrying value of a non-current asset.

Other Information Contained in the Annual Report

ISA 720 (Revised) The Auditor’s Responsibilities Relating to Other Information outlines the appropriate
response by the auditor when the annual report includes other unaudited information that could undermine
the credibility of the financial statements and the auditor’s report. Examples of this other information are:
1. Management report, management commentary, or operating and financial review or similar reports by
those charged with governance (for example, a directors’ report):
2. Chairman’s statement;
3. Corporate governance statement; and
4. Internal control and risk assessment reports (ISA 720 (Revised), para. A3).

The auditor is required to read and consider the other information contained in the annual report
(ISA 720 (Revised), para. 14). This is because other information that is materially inconsistent with the
financial statements or the auditor’s knowledge obtained in the audit may indicate that there is a material
misstatement of the financial statements or that a material misstatement of the other information exists.
Either of these may undermine the credibility of the financial statements and the auditor’s report. It is also
recognised that such material misstatements may also inappropriately influence the economic decisions
of the users for whom the auditor’s report is prepared. When other information is incorrectly stated or
otherwise misleading, a misstatement may exist. For example, when the other information paragraph
omits or obscures information that is necessary to properly understand the matter disclosed in the other
information section.
If the auditor identifies that a material inconsistency appears to exist …, [they should] discuss the matter
with management and, if necessary, perform other procedures to conclude whether:
(a) a material misstatement of the other information exists;
(b) a material misstatement of the financial statements exists; or
(c) the auditor’s understanding of the entity and its environment needs to be updated (ISA 720 (Revised),
para. 16).

If it is considered necessary to revise the audited financial statements prior to the date of the auditor’s
report and management refuses to make the revision, the auditor should modify their opinion in accordance
with ISA 705 (ISA 720 (Revised), para. 20).
If the auditor concludes that a material misstatement exists in the other information obtained prior to the
date of the auditor’s report, and the other information is not corrected after communicating with those
charged with governance, the auditor shall take appropriate action, including:

(a) Considering the implications for the auditor’s report and communicating with those charged with
governance about how the auditor plans to address the material misstatement in the auditor’s report; or
(b) Withdrawing from the engagement, where withdrawal is possible under applicable law or regulation
(ISA 720 (Revised), para. 18).

If the other information is obtained after the date of the auditor’s report and the auditor concludes
that a material misstatement exists and is not corrected after communicating with those charged with
governance, the auditor should ‘take appropriate action considering [their] legal rights and obligations
to seek to have the uncorrected material misstatement appropriately brought to the attention of users for
whom the auditor’s report is prepared’ (ISA 720 (Revised), para. 19).

Pdf_Folio:259

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 259
 In practice, in most countries, it would be very rare that material inconsistencies in the other information
were not corrected after these inconsistencies were communicated to those charged with governance. In
Australia, the withdrawal from the engagement is not permitted for audits undertaken in accordance with
the Corporations Act.
ISA 720 (Revised) requires the auditor’s report to contain:
‘a separate section … ‘Other Information’ …, when, at the date of the auditor’s report:
(a) For an audit of financial statements of a listed entity, the auditor has obtained, or expects to obtain, the
other information; or
(b) For an audit of financial statements of an entity other than a listed entity, the auditor has obtained some
or all of the other information (ISA 720 (Revised), para. 21).

This section outlines the auditor’s responsibility for this other information. It will include:
(a) A statement that management is responsible for the other information;
(b) An identification of:
(i) Other information, if any, obtained by the auditor prior to the date of the auditor’s report; and
(ii) For an audit of financial statements of a listed entity, other information, if any, expected to be
obtained after the date of the auditor’s report;
(c) A statement that the auditor’s opinion does not cover the other information and, accordingly, that the
auditor does not express an audit opinion or any form of assurance conclusion thereon;
(d) A description of the auditor’s responsibilities relating to reading, considering and reporting on other
information as required by this ISA … (ISA 720 (Revised), para. 22).

Examples of reports that the auditor does not need to consider because they are outside the scope of the
audit, when issued as standalone documents rather than as part of the annual report, include:
1. Separate industry or regulatory reports (for example, capital adequacy reports), such as may be prepared
in the banking, insurance, and pension industries.
2. Corporate social responsibility reports.
3. Sustainability reports.
4. Diversity and equal opportunity reports.
5. Product responsibility reports.
6. Labour practices and working conditions reports.
7. Human rights reports (ISA 720 (Revised), para. A5).

You should now read ISA 720 (Revised), paragraphs 11–25 and related application material to
confirm your understanding of the auditor’s responsibilities with regards to other information in
documents containing audited financial statements.

Independence Declarations
It will be noted that the standard format report is headed ‘Independent Auditor’s Report’, and it says
the auditor is independent of the company in accordance with the International Ethics Standards Board for
Accountants (IESBA) Code and other relevant ethical requirements in the jurisdiction (ISA 700 (Revised),
para. 28(c)).
In Australia, a further independence declaration is also currently required of the auditors. It is seen
as important that the auditor makes such a statement and communicates this to the financial statement
users. This has been imposed in Australia through the Corporations Act, which requires auditors,
when undertaking audits of companies, registered schemes or disclosing entities, to abide by certain
independence requirements.
Section 307C of the Corporations Act requires the individual auditor or lead auditor in a firm or company
to give the directors of the audited entity a declaration that there have been no contraventions of the auditor
independence requirements of the Corporations Act or any applicable ethics code or code of professional
conduct. The declaration can be either an unqualified declaration or a qualified declaration; however,
when a qualified declaration is given, the auditor is required to disclose in the declaration the details of
the contraventions. Failure to give the declaration is a strict liability offence. However, section 307C(7)
provides some indemnity safeguards. Under section 298(1)(c), the declaration is required to be included
in the directors’ report for that year.
Example 4.9 shows the ‘Auditor’s independence declaration’ from the ASX Annual Report 2018. The
declaration is included just after the Director’s report. Read this example now.
Pdf_Folio:260

260 Advanced Audit and Assurance

 EXAMPLE 4.9

Auditor’s Independence Declaration

Auditor’s Independence Declaration
As lead auditor for the audit of ASX Limited for the year ended 30 June 2018, I declare that to the best of
my knowledge and belief, there have been:
(a) no contraventions of the auditor independence requirements of the Corporations Act 2001 in relation
to the audit; and
(b) no contraventions of any applicable code of professional conduct in relation to the audit.
This declaration is in respect of ASX Limited and the entities it controlled during the period.
Matthew Lunn
Partner
PricewaterhouseCoopers
Sydney, 16 August 2018
Source: PricewaterhouseCoopers 2018, ‘Auditor’s independence declaration’, in ASX Limited, ASX Annual Report 2018,
p. 53, accessed July 2019, https://www.asx.com.au/documents/investor-relations/AnnualReport2018.pdf. Reproduced with
permission of PricewaterhouseCoopers.

Along the same lines as the independence declarations, and because of concerns about the impact of the
provision of non-audit services on auditor independence in Australia, section 300(11B) of the Corporations
Act also requires the board of directors of a listed company to provide a statement in the annual report that
identifies all non-audit services provided by the audit firm and the fees applicable to each category of
non-audit service. The section also requires the report to include a statement by the directors that they are
satisfied that the provision of non-audit services is compatible with the general standard of independence
and an explanation of why those non-audit services do not compromise audit independence. Section
300(11D) requires that where the listed company has an audit committee, this statement must be made
in accordance with advice provided by that committee.
Independence requirements were discussed in module 2.
Example 4.10 shows the ‘Directors’ declaration of satisfaction with independence of auditor’ from the
ASX Annual Report 2018. This declaration is included as part of the Director’s report. Review the example
now.

EXAMPLE 4.10

Directors’ Declaration of Satisfaction With Independence of Auditor

Directors’ Declaration of Satisfaction With Independence of Auditor
The board of directors has considered the non-audit services provided during the year by the auditor and
in accordance with written advice provided by resolution of the Audit and Risk Committee, is satisfied
that the provision of those non-audit services is compatible with, and did not compromise, the auditor
independence requirements of the Corporations Act 2001 for the following reasons.
• Non-audit services were subject to the corporate governance procedures adopted by the Group and
have been reviewed by the Audit and Risk Committee.
• Non-audit services provided do not undermine the general principles relating to auditor independence
as set out in APES 110 Code of Ethics for Professional Accountants, as they did not involve reviewing or
auditing the auditor’s own work, acting in a management or decision-making capacity for the Company,
acting as an advocate for the Company or jointly sharing risks and rewards.
A copy of the Auditor’s independence declaration as required under section 307C of the Corporations Act
2001 is on page 53.
Source: ASX Limited 2018, ‘Directors’ report’, in ASX Limited, ASX Annual Report 2018, p. 52, accessed July 2019,
https://www.asx.com.au/documents/investor-relations/AnnualReport2018.pdf. Reproduced with permission of Pricewater-
houseCoopers.

QUESTION 4.9

The financial statements of a company for the current year show an operating profit after tax of
$50 million and share capital and reserves totalling $100 million. The auditor decided to issue an
unmodified opinion in each of the following cases.
P df_Folio:261

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 261
 (a) The auditor was unable to attend the physical count of inventories that were held at international
locations totalling $200 million but was satisfied, by other means, of their existence and
condition.
(b) The company is the defendant in a lawsuit involving a claim against the company for $20 million.
No provision has been made in the financial statements because the company’s legal counsel
is firmly of the opinion that the company’s defence will prove successful.
(c) The company is the defendant in a lawsuit involving a claim against the company for $2 million.
Based on legal advice, the directors hope to settle out of court for $100 000; however, no
provision has been made for this eventuality in the financial statements, as the directors feel
it would prejudice their negotiations.
(d) In the auditor’s opinion, the allowance for doubtful debts is understated by $100 000.
Explain the circumstances under which the auditor could be justified in issuing an unmodified
opinion in each case.

SMEs — Unmodified Auditor’s Report

For audits of financial statements of SMEs conducted in accordance with ISAs, where KAMs are not
presented, the wording of the unmodified auditor’s report is standard. However, there will be exceptions,
such as in situations where an Emphasis of Matter is required (discussed later).

MODIFIED AUDITOR’S REPORT

The standard auditor’s report may need to be modified in certain situations. There are two broad categories
of modifications:
• matters that modify the audit report but do not affect the auditor’s opinion
• matters that modify the audit report and affect the auditor’s opinion.
Matters That Modify the Audit Report But Do Not Affect the
Auditor’s Opinion
ISA 706 (Revised) Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent
Auditor’s Report covers the auditor’s responsibility regarding:
… additional communication in the auditor’s report when the auditor considers it necessary to:
(a) Draw users’ attention to … matters presented or disclosed in the financial statements that are of such
importance that they are fundamental to users’ understanding of the financial statements; or
(b) Draw users’ attention to … matters other than those presented or disclosed in the financial statements
that are relevant to users’ understanding of the audit, the auditor’s responsibilities or the auditor’s report
(ISA 706 (Revised), para. 1).
A paragraph included in the auditor’s report that describes a matter under paragraph (a) is known as an
Emphasis of Matter paragraph. A paragraph included in the auditor’s report that describes a matter under
paragraph (b) is known as an other matter paragraph (ISA 706 (Revised), para. 7). Note these matters
do not affect the auditor’s opinion, but they do modify the auditor’s report from the standard unmodified
auditor’s report.
Emphasis of Matter Paragraph
In some cases, the auditor considers it necessary to draw the reader’s attention to a matter presented
or disclosed in the financial statements (usually in the notes to the financial statements) that is of such
importance that the auditor considers it is fundamental to the users’ understanding of the financial
statements. When the auditor determines that this is appropriate, the auditor includes an Emphasis of
Matter paragraph in the auditor’s report provided that they have ‘obtained sufficient appropriate audit
evidence that the matter is not materially misstated in the financial statements’. This paragraph should not
contain any new information, but should refer only to information presented or disclosed in the financial
statements (ISA 706 (Revised), para. 9).
An Emphasis of Matter paragraph is not a modification to the auditor’s opinion, and care needs to
be taken to ensure that this is clear to the user of the auditor’s report when describing the matter. This
is achieved by two principal actions. First, the paragraph should be placed ‘within a separate section of
the auditor’s report with an appropriate heading that includes the term “Emphasis of Matter”’ (ISA 706
(Revised), para. 9(a)). Second, the paragraph should clearly communicate ‘that the auditor’s opinion is not
modified in respect of the matter emphasized’ (ISA 706 (Revised), para. 9(c)) by use of words such as,
‘Our opinion is not modified in respect of this matter’.
df_Folio:262
P

262 Advanced Audit and Assurance

 The circumstances that may result in an Emphasis of Matter paragraph are not restricted, although
examples of circumstances where the auditor may consider it necessary to include an Emphasis of Matter
paragraph are outlined in the application material to ISA 706. For example, matters where the audit opinion
is not modified and an Emphasis of Matter paragraph may be required include:
• An uncertainty relating to the future outcome of exceptional litigation or regulatory action;
• A significant subsequent event that occurs between the date of the financial statements and the date of
the auditor’s report;
• Early application (where permitted) of a new accounting standard [e.g. a new International Financial
Reporting Standard] that has a material effect on the financial statements; and
• A major catastrophe that has had, or continues to have, a significant effect on the entity’s financial
position (ISA 706 (Revised), para. A5).

The auditor is cautioned that the widespread use of Emphasis of Matter paragraphs diminishes the
effectiveness of the auditor’s communication of such matters.
Example 4.11 provides an example of an Emphasis of Matter paragraph in an auditor’s report. Review
this example now.

EXAMPLE 4.11

Example of Emphasis of Matter Paragraph Relating to Uncertainty of a

Future Outcome
Emphasis of Matter
We draw attention to Note X of the financial statements, which describes the effects of a fire in the
Company’s production facilities. Our opinion is not modified in respect of this matter.
Source: International Auditing and Assurance Standards Board (IAASB) 2018a, ISA 706 (Revised) Emphasis of Matter
Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report, in Handbook of International Quality Control,
Auditing, Review, Other Assurance, and Related Services Pronouncements, 2018–19 edn, vol. 1, p. 827, accessed July 2019,
https://www.ifac.org/publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance

For an example of an Emphasis of Matter paragraph, refer to the Independent auditor’s report to the
members of Cochlear Ltd available at: https://www.cochlear.com/intl/about/investor/annual-reports,
See pages 103–104, in particular page 103.

QUESTION 4.10

Consider the following scenarios and then determine whether the auditor might consider it
necessary to include an Emphasis of Matter paragraph. Justify your conclusions.
(a) The auditor has determined that the write-down of goodwill is a significant risk, but is satisfied
that the client has appropriately determined and disclosed the amount of the write-down.
(b) The auditor becomes aware that a significant proportion of an entity’s operating facilities has
been destroyed in a fire after year-end but before they have signed the auditor’s report.
(c) The auditor has concerns as to whether the entity will continue as a going concern, but is
satisfied that there is adequate disclosure of the uncertainty in the notes to the financial
statements.

We now turn our attention to when Other Matter paragraphs are relevant.
Other Matter Paragraph
The inclusion of an Other Matter paragraph in the auditor’s report provides the auditor with the ability to
draw the user’s attention to any other matter that is not presented or disclosed in the financial statements
that they believe are sufficiently important to highlight and are relevant to the users’ understanding of the
audit, the auditor’s responsibilities or the auditor’s report (ISA 706 (Revised), para. 10).
Circumstances in which an Other Matter paragraph may be necessary include:
• where it is not possible to withdraw from the audit even though a limitation imposed by management
on the scope of the audit is pervasive (a matter relevant to the users’ understanding of the audit)
• where national regulations require or permit the auditor to further elaborate on their responsibilities in
the audit (a matter relevant to the users’ understanding of the auditor’s responsibilities)
Pdf_Folio:263

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 263
• where the auditor’s report covers more than one set of financial statements, both prepared in accordance
with general purpose financial frameworks, such as a national framework and International Financial
Reporting Standards (a matter relating to reporting on more than one set of financial statements) (ISA
706 (Revised), paras A9–A14).
Another area that can give rise to an Other Matter paragraph is comparative information included in the
financial statements.
Comparative Information
For comparative financial statements, the auditor is required to include this statement in an Other Matter
paragraph in the auditor’s report ‘unless the predecessor auditor’s report on the prior period’s financial
statements is reissued with the financial statements’ (ISA 710, para. 17).
ISA 710 Comparative Information — Corresponding Figures and Comparative Financial Statements
establishes standards and provides guidance to auditors as to their responsibilities with respect to
comparative information in an audit of financial statements. However, the principles espoused in
ISA 710 should also be applied to the audits of special purpose financial statements, which are discussed
in module 5. Comparative financial information is the amounts and disclosures included in the financial
statements in respect of one or more prior periods in accordance with the applicable financial reporting
framework. It is recognised that internationally, there are many differences in the types of comparative
information that is required to be disclosed under the various reporting frameworks. ISA 710 distinguishes
between two various broad approaches to the auditor’s reporting responsibilities in respect of such
comparative information:
• corresponding figures
• comparative financial statements (ISA 710, para. 2).
Corresponding figures is defined as:

Comparative information where amounts and other disclosures for the prior period are included as an
integral part of the current period financial statements, and are intended to be read only in relation to
the amounts and other disclosures relating to the current period (ISA 710, para. 6b).

Comparative financial statements are defined as:

Comparative information where amounts and other disclosures for the prior period are included for
comparison with the financial statements of the current period and, if audited, are referred to in the auditor’s
opinion. The level of information included in those comparative financial statements is comparable with
that of the financial statements of the current period (ISA 710, para. 6c).

The distinction between corresponding figures and comparative financial statements in the international
auditing standards is because the auditing standards have become more complex as they need to be applied
to multiple jurisdictions. The main question to ask is ‘Does the auditor’s report explicitly refer to the
comparative information?’
When corresponding figures are presented, the auditor’s opinion does not refer to the corresponding
figures because the auditor’s opinion is on the current period’s financial statements as a whole, including
the corresponding figures (ISA 710, paras 10 and A2).
For comparative financial statements:
Because the auditor’s report on comparative financial statements applies to the financial statements for each
of the periods presented, the auditor may express a qualified opinion or an adverse opinion, disclaim an
opinion, or include an Emphasis of Matter paragraph with respect to one or more periods, while expressing
a different auditor’s opinion on the financial statements of another period (ISA 710, para. A9).

The audit procedures for any comparative information are similar. The auditor needs to determine
whether the financial statements contain the required comparative information and whether this infor-
mation is appropriately classified. To do this, the auditor evaluates whether:
(a) The comparative information agrees with the amounts and other disclosures presented in the prior
period or, when appropriate, have been restated; and
(b) The accounting policies reflected in the comparative information are consistent with those applied
in the current period or … whether those changes have been properly accounted for and adequately
presented and disclosed (ISA 710, para. 7).
Pdf_Folio:264

264 Advanced Audit and Assurance

 For corresponding figures, in the circumstances where the prior period financial statements were audited
by a predecessor auditor and there is no prohibition by law or regulation from referring to the predecessor
auditor’s report on the corresponding figures, the auditor can state in an Other Matter paragraph in the
auditor’s report:
(a) That the financial statements of the prior period were audited by the predecessor auditor;
(b) The type of opinion expressed by the predecessor auditor and, if the opinion was modified, the reasons
therefore; and
(c) The date of that report (ISA 710, para. 13).

For both corresponding figures and comparative financial statements, if the prior period financial
statements were not audited, the auditor is required to state this in an Other Matter paragraph. Even after
making such a statement, the auditor needs to obtain ‘sufficient appropriate audit evidence that the opening
balances do not contain misstatements that materially affect the current period’s financial statements’
(ISA 710, paras 14, 19).
You should now read ISA 710, paragraphs 7–19, and related application material to confirm your
understanding of its requirements.

QUESTION 4.11

Determine if the following situation is an instance of auditing corresponding figures or comparative

financial statements. Justify your conclusion.
A company issues an auditor’s report that contains the following audit opinion:

In our opinion, the financial statements referred to above present fairly, in all material respects,
the financial position of XYZ Company as at December 31 20X1 and 20X0 and the results of its
operations and its cash flows for each of the years in the three-year period ended 31 December
20X1, and are in conformity with generally accepted accounting principles in the United States
of America.

Matters that Modify the Audit Report and Affect the Auditor’s Opinion
ISA 705 (Revised) establishes standards and provides guidance to the auditor about the form and content
of any modifications to the standard auditor’s opinion that are required. This standard, which covers
matters that modify the auditor’s report and affect the auditor’s opinion (resulting in a qualified opinion,
disclaimer of opinion or adverse opinion), needs to be distinguished from ISA 706 (Revised), which
covers matters (referred to as ‘Emphasis of Matter’ or ‘Other Matter’) that modify the standard auditor’s
report but do not modify the auditor’s opinion.
If the auditor is unable to issue an unmodified opinion, the auditor has a choice of issuing the following
modified opinions:
• a qualified opinion
• an adverse opinion
• a disclaimer of opinion (also known as an inability to form an opinion) (ISA 705 (Revised), para. 2).
The auditor’s decision as to which type of modified opinion is appropriate depends on:
(a) The nature of the matter giving rise to the modification, that is, whether the financial statements are
materially misstated or, in the case of an inability to obtain sufficient appropriate audit evidence, may
be materially misstated; and
(b) The auditor’s judgment about the pervasiveness of the effects or possible effects of the matter on the
financial statements (ISA 705 (Revised), para. 2).

Pervasive means that the effects or possible effects of misstatements are usually not confined to specific
elements, accounts or items in the financial statements. The concept was discussed earlier in this module.
The form and content of the standard (unmodified) auditor’s report changes when a modification to the
auditor’s opinion is issued. The opinion itself should be modified as discussed in the next section, and the
headings ‘Qualified Opinion’, ‘Adverse Opinion’ or ‘Disclaimer of Opinion’ shall be used as appropriate
(ISA 705 (Revised), para. 16). The use of these headings makes it clear to the reader that a modified opinion
of a particular type has been issued.
Pdf_Folio:265

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 265
 In addition to the specific elements required by ISA 700 (Revised), an additional section, outlining the
basis for modification, is added to the auditor’s report. This section should adequately describe the reasons
for the modification. It is placed immediately after the opinion paragraph in the auditor’s report in order
to provide the financial statement user with the context and rationale for the auditor’s opinion. The section
should be headed:
• Basis for Qualified Opinion
• Basis for Adverse Opinion
• Basis for Disclaimer of Opinion, as appropriate (ISA 705 (Revised), para. 20).
If there are specific amounts in the financial statements that are materially misstated, the basis for the
modification section should, if practical, include a description and quantification of the financial effects of
the misstatement (ISA 705 (Revised), para. 21). For example, if inventory is overstated, the auditor may
quantify the effect on income tax, income before taxes, net income and equity. If it is not practicable to
quantify the financial effects, a statement to this effect shall be included in the paragraph.
The form and content of the modified auditor’s report for each of these audit opinions are discussed
next.
Matters Giving Rise to a Modified Opinion and the Type of Modification
The matters giving rise to a modified opinion and the type of modification are outlined in figure 4.7. There
are two categories of matters giving rise to the need for a modified audit opinion:
• the financial statements are materially misstated
• the auditor is unable to obtain sufficient appropriate audit evidence.

FIGURE 4.7 The auditor’s judgment and the type of modified opinions to be expressed

Nature of matter
giving rise to Cannot obtain sufficient
Financial statements are
the modification appropriate audit
materially misstated
evidence

Financial statements may

be misstated

Auditor’s judgment
about effects on the Is the effect/possible Is the effect/possible
financial statements effect on the financial effect on the financial
statements pervasive? statements pervasive?

Yes No Yes No

Type of
modified opinion Adverse Qualified Disclaimer of Qualified
opinion opinion opinion opinion

Source: International Auditing and Assurance Standards Board (IAASB) 2018a, ISA 705 (Revised) Modifications to the Opinion in
the Independent Auditor’s Report, para. A1, in Handbook of International Quality Control, Auditing, Review, Other Assurance, and
Related Services Pronouncements, 2018–19 edn, vol. 1, p. 788, accessed July 2019, https://www.ifac.org/publications-resources/
2018-handbook-international-quality-control-auditing-review-other-assurance

Material misstatements may arise when there is a disagreement between the auditor and management
in relation to:
(a) the appropriateness of the accounting policies selected by management, such as the choice of an
accounting policy that is not allowed under the applicable financial reporting framework
(b) the method by which selected accounting policies have been applied, such as management applying
an accounting policy inconsistently to similar transactions
(c) the appropriateness or adequacy of disclosures in the financial statements, such as the omission of
certain disclosures required by the applicable financial reporting framework.
Pdf_Folio:266

266 Advanced Audit and Assurance

The auditor’s inability to obtain sufficient appropriate audit evidence may arise from:
(a) circumstances that are beyond the control of the entity, such as an entity’s records having been destroyed
by fire
(b) circumstances relating to the nature or timing of the auditor’s work, such as the auditor being appointed
after year-end and being unable to attend the inventory stocktake
(c) limitations imposed by management, such as the entity refusing the auditor’s request to undertake a
debtors’ confirmation procedure with certain debtors.
The auditor is particularly concerned about limitations imposed by management, and if they become
aware of these limitations after accepting an engagement and consider them likely to result in the issuing
of a qualified opinion or disclaimer of opinion, they should request that management remove the limitation
(ISA 705 (Revised), para. 11). If management refuses to remove the limitation, the auditor should then
discuss this with those charged with governance and determine whether they can undertake alternative
procedures to obtain sufficient appropriate audit evidence (ISA 705 (Revised), para. 12). If the auditor is
unable to obtain sufficient appropriate audit evidence and:
(a) … concludes that the possible effects on the financial statements of undetected misstatements, if any,
could be material but not pervasive, the auditor shall qualify the opinion; or
(b) … concludes that the possible effects on the financial statements of undetected misstatements, if any,
could be both material and pervasive so that a qualification of the opinion would be inadequate to
communicate the gravity of the situation, the auditor shall:
(i) Withdraw from the audit, where practicable and possible under applicable law or regulation; or
(ii) If withdrawal from the audit before issuing the auditor’s report is not practicable or possible,
disclaim an opinion on the financial statements (ISA 705 (Revised), para. 13).
A more complete discussion of the circumstances giving rise to the various forms of modified opinions
is contained in the Application and other explanatory material section to ISA 705 (Revised). Read
ISA 705 (Revised), paragraphs A1–A16 now.
Example 4.12 demonstrates the evaluation of Idealic Pty Ltd’s circumstances to determine whether an
unmodified opinion can be issued for the subsidiary and the determination of the type of audit opinion for
the consolidated financial statements. Review this example now.

EXAMPLE 4.12

Idealic Pty Ltd

Idealic Ltd is a food manufacturer that has a home office in Hong Kong and subsidiary companies in
Australia and South America. The subsidiary in Australia, Idealic (Australia) Pty Ltd, produces almonds
while the subsidiary in South America, Idealic (SA) Pty Ltd, produces sultanas. There are significant inter-
entity transactions between the two subsidiary companies. The operations in South America contribute
about 25% of consolidated revenue, although it is a break-even situation, and comprise about 15% of
consolidated assets. The year-end is 31 December. Recent political unrest and fear of military dictatorship
in the South American country in which the Idealic subsidiary is based has meant that since year-end, staff
have had to be withdrawn from that country. Therefore, the accounts required for consolidation cannot be
prepared in time for reporting deadlines. The auditor has to provide separate opinions on the Australian
subsidiary, Idealic (Australia) Pty Ltd, as well as the consolidated entity Idealic Ltd.
............................................................................................................................................................................
(a) Under what circumstances (if any) could the auditor issue an unmodified opinion on the financial statements
of the subsidiary Idealic (Australia) Pty Ltd?
(b) What type of opinion should the auditor issue on the financial statements of the consolidated entity
Idealic Ltd? Justify your decision.
Check your response against the suggested answer at the end of the book.

QUESTION 4.12

Evaluate the following scenarios and conclude whether they result in a material misstatement
or scope limitation. Identify the type of modifications to the audit opinion that would be most
appropriate in each case.

P df_Folio:267

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 267
 (a) The audit client is required to equity account its investment in an overseas company in
accordance with the applicable financial reporting framework, but the auditor is not able to
obtain sufficient information about the associated entity’s financial performance and position
to determine whether the equity accounting method has been appropriately applied.
(b) Based on testing of a sample of potentially obsolete inventory, the auditor concludes that the
client has under-provided for inventory write-off by 30%.
(c) The audit client has requested the auditor not to confirm a debt with a government department
on the basis that it is in confidential discussions with this department for a possible significant
contract.

Now that the matters giving rise to a modified opinion have been discussed, we turn our attention to the
three types of modified opinions — starting with the qualified opinion.
Qualified Opinion
The auditor should issue a qualified opinion when, after having obtained sufficient appropriate audit
evidence, they conclude that uncorrected misstatements, either individually or in the aggregate, are
material, but not pervasive, to the financial statements or, if unable to obtain sufficient appropriate audit
evidence, that the possible effects of undetected misstatements on the financial statements are potentially
material, but not pervasive (ISA 705 (Revised), para. 7). Therefore, in order to issue a qualified opinion,
the issue of concern must be of a material nature, but not so pervasive that the financial statements cannot
be relied upon (which would result in an adverse opinion), or that the auditor cannot determine whether
the financial statements can be relied upon (which would result in a disclaimer of opinion).
Thus, the auditor is stating that in their opinion, except for the reservations outlined, the remainder
of the financial statements can be relied upon. As outlined previously, the auditor should quantify any
reservations so that the user can adjust the information contained in the financial statements.
Qualified opinions are the most common of the three forms of modified opinions observed in practice,
although they are still issued relatively infrequently. The more serious forms of qualification, to be discussed
later, are rarely seen in practice. The fact that qualifications are rare is likely to increase their sanctioning
power; if qualifications were common, management would be less concerned about receiving one.
An example of a modified auditor’s report, outlining the basis for the qualified opinion and the
qualification, is given in example 4.13. Review this example now.

EXAMPLE 4.13

Basis for Modification and Audit Opinion Paragraph for a

Qualified Opinion
Qualified Opinion
We have audited the financial statements of ABC Company (the Company), which comprise the statement
of financial position as at December 31, 20X1, and the statement of comprehensive income, statement
of changes in equity and statement of cash flows for the year then ended, and notes to the financial
statements, including a summary of significant accounting policies.
In our opinion, except for the effects of the matter described in the Basis for Qualified Opinion section
of our report, the accompanying financial statements present fairly, in all material respects, (or give
a true and fair view of) the financial position of the Company as at December 31, 20X1, and (of) its
financial performance and its cash flows for the year then ended in accordance with International Financial
Reporting Standards (IFRSs).
Basis for Qualified Opinion
The company’s inventories are carried in the statement of financial position at xxx. Management has not
stated the inventories at the lower of cost and net realizable value but has stated them solely at cost,
which constitutes a departure from IFRSs. The company’s records indicate that, had management stated
the inventories at the lower of cost and net realizable value, an amount of xxx would have been required
to write the inventories down to their net realizable value. Accordingly, cost of sales would have been
increased by xxx, and income tax, net income and shareholders’ equity would have been reduced by xxx,
xxx and xxx, respectively.
We conducted our audit in accordance with International Standards on Auditing (ISAs). Our responsi-
bilities under those standards are further described in the Auditor’s Responsibilities for the Audit of the
Financial Statements section of our report. We are independent of the Company in accordance with the
ethical requirements that are relevant to our audit of the financial statements in [jurisdiction], and we have
df_Folio:268
P

268 Advanced Audit and Assurance

 fulfilled our other ethical responsibilities in accordance with these requirements. We believe that the audit
evidence we have obtained is sufficient and appropriate to provide a basis for our qualified opinion.
Source: International Auditing and Assurance Standards Board (IAASB) 2018a, ISA 705 (Revised) Modifications
to the Opinion in the Independent Auditor’s Report, in Handbook of International Quality Control, Auditing,
Review, Other Assurance, and Related Services Pronouncements, 2018–19 edn, vol. 1, p. 797, accessed July 2019,
https://www.ifac.org/publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance

An example of a qualified auditor’s report for a fictional NZ entity, outlining the basis for the qualified
opinion and the qualification, is provided in example 4.14. Refer to the fictional Independent auditor’s
report to the members of ABC Finance Limited provided in this example now. Note that the 2018 financial
statements were qualified due to an inability to obtain sufficient appropriate corroborating evidence in
relation to material related party transactions. However, also note that there was one instances of Emphasis
of Matter paragraph concerning related party issues. This issue is not part of the qualification but has
been included an Emphasis of Matter paragraph to bring attention to this matters to users of the financial
statements.
Closely examine the extracts included in figure 4.8 so that you will be able to distinguish between items
requiring a qualification and those that do not modify the audit opinion (Emphasis of Matter paragraph).

FIGURE 4.8 Qualified opinion — ABC Finance Ltd 2018 Audit Report

To the shareholders of FE Investments Limited

Report on the restated and reissued financial statements

Qualified opinion
In our opinion, the accompanying financial
statements of ABC Finance Limited (the
‘Company’) on pages 5 to 17, except for the
possible effects of the matter described in the basis
for qualified opinion:
i. present fairly in all material respects the
Company’s financial position as at 31
March 2018 and its financial performance
and cash flows for the year ended on that
date; and
ii. comply with New Zealand Equivalents to
International Financial Reporting Standards
and International Financial Reporting
Standards.
We have audited the accompanying financial
statements which comprise:
− the balance sheet as at 31 March 2018;
− the statements of profit or loss, changes in
equity and cash flows for the year then ended;
and
− notes, including a summary of significant
accounting policies and other explanatory
information.

EXAMPLE 4.14

Basis for Qualified Opinion

We conducted our audit in accordance with International Standards on Auditing New Zealand) (‘ISAs (NZ)’).
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for
our qualified opinion.
We note that the Company had not established adequate controls over the identification and reporting
of related party transactions. The Company has related party relationships, transactions and balances
that are material in both nature and magitude. These circumstances require us to obtain significant
corroborative audit evidence to independently support the information provided by the company over
the completeness of related party transactions in order to issue an unqualified opinion on that aspect
of the financial statements. We have qualified our opinion as we have been unable to practically obtain
sufficient corroborative audit evidence over the completeness of related party transactions.
We are independent of the Company in accordance with Professional and Ethical Standard 1 (Revised)
Code of Ethics for Assurance Practitioners issued by the New Zealand Auditing and Assurance Standards
Board and the International Ethics Standards Board for Accountants’ Code of Ethics for Professional
Accountants (‘the Code’), and we have fulfilled our other ethical responsibilities in accordance with these
requirements and the Code.
P df_Folio:269

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 269
 Our responsibilities under ISAs (NZ) are further described in the auditor’s responsibilities for the audit
of the financial statements section of our report.
Emphasis of Matter — Regulatory Non-Compliance
Note 2 to the financial statements sets out the Company’s non-compliance with requirements of its trust
deed that relate to its related party exposure limit, concentration of debtors and its minimum capital. The
note also sets out the actions being taken by the Company to address this matters with the company’s
supervisor.
As part of our responsibilities as the Company’s auditor under the Financial Markets Conduct Act 2013,
we have formally notified that non-compliance to NZ Corporate Trustee Limited in their role as supervisor
of the Company.
Our opinion is not modifed in respect of this matter.

Disclaimer of Opinion
A disclaimer of opinion should be expressed when the auditor ‘is unable to obtain sufficient appropriate
audit evidence on which to base the opinion, and the auditor concludes that the possible effects’ of
the adjustments could be both material and pervasive (ISA 705 (Revised), para. 9). There is also a
specific requirement in ISA 580, which states that if the auditor ‘concludes that there is sufficient doubt
about the integrity of management such that the written representations required’ of management under
ISA 580, paragraph 10–11 cannot be relied upon, or if management does not provide the required written
representations, the auditor should issue a disclaimer of opinion (ISA 580, para. 20).
Similar to adverse opinions, disclaimers of opinion are a very significant form of modification and
communicate that the auditor cannot reasonably obtain the necessary evidence to resolve the uncertainty
or multiple uncertainties that have arisen. Before issuing such an opinion, the auditor should first exhaust
all reasonable alternative means of obtaining sufficient appropriate audit evidence.
This form of modification is again very rare in practice, with, in any year, usually less than 1% of listed
companies in Australia receiving such types of modification.
An example of the disclaimer of opinion and basis for disclaimer of opinion paragraphs for an auditor’s
report modified for a disclaimer of opinion is given in example 4.15. Review this example now.

EXAMPLE 4.15

Basis for modification and audit opinion paragraph for a disclaimer

of opinion
Disclaimer of Opinion
We were engaged to audit the financial statements of ABC Company (the Company), which comprise the
statement of financial position as at December 31 20X1, and the statement of comprehensive income,
statement of changes in equity and statement of cash flows for the year then ended, and notes to the
financial statements, including a summary of significant accounting policies.
We do not express an opinion on the accompanying financial statements of the Company. Because of
the significance of the matter described in the Basis for Disclaimer of Opinion section of our report, we
have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion
on these financial statements.
Basis for Disclaimer of Opinion
We were not appointed as auditors of the Company until after December 31, 20X1 and thus did not
observe the counting of physical inventories at the beginning and end of the year. We were unable to
satisfy ourselves by alternative means concerning the inventory quantities held at December 31, 20X0 and
20X1 which are stated in the statements of financial position at xxx and xxx, respectively. In addition, the
introduction of a new computerized accounts receivable system in September 20X1 resulted in numerous
errors in [trade debtors]. As of the date of our report, management was still in the process of rectifying the
system deficiencies and correcting the errors. We were unable to confirm or verify by alternative means
[trade debtors] included in the statement of financial position at a total amount of xxx as at December 31,
20X1. As a result of these matters, we were unable to determine whether any adjustments might have been
found necessary in respect of recorded or unrecorded inventories and [trade debtors], and the elements
making up the statement of comprehensive income, statement of changes in equity and statement of cash
flows.

df_Folio:270
P

270 Advanced Audit and Assurance

 Source: International Auditing and Assurance Standards Board (IAASB) 2018a, ISA 705 (Revised) Modifications
to the Opinion in the Independent Auditor’s Report, in Handbook of International Quality Control, Auditing,
Review, Other Assurance, and Related Services Pronouncements, 2018–19 edn, vol. 1, p. 809, accessed July 2019,
https://www.ifac.org/publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance

For a real-life example of a disclaimer of opinion, refer to the 2018 independent auditor’s report to the
members of AusGroup Limited shown as example 4.16. Note the wording of the basis for the disclaimer
of opinion and then go back to the qualified and adverse opinion examples and compare and contrast the
basis for each opinion.

EXAMPLE 4.16

Independent Auditor’s Report to the Members of AusGroup Limited

For the Financial Year Ended 30 June 2018
Report on the Audit of the Financial Statements
Disclaimer of Opinion
We were engaged to audit the financial statements of AusGroup Limited (the Company) and its subsidiaries
(the Group), which comprise the consolidated balance sheet of the Group and the balance sheet of
the Company as at 30 June 2018, the consolidated statement of comprehensive income, consolidated
statement of changes in equity and consolidated statement of cash flows of the Group for the year then
ended, and notes to the financial statements, including a summary of significant accounting policies as
set out on pages 38 to 102.
We do not express an opinion on the accompanying financial statements of the Group. Because of the
significance of the matters describes in the ‘Basis for disclaimer of opinion’ section of our report, we have
not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion on
these financial statements.
Basis for Disclaimer of Opinion
(a) The Group’s non-current assets at 30 June 2018 include property, plant and equipment of
AU$45.2 million (2017: AU$43.4 million) and intangible asset of AU$32.1 million (2017:
AU $31.7 million) attributable to the Port and Marine cash-generating unit (‘CGU’). As disclosed in
note 24 to the financial statements, the Company has estimated the recoverable amount of the Port
and Marine CGU based on a fair value less cost of disposal method. We were unable to obtain sufficient
appropriate audit evidence regarding the key assumptions applied to arrive at the recoverable amount
of the Port and Marine CGU. Consequently, we were unable to determine whether any adjustments
were necessary in respect of the accompanying consolidated balance sheet of the Group as at 30
June 2018, and the consolidated statement of comprehensive income and consolidated statement of
changes in equity for the year ended 30 June 2018.
(b) Arising from above, we were also unable to determine whether any adjustment to the carrying amount
of the investments in subsidiaries shown in the Company’s balance sheet was necessary. Of the
Company’s non-current assets of AU$140.4 million as at 30 June 2018 (2017: AU$178.0 million)
AU$30.9 million (2017: AU$29.1 million) relates to investments in subsidiaries and AU$50.9 (2017:
AU$52.6 million) pertains to receivables owing from subsidiaries which comprise the Group’s Port and
Marine CGU.
We considered the impact of the above items to be material and pervasive to the overall financial
statement of the Group.
The financial statements for the year ended 30 June 2017 also included a disclaimer of opinion, with the
same basis as described above for the year ended 30 June 2018, which is in relation to the recoverable
amount of the Port and Marine CGU.
We also draw attention to Notes 2(a) and 17 of the financial statements which disclose conditions
that indicate the existence of material uncertainties surrounding the continuing use of the going concern
assumption in the preparation of the financial statements. These material uncertainties relate to (i) the
extension maturity date of the Multi Currency Notes (“Notes”) (amounting to AU$73.4 million as at 30 June
2018) from October 2018 to October 2022 and (iii) the completion of subscription of the share placement
and rights issue. On (i), the Company has received the agreement of the Noteholders’ Steering Committee
to the revised terms of the Notes, but the restructuring of the terms is subject to Noteholders’ approval.
The extension of maturity date is also conditional upon a partial redemption of the Notes, to be funded by
a share placement and rights issue. On (ii), the Company has executed a subscription agreement for the
placement, but certain conditions have not yet been fulfilled as of the date of this report.
Source: Extracted from AusGroup Ltd, 2018 Annual Report, p. 36, accessed July 2019,
https://www.ausgroupltd.com/investor-centre.
P df_Folio:271

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 271
 In the next section, the auditor’s communication and reporting responsibilities will be discussed.

QUESTION 4.13

Assume that you have collected the audit evidence required to reach a conclusion.
Evaluate each of the following scenarios and determine the type of opinion the auditor should
issue. Justify your conclusions.
(a) The auditor has concerns as to whether the entity will continue as a going concern, but is
satisfied that there is adequate disclosure of the uncertainty in the notes to the financial
statements.
(b) The auditor has concerns as to whether the entity will continue as a going concern but does not
believe that this is adequately disclosed in the notes to the financial statements.
(c) The auditor believes that it is improbable that the entity will continue as a going concern.
Management has refused to prepare the financial statements on a liquidation basis.

QUESTION 4.14

Evaluate each of the following independent situations and then determine the type of audit opinion
which should be given. Justify your conclusions.
(a) A flood destroyed the client’s offices and all the accounting records just before the end of the
financial year. The client does not have another copy of the records.
(b) An entity is facing significant litigation as a result of dumping oil in the ocean. This is adequately
disclosed in the notes to the financial statements.
(c) The client has provided a provision for inventory obsolescence of $250 000. Based on your audit
assessment, you have determined that the provision should be $300 000. Materiality for the client
has been set at $80 000, and you are satisfied in all other material respects.
(d) The client refuses to include all liabilities in the balance sheet, and the auditor believes that the
effect of this action is pervasive on the financial statements.
(e) You are currently performing the audit of XYZ Limited. Your audit firm has been in dispute with
management over the carrying value of brand names. Due to the materiality of the amounts
involved, you decided to engage an expert to perform an independent valuation. The result
from the expert was close to your original estimate and still materially different from that of
management. The directors refuse to amend the financial statements.
(f) The auditor believes that the client’s financial statements present a true and fair view of its
financial position and performance, and the financial statements are in accordance with the
applicable financial reporting framework.

Adverse Opinion
An adverse opinion is a very serious form of modified opinion issued when the auditor concludes that
misstatements are, either individually or in aggregate, material and pervasive to the financial statements
(ISA 705 (Revised), para. 8). The underlying message that the auditor is trying to convey is that they
consider the financial statements to be misleading or of little use to the intended users.
An example of the adverse opinion and basis for adverse opinion paragraphs contained in an auditor’s
report modified for an adverse opinion is given in example 4.17. Review this example now.

EXAMPLE 4.17

Basis for Modification and Audit Opinion Paragraph for an

Adverse Opinion
Adverse Opinion
We have audited the consolidated financial statements of ABC Company and its subsidiaries (the Group),
which comprise the consolidated statement of financial position as at December 31, 20X1, and the
consolidated statement of comprehensive income, consolidated statement of changes in equity and
consolidated statement of cash flows for the year then ended, and notes to the consolidated financial
statements, including a summary of significant accounting policies.

df_Folio:272
P

272 Advanced Audit and Assurance

 In our opinion, because of the significance of the matter discussed in the Basis for Adverse Opinion
section of our report, the accompanying consolidated financial statements do not present fairly (or do
not give a true and fair view of) the consolidated financial position of the Group and its subsidiaries as at
December 31, 20X1, and (of) its consolidated financial performance and its consolidated cash flows for
the year then ended in accordance with International Financial Reporting Standards (IFRSs).
Basis for Adverse Opinion
As explained in Note X, the company has not consolidated subsidiary XYZ Company that the Group
acquired during 20X1 because it has not yet been able to determine the fair values of certain of the
subsidiary’s material assets and liabilities at the acquisition date. This investment is therefore accounted
for on a cost basis. Under IFRSs, the Company should have consolidated this subsidiary and accounted
for the acquisition based on provisional amounts. Had XYZ been consolidated, many elements in the
accompanying financial statements would have been materially affected. The effects on the consolidated
financial statements of the failure to consolidate have not been determined.
We conducted our audit in accordance with International Standards on Auditing (ISAs). Our responsi-
bilities under those standards are further described in the Auditor’s Responsibilities for the Audit of the
Consolidated Financial Statements section of our report. We are independent of the Group in accordance
with the ethical requirements that are relevant to our audit of the consolidated financial statements in
[jurisdiction], and we have fulfilled our other ethical responsibilities in accordance with these requirements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for
our adverse opinion.
Source: International Auditing and Assurance Standards Board (IAASB) 2018a, ISA 705 (Revised) Modifications
to the Opinion in the Independent Auditor’s Report, in Handbook of International Quality Control, Auditing,
Review, Other Assurance, and Related Services Pronouncements, 2018–19 edn, vol. 1, p. 800, accessed July 2019,
https://www.ifac.org/publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance

This form of audit opinion is rarely observed in practice. Extracts of the basis for adverse opinion from
adverse auditor’s reports for financial statements between 2015 and 2018 are provided as example 4.18.
Review this example now, taking note of the reasons stated as to why an adverse opinion was deemed
necessary in each situation.

EXAMPLE 4.18

Basis for Modification for an Adverse Opinion

Basis for Adverse Opinion
Extract 1: Forestry Industry
At 30 June 2018, the Company recorded a negative working capital of $344 600 and accumulated losses
of $6 390 597. While the Directors and management have a plan to address this deficiency, the Company
has not been able to provide evidence of forthcoming financial support to assist the payments of liabilities
in the next 12 months. Accordingly, there is uncertainty as to whether the Company will be able to pay
its debts as they become due and payable, realise its assets, and extinguish its liabilities in the normal
course of business at the amounts stated in the financial statements.
Extract 2: Mining Services
With regard to the ability of the consolidated entity to continue as a going concern, the following matters
are noted. The consolidated entity has recorded a loss of $29 526 000 for the year ended 30 June 2015
and losses of $12 945 000 and $6 064 000 were recorded for the years ended 30 June 2014 and 30 June
2013 respectively. The consolidated entity has a net asset deficiency of $32 914 000 at 30 June 2015 and
has overdue federal and state taxes which are not covered by a payment agreement. In addition, the
consolidated entity is in breach of debt covenants with its financier, with a waiver provided in relation to
the breaches. As at the date of this report, the company has been unable to secure additional sources of
funding but continues to incur costs in the course of its operations. These matters indicate that the going
concern assumption used in the preparation of the financial report is not appropriate, and the consolidated
entity may be unable to realise its assets and discharge its liabilities in the normal course of business.
Accordingly, we disagree with the Directors position that has resulted in the financial report being prepared
on a going concern basis.
Extract 3: Mineral Sands
Hong Kong Financial Reporting Standard 10 (‘HKFRS 10’) ‘Consolidated Financial Statements’ requires
an entity that has one or more subsidiaries to prepare consolidated financial statements. The Company
has subsidiaries and therefore should prepare consolidated financial statements showing the financial
P df_Folio:273

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 273
 position and results of the Company and its subsidiaries. However, as disclosed in note 2.1 to the financial
statements, the directors have not prepared consolidated financial statements because in the opinion
of the directors, the Company has prepared the consolidated financial statements in accordance with
International Financial Reporting Standards (‘IFRS’) which is available for public use on the company’s
website, and it has no real value to reproduce consolidated financial statements under HKFRSs for
the statutory requirements of the Hong Kong Companies Ordinance to the members of the Company.
According to the Company’s accounting policies, interests in subsidiaries are stated at cost less
impairment losses, if applicable. The results of the subsidiaries are accounting for by the Company on
the basis of dividends received and receivable on the reporting date. The non-preparation of consolidated
financial statements is a departure from HKFRS 10 as well as sections 379(2) and 380 of the Hong Kong
Companies Ordinance. Had the subsidiaries been consolidated, many elements in the financial statements
would have been materially affected. The effects on the financial statements of the failure to consolidate
can be referenced to the consolidated financial statements published on the company’s website.
Extract 4: Financial Services
As explained in Note 12, the Management has performed an impairment test of the goodwill at
31 December 2018 and concluded that no impairment is required. Management estimated cash flow
projections over a period of five years using a strong growth rate. We consider the following.
• Cash flow projections used in measuring value in use must be based on reasonable and supportable
assumptions that take into account both past and actual cash flows and management’s past ability
to forecast cash flows accurately. Management performed a back testing of the 2017 assumptions
used for the impairment test of the goodwill at 31 December 2017 which showed significant negative
deviations. Over the last past few years, financial projections were consistently either not realised or
delayed.
• Despite what we consider to be aggressive growth rates, it still results in projected negative cash-flows
up to 2021 and the full amount of the value in use is based on the perpetual future cash flows calculated
from 2024 onwards.
• To achieve the financial cash-flow forecast, the Group will need to secure additional financing to
compensate the negative operational cash-flow which are projected beyond the next 12- to 15-month
period.
We are of the opinion that the risks linked to the recoverable amount of the goodwill are not sufficiently
reflected in the impairment considerations applied by the Group, and are of the opinion that the carrying
value of the goodwill is overstated by USD $21.1 million resulting in an understatement of the loss of
the year and an overstatement of the total equity in the same amount. As a consequence, the relevant
impairment disclosures are missing in Note 12. In our opinion, this has a pervasive and material impact
on the financial statements.
In addition, the Group recognises deferred tax asset (DTA) of its two subsidiaries. The recognition of
the DTA depends on the ability to generate taxable profit in the near future. We are of the opinion that the
deferred tax asset is overstated in the amount of USD $1.8 million, resulting in an understatement of the
loss of the year and an overstatement of the total equity in the same amount.

The first extract indicates that there is significant doubt on the company’s ability to continue as a
going concern. In fact, this company has recorded a negative working capital since 2012 indicating this
is an ongoing problem. Even though the company has managed to source the required funds to continue
operating in the past, there is no evidence to show that the necessary funds will be able to be sourced during
the next financial year. The company believes they will be able to continue to source the required funds
and prepared the financial statements on a going concern basis whereas the auditor believes that the going
concern basis is not appropriate.
The second extract also indicates a disagreement with management on the preparation of the financial
statements on a going concern basis being the reason for the adverse audit opinion.
The third extract highlights the importance of companies preparing their annual reports and consolidated
financial statements (when applicable) in accordance with the financial reporting standards and company
legislation in their jurisdiction.
The fourth extract highlights issues with assumptions used to calculate cash flow projections which are
then used to determine impairment of items such as goodwill. These assumptions must be realistic and
supported by reliable evidence.
Going Concern Basis is Not Appropriate
If the auditor believes that a going concern basis of accounting has been inappropriately used in preparing
the financial statements, the auditor should issue an adverse opinion (ISA 570 (Revised), para. 21).
df_Folio:274
P

274 Advanced Audit and Assurance

 If the going concern basis is not appropriate, an alternative, such as liquidation basis, should be used
for preparing the financial statements. If the auditor is convinced that the alternative basis is appropriate
and adequate disclosure has been given, they could then issue an unmodified opinion. They may also
draw attention to the alternative basis by including an Emphasis of Matter paragraph (ISA 570 (Revised),
para. A27).
If management is unwilling to make or extend its assessment of going concern when asked to do so by
the auditor, it may be appropriate for the auditor to issue a qualified opinion or a disclaimer of opinion.
This is on the basis that there will be significant uncertainty about the use of the going concern basis of
accounting (ISA 570 (Revised), paras 24, A35).
Carson & Zhang et al. (2016), ‘Audit Reports in Australia 2005–2015: An updated analysis’ provides
information on the types of auditor’s reports issued for Australian public companies between 2005 and
2015. It includes an analysis of the types of issues that give rise to a modified auditor’s opinion and how
frequently these types of modifications are occurring in practice.
In particular, Carson & Zhang et al. (2016) found that the main reason for auditor’s report modification
is going concern and that modification rates increased from 12% in 2005–07 to 34% in 2015.

QUESTION 4.15

The financial statements of a company for the current year show an operating profit after tax of
$50 million and share capital and reserves totalling $100 million. Evaluate each of the following
scenarios and determine the type of opinion the auditor should issue. Justify your conclusions.
(a) Assume the provision for long service leave in the financial statements is understated by
$30 million.
(b) Assume that the company is a trustee of a trust in which there is a deficiency of assets
amounting to $300 million and for which the company is required to assume liability. Although full
disclosure of the circumstances is made in the notes to the financial statements, the liabilities
of the trust are not included in the statement of financial position, and no provision for the
deficiency has been made in the income statement.

The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

4.1 Explain the auditor’s reporting responsibilities in relation to the auditor’s report and opinion.
• The auditor’s responsibility is to form an opinion on the financial statements based on the evidence
obtained during the audit.
• KAMs are often areas of complexity and/or areas involving significant management judgment in
the financial statements and, therefore, often involve difficult or complex auditor judgments.
• When the auditor has formed the opinion that the financial statements are prepared, in all
material respects, in accordance with the applicable financial reporting framework, the standard
unmodified audit report is issued signifying that the auditor has concluded that they have obtained
reasonable assurance that the financial statements as a whole are free of material misstatement,
whether due to fraud or error.
• The auditor uses an ‘Emphasis of Matter’ paragraph when matters are appropriately presented or
disclosed in the financial statements but they are of such importance that they are fundamental to
users’ understanding of the financial statements.
• When matters are not presented or disclosed in the financial statements but are relevant to users’
understanding of the audit, the auditor’s responsibilities or the auditor’s report, an ‘Other Matter’
paragraph is used to bring it to the attention of users.
• When the auditor concludes that a material uncertainty related to going concern exists and the
matter has been appropriately disclosed in the financial statements, the auditor should add a
paragraph titled ‘a Material Uncertainty Related to Going Concern’.
• The auditor is responsible for evaluating the circumstances to determine whether the standard
unmodified audit opinion is appropriate or whether a modified opinion is justified.

P df_Folio:275

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 275
 4.4 Evaluate circumstances that may give rise to modifications to the standard auditor’s report,
to the auditor’s opinion and other than to the auditor’s opinion.
• The auditor needs to evaluate the circumstances that may give rise to modifications to the
standard auditor’s report and/or to the auditor’s opinion. For example, while matters such as
those described in an Emphasis of Matter, Other Matter or Material Uncertainty Related to Going
Concern paragraphs do not modify the auditor’s opinion, they do modify the auditor’s report from
the standard unmodified report.
• The auditor evaluates the circumstances to determine whether modifications to the standard
auditor’s report is necessary, resulting in a qualified opinion, disclaimer of opinion or adverse
opinion.
• The auditor evaluates the audit evidence to determine the appropriate audit opinion to issue.
This requires professional judgment to ascertain whether the matters are material or material and
pervasive.
• Example 4.6 demonstrates the use of professional judgment to evaluate an entity’s circumstances
to identify significant events or conditions that cast doubt on the entity’s ability to continue as a
going concern.
• The auditor should issue a qualified opinion when, after having obtained sufficient appropriate
audit evidence, they conclude that uncorrected misstatements, either individually or in the
aggregate, are material, but not pervasive, to the financial statements or, if unable to obtain
sufficient appropriate audit evidence, that the possible effects of undetected misstatements on
the financial statements are potentially material, but not pervasive.
• When the auditor concludes that misstatements are, either individually or in aggregate, material
and pervasive to the financial statements, an adverse audit opinion is issued, indicating that the
auditor considers the financial statements to be misleading or of little use to the intended users.
• When the auditor is unable to obtain sufficient appropriate audit evidence on which to base the
opinion, and the auditor concludes that the possible effects of the adjustments could be both
material and pervasive, a disclaimer of opinion is expressed indicating that the auditor cannot
determine whether the financial statements can be relied upon.
• Example 4.12 demonstrates the use of professional judgment to evaluate issues about a subsidiary
and consolidated financial statements to justify the type of audit opinion issued.
4.5 Apply the appropriate standards that relate to a range of engagement circumstances that
impact the auditor’s report and the auditor’s opinion.
• ISA 570 (Revised) Going Concern applies where the use of the going concern basis of accounting is
considered appropriate but a material uncertainty exists. The auditor shall express an unmodified
opinion and include a separate section in the auditor’s report under the heading ‘Material
Uncertainty Related to Going Concern’.
• ISA 700 (Revised) Forming an Opinion and Reporting on Financial Statements deals with the
auditor’s responsibility to form an opinion on the financial statements and the types of opinion
that can be issued.
• ISA 701 Communicating Key Audit Matters in the Independent Auditor’s Report requires the auditor
to describe each KAM in a separate section of the auditor’s report headed ‘Key Audit Matters’.
• ISA 705 (Revised) Modifications to the Opinion in the Independent Auditor’s Report addresses the
auditor’s responsibility to issue an appropriate report in circumstances when, in forming an opinion
in accordance with ISA 700 (Revised), the auditor concludes that a modification to the auditor’s
opinion on the financial statements is necessary.
• ISA 705 (Revised) Modifications to the Opinion in the Independent Auditor’s Report addresses
matters that modify the auditor’s report and affect the auditor’s opinion (resulting in a qualified
opinion, disclaimer of opinion or adverse opinion).
• ISA 706 (Revised) Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent
Auditor’s Report covers matters (referred to as ‘Emphasis of Matter’ or ‘Other Matter’) that modify
the standard auditor’s report but do not modify the auditor’s opinion.
• ISA 710 Comparative Information — Corresponding Figures and Comparative Financial Statements
establishes standards and provides guidance to auditors as to their responsibilities with respect
to comparative information in an audit of financial statements.
• ISA 720 (Revised) The Auditor’s Responsibilities Relating to Other Information outlines the
appropriate response by the auditor when the annual report includes other unaudited information
that could undermine the credibility of the financial statements and the auditor’s report.

df_Folio:276
P

276 Advanced Audit and Assurance

4.4 COMMUNICATION AND REPORTING
RESPONSIBILITIES
Communication with those charged with governance, with management, and with third parties, when
applicable, is covered in several auditing standards. For example, if auditors have identified a fraud, or
have information that indicates the existence of a fraud, they are required to communicate these matters to
an appropriate level of management by ISA 240 (discussed earlier in this section). Similarly, when auditors
have identified material non-compliance with laws and regulations, they are required to communicate their
findings to those charged with governance in accordance with ISA 250 (Revised) (discussed earlier in this
module) (Johnson & Wiley 2019).
In this section, we discuss the auditor’s responsibilities in relation to communicating with the entity. This
will be followed by a discussion on the auditor’s reporting responsibilities to both internal and external
parties.

COMMUNICATING WITH THE ENTITY

Communication with the entity is an important part of the audit. It highlights the problems found, suggests
improvements in the client’s system, and gives some evidence on the extent of work performed. ISA 260
(Revised) discusses the requirement for the auditor to communicate with those charged with governance.
According to the definition in ISA 260 (Revised), ‘those charged with governance’ refers to the persons
or organisations entrusted with responsibility for overseeing the strategic direction of the entity and
obligations related to the accountability of the entity. The auditor determines the relevant people who are
charged with governance. Usually the audit committee or governing board is responsible for the oversight
function, and senior executives are responsible for the management function (Leung et al. 2019).

Matters Pertaining to the Conduct of the Audit

Throughout the entire audit, auditors communicate often with management and other client personnel in
the process of gathering audit evidence. For example, auditors make many enquiries of management during
risk assessment, testing of internal controls, and performance of substantive procedures. The responses to
these enquiries are documented in the auditor’s working papers. As supplemental evidence to the enquiries,
auditors are required to obtain a written representation as a final piece of audit evidence (Johnson &
Wiley 2019).
A management representation letter is a letter from management to the auditor acknowledging manage-
ment’s responsibility for the preparation of the financial statements and details of any verbal representations
made by management during the course of the audit. However, the management representation letter is not
a substitute for obtaining sufficient, appropriate evidence regarding the financial statements through other
audit procedures (Johnson & Wiley 2019).

Management Letter
A further written communication between the auditor and management is the management letter, which
is normally issued at the conclusion of every audit engagement. This letter outlines significant issues
identified by the auditor during the course of the audit, especially from their assessment of the entity’s
business and inherent risk, and any recommended improvements in risk identification and internal control.
With regard to internal control, the communications that are required under ISA 265 Communicating
Deficiencies in Internal Control to Those Charged with Governance and Management may be com-
municated in the management letter, or they may be communicated at an earlier time orally, to allow
management to remedy the identified deficiency. If communicated orally, they should also be later
documented in writing, usually in the management letter. Upon completion, the management letter is
normally reviewed first by operational management, and then by the audit committee or governing body.
A primary concern of the audit committee is operational management’s response and follow-up actions to
issues raised in the management letter.
There are a few issues that the auditor should communicate on a timely basis to those charged with
governance — usually before the management letter is written. As outlined in module 2, if the auditor
has identified a fraud or obtained information that indicates a fraud may exist, they should communicate
these matters on a timely basis (immediately) to the appropriate level of management (ISA 240,
para. 41). The auditor shall also communicate on a timely basis to those charged with governance events or
Pdf_Folio:277

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 277
conditions identified that may cast significant doubt on the entity’s ability to continue as a going concern.
The communication should include:
(a) Whether the events or conditions constitute a material uncertainty;
(b) Whether management’s use of the going concern basis of accounting is appropriate in the preparation
of the financial statements;
(c) The adequacy of related disclosures in the financial statements; and
(d) Where applicable, the implications for the auditor’s report (ISA 570 (Revised), para. 25).

ISA 570 (Revised), paragraph 24 requires that the auditor communication also consider the implications
for the auditor’s report when management is unwilling to make or extend its period of assessment of the
going concern basis of accounting.
The communication requirement of ISA 570 (Revised) is consistent with the requirements in ISA 260
(Revised) and the discussion in module 2 about the communication of audit matters with those charged
with governance.

Internal Control Matters

In an audit of a financial statement, the auditor is required to obtain an understanding of internal
controls when assessing the risks of material misstatements (ISA 315 (Revised)). The consideration of
internal control is done in order to design appropriate audit procedures, not to give an opinion on the
effectiveness of internal control. The auditor may, however, identify deficiencies in internal control during
the risk assessment and throughout the audit. The question is which of these deficiencies (if any) need
to be communicated to management and those charged with governance. These issues are addressed in
ISA 265. They require the auditor to:
• determine whether any deficiencies in internal control have been identified
• determine whether, individually or in combination, they constitute significant deficiencies
• communicate those significant deficiencies to those charged with governance
• communicate those significant deficiencies to management unless that would be inappropriate
(e.g. indications of management fraud)
• communicate (not necessarily in writing) other deficiencies in internal control identified during the audit
that are of sufficient importance to merit management’s attention.
These requirements are outlined in ISA 265, paragraphs 7–11. Two particular difficulties relate to
determining what constitutes ‘significant’ deficiencies (ISA 265, paras A5–A11) and then communicating
those deficiencies (ISA 265, paras A12–A30). Examples of significant deficiencies would include:
• management fraud not prevented by internal control
• a failure by management to rectify previously communicated deficiencies in internal control
• material misstatements identified by the auditor that were not prevented or detected by internal controls
• the absence of a risk assessment process, ineffective risk assessment processes or ineffective responses
to identified risks (ISA 265, para. A7).
Many factors can impact on the detail of the communications made. They include the:
• nature of the entity — public interest versus non-public interest
• size and complexity of the entity
• experience and knowledge of those charged with governance.

Identified or Suspected Fraud

If the auditor has identified a fraud or has obtained information that indicates that a fraud may exist,
the auditor should communicate these matters, unless prohibited by law or regulation, on a timely basis
with the appropriate level of management (ISA 240, para. 41). If management, employees with significant
roles in internal control, or any others are identified or suspected by the auditor as being involved in
fraud, resulting in a material misstatement of the financial statements, the auditor should communicate
this with those charged with governance, unless prohibited by law or regulation, and ‘discuss with them
the nature, timing and extent of audit procedures necessary to complete the audit’ (ISA 240, para. 42). This
is consistent with the requirements in ISA 260 (Revised) as well as section 360 of the Code.
In addition to communicating identified or suspected fraud to management and with those charged
with governance, the auditor also has the responsibility to determine whether they are required, or it
may be appropriate in the circumstances, to report fraud to an appropriate authority outside the entity
(ISA 240, para. 44). ISA 250 (Revised) and corresponding amendments to other standards made a
fundamental change in the approach to confidentiality when communicating with an authority outside
Pdf_Folio:278

278 Advanced Audit and Assurance

the entity. The Code of Ethics explains that when disclosure of identified or suspected non-compliance
with laws and regulations (NOCLAR) to an appropriate authority is an appropriate course of action in the
circumstances, this is not considered a breach of the duty of confidentiality (the Code, para. R360.26).
Withdrawing from the Engagement
The auditor should investigate any failure by management, or by those charged with governance, to
take appropriate action in response to findings or suspicions of financial statement misstatement due to
fraud. The auditor should seek legal advice as to whether the circumstances warrant disclosure of the
information to regulatory or enforcement authorities. In exceptional circumstances, the auditor may have to
withdraw from the audit engagement where they are permitted under applicable law or regulation (ISA 240,
para. 39).
In relation to continuing the audit, ISA 240, para. 39, states:

If, as a result of a misstatement resulting from fraud or suspected fraud, the auditor encounters exceptional
circumstances that bring into question the auditor’s ability to continue performing the audit, the auditor
shall:
(a) Determine the professional and legal responsibilities applicable in the circumstances, including whether
there is a requirement for the auditor to report to the person or persons who made the audit appointment
or, in some cases, to regulatory authorities;
(b) Consider whether it is appropriate to withdraw from the engagement, where withdrawal is possible
under applicable law or regulation; and
(c) If the auditor withdraws:
(i) Discuss with the appropriate level of management and those charged with governance the auditor’s
withdrawal from the engagement and the reasons for the withdrawal; and
(ii) Determine whether there is a professional or legal requirement to report to the person or persons
who made the audit appointment or, in some cases, to regulatory authorities, the auditor’s
withdrawal from the engagement and the reasons for the withdrawal (ISA 240, para. 39).

Given the potential for a legal or regulatory response to corporate failures, scandals or disputes
with management, ISA 240, paragraphs 45–48 provide guidance on documentation to be prepared and
maintained by the auditor.
In Australia and many other jurisdictions, a change in auditor is constrained by a regulatory policy
(e.g. by ASIC in Australia) that it should generally take place only after a shareholders’ vote at the annual
general meeting.

QUESTION 4.16

ISA 240 states that the auditor ordinarily recognises that audit procedures that are effective for
detecting error may not be appropriate in the context of an identified risk of material misstatement
due to fraud.
What implications does this statement have for the auditor’s evidence gathering procedures?

Communicating with the Audit Committee

There is an increasing emphasis on a company having an effective audit committee, and this committee
having a much stronger relationship with both the external and internal auditors. As outlined previously,
if the entity has an audit committee, the appropriate persons with whom to communicate will commonly
be the members of the audit committee. Effective audit committees could be expected to enquire of the
auditor the extent to which executive management has been aggressive in its choice of accounting policies,
and may ask the auditor to inform them of any circumstances that may affect independence, such as the
provision by the audit firm of non-audit services for that client.
In the case of listed entities, the auditor is required to communicate with those charged with governance:

(a) A statement that the engagement team and others in the firm … have complied with relevant ethical
requirements regarding independence; and
(i) All relationships and other matters between the firm … and the entity that, in the auditor’s
Pdf_Folio:279
professional judgment, may reasonably be thought to bear on independence. This shall include

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 279
 total fees charged during the period covered by the financial statements for audit and non-audit
services provided by the firm …; and
(ii) The related safeguards that have been applied to eliminate identified threats to independence or
reduce them to an acceptable level (ISA 260 (Revised), para. 17).

These requirements operationalise the conceptual framework threats and safeguards approach to
independence that was discussed in module 1.
Even if the auditor communicates with the audit committee or any other subcommittee of the governing
body, they still need to determine whether they need to communicate to the full governing board (ISA 260
(Revised), para. 12).

REPORTING RESPONSIBILITIES
The auditor has a broad range of reporting responsibilities. In most countries, the auditor’s reporting
responsibility is to the members, or shareholders, of the entity. Additionally, the auditor’s reporting
responsibilities have extended in certain areas to regulatory bodies that are charged with overseeing the
financial market, including the roles and responsibilities of the auditors, as well as to those charged
with governance and the management of the audited entity. This section reviews the auditor’s reporting
responsibilities.
In this section, we discuss the auditor’s reporting responsibilities first to those charged with governance
and management, then to shareholders and lastly to regulatory bodies.

Reporting to Those Charged with Governance and Management

During the audit of a financial statement, there are many matters that need to be communicated by the
auditor to management and those charged with governance. ISA 260 (Revised) establishes mandatory
requirements and explanatory guidance on such communication.
‘Those charged with governance’ refers to the governing body of the entity (i.e. the board of directors
for a listed company) and other persons having responsibility for planning and directing activities for an
entity. They are distinguished from ‘management’, which has responsibility for supervising the day-to-
day operations of the entity. Even if the auditor communicates with the audit committee or any other
subcommittee of the governing body, they still should consider the need to communicate to the full
governing board.
‘Governance’ is the term used to describe the role of people entrusted with oversight, control and
direction of the entity. The auditor determines the relevant people who are charged with governance and
with whom audit matters of governance interest are communicated (ISA 260 (Revised), para. 11).
There are potential difficulties in identifying the persons charged with governance, and auditors need
to exercise professional judgment in making this determination based on the governance structure of the
entity, the circumstances of the engagement and relevant legislation. Where there is an audit committee,
they are the likely body to report to, but the auditor may decide to communicate with the whole board
depending on the importance of the matters of interest.
The matters to be communicated to those charged with governance are:
• auditors’ responsibilities in relation to the financial statement audit
• planned scope and timing of the audit
• significant findings from the audit
• auditor independence.
These are discussed in ISA 260 (Revised), paragraphs 14–17. What is included under significant findings
is discussed in some detail in ISA 260 (Revised), paragraphs A17–A28.
The auditor needs to consider the adequacy of the communication (ISA 260 (Revised), para. 22) and
to take appropriate action if the auditor considers the communication is not adequate (ISA 260 (Revised),
paras A51–A53).
IAASB (2015) asked whether there were opportunities to strengthen auditing standards in relation to
the communications among those involved in an audit. In particular, it suggested that interactions between
engagement partners, audit team members and communications with audit committees play an important
role. Others have also suggested that the role of the audit committee in monitoring the financial reporting
process has expanded considerably in recent years with an emphasis on the role of the audit committee in
exercising professional scepticism and supporting investor interests (Lajoux & Martel 2013; Deloitte LLP
2014a).
Pdf_Folio:280

280 Advanced Audit and Assurance

 Accounting firms are placing greater emphasis on soft skills in both their employment and promotion
of staff. These soft skills include communication skills, the use of logical reasoning, relationship and
personal skills, and negotiation skills. Auditors work in teams and continually interact with clients, and
thus, communication skills become particularly important.
The suggested increase in communication between auditors and audit committees also requires an
increase in communication skills by auditors. The enhanced auditor reporting requirements will involve
writing less standardised audit reports and communicating key audit matters (KAMs) relating to particular
engagements (described in more detail earlier in this module). This will mean that auditors will be
expected to have excellent communication skills to work with those charged with governance to meet
the requirements of the audit.
As outlined in module 2, the responsibility of the auditor is to report to those charged with gover-
nance (e.g. the board of directors for a listed company) and not to management (those with executive
responsibility for the conduct of the day-to-day activities of the entity). This responsibility was further
considered in Australia in AWA Ltd v. Daniels t/a Deloitte Haskins & Sells (1995) 16 ACSR 644, where it
was held that the auditor was responsible for failing to appropriately bring a weakness in internal control to
the attention of the governing body even though it had already been brought to the attention of management.
For issues considered as significant during the audit, the auditor needs to identify the appropriate
persons who are charged with governance and with whom audit matters are to be communicated
(ISA 260 (Revised), para. 11). The auditor needs to take into account the governance structure of the
entity and the information to be communicated. For example, if the entity has an audit committee, the
members of the audit committee will commonly be the appropriate persons (see following discussion).
As mentioned previously, if the matter concerns a significant deficiency in internal control, the auditor
should communicate in writing such deficiencies to those charged with governance (ISA 265, para. 9). This
communication should be done on a timely basis. The auditor should also communicate these significant
deficiencies to management at the appropriate level of responsibility, as well as other deficiencies identified
during the audit that are deemed to be sufficiently important to merit management’s attention (ISA 265,
para. 10).
The appropriate level of management is that which has the responsibility and authority to evaluate the
deficiencies in internal control and take the necessary remedial action. For significant deficiencies, this is
likely to be the chief executive officer or the chief financial officer. For other deficiencies, the appropriate
level may be operational management who have direct involvement in the control area identified and have
the authority to take appropriate remedial action (ISA 265, para. A19).
Review example 4.19, which requires critical evaluation of a draft management letter.

EXAMPLE 4.19

Communicating Matters to Management

You have completed your audit of Egral Ltd, a large listed company. Your main day-to-day contact during
the audit was Ms Poon, the accountant, although you also had some dealings with the finance director,
Mr Sullivan, and the audit committee.
As part of completion procedures, your assistant has prepared the following draft management letter
for your consideration.
Ms Poon, Accountant
Egral Ltd
333 Any Street
Erehwon NSW 2314
Dear Ms Poon
Re: Statutory audit of Egral Ltd
As stated in our engagement letter dated 2 February 2020, the purpose of our audit is to provide reasonable
assurance as to whether the financial statements are free of material misstatement. In carrying out this
work, we agreed to report to you any major weaknesses in the internal control structure that came to our
attention. We note that it is not our responsibility to perform detailed tests of internal controls and that the
responsibility for maintaining the internal control system lies with management.
During our testing on trade debtors, we noted that the ledger reconciliation was often performed up to
a fortnight past close-off, making it difficult for audit staff to meet the auditor’s reporting deadline. Also,
some reconciling items appeared for up to 3 months before they were cleared.

P df_Folio:281

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 281
 In relation to cash payments, we noted that two cheques for transfers to the company’s payroll account
were signed by only one signatory, Mr Sullivan. Apparently, other signatories were not available on those
days and so the payments were processed in order to meet wage obligations.
During our petty cash count at the Parramatta branch, we noted that there were no supporting vouchers
for $927.56 of expenditure. This may place the related tax deductions at risk as the expenses are
unsubstantiated. Also, it casts suspicion on the petty cash officer who may be taking money from petty
cash.
Would you please respond in writing regarding the action you intend to take regarding the above
matters? We remind you that these are only the matters we found during our testing; there could be
many other undiscovered weaknesses in the internal control structure. Also, we remind you that this letter
is solely for the use of Egral Ltd and should not be disclosed to third parties without our permission.
ABC Accountants
............................................................................................................................................................................
(a) Critically analyse the draft management letter and outline your suggestions for improvement.
(b) Assume you found some minor errors during the audit (such as an accrual not taken up) that were rectified
by the time the financial statements were issued. Would you include these in the management letter? Why
or why not?
Check your response against the suggested answer at the end of the book.

QUESTION 4.17

What action should an auditor take if they believe their communication with those charged with
governance has not been adequate?

Reporting to Shareholders
In most countries, the primary group for whom the audit is undertaken is the members, or shareholders,
of the entity. The auditor’s report is usually addressed to this group, and for many of the audits of
general purpose financial statements using this group as the addressee is supported by the relevant national
legislation.

An Australian Perspective
In Australia, in the context of statutory reporting responsibilities for a single company, the auditor has the
following reporting responsibilities imposed on them.
• An auditor must form an opinion concerning whether:
– the financial report is in accordance with the Corporations Act, including whether the report complies
with Australian Accounting Standards (s. 307(a)(i)) and whether it gives a true and fair view of the
financial position and performance of the entity (s. 307(a)(ii))
– the auditor has been provided with all the information, explanations and assistance required to
undertake the audit (s. 307(b))
– the entity has kept financial records sufficient to enable the preparation and auditing of a financial
report (s. 307(c)).
– the entity has kept all other registers and records required by the Corporations Act (s. 307(d)).
• The auditor must report to members whether the financial report is, in the auditor’s opinion, properly
drawn up:
– in compliance with Australian Accounting Standards
– to give a true and fair view (s. 308(1)).
• If the auditor is not of that opinion, they must state why.
• If, in the auditor’s opinion, the financial report has not been drawn up in accordance with a particular
accounting standard, the auditor’s report must give particulars of the quantified financial effect on the
financial report of failing to draw it up in accordance with that accounting standard (s. 308(2)).
• The auditor’s report must also describe any defect or irregularity in the financial report (s. 308(3)(a)) in
regard to a deficiency, failure or shortcoming for matters contained in section 307, on which there is no
reporting requirement under section 308(1). Thus, on an exception basis (meaning they will only report
df_Folio:282
P

282 Advanced Audit and Assurance

 such matters if there is a deficiency, failure or shortcoming), they will include in their report any defects
or irregularities for the matters covered in section 307(b)–(d) (s. 308(3)(b)).
As mentioned previously, the information included in the financial report should be true and fair. ‘Truth
and fairness’ or ‘presented fairly’ refers to the consistent and faithful application of accounting standards
or an applicable framework when preparing the financial report Moroney et al. 2017.
It is the responsibility of the auditor to form an opinion on the truth and fairness or fair presentation
of the financial report. In doing so, the auditor will assess the accounting policies selected by those
charged with governance of the entity. Specifically, the auditor will evaluate whether those accounting
policies are consistent with the financial reporting framework used by the entity. The auditor will also
consider the accounting estimates made by those charged with governance and management to determine
whether the estimates are reasonable. The auditor will assess the relevance, reliability, comparability and
understandability of the information presented in the financial report (Moroney et al. 2017).
If a company’s financial report for a financial year, as prepared in accordance with Australian
Accounting Standards under section 296 of the Corporations Act, would not otherwise give a true and
fair view, the directors must provide further information and explanations to give a true and fair view
(s. 297). This means that financial report preparers must adhere to the Australian Accounting Standards
and cannot justify a departure on the basis that adherence to a specific accounting standard would result
in misleading financial information.
In the case of a general purpose financial report, an unmodified opinion shall only be expressed when the
auditor is satisfied that the report is presented fairly in accordance with Australian Accounting Standards.
The wording used to express the auditor’s opinion is either of the phrases ‘gives a true and fair view’ or
‘presents fairly, in all material respects’. These phrases are regarded as being equivalent (ISA/ASA 700
(Revised), para. 25), and their use is determined by the law or regulation governing the audit of financial
statements in a particular jurisdiction. In accordance with the requirements of the Corporations Act, the
phrase ‘true and fair’ is used in the auditor’s report issued in Australia.
In many countries there are exemptions available for SMEs that are incorporated under similar legislation
to the Australian Corporations Act from complying with all of the requirements in a general purpose
financial reporting framework. For example, in Australia, a small proprietary company’s financial report
does not have to comply with particular Australian Accounting Standards if the report is prepared
in accordance with a shareholder direction under section 293 of the Corporations Act. Also, under
the Reduced Disclosures Requirement (RDR) initiative of the Australian Accounting Standards Board
(AASB), what are called Tier 2 requirements are designed to substantially reduce the disclosure burden of
many Australian entities that previously applied Australian Accounting Standards.
The RDR is available to a wide range of entities in both the private and public sectors in preparing general
purpose financial statements:
(a) for-profit private sector entities that do not have public accountability;
(b) all not-for-profit private sector entities; and
(c) public sector entities other than the Australian Government and State, Territory and Local Governments
(AASB 2010).

These RDRs are evidenced by a shading of the paragraphs in the standards for the specific requirements
that these entities do not need to apply.
Further, as outlined in module 5, certain types of companies limited by guarantee may be exempted from
needing to prepare a general purpose financial report, while others may have their general purpose financial
report reviewed rather than audited. Further, the Australian Securities and Investments Commission
may grant relief from compliance with a particular accounting standard under section 340 of the
Corporations Act.

Reporting to a Regulatory Body

In many countries, the auditor commonly has reporting responsibilities to a regulatory body in addition to
their other reporting responsibilities already mentioned. For example, in the United States, the regulatory
body with public company oversight is the Public Company Accounting Oversight Board (PCAOB), in
the United Kingdom it is the Financial Reporting Council (FRC), while in Singapore it is the Accounting
and Corporate Regulatory Authority (ACRA).

Pdf_Folio:283

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 283
An Australian Perspective
In Australia, the regulatory body with public company oversight is the Australian Securities & Investments
Commission (ASIC). The auditor has an obligation to report in writing to ASIC under section 311 of the
Corporations Act if, in the course of the performance of their duties as an auditor of a company, they:
• have reasonable grounds to suspect that there has been a contravention of, or a failure to comply with,
any of the provisions of the Corporations Act
• believe that the matter will not be adequately dealt with by:
– comment in the auditor’s report, or
– notifying the directors.
Section 311 does not require that the auditor be satisfied beyond reasonable doubt that a breach has
occurred before being required to report to ASIC. This means that the auditor need not conduct exhaustive
and conclusive investigations, nor rely exclusively on evidence that would be admissible in criminal
proceedings. Rather, section 311 requires an auditor to take action where the auditor has ‘reasonable
grounds’ to suspect a contravention of the Corporations Act. This requires that there must be some facts
or some evidence that would lead a reasonable auditor to hold that suspicion.
It should also be pointed out that under section 311, an auditor’s duty is limited to reporting contra-
ventions or breaches of the Corporations Act of which the auditor becomes aware in the course of the
performance of the audit. ASIC does not expect the auditor to actively search for contraventions but
requires auditors to show vigilance and follow up where breaches are suspected. ASIC believes that
the vigilance for section 311 responsibilities should be noted in the audit plan. The ASIC Regulatory
Guide 34 (2013) explains to auditors their reporting obligations under section 311 of the Corporations
Act, such as when reporting suspected insolvent trading.
Before reporting suspected contraventions of the Corporations Act to ASIC, auditors must be able to
demonstrate that they have asked questions of directors or considered the impact of any comment that
might be made in the auditor’s report. The auditor’s belief that the contravention could not be ‘adequately
dealt with’ in the auditor’s report or by raising the matter with directors must be based on more than just
the auditor’s personal feelings. It should be capable of withstanding subsequent scrutiny.
The auditor’s duty to maintain the confidentiality of client information may prevent them from reporting
fraud to third parties. However, the law may override the duty of confidentiality. The auditor of a financial
institution may have a duty to report fraud to supervisory authorities. Also, the auditor may have a duty to
report misstatements to authorities where those charged with governance fail to take corrective action.
The auditor should obtain legal advice to determine the appropriate course of action in these circum-
stances.
The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

4.1 Explain the auditor’s reporting responsibilities in relation to the auditor’s report and opinion.
• The auditor needs to consider the adequacy of the communication with those charged with
governance and management. If the auditor considers the communication is not adequate
appropriate action needs to be taken as it is likely to impact on the auditor’s ability to obtain
sufficient appropriate evidence which is required to support an audit opinion.
4.2 Evaluate the key issues involved in the final review and completion of an audit.
• The auditor obtains a letter from management acknowledging management’s responsibility for the
preparation of the financial statements. The letter also details any verbal representations made by
management during the course of the audit to provide corroborative evidence of audit findings
prior to forming an opinion.
• When the auditor identifies deficiencies in internal control during the audit, the auditor needs to
determine which (if any) of these deficiencies need to be communicated to management and those
charged with governance.
4.3 Evaluate the indicators of potential fraud and recommend a course of action.
• If the auditor has identified a fraud or has obtained information that indicates that a fraud may
exist, the auditor should communicate these matters, unless prohibited by law or regulation, on a
timely basis with the appropriate level of management.
• The auditor also has the responsibility to determine whether they are required, or it may be
appropriate in the circumstances, to report fraud to an appropriate authority outside the entity.

df_Folio:284
P

284 Advanced Audit and Assurance

 • The auditor should investigate any failure by management, or by those charged with governance, to
take appropriate action in response to findings or suspicions of financial statement misstatement
due to fraud.
• If, as a result of a misstatement resulting from fraud or suspected fraud, the auditor encounters
exceptional circumstances that bring into question the auditor’s ability to continue performing the
audit, the auditor shall consider whether it is appropriate to withdraw from the engagement —
where withdrawal is possible under applicable law or regulation.
4.5 Apply the appropriate standards that relate to a range of engagement circumstances that
impact the auditor’s report and the auditor’s opinion.
• ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
provides guidance to auditors in considering whether it is appropriate to withdraw from the
engagement — where withdrawal is possible under applicable law or regulation when exceptional
circumstances exist.
• ISA 260 (Revised) Communication with Those Charged with Governance discusses the require-
ment for the auditor to communicate with those charged with governance.
• ISA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and
Management addresses the auditor’s responsibilities when deficiencies in internal control have
been identified throughout the audit.
• Under section 311 of the Corporations Act 2001 (Cwlth), an auditor has a duty to report
contraventions or breaches of the Corporations Act of which the auditor becomes aware in the
course of the performance of the audit.

REVIEW
It is important that the auditor’s report is an effective communication device as it is the principal means of
communication between the auditor and the financial statement users. There have been significant steps
undertaken to enhance the communication effectiveness of the auditor’s report.
This module first outlined the auditor’s responsibilities involved in completing the fieldwork. This
entailed discussing the auditor’s responsibilities for evaluating significant areas related to management’s
accounting estimates, related party transactions and fraud.
This was followed by a discussion on litigation and claims including outlining when a solicitors’ repre-
sentation letter is warranted. Next, going concern issues were discussed including mitigating circumstances
and the availability of financial support to mitigate these risks.
Obtaining a management representation letter was then discussed, before outlining the applicable audit
procedures performed to identify subsequent events and the evaluation of management’s treatment thereof.
To complete the fieldwork, the auditor performs analytical procedures on the final financial statements
to form an overall conclusion as to whether the financial statements are consistent with the auditor’s
understanding of the entity.
Auditors then make a final review of all the evidence before reaching conclusions as to the truth and
fairness of the financial statements. First, a final evaluation of materiality and audit risk is made before
undertaking a final review of the financial statements to ensure sufficient appropriate audit evidence has
been obtained to support an audit opinion. The engagement quality control review was also explained. The
final task after evaluating the findings is to form an opinion on the financial statements.
Next, the expanded auditor’s reporting requirements that apply to audits of financial statements,
including a discussion of the auditor’s report structure, the identification and disclosure of KAMs, audit
implications of comparative information and extended requirements for matters that do not affect the
audit opinion (Emphasis of Matter, Other Matter and Material Uncertainty Related to Going Concern
paragraphs) were discussed. The types of auditor’s reports that are issued, and the circumstances in which
they are issued were also considered.
The final section covered a discussion of the auditor’s communication and reporting responsibilities to
shareholders, regulatory bodies and those charged with governance and management.

Pdf_Folio:285

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 285
 WESTERWAYS CASE STUDY ACTIVITY

Conclusions and Reporting Responsibilities

The audit findings below are what the auditors found as a result of their audit testing at Westerways.
1. Damaged Inventory
The auditors found in talking to sales staff that in November there had been a roof leak. They wondered
whether this had caused any damage to perishable inventory such as fertilisers or cement and they
therefore asked for a re-examination of any inventory that might have been damaged. This revealed that the
contents of some bags of garden fertiliser had formed into small chunks and would need to be crushed by
the buyer before use. The Valentis immediately resolved that the selling price would have to be discounted
for sale. The loss would not be covered under Westerways’ insurance policy.
The auditors found that the cost of this inventory was about $12 000. They discussed it with the Valentis,
who said that they would discount the selling price from $18 000 to $9000. They admitted to the auditors
that if the items did not sell at that price, they would have to be discounted further. Nonetheless, they
considered that this would be very unlikely and on discussion of the application of the accounting rule,
expressed the view that the value should be reduced from cost to the expected realisable value of $9000
and that there would not be any costs of sale.
2. Injury to Customer
In the Minutes of a Meeting of the Board of Directors in May, the auditors found reference to a complaint
from a customer that a box had fallen on her from a shelf in the Tannam store and that she had been
hurt and profoundly shocked. On inquiry, they were told by Joy Valenti that a case had indeed fallen on a
customer while she tried to pull something out from under it. She should have asked for assistance but had
not done so. She had seemed unhurt when she left and was slightly shocked, but had not complained, it
seemed because she realised that it was her fault. The auditors were also given a copy of a letter from the
customer’s lawyer saying that she claimed compensation of $15 000. If the claim was not paid, the lawyer
said that she would take legal action against Westerways Pty Ltd. The auditors were shown a letter also
from Westerways’ own lawyers stating that it was difficult to assess the chance of the claim succeeding,
but that the cost of defending the case was likely to be about $5000. They advised negotiating with the
customer for a settlement of about that amount.
The auditors found that Joy and Mark Valenti had decided that they would for the moment do nothing,
in the hope that the lady would not proceed in view of the legal costs she would incur and the doubt
about recovery of damages. As to the accounting treatment of the claim by the customer for damages,
Joy stated her firm belief that the lady would not proceed with her action and that therefore Westerways
would not incur any costs and so no liability need be recorded.
3. Unsold inventory
The auditors had noted during their observation of the inventory count that there was a new line in the gift
shop, men’s tie hangers. These had been ordered from Greece for delivery early in November, but they
had not arrived till the week before Christmas and this meant that few had been sold in the festive season.
The audit assistant, Bruce Banks, had particularly admired them and had suggested to his wife that they
would make nice presents for those men in the family for whom she had not bought presents so far.
On returning to their inventory audit work late in January, to satisfy themselves that all inventory was
valued at the lower of cost and net realisable value, the auditors examined sales records by inventory class
for the period from balance date to the date of the audit. They also made inquiries about slow moving
inventory. These inquiries revealed that of the total cost of the tie hangers of $6500, a total of only $500
worth had been sold so far.
They therefore discussed sales of this line with Joy Valenti. She was quite unconcerned by the lack of
sales, asserting that these holders would be a winner over the next few months. For example, she said,
St Valentine’s Day should see some ladies buying them for their husbands and boyfriends. She refused to
contemplate a reduction in accounting value from cost to net realisable value. Bruce Banks was inclined
to agree with her that they would sell well to men or as presents for men, but also realised that the auditors
had limited evidence to support their inclusion at cost.
Go to the Westerways case study at the end of the Study Guide and complete the following tasks.
............................................................................................................................................................................
CASE STUDY TASKS
1. Explain which audit test or tests detected the above findings.
2. Discuss the audit issue and arrive at a decision on what you believe should be put to the directors for
changes and/or disclosure in their financial statements and what as a consequence you consider should
be the appropriate audit opinion.
Note: Working papers are available in Appendix 9 at the end of the case study information provided in the
Study Guide.

df_Folio:286
P

286 Advanced Audit and Assurance

REFERENCES
Australian Accounting Standards Board (AASB) 2010, ‘Tier 2 requirements’, accessed July 2019, http://www.aasb.gov.au/
Work-In-Progress/Reduced-Disclosure-Requirements/Tier-2-Requirements.aspx
Australian Securities and Investments Commission (ASIC) 2013, Regulatory Guide RG 34 Auditor’s Obligations: Reporting to
ASIC, accessed July 2019, http://download.asic.gov.au/ media/1238083/rg34-published-31-may-2013.pdf
Carson, E, Zhang, Y & Fargher, N 2016, ’Audit reports in Australia 2005–2015: Preliminary findings: An updated analysis’, CPA
Australia Report.
Ernst & Young 2018, ‘Experience with key audit matters’, Presented at the 5th Annual Financial Reporting Insights Conference,
December, accessed July 2019, https://www.ey.com/gr/en/ issues/governance-and-reporting/ey-five-annual-financial-reporting-
insights
Fargher, N 2019, ‘Benefits and costs of the enhanced auditor’s report: evidence from Australia’, Melbourne Accounting Research
Seminar, 12 April, accessed August 2019, https://fbe.unimelb.edu.au/accounting/events/2019/melbourne-accounting-research-
seminar-professor-neil-fargher
International Auditing and Assurance Standards Board (IAASB) 2015, Auditor Reporting: Illustrative Key Audit Matters, accessed
July 2019, http://www.ifac.org/system /files/publications/files/IAASB-Auditor-Reporting-Toolkit-Illustrative-Key-Audit-
Matters.pdf
International Federation of Accountants (IFAC) 2018a, Handbook of International Quality Control, Auditing, Review, Other
Assurance, and Related Services Pronouncements, IFAC, New York, accessed July 2019, https://www.ifac.org/publications-
resources/2018-handbook-international-quality-control-auditing-review-other-assurance
International Federation of Accountants (IFAC) 2018b, Guide to Quality Control for Small- and Medium-Sized Practices, 4th edn,
Book 1, accessed May 2019, https://www.ifac.org/publications-resources/guide-using-international-standards-auditing-audits-
small-and-medium-sized-en
Johnson, R & Wiley, L 2019, Auditing: A Practical Approach with Data Analytics, 1st edn, Wiley.
Leung, P, Coram, P, Cooper, BJ & Richardson, P 2018, Audit and assurance, 1st edn, John Wiley & Sons Australia, Milton.
Qantas 2018, Annual Report, accessed July 2019, https://investor.qantas.com/investors/?page =annual-reports
Thomson, G, Fikkers, R & Stott, M 2019 ‘Climate-related and other emerging risks’, Straight-away Alert, IFRS Bulletin, from
PwC, May, accessed July 2019, https://www.pwc. com.au/assurance/ifrs/assets/straight-away-alert-20190521.pdf

Pdf_Folio:287

MODULE 4 Conclusions and Reporting Responsibilities for an Audit of Historical Financial Information 287
MODULE 5

OTHER ASSURANCE
ENGAGEMENTS
Module 1
Auditing and Assurance Framework

Audits of historical financial Module 5

information Other assurance engagements

Module 2 Module 3 Module 4

Planning the audit Performing the audit Conclusions and
reporting responsibilities

• Special purpose financial statements

• Single financial statements
Audits of specialised • Specific financial statement components
areas • Summary financial statements
• Concise financial statements

• Other historical financial information

Review engagements • Interim financial information
• SME financial information

• Non-financial information
• Future-orientated information
Other assurance
engagements • Pro forma financial information
• Assurance on behaviour
• Systems and processes

Performance
Performance engagements
engagements

• Agreed-upon procedures
Non-assurance services • Comfort letter engagements
dPf_Folio:288

• Compilation engagements
LEARNING OBJECTIVES
After completing this module, you should be able to:
5.1 explain the types of assurance engagements, other than the audit of historical financial information
5.2 apply the appropriate standard that relates to assurance engagements, other than the audit of historical
financial information
5.3 describe non-assurance and other engagements services provided by professional accountants.
RELEVANT STANDARDS AND GUIDANCE MATERIALS
International standards
International Framework for Assurance Engagements
(The Framework)
ISA 700 (Revised) Forming an Opinion and Reporting
on Financial Statements
ISA 800 (Revised) Special Considerations — Audits
of Financial Statements Prepared in Accordance with
Special Purpose Frameworks
ISA 805 (Revised) Special Considerations — Audits of
Single Financial Statements and Specific Elements,
Accounts or Items of a Financial Statement
ISA 810 (Revised) Engagements to Report on Summary
Financial Statements
ISRE 2400 (Revised) Engagements to Review Historical
Financial Statements
ISRE 2410 Review of Interim Financial Information
Performed by the Independent Auditor of the Entity
n/a
ISAE 3000 (Revised) Assurance Engagements
Other than Audits or Reviews of Historical Financial
Information
n/a
n/a
ISAE 3400 The Examination of Prospective Financial
Information
ISAE 3402 Assurance Reports on Controls at a Service
Organization
ISAE 3410 Assurance Engagements on Greenhouse
Gas Statements
ISAE 3420 Assurance Engagements to Report on
the Compilation of Pro Forma Financial Information
Included in a Prospectus
n/a
P df_Folio:289
Australian standards
Framework for Assurance Engagements
ASA 700 Forming an Opinion and Reporting on a
Financial Report (Compiled)
ASA 800 Special Considerations — Audits of Financial
Reports Prepared in Accordance with Special Purpose
Frameworks (Compiled)
ASA 805 (Revised) Special Considerations — Audits
of Single Financial Statements and Specific Elements,
Accounts or Items of a Financial Statement (Compiled)
ASA 810 Engagements to Report on Summary
Financial Statements
ASRE 2400 Review of a Financial Report Performed
by an Assurance Practitioner Who is Not the Auditor of
the Entity
ASRE 2405 Review of Historical Financial Information
Other than a Financial Report
ASRE 2410 Review of a Financial Report Performed by
the Independent Auditor of the Entity (Compiled)
ASRE 2415 Review of a Financial Report: Company
Limited by Guarantee or an Entity Reporting under
the ACNC Act or Other Applicable Legislation or
Regulation (Compiled)
ASAE 3000 Assurance Engagements Other than Audits
or Reviews of Historical Financial Information (Revised)
ASAE 3100 Compliance Engagements
ASAE 3150 Assurance Engagements on Controls
n/a
ASAE 3402 Assurance Reports on Controls at a Service
Organisation
ASAE 3410 Assurance Engagements on Greenhouse
Gas Statements (Revised)
ASAE 3420 Assurance Engagements to Report on
the Compilation of Pro Forma Historical Financial
Information Included in a Prospectus or other
Document
ASAE 3450 Assurance Engagements involving
Corporate Fundraisings and/or Prospective Financial
Information
(continued)
MODULE 5 Other Assurance Engagements 289
 (continued)
International standards Australian standards

n/a ASAE 3500 Performance Engagements

n/a ASAE 3610/AWAS 2 Assurance Engagements on

General Purpose Water Accounting Reports

ISRS 4400 Engagements to Perform Agreed-Upon ASRS 4400 Agreed-Upon Procedures Engagements to
Procedures Regarding Financial Information Report Factual Findings

n/a APES 310 Client Monies

ISRS 4410 (Revised) Compilation Engagements APES 315 Compilation of Financial Information

n/a ASRS 4450 Comfort Letter Engagements

ISSAI 3000 Standards for Performance Auditing n/a

dPf_Folio:290

290 Advanced Audit and Assurance

PREVIEW
In module 1, we noted that assurance engagements can be categorised as:
1. audits and reviews of historical financial information, or
2. assurance engagements other than audits or reviews of historical financial information.
While modules 2 to 4 have focused on audits of historical financial information, this module dis-
cusses audits of specialised areas, review engagements, other assurance engagements and non-assurance
engagements.
Many of the areas that this module focuses on are other assurance engagements such as:
• assurance of historical non-financial information
• assurance of future-orientated information
• assurance on systems and processes
• assurance of aspects of behaviour, such as compliance engagements and corporate governance assurance
• public sector performance engagements.
Other assurance services are evolving, particularly in the area of sustainability reporting. In 2017, 41 of
the ASX200 companies assured their sustainability data (Australian Council of Superannuation Investors
2018).
This module also considers the assurance implications of integrated reporting. Integrated reporting
presents some challenges for the assurance profession with respect to such issues as:
• the assurance team requiring a broad range of subject matter expertise
• the implementation of appropriate assurance techniques for non-financial and non-quantitative
information
• the implementation of appropriate assurance techniques for future-oriented information.
Assurance of internal controls is also becoming more important. US companies are now required under
the Sarbanes–Oxley Act 2002 (US) to provide management assessments of internal control procedures,
and the auditor is required to attest and report on management’s assertions. Any Australian firm that audits
a subsidiary of a US-listed company comes under the jurisdiction of this legislation. As a result, internal
control assurance is likely to become more common, whether legislated in Australia or not.
This module includes a discussion of the role of internal audits carried out by accountants who are
employed by the reporting entity and also by external firms. Performance audits are a subset of other
assurance engagements and this module examines public sector performance audits in detail. This module
concludes with a discussion of non-assurance services, including agreed-upon procedures, comfort letter
engagements and compilation engagements.

5.1 AUDITS OF SPECIALISED AREAS

Audits of specialised areas cover audits of historical financial information other than general purpose finan-
cial statements. This includes audits of special purpose financial statements, single financial statements or
components thereof, and summary financial statements.
There are three international auditing standards in the 800 series covering audits of specialised areas.
They are:
• ISA 800 (Revised) Special Considerations — Audits of Financial Statements Prepared in Accordance
with Special Purpose Frameworks
• ISA 805 (Revised) Special Considerations — Audits of Single Financial Statements and Specific
Elements, Accounts or Items of a Financial Statement
• ISA 810 (Revised) Engagements to Report on Summary Financial Statements.

SPECIAL PURPOSE FINANCIAL STATEMENTS

Financial statements that are not prepared to meet the common information needs of a wide range of
users (i.e. general purpose financial statements) may be prepared to meet the financial needs of specific
users. While accounts prepared in accordance with International Financial Reporting Standards or national
accounting standards such as the Australian Accounting Standards are designed to meet the common
Pdf_Folio:291

MODULE 5 Other Assurance Engagements 291

information needs of primary users (i.e. providers of capital), examples of special purpose frameworks
include:
1. a tax basis of accounting for a set of financial statements that accompany an entity’s tax return;
2. the cash receipts and disbursements basis of accounting for cash flow information …;
3. the financial reporting provisions established by a regulator to meet the requirements of that regulator;
or
4. the financial reporting provisions of a contract, such as a bond indenture, a loan agreement, or a project
grant (ISA 800 (Revised), para. A1).

Financial statements prepared in accordance with such frameworks may be the only financial statements
prepared by an entity when general purpose financial statements are not required and, therefore, may be
relied upon by a broader group than those for whom the framework was designed. Despite this potentially
broad distribution, such financial statements are regarded as special purpose as they are designed to meet
the needs of specific users (ISA 800 (Revised), para. A4) rather than general purpose financial statements,
which meet the needs of primary users.
In determining whether to accept an engagement involving an audit of special purpose financial
statements, the auditor is required to obtain an understanding of:
(a) the purpose for which the financial statements are prepared;
(b) the intended users; and
(c) the steps taken by management to determine that the applicable financial reporting framework is
acceptable in the circumstances (ISA 800 (Revised), para. 8).

A key factor in this determination is the financial information needs of the intended users (ISA 800
(Revised), para. A5).
In planning and performing a special purpose audit, the auditor is required to comply with:
(a) relevant ethical requirements, including those pertaining to independence …; and
(b) all ISAs relevant to the audit (ISA 800 (Revised), para. A9).

When performing an audit of special purpose financial statements, the requirements of the ISAs
that apply to general purpose financial statements are applicable. However, the ‘application of some of
the requirements of the ISAs in an audit of special purpose financial statements may require special
consideration by the auditor. For example, in ISA 320, judgments about matters that are material to users
of the financial statements are based on a consideration of the common financial information needs of
users as a group’, while these ‘judgments are based on a consideration of the financial information needs
of the intended users’ for an audit of special purpose financial statements (ISA 800 (Revised), para. A10).
When forming an opinion and reporting on special purpose financial statements, the auditor applies the
requirements of ISA 700 (Revised) (ISA 800 (Revised), para. 11). The auditor’s report also describes either
the purpose for which the financial statements are prepared and identifies the intended users, or refers to
a note in the special purpose financial statements that describes these circumstances (ISA 800 (Revised),
para. 13). It also includes ‘an Emphasis of Matter paragraph alerting users … that the financial statements
are prepared in accordance with a special purpose framework and may not be suitable for another purpose’
(ISA 800 (Revised), para. 14).
Examples of auditor’s reports on special purpose financial statements are contained as illustrations
to ISA 800 (Revised). You should read this now.
Please note ISA 800 (Revised) Illustration 2, which is an auditor’s report for special purpose financial
statements prepared by management in accordance with the tax basis of accounting. Compare and
contrast this example auditor’s report with the auditor’s reports issued for general purpose financial
statements under ISA 700 (Revised). Work through this exercise before proceeding.

Australia — Pending Changes

In February 2019, the AASB decided to proceed with proposals to remove the ability of for-profit
entities that have a statutory requirement to prepare financial statements in accordance with AASs to
use special purpose financial statements. Instead, these entities may need to prepare general purpose
financial statements under Tier 2 Reduced Disclosure Requirements or similar. Further consultation is
underway. These changes have become necessary due to the adoption of IAASB’s new Conceptual
Framework which resulted in inconsistencies between the IAASB’s reporting entity definition and that
Pdf_Folio:292

292 Advanced Audit and Assurance

currently used in Australia. You can review the status of this project by looking on the AASB website:
https://www.aasb.gov.au/Work-In-Progress/Open-for-comment.aspx.

SINGLE FINANCIAL STATEMENTS AND SPECIFIC FINANCIAL

STATEMENT COMPONENTS
The auditor may be asked to express an opinion on a single financial statement, such as a statement of
financial position, an income statement or a cash flow statement. It is also possible to express an opinion
on components of a financial statement (the most commonly specified accounts for which assurance is
requested are accounts receivable, investments, inventory and accounts payable). Guidance on audits of
single financial statements and specific elements of a financial statement is contained in ISA 805 (Revised).
It is often appropriate for engagements of this type to be performed on the basis of agreed-upon procedures
(discussed later in this module) rather than as an audit, due to scope restrictions.
Audits of single financial statements and components thereof are performed in accordance with ISAs
as outlined in modules 2–4 apart from the modifications noted in ISA 805.
In accepting these types of engagements, an important consideration is whether the auditor is also
engaged to audit the entity’s complete set of financial statements. If they are not, then they need to
determine whether it is practicable to undertake an audit of a single financial statement or a specific
element. The auditor will also need to consider whether the expected presentation of the financial statement
or element will provide adequate disclosure to allow the intended users to appropriately understand the
information conveyed. The auditor should also consider whether the expected form of audit opinion is
appropriate in the circumstances (ISA 805 (Revised), paras 7–9).
The auditor also needs to consider the concept of materiality in relation to ‘other’ financial information.
This is especially the case when auditing components of a financial statement, such as a particular account
balance, as components provide a smaller base against which to measure materiality compared to the
financial statements taken as a whole.
ISA 805 (Revised), paragraphs 11–17, outline reporting considerations for such engagements. These
are also demonstrated in the illustrations that accompany ISA 805 (Revised).
Read ISA 805 (Revised), paragraphs 11–17 and the accompanying illustrations (Illustrations 1–3 in
Appendix 2) of the auditor’s reports of a single financial statement or a specific element now.

SUMMARY FINANCIAL STATEMENTS

An entity may sometimes prepare a summary from audited financial statements to inform users of the
highlights of the entity’s performance and financial position, or provide them with financial information
that is believed to be more beneficial for their needs. The summary financial statements provide members
with the information relevant to evaluating the business without the detailed accounting disclosures. This
reduced level of information is expected to be sufficient to meet the needs of users to understand the
financial performance, financial position and financing and investing activities of the entity.
The auditor’s responsibilities relating to an engagement to report on summary financial statements
derived from the audited financial statements are covered by ISA 810 (Revised). The auditor would need
to determine whether the information in the summary is consistent with the full financial statements that
they have audited.
The auditor should not accept such an engagement unless they also have audited or will audit the
financial statements from which the summary was derived (ISA 810 (Revised), para. 5).
Before accepting such an engagement, the auditor is required to:
(a) determine whether the applied criteria are acceptable;
(b) obtain the agreement from management that it acknowledges and understands its responsibility:
(i) for the preparation of the summary financial statements in accordance with the applied criteria;
(ii) to make the audited financial statements available to the intended users of the summary financial
statements without undue difficulty …; and
(iii) to include the auditor’s report on the summary financial statements in any document that contains
the summary financial statements and that indicates that the auditor has reported on them.
(c) agree with management the form of opinion to be expressed on the summary financial statements (ISA
810 (Revised), para. 6).

The auditor’s report on summary financial statements gives an opinion as to whether the information in
the summary is consistent with the full financial statements. The auditor should ensure that the summary
Pdf_Folio:293

MODULE 5 Other Assurance Engagements 293

financial statement is clearly described as such to prevent this report being mistaken as the auditor’s report
on the full financial statements.
Please now read ISA 810 (Revised), paragraphs 9–26 and the Appendix. The Appendix contains
accompanying illustrations of auditor’s reports on summary financial statements.

An Australian Perspective
Listed entities in Australia can elect to prepare summary financial statements in the form of a concise
financial report to send to their shareholders instead of the full annual report that includes the financial
statements for the year. However, this will not alter the entity’s requirement to prepare a full set of
general purpose financial statements. Concise financial reports are prepared in accordance with Australian
Accounting Standard AASB 1039 Concise Financial Reports as required by the Corporations Act 2001
(Cwlth) (Corporations Act). Guidance for auditors reporting on a concise financial report is contained in
Guidance Statement GS 001 Concise Financial Reports under the Corporations Act issued by the AUASB.
The audit of concise financial reports should be treated as a separate engagement from the audit of the
annual general purpose financial reports. Additional audit procedures will be required when undertaking
the audit of the concise financial report as AASB 1039 requires the inclusion of a discussion and analysis of
the principal factors that affect the financial performance, financial position and financing and investment
activities of an entity. Although AASB 1039 does not mandate specific discussion and analysis disclosures,
it does illustrate the types of disclosures that may be made in the concise report.
The additional audit procedures required when conducting the audit of a concise financial report will
enable the auditor to reach a conclusion on the discussion and analysis when forming an opinion whether,
in all material respects, the concise financial report complies with the requirements of AASB 1039. For
example, the auditor may need to recalculate ratios and trend analyses which are included in the discussion
and analysis section and ensure these disclosures are consistent with the information in the financial report
for the year.
If the auditor considers that the discussion and analysis is overly subjective and/or prospective and that
it cannot be quantified or verified, then the auditor will issue a modified auditor’s report in accordance
with ASA 705 Modifications to the Opinion in the Independent Auditor’s Report (ISA 705 (Revised)),
qualifying the auditor’s opinion as a result of a disagreement with management over the adequacy or
appropriateness of disclosures in the concise financial report.
Review example 5.1 now.

EXAMPLE 5.1

Diabetes Victoria
Access the Independent auditor’s report on the 2018 Concise Financial Report prepared for the members
of Diabetes Victoria. On the Diabetes Victoria website: https://www.diabetesvic.org.au, in About us —
Financial reports, select the ‘2018 Concise Financial Report’ from the list and scroll to page 9. Study the
independent auditor’s report and then consider the following questions.
............................................................................................................................................................................
(a) On what basis has the audit been conducted?
(b) What audit procedures have been performed?
(c) How is the opinion worded?
(d) Is the auditor’s report issued under a fair presentation framework or a compliance framework? Why?
Check your response against the suggested answer at the end of the book.

The key points covered in this section, and the learning objectives they align to, are shown below.

KEY POINTS

5.3 Describe non-assurance and other engagements services provided by professional

accountants.
• Special purpose financial statements are designed to meet the needs of specific users and cover a
range of purposes, such as tax basis, regulator and contract provisions (ISA 800 (Revised) Special

dP f_Folio:294

294 Advanced Audit and Assurance

 Considerations — Audits of Financial Statements Prepared in Accordance with Special Purpose
Frameworks).
• Auditors may conduct audits of single financial statements and specific elements of a financial
statement in accordance with ISA 805 (Revised) Special Considerations — Audits of Single Financial
Statements and Specific Elements, Accounts or Items of a Financial Statement.
• Auditors may be engaged to report on summary financial statements that have been derived from
financial statements that they audited. This audit is conducted in accordance with ISA 810 (Revised)
Engagements to Report on Summary Financial Statements. The auditor’s report on summary financial
statements gives an opinion as to whether the information in the summary is consistent with the
full financial statements. Summary financial statements are sometimes used to inform users of the
highlights of the entity’s performance and financial position or to highlight financial information that
is believed to be more beneficial for their needs.
• A concise financial report prepared under the Corporations Act in Australia is an example of
summary financial statements. Concise financial reports are prepared in accordance with Australian
Accounting Standard AASB 1039 Concise Financial Reports as required by the Corporations Act.

5.2 REVIEW ENGAGEMENTS

A number of assurance services provided by the auditor may provide limited assurance to users as opposed
to reasonable assurance. The level of assurance that can be provided depends in part on the extent of
the audit evidence gathered during the assurance engagement. An audit examination provides reasonable
assurance. If all the stages of an audit are not undertaken to allow reasonable assurance to be attained, this
will only permit the auditor to provide limited assurance.
As discussed in module 1, limited assurance engagements on financial information are commonly
referred to as ‘reviews’. To be able to give their conclusion in a review, the assurance practitioner will
undertake procedures to get a high level of understanding of the entity’s business and how that business is
reflected in the financial statements.
While an audit (as discussed in modules 2–4) gives a high level of assurance that the financial statements
are free of material misstatements, the purpose of a review engagement is to determine whether the
financial statements are believable or plausible. That is, a review provides only limited assurance whether
the financial statements conform to generally accepted accounting principles.
Internationally, there are two primary standards that cover the basic principles and essential procedures
governing review engagements on historical financial information. These are:
• ISRE 2410 — covers reviews of interim and other financial information performed by the independent
auditor of the entity (such as reviewing quarterly or half-yearly interim financial statements)
• ISRE 2400 (Revised) — covers engagements to review financial statements performed by an assurance
practitioner who is not the auditor of the entity. An example of this is where an entity that is not required
to have its annual financial statements audited decides to have these reviewed as stakeholders, such as
banks or shareholders, want to ensure the amounts shown on the financial statements are believable.
Reviews are also undertaken when there are multiple owners and each requests assurance that the
financial statements have been objectively reviewed and assessed by an auditor.
In Australia, the corresponding standards are ASRE 2400 and ASRE 2410. In addition, the AUASB has
issued ASRE 2405, which covers reviews of historical financial information that are not in the form of a
financial report (financial reports are covered by ASRE 2400 and ASRE 2410) and ASRE 2415, which
covers reviews of a financial report for companies limited by guarantee. ASRE 2405 and ASRE 2415 are
discussed later in this module.
Requiring a review rather than an audit is becoming a more common assurance approach for small-
and medium-sized entities as the cost of having a review performed is less expensive than an audit, and a
review often meets the needs of their owners and lenders.
Review standards require the reviewer to consider the risk that a fraud could have occurred, although a
review does not always uncover fraud if it has occurred. The reviewer’s report explains their assessment
of the subject matter and gives their independent conclusion.
The following sections cover the performance of review engagements in four different situations:
• a review of interim financial information performed by the auditor of the entity
• a review where the assurance practitioner is not the auditor of the entity
P df_Folio:295

MODULE 5 Other Assurance Engagements 295

• a review of financial information for SMEs
• a review of other historical financial information.

REVIEW OF INTERIM FINANCIAL INFORMATION PERFORMED

BY THE AUDITOR OF THE ENTITY
As outlined in the previous section, ISRE 2410 Review of Interim Financial Information Performed by
the Independent Auditor of the Entity covers reviews of interim financial information that are performed
by the independent auditor of the entity. The important issue is that given it is the independent auditor of
the entity undertaking these reviews, they are required to bring to these reviews the knowledge that they
have acquired when undertaking the annual audit. In planning such a review, an auditor should, therefore,
obtain or update their knowledge of the business, including considerations of the client’s organisation,
accounting system, operating characteristics, and the nature of its assets, liabilities, equity, revenues and
expenses (ISRE 2410, paras 12–18). This knowledge and understanding would have been acquired by an
auditor who had previously undertaken audits or reviews for that client. It allows the auditor to develop
a greater sense of where risks of material misstatements are likely to occur and to plan their response to
these assessed risks appropriately.
The limited procedures that are undertaken for all types of review engagements outlined here are
composed principally of enquiries of company personnel, observing, reading and evaluating material, and
analytical procedures. The enquiries will normally concern:
• the entity’s accounting principles and practices
• management’s identification of events requiring adjustment or disclosure
• whether there has been any change in the assessment by those charged with governance of the entity’s
ability to continue as a going concern
• the entity’s procedures for recording, classifying and summarising transactions, accumulating informa-
tion for disclosure in the financial statements and preparing the financial statements
• all material assertions in the financial statements (ISRE 2410, paras 19–29).
The analytical procedures will be designed to identify relationships and individual items that appear
unusual and will normally include:
• comparison of the financial statements with statements from prior periods
• comparison of the financial statements with anticipated results and financial position
• studies of any relationships of financial information that would be expected to conform to a predictable
pattern based on the entity’s experience or industry norm (ISRE 2410, Appendix 2).
The review report is similar in structure to, but differentiated from, the auditor’s report on a general
purpose financial statement. It should be appropriately titled, using a title such as ‘Report on Review of
Interim Financial Information’, and contain an identification of the interim financial information reviewed.
It should also clearly indicate the limited evidence-gathering procedures that were undertaken, and that
only limited assurance is provided. A statement should be included that a ‘review is substantially less in
scope than an audit conducted in accordance with [auditing standards] and consequently does not enable
the auditor to obtain assurance that the auditor would become aware of all significant matters that might
be identified in an audit and that accordingly no audit opinion is expressed’. The opinion should state
whether anything has come to the auditor’s attention that causes them to believe that the interim financial
information does not present fairly, in all material respects, in accordance with the applicable financial
reporting framework (ISRE 2410, para. 43).
If matters do come to the auditor’s attention that the financial statements are not, or may not be, fairly
presented, then the auditor may modify the review report by expressing a qualified or adverse conclusion
in accordance with the framework outlined in ISA 705 (Revised) (ISRE 2410, para. 45). A limitation on
scope usually prevents the auditor from completing the review and therefore issuing a disclaimer. In these
situations, the auditor should communicate with those charged with governance the reason why the review
cannot be completed and consider whether it is appropriate to issue a report (ISRE 2410, paras 48–49).
The auditor may use Emphasis of Matter paragraphs in accordance with the circumstances detailed in
ISA 706 (Revised) (ISRE 2410, paras 55–58).
There are differences in the requirements in ISRE 2410 and ASRE 2410 that are outlined in
ASRE 2410. This explains differences in the form and content of the review report, among other things.

Pdf_Folio:296

296 Advanced Audit and Assurance

Proposed Changes to ASRE 2410
In May 2019, the AUASB issued an exposure draft to propose further changes to ASRE 2410. The proposed
changes are deemed necessary due to the inconsistency in the review reports being issued by Australian
auditors because the clarity format of audit reports incorporated into ISA 700 series (ASA 700) has not
been incorporated into either ISRE 2410 or ASRE 2410. Some auditors have been following the guidance
provided in the AUASB’s Bulletin dated July 2017 on this matter, whereas others have been following
ASRE 2410. The AUASB Bulletin clarified how auditors may treat these issues covered by the clarity
format and still be in compliance with ASRE 2410. Figure 5.1 outlines their guidance on the relevant
issues.

FIGURE 5.1 AUASB guidance on format of auditor’s review report

Issue AUASB guidance

Review reports must continue to comply with ASRE 2410.

How have the clarity
format requirements in ASRE 2410 has not been updated for the clarity format
the ASA 700 series requirements.
impacted on review
reports?

Following the ASA 700 format is optional.

Can a review report Whether following the ASA 700 format or not, review
format follow ASA 700? reports must comply with ASRE 2410.

The review report should include an ‘Emphasis of matter

How can an uncertainty —material uncertainty related to going concern’
related to going paragraph.
concern be treated in a
review report? This satisfies the requirement of ASRE 2410 for the review
report to include an ‘Emphasis of matter’ paragraph to
bring attention to a material uncertainty related to going
concern that is adequately disclosed in the financial report
and reflects the requirement of ASA 570 for the audit
report to include a ‘Material uncertainty related to going
concern’ paragraph, which is consistent with ASA 700.

No.
Must a review report
ASA 701 does not cover review engagements, so key audit
include key audit
matters are not required in a review report.
matters?
If key audit matters are included in a review report, the
treatment should be consistent with ASA 701, which could
be problematic.

No.
Must a review report ASA 720 does not cover review engagements, so an
include an ‘Other ‘Other information’ section is not required in a review report.
information’ section?

Source: Adapted from AUASB 2017.

Pdf_Folio:297

MODULE 5 Other Assurance Engagements 297

 The proposed changes to ASRE 2410 will provide consistency in practice by incorporating the changes
to the review standard resulting from the enhanced auditor’s report in accordance with the ASA 700 series.
The proposed changes include:
• reordering of the contents in the auditor’s review report so that the conclusion comes first, followed by
a basis for conclusion as per ASA 700
• aligning the format and content of the auditor’s review report to that of the auditor’s report in ASA 700,
ASA 705 and ASA 706
• adding a description of the auditor’s and management/those charged with governance responsibilities
in relation to going concern as per ASA 700
• adding a statement about the auditor’s independence and fulfilling relevant ethical requirements
• changing the reporting of a material uncertainty related to going concern from an ‘Emphasis of Matter’
paragraph as per ASRE 2410 to a ‘Material Uncertainty Related to Going Concern’ paragraph in
accordance with ASA 570 Going Concern (AUASB 2019).
The proposed changes related to a material uncertainty related to going concern is to avoid confusion
to users when reading a review report and an auditor’s report of a financial report.
Note that the IAASB has no plans to update ISRE 2410 even though it is not in clarity format.
However, the New Zealand AuASB is also working on changing their standard on review engagements,
NZ SRE 2410 Review of Financial Statements Performed by the Independent Auditor of the Entity, to
incorporate the clarity changes previously made to the auditing standards.

REVIEW WHERE THE ASSURANCE PRACTITIONER IS NOT

THE AUDITOR OF THE ENTITY
The main distinction between a review under ISRE 2400 (Revised) Engagements to Review Historical
Financial Statements and a review of interim financial information under ISRE 2410 (Revised) is that
for an ISRE 2400 (Revised) review, the auditor has not undertaken an annual audit and would therefore
not have the detailed knowledge of the client that is acquired during the audit. However, it could
reasonably be expected that both types of review engagements provide similar levels of assurance even
though the assurance practitioner starts off from a different knowledge base about the entity. Therefore,
it is appropriate that the auditing standards applicable to the review of financial statements where the
assurance practitioner is not the auditor of the entity (ISRE 2400 (Revised)) consist of similar mandatory
requirements as the standard governing reviews performed by the auditor of the entity (ISRE 2410)
discussed above.
An example of an engagement letter for an engagement to review historical financial statements is
included in Appendix 1 of ISRE 2400 (Revised). In addition, Appendix 2 of ISRE 2400 (Revised) contains
seven examples of practitioner’s review reports covering both general purpose and special purpose financial
statements and includes a range of unmodified and modified conclusions for financial statements prepared
using compliance and fair presentation frameworks.
Read Appendix 1 and 2 of ISRE 2400 (Revised) now, taking note of the wording used for each of the
opinions expressed in the illustrations.

QUESTION 5.1

What is a financial report review? Why would a review be appropriate for a set of half-yearly financial
reports?

REVIEW OF FINANCIAL INFORMATION FOR SMEs

The demand for ISRE 2400 (Revised) type review engagements has significantly increased in recent years
(in particular for SMEs). Many countries have introduced exemptions from mandatory audits based on, for
example, the type of entity or its size. These changes in the regulatory environment are seen as a significant
driver of demand for this type of service, which is seen to cost-effectively enhance the credibility of an
SME’s financial statements. This is particularly important when the entity is seeking either debt or equity
financing.
As an example of the movement to reduce the regulatory burden for small businesses, in June 2010,
the AUASB released ASRE 2415 Review of a Financial Report: Company Limited by Guarantee or
dP f_Folio:298

298 Advanced Audit and Assurance

an Entity Reporting under the ACNC Act or Other Applicable Legislation or Regulation. Previously, all
companies limited by guarantee were required to prepare an audited financial report in accordance with
Australian accounting standards. Under the Corporations Amendment (Corporate Reporting Reform) Act
2010 (Cwlth), a three-tiered differential reporting framework has been introduced for companies limited
by guarantee.
These tiers are outlined in module 1, with small companies limited by guarantee in Tier 1 being given
an exemption from preparing financial statements in accordance with the Corporations Act (and therefore
there are no assurance requirements), while companies in Tier 3 continue to be required to present an
audited financial report.
Under Tier 2, companies are required to prepare a financial report that they can elect to have reviewed
rather than audited. Under ASRE 2415, when a company limited by guarantee elects to have its financial
statements reviewed instead of audited, an auditor who has not conducted an audit of the previous
statements should undertake the review in accordance with ASRE 2400. However, where that auditor
has conducted an audit of the company’s previous financial statements, that auditor will have obtained an
understanding of the company and its environment, including the company’s internal control, and should
conduct the review in accordance with ASRE 2410.

QUESTION 5.2

DDD Motor Sales Ltd is privately owned. It wants to expand its business and has approached its
bank for a loan. DDD wants the funds to purchase additional inventory and will be able to provide
excellent security to the bank. The bank has agreed that, since DDD can provide good security
for the loan, an external audit will not be required. The bank manager has insisted that DDD hire
a firm of professional accountants to examine DDD’s financial records and provide some level of
assurance.
1. What type of engagement is required? Explain your answer.
2. Assume that DDD contracts with Cicak & Jones, CPAs, to perform the required services. What
is the title of the report or communication that Cicak & Jones will prepare?
3. Identify the types of procedures Cicak & Jones will be required to conduct.

REVIEW OF OTHER HISTORICAL FINANCIAL

INFORMATION — AN AUSTRALIAN PERSPECTIVE
The main distinction between a review undertaken in accordance with ASRE 2405 and the two review
standards ASRE 2400 and ASRE 2410 is that ASRE 2405 covers reviews of historical financial information
that are other than a complete financial report. This covers specific components, elements, accounts or
items of a financial report, other information or schedules that can be derived from financial records,
or financial statements that are prepared in accordance with a financial reporting framework that is not
designed to achieve fair presentation, such as condensed financial statements and an entity’s internal
management accounts (ASRE 2405, para. 5). With regards to evidence-gathering procedures, the assurance
practitioner will ‘make enquiries and perform analytical and other review procedures [similar to those
procedures required under ASRE 2400 and ASRE 2410] in order to reduce to a limited level the risk of
expressing an inappropriate conclusion when the historical financial information, other than a financial
report, is materially misstated’ (ASRE 2405, para. 16).
In the next section, assurance engagements other than audits or reviews of historical financial informa-
tion will be discussed.
The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

5.1 Explain the types of assurance engagements, other than the audit of historical financial
information.
• A review provides only limited assurance regarding whether the financial statements conform to
generally accepted accounting principles.

P d f_Folio:299

MODULE 5 Other Assurance Engagements 299

 • When a review is performed by an independent auditor who also performed the audit of general pur-
pose financial statements, the auditor brings the knowledge that they acquired when undertaking
the annual audit to the review engagement.
• Even though a review conducted by an auditor other than the auditor who performed the audit
of the general purpose financial statements starts off from a different knowledge based about the
entity, both review engagements should provide a similar level of assurance.
• Reviews of historical financial information that are other than a complete financial report includes
reviews of specific components, elements, accounts or items of a financial report, other information
or schedules that can be derived from financial records, or financial statements that are prepared in
accordance with a financial reporting framework that is not designed to achieve fair presentation,
such as condensed financial statements and an entity’s internal management accounts.
5.2 Apply the appropriate standard that relates to assurance engagements, other than the audit of
historical financial information.
• ISRE 2410 Review of Interim Financial Information Performed by the Independent Auditor of the
Entity covers reviews of interim and other financial information performed by the independent
auditor of the entity (such as reviewing quarterly or half-yearly interim financial statements).
• ISRE 2400 (Revised) Engagements to Review Historical Financial Statements covers engagements
to review financial statements performed by an assurance practitioner who is not the auditor of
the entity. An example of this is where an entity that is not required to have its annual financial
statements audited decides to have these reviewed. Requiring a review rather than an audit is
becoming a more common assurance approach for SMEs.
• ASRE 2405 Review of Historical Financial Information Other than a Financial Report covers reviews
of historical financial information that are other than a complete financial report.

5.3 OTHER ASSURANCE ENGAGEMENTS — PART 1

Five core types of other assurance engagements can be conducted, either as reasonable or limited assurance
engagements. The overarching standard to be applied to all of these engagements is ISAE 3000 (Revised)
Assurance Engagements Other than Audits or Reviews of Historical Financial Information or the national
equivalent, such as ASAE 3000 and ISAE (NZ) 3000. Figure 5.2 provides an overview of the five types
with their additional specific standards and examples.
The subject matters that can be assured under these types of engagements range widely. Some are
required by regulation and others are reported on a voluntary basis.
Each of these types of assurance engagements will be discussed in this module, but first we will provide
an overview of the application of ISAE 3000 (Revised).

OVERARCHING STANDARD
ISAE 3000 (Revised) is an umbrella standard for ‘other’ assurance engagements. The conditions for
accepting or continuing other assurance engagements) are set out in ISAE 3000 (Revised), paragraph 22.
These conditions include the general requirements that the practitioner (signing partner) believes that the
engagement team satisfies relevant ethical requirements, including independence. The practitioner should
also be satisfied that the engagement team, collectively, has the appropriate competence and capabilities.
Further, the practitioner should be satisfied that the preconditions of an assurance engagement, as discussed
in ISAE 3000 (Revised), paragraph 24, are present. These preconditions include:
• an appropriate underlying subject matter
• suitable criteria that will be available to the intended users
• evidence to support the practitioner’s conclusion
• a written report that presents the practitioner’s conclusion
• a rational purpose for undertaking the engagement, including (in the case of a limited assurance
engagement) that the practitioner expects to be able to obtain a meaningful level of assurance.
The practitioner shall plan the engagement so that it will be performed in an effective manner
(ISAE 3000 (Revised), para. 40). This includes determining the nature, timing and extent of planned
procedures that are required to be carried out in order to achieve the objective of the practitioner.

dP f_Folio:300

300 Advanced Audit and Assurance

 FIGURE 5.2 Overview of other assurance engagements
Historical non-financial reports
Standards
ISAE 3410 Assurance Engagements on Greenhouse
Gas Statements
ISAE 3610/AWAS 2 Assurance Engagements on
General Purpose Water Accounting Reports
Future-oriented information
Standards
ISAE 3420 Assurance Engagements to Report on the
Compilation of Pro Forma Financial Information
Included in a Prospectus
ASAE 3450 Assurance Engagements involving
Corporate Fundraisings and/or Prospective Financial
Information
Systems and processes
Standards
ASAE 3150 Assurance Engagements on Controls
ISAE 3402 Assurance Reports on Controls at a
Service Organisation
P df_Folio:301
Examples
Performance engagements on use of resources or
value for money, such as:
• greenhouse gas statements
• sustainability reports
• key performance indicators
• statements on effective use of resources
• statement on value for money
• corporate social responsibility reporting
• integrated reports.
Examples
Performance engagements, such as:
• forecast/projected cash flows.
Position engagements, such as:
• forecast/projected financial position.
Performance engagements on use of resources or
value for money, such as:
• expected emissions reductions attributable to a
new technology
• greenhouse gases to be captured by planting trees
• a statement that a proposed action will provide
value for money.
Examples
Description engagements, such as:
• the description of a system of internal control.
Design engagements, such as:
• the design of controls at a service organisation
• the design of proposed controls for a forthcoming
production process.
Operation/performance engagements, such as:
• the operating effectiveness of procedures for
hiring and training staff.
MODULE 5 Other Assurance Engagements 301
 Aspects of behaviour

Standards Examples
ASAE 3100 Compliance Engagements Compliance engagements, human behaviour,
such as:
• evaluation of audit committee effectiveness.
Compliance engagements, other, such as:
• fitness for purpose of a software package
(International Framework for Assurance
Engagements, Appendix 4).

Performance of activity

Standards Examples
ASAE 3500 Performance Engagements Performance engagements, such as:
• performance of public sector activity.

Other assurance engagements may be either reasonable or limited assurance engagements. In regard to
the underlying subject matter and other engagement circumstances, ISAE 3000 (Revised), paragraph 46
outlines that:
• for a reasonable assurance engagement, ‘the practitioner shall obtain an understanding of the underlying
subject matter and other engagement circumstances. [This should be] sufficient to … identify and assess
the risks of material misstatement in the subject matter information. [It should also] provide a basis for
designing and performing procedures to respond to the assessed risks and to obtain reasonable assurance
to support the practitioner’s conclusion’.
• for a limited assurance engagement, ‘the practitioner shall obtain an understanding of the underlying
subject matter and other engagement circumstances sufficient to enable the practitioner to identify areas
where a material misstatement of the subject matter information is likely to arise. [It should therefore]
provide a basis for designing and performing procedures to obtain limited assurance to support the
practitioner’s conclusion’.
In regard to obtaining sufficient appropriate evidence for an assurance engagement, ISAE 3000
(Revised), paragraph. 48, outlines that:
For a reasonable assurance engagement, the practitioner shall:
(a) identify and assess the risks of material misstatement in the subject matter information; and
(b) design and perform procedures to respond to the assessed risks and to obtain reasonable assurance to
support the practitioner’s conclusion.
For a limited assurance engagement, the practitioner shall:
(a) identify areas where a material misstatement of the subject matter information is likely to arise; and
(b) design and perform procedures to address the areas identified in (a) and to obtain limited assurance to
support the practitioner’s conclusion.
The assurance report shall be in writing and shall contain a clear expression of the practitioner’s
conclusion about the subject matter information (ISAE 3000 (Revised), para. 67).

The importance of the intended users should also be considered, as environmental reports have a wide
variety of users and their needs can be quite different. For example, companies may provide information
on their water usage and carbon emissions, but this information may be used differently by investors,
environmentalists and local community groups (such as farmers).

Pdf_Folio:302

302 Advanced Audit and Assurance

 The practitioner must prepare engagement documentation that provides a record of the basis for the
assurance report that is sufficient and appropriate to enable an experienced practitioner (with no previous
connection of the engagement) to understand:
(a) the nature, timing and extent of the procedures performed …;
(b) the results of the procedures performed, and the evidence obtained; and
(c) significant matters arising during the engagement, the conclusions reached thereon, and significant
professional judgments made in reaching those conclusions (ISAE 3000 (Revised), para. 79).

ISAE 3000 (Revised) also contains requirements relating to the use of the work of experts. When the
work of a practitioner’s expert is to be used, the practitioner shall also:
(a) evaluate whether the practitioner’s expert has the necessary competence, capabilities and objectivity for
the practitioner’s purposes. In the case of a practitioner’s external expert, the evaluation of objectivity
shall include inquiry regarding interests and relationships that may create a threat to that expert’s
objectivity;
(b) obtain a sufficient understanding of the field of expertise of the practitioner’s expert;
(c) agree with the practitioner’s expert on the nature, scope and objectives of that expert’s work; and
(d) evaluate the adequacy of the practitioner’s expert’s work for the practitioner’s purposes (ISAE 3000
(Revised), para. 52).

Given the importance of using experts in sustainability assurance engagements, these requirements are
of particular significance for such engagements.
The IAASB is in the process of developing draft guidance relating to its extended external reporting
(EER) assurance project (IAASB 2019a). The key objective of the project is to enable more consistent and
appropriate application of ISAE 3000 (Revised) to emerging forms of external reporting and greater trust
in the resulting assurance reports by users of EER.
EER includes many different types of reporting, from integrated reporting, sustainability reporting and
other reporting about environmental, social and governance matters. The outcome of this project is aimed
at providing a non-authoritative guidance document for practitioners applying ISAE 3000 (Revised).
We will now turn our attention to a detailed discussion of each of the five core types of other assurance
engagements, beginning with assurance on historical non-financial reports.

HISTORICAL NON-FINANCIAL REPORTS

Historical non-financial reports include performance reports on the use of resources or value for money.
Many of the specific assurance engagements in this area were mentioned earlier in this module. In this
section, we expand on the assurance of corporate social responsibility (CSR) reports, greenhouse gas
statements, sustainability reports, water accounting reports, business performance measurement reports
and integrated reports.

Assurance on Corporate Social Responsibility (CSR) Reports

CSR is an ‘evolving business practice that incorporates sustainable development into a company’s business
model. It has a positive impact on social, economic and environmental factors’ (Schooley 2019, p. 1).
CSR reporting is voluntary and is becoming more widespread. CSR disclosures include environmental,
employee and social reporting. Some organisations choose to have their CSR disclosures assured by an
independent assurance practitioner. The assurance of CSR disclosures is currently carried out by either
auditors or specialist consulting firms. As these disclosures include non-financial as well as financial
information, the skill set required to conduct these assurance services is quite broad (Moroney et al. 2017).
ISAE 3000 (Revised) provides some guidance for auditors when assuring CSR and similar reports.
ISAE 3000 (Revised) provides guidance on the client acceptance decision, quality control, the role of
professional scepticism and professional judgment, planning and performing the assurance engagement,
steps in evidence gathering, and forming an opinion based on conclusions drawn from the evidence
gathered (Moroney et al. 2017).
Companies disclose CSR information in their annual reports, on their websites and in separate stand-
alone reports. This trend of increased disclosures has been in response to stakeholder (shareholder,
lender, employee, customer, supplier, community, interest groups, advocates and regulators) demand that
companies be more accountable for their impact on the environment and on society. Stakeholders are
concerned about more than just profits and returns on shareholder funds. For example, they want to know
what actions are being taken by companies to reduce impacts (Moroney et al. 2017).
Pdf_Folio:303

MODULE 5 Other Assurance Engagements 303

 Stakeholders are concerned about the reliability of CSR disclosures. Just as the provision of these
disclosures is voluntary, so is the assurance. Companies are not required to have their CSR disclosures
assured. Yet, a number of companies do. Assurance is provided to meet user demands for high-quality,
reliable information and to also demonstrate a high level of corporate responsibility (Moroney et al. 2017).

QUESTION 5.3

Providers of corporate sustainability assurance reports often state that the work was performed in
accordance with ISAE 3000 and/or ASRE 2405. Obtain a copy of each of these documents.
Explain why ISAE 3000 and ASRE 2405 would be useful in CSR assurance.

Assurance on Greenhouse Gas Statements

There have been significant widespread concerns, both in Australia and internationally, about the economic
and environmental effects of climate change. In 2017, KPMG found that 48% of the world’s largest
companies acknowledged climate change as a financial risk in their financial reporting (p. 30). However,
most of these companies provided narrative description of the potential impacts without quantifying these
risks as recommended by the Task Force on Climate-related Financial Disclosures (TCFD). Climate risk
was discussed in module 2.
Disclosure of carbon emission levels by companies is required to support actions aimed at reducing
these emissions, including:
• monitoring regulatory compliance
• facilitating emission tracking systems
• assisting investor decision making.
In a greenhouse gas statement, the main focus will be on the quantities of greenhouse gas emissions
(carbon dioxide (CO2 )) and how this information is presented and disclosed. The main issue a practitioner
must consider in accepting an engagement is what specialist skills they need to successfully carry out the
engagement. In particular, the assertions made in a greenhouse gas report may be of a technical, chemical
or physical nature and, whilst a practitioner has extensive assurance skills, this may not be enough when
dealing with specialised subject matter (Leung et al 2019).
Assurance services on disclosures of greenhouse gas emissions in Australia increase the credibility
of these disclosures (Huggins & Green et al. 2011). Further, as carbon emissions trading schemes and
taxes become more common around the world, well-established reporting and assurance frameworks help
organisations to meet their obligations.
Greenhouse gas (GHG) statements take different forms, including disclosures that are:
• required by regulation
• related to emissions trading schemes
• voluntary.
The assurance approach for these statements varies depending on the reporting entity’s level of
precision in its monitoring and disclosure of GHG emissions. For example, one approach is to report
coal consumption by using a generic factor that reflects the carbon content of coal used within the relevant
jurisdiction; this could then be applied to approximate the amount of GHGs emitted by consuming that
amount of coal. Here, the assurer’s role is ‘to test the measured level of coal consumption and consider the
appropriateness of the factor and the accuracy of its application’ (Simnett & Nugent et al. 2009, p. 354).
A more direct and sophisticated approach is to place measuring instruments on the chimneys and
furnaces of any outlets through which GHG escape. Here, the assurer’s role would be to test whether
all outlets are monitored and the instrumentation is working appropriately, and to examine the accuracy of
the calculations (Simnett & Nugent et al. 2009, p. 354).
ISAE 3410 Assurance Engagements on Greenhouse Gas Statements covers the assurer’s responsibilities
for identifying, assessing and responding to risks of material misstatement on GHG statements. The
standard also recognises that most engagements will be undertaken by a multi-disciplinary team (including,
for example, engineers or environmental scientists) and thus addresses the need to integrate such experts
at various stages of the engagement.
The assurance standard can be applied to a broad range of circumstances, including those organisations
that are directly emitting GHGs into the atmosphere as well as those organisations that are indirectly adding
to GHG emissions (e.g. by consuming electricity). This is in line with providing assurance of the reports
that are required by regulators as they instigate emissions trading schemes (such as the EU scheme) or taxes
dP f_Folio:304

304 Advanced Audit and Assurance

 on GHG emissions. The standard covers both reasonable assurance and limited assurance engagements,
both of which are increasingly in demand in the marketplace. With the issue of GHG emissions firmly on
the agenda of many regulators and other interested parties around the world, this assurance area is expected
to increase over the next few years.

QUESTION 5.4

List at least five reasons why accountants are well placed to provide assurance on carbon
emissions.

Schemes Regulated by Australia’s Clean Energy Regulator

Schemes legislated by the Australian government for measuring, managing, reducing or offsetting
Australia’s carbon emissions is administered by the Clean Energy Regulator (CER). The CER have
administrative responsibilities for the:
• Renewable Energy Target under the Renewable Energy (Electricity) Act 2000
• National Greenhouse and Energy Reporting Scheme (NGERS) and the safeguard mechanism under the
National Greenhouse and Energy Reporting Act 2007
• Australian National Registry of Emissions Units under the Australian National Registry of Emissions
Units Act 2011
• Emissions Reduction Fund under the Carbon Credits (Carbon Farming Initiative) Act 2011 (CPA 2019).
The assurance requirements for each scheme are underpinned by the NGERS audit framework. The
assurance practitioner must be a registered greenhouse and energy auditor (RGEA) to be eligible to conduct
assurance engagements (NGERS audits) under any of these schemes.

Assurance on Sustainability Reports

Currently, one of the most common types of publicly available non-financial reports is a ‘sustainability
report’. A sustainability report provides information about the organisation’s economic, environmental
and social impacts and ‘demonstrates the link between its strategy and its commitment to a sustainable
global economy’ (GRI 2019a). Organisations are being increasingly held accountable on issues related to
human rights, climate change, waste management, and the use of scarce resources such as water. In some
countries, including Australia, varying degrees of reporting of sustainability information is mandatory.
With increased disclosure, there are increased expectations of assurance on this information in order to
increase its credibility.
As the above issues are more frequently incorporated as a central part of strategy and included in
performance evaluations and reward systems, accountants will take an increasingly important role in both
the development of sustainability measurement and reporting systems, and the related assurance activities.
Boards faced with these issues are increasingly likely to require assurance on measures and disclosures
important to their decision-making role. Investors are increasingly likely to want firms to demonstrate that
CSR and sustainability issues are included as an important part of the strategic planning process, and to
want assurance on related disclosures.
Sustainability reporting is becoming a ‘mainstream’ practice in the largest corporations globally. KPMG
(2017) identified that most large and mid-cap companies around the world now produce a sustainability
report. Despite this, the IAASB has not developed a specific assurance standard for these engagements.
The most common reporting framework for sustainability reports is the GRI Standards, devised by
an institution whose mission is to develop, and disseminate globally, applicable sustainability reporting
standards in order to establish a common reporting practice for sustainability reporting across a range of
economic, environmental and social impacts. The current GRI Standards were released on 19 October
2016 and have superseded the GRI G4 Guidelines. All sustainability reports and other related materials
published on or after 1 July 2018 are required to use the GRI Standards. After this date, any reports prepared
based on the GRI G4 guidelines will not be considered as a GRI-based report.
Why Assurance on Sustainability Information is Important
The GRI notes that stakeholders expect to be able to trust an organisation’s sustainability report.
To benefit from the process of sustainability reporting, organisations take steps to enhance the credibility
of their reports, including having their reports externally assured. This is believed to contribute to building
stakeholder trust and to continually improve the quality of reporting systems and processes. The number
P df_Folio:305

MODULE 5 Other Assurance Engagements 305

 of companies having their corporate responsibility reports assured continues to grow. A report by KPMG
shows that 67% of the world’s largest companies had their reports assured in 2017 compared to 30% in
2005 and 46% in 2011 (see figure 5.3).

FIGURE 5.3 Assurance of corporate responsibility information

Growth in independent assurance of CR information

63% 67%
59%
46%
40%
30%

2005 2008 2011 2013 2015 2017

33%
39% 38% 38% 42% 45%
N100 G250

Source: KPMG 2017, p. 26.

GRI also recognises that assurance of sustainability reports is at an early stage in its evolution. It
therefore encourages the development and use of principles and guidelines for assurance practices.
Moreover, the GRI recommends that external assurance should:
• be conducted by groups or individuals external to the reporting organisation, who are demonstrably
competent in the subject matter and assurance practices
• utilise groups or individuals who are not limited by their relationship with the organisation to publish
an independent conclusion on the report
• be implemented in a manner that is systematic, documented, evidence-based and characterised by
defined procedures
• assess whether the report provides a reasonable and balanced presentation of performance
• assess the extent to which the report preparer has applied the GRI Reporting Framework
• result in an opinion or set of conclusions that is publicly available in written form, including a statement
from the assurance practitioner on their relationship to the report preparer.
The GRI does not make recommendations on what type of assurance practitioner to use. It is expected
that the reporting organisation will select the assurance practitioner on the basis of these six key qualities.

QUESTION 5.5

How does providing assurance on environmental information differ from auditing financial
statements?

QUESTION 5.6

Climate Balance Pty Ltd is a consulting firm specialising in sustainability and climate change
issues. It offers sustainability report assurance services to a variety of organisations, including
listed companies. It is not a registered company auditor and does not provide company audits.
Why would a listed company obtain sustainability assurance services from a consulting firm and
its company audits from an accounting firm?

dP f_Folio:306

306 Advanced Audit and Assurance

 QUESTION 5.7

A sustainability report makes the following claims.

1. ‘We implemented our Code of Conduct in the current year.’
2. ‘Our sulfur dioxide emissions have gone down by 20% during the year.’
What evidence could be collected in a reasonable assurance engagement to support these
assertions?

SME Perspective
The previous examples refer to large companies. It is important to also realise that SMEs can benefit by
having the sustainability information they provide assured.
CPA Australia has developed A Guide for Assurance on SME Sustainability Reports. This document
notes that ‘a sustainability report provides financial and non-financial information that helps readers to
understand how a business has performed from broad economical, social and environmental perspectives’
(CPA Australia 2012, p. 5). Importantly, the document sets out the business pressure and opportunities
that are inducing SMEs to consider sustainability reporting, and the consequent importance of CPAs being
capable of discussing these issues with clients and providing opportunities for clients.
CPA Australia (2012) lists four opportunities for SMEs related to sustainability reports.
• Large organisations often require their supply chains to demonstrate sustainability (e.g. through
tender processes or the need for sustainability reports, sometimes with assurance). By demonstrating
sustainability in practices and products, SMEs can differentiate themselves from competitors.
• The reports provide a credible way to present sustainability performance to stakeholders.
• A greater range of finances are available to organisations that can demonstrate sustainability.
• Sustainability reporting can unlock internal advantages such as staff support, risk management and
process improvements.
Furthermore, Global Reporting Initiative (GRI) and the International Organization of Employers (IOE)
published a joint report in 2016 outlining how small businesses can have a big impact by reporting on
sustainability issues. Even though SMEs individually have relatively small environmental and social
impacts, as a group their impact is much larger as they account for about 90% of all businesses and
contribute up to 45% of total employment (GRI & IOE 2016, p. 7). As such, they have a crucial role
to play in building a sustainable future through responsible business practices.
Next, we turn our focus to the assurance on water accounting reports.

Assurance on Water Accounting Reports

New assurance services continue to emerge, including assurance on water accounting reports. Water is
an extremely important resource in Australia and many other countries. Australia has a comprehensive
strategy to improve water management. In particular, the Australian government claims to enhance ‘the
sustainable, efficient and productive management and use of water resources in the Murray-Darling
Basin and across Australia’ (Department of Agriculture and Water Resources 2018, p. 1). The Australian
government’s strategies include the following.
• $2.5 billion to build water infrastructure for the 21st century (e.g. dams, weirs, irrigation schemes,
pipelines and winter storage solutions).
• Murray-Darling Basin Plan to restore the Basin’s rivers and wetlands to health while supporting
sustainable food production and strong regional communities.
• National leadership in water policy and legislation reform by working with the states and territories to
support agricultural and other industries, environments and communities.
• Leadership and coordination of national action for reform of urban water management — water supply,
sewerage and drainage services (Department of Agriculture and Water Resources 2018).
Water accounting is a central part of Australia’s strategy to improve water management. Water
accounting is ‘a systematic process of identifying, measuring, monitoring and communicating information
about water-related transactions, transformations and events to allow informed judgements and decisions
about the allocation of scarce resources’ (Chalmers & Godfrey 2007).
The Water Accounting Standards Board (WASB) is an independent advisory board to the Bureau
of Meteorology (BOM) and works with the water industry to develop consistent standards for water
accounting (AWAS 1 (WASB 2012)) and assurance (ASAE 3610/AWAS 2 (WASB 2014)).
Pdf_Folio:307

MODULE 5 Other Assurance Engagements 307

 The BOM released the Australian Water Accounting Standard (AWAS) 1 Preparation and Presentation
of General Purpose Water Accounting Reports in 2012. It prescribes how to prepare and present a General
Purpose Water Accounting Report. It is accompanied by examples of water accounting reports.
The AUASB and the BOM have jointly issued the Standard on Assurance Engagements ASAE 3610
and AWAS 2 Assurance Engagements on General Purpose Water Accounting Reports. This assurance
standard establishes requirements for assurance engagements in the emerging area of water accounting. It
guides assurance practitioners on accepting, conducting and reporting on engagements so they can provide
reasonable or limited assurance on a general purpose water accounting report (WASB 2014).
Water accounting enables entities to collect, record, measure and disclose information about water in
order for users of this information to make informed decisions on the economic, social and environmental
effects of water transactions, transformations and events.
It is critical that users of the water accounting reports have confidence in the credibility of these
reports — hence the need for an assurance engagement. The idea is that water accounting reports should
contain independent attestation that they have been prepared in accordance with approved water accounting
standards (i.e. those developed by WASB).
It is clear that, in many countries, water usage is a major issue and, increasingly, this issue will be
incorporated as part of strategic planning. Rio Tinto (2019), for example, notes that access to water is
critical to its operations. It uses water at every stage of its business — exploration, mining, processing,
smelting, refining and rehabilitation. Rio Tinto notes that operations that reduce its demand through
efficiency, technology, and the use of lower quality and recycled water, are more likely to have a
competitive, economic and reputational advantage.
The company has developed a number of programs to manage water responsibly across all aspects of
their operations, from mine processing to managing dust and supplying drinking water and wastewater
services to their operations (Rio Tinto 2019).
A description of Rio Tinto’s responsible water management plan is available in Pioneering Progress:
2018 Sustainable Development Report (pp. 18–19): https://www.riotinto.com/ourcommitment/
downloads-24768.aspx

Assurance on Business Performance Measurement

Organisations are increasingly using performance measurement systems to help realise their strategic
objectives and goals and to report their performance on a broader range of performance indicators, such as
non-financial performance. Some organisations are providing a list of agreed financial and non-financial
performance measures on areas such as staff performance, customer satisfaction, and a range of other
effectiveness and efficiency measures. Others are using a balanced scorecard approach, which reports
information on a number of dimensions, including financial performance, customer satisfaction, product
and service quality, and growth initiatives. Both quantitative and qualitative measures are used.
In other cases, society is starting to expect non-financial performance measurement for certain types
of organisations. In the not-for-profit sector, for example, an entity’s primary objective is not to make a
profit but to provide goods and/or services to help the community achieve a social objective. Therefore,
non-financial information about a not-for-profit entity’s achievement in delivery of those goods or services
is essential for users to assess its performance. The Australian Accounting Standards Board has recently
proposed a framework, in the form of a draft Standard, for reporting service performance information.
The objective of the proposal is to establish principles and requirements for an entity to report service
performance information that helps users assess whether a not-for-profit entity has met its service
performance objectives.
Three types of potential assurance services in relation to performance measurement systems are as
follows.
1. Assessing the reliability of information being reported from the organisation’s performance measure-
ment systems.
2. Assessing the relevance of the performance measures (i.e. how well they inform users about perfor-
mance).
3. Assessing the criteria used for performance measurement.

Reliability of Performance Measures

When an organisation’s performance measurement system reports actual results, an assurance practitioner
can provide assurance on the reliability of information in that performance report. For example, an
organisation may measure factors such as the cost of a department and the timeliness of reports from that
Pdf_Folio:308

308 Advanced Audit and Assurance

department. Comparisons can then be made about the quality of information received from that department
against internal goals and the results of other organisations that are comparable in size and operate in
similar industries. Two issues the organisation may require assurance on are the relevance of performance
measures used and the criteria for performance measurement assurance.
Relevance of Performance Measures
When an organisation requires assurance on the relevance of their performance measures (i.e. are they
measuring the right things?), one approach is to examine the organisation’s strategic objectives and assess
whether the performance measures used are consistent with those objectives. The assurance practitioner
can also provide value to the organisation by providing independent insights about whether the strategic
objectives are reasonable, achievable, clearly defined and understood by the organisation’s employees.
They can also assess whether the organisation has appropriate financial and non-financial measures.
Management will be a key user of such information, for example, to assist in performance evaluation
or to help identify activities that need improvement. This assurance service will also benefit investors
and creditors as it provides credible information on the entity’s systems for measuring performance and
information on how well management is performing in a variety of areas.
Criteria Used for Performance Measurement
In carrying out a performance measurement assurance engagement, it is often necessary to either develop
appropriate measures as criteria or to assess whether the performance measures being used are suitable
criteria for measuring the right things from the organisation’s perspective.
Performance indicators should be:
• relevant — relate to the user’s needs and to clearly define objectives that communicate what is to be
measured
• quantifiable — illustrate the extent to which objectives have been achieved in absolute and proportional
measures (i.e. subjective and judgmental statements should be avoided)
• verifiable — should result in similar conclusions when an independent assessment is conducted
• free from bias — report information impartially, using information that is gathered and analysed in a
way that is free from built-in bias
• balanced — provide a complete picture of what is being done, covering all significant areas
• cost-effective — balance the benefits of the information against the costs of preparing them
• time-based and timely — cover a defined time period to determine whether the performer has achieved
the target and be produced on a timely basis so that corrective action can be taken.
Review examples 5.2 and 5.3 now.

EXAMPLE 5.2

Key Performance Measures

A suburban hospital of a large Australian city has an objective of improving the quality of service to
emergency patients. It has developed the following key performance measures and will report back to
management on progress every six months.
• Time taken to treat the patient as measured by the time of arrival at the hospital to the time of their
discharge from emergency (i.e. discharged from the hospital or moved into a ward).
• Number of patients assessed within 30 minutes of arriving at the hospital.
• Customer satisfaction with their treatment.
– Was the quality of the treatment satisfactory? Yes/No
– Were staff friendly and attentive? Yes/No
• Average life expectancy of heart-attack patients in the vicinity of the hospital.
• All measures are to be recorded at least two days per week.
............................................................................................................................................................................
Evaluate these performance measures using the above criteria. Justify your responses.
Check your response against the suggested answer at the end of the book.

P d f_Folio:309

MODULE 5 Other Assurance Engagements 309

 EXAMPLE 5.3

Divisional Scorecard Performance

Your firm was asked to complete an assurance engagement and report to the management of RST Ltd
(RST) on the relevance and reliability of their divisional scorecard performance (including targets and
actuals) for six divisions of RST for the year ended 30 June 20X9. You decided to use criteria set up
by International Performance Management Ltd. (Assume this is a well-known set of criteria that can be
referred to and of which readers will be aware.) Your work included:
• obtaining an understanding of the strategic objectives and goals of RST and its divisions
• assessing the selected performance measures related to the chosen strategy for each division
• assessing the procedure used for producing the results
• selecting a sample of reported results to test
• performing other relevant procedures.
Your firm has agreed to provide reasonable assurance in accordance with ISAE 3000 (Revised) on the
relevance and reliability of the divisional scorecard performance measures and results.
............................................................................................................................................................................
Prepare an unmodified assurance report in accordance with ISAE 3000 (Revised) (para. 69) for presentation
to the management of RST.
Check your response against the suggested answer at the end of the book.

QUESTION 5.8

Upper Crust Pizza Ltd is a profitable business that has been run for many years. The chairman
of the board of directors is Simon Strange, who built the company from nothing to the successful
public company it now is. As he gets close to retirement, Simon wants to ensure his legacy includes
social and environmental success as well as the financial success that he has enjoyed.
Simon is considering how the organisation can improve the welfare of the staff, better look after
customers, and improve how it interacts with the wider community and the environment.
Considering staff, customers, the wider community and the environment, suggest key perfor-
mance indicators that might be used to improve social and environmental performance.
Source: Leung et al. 2018.

Assurance on Integrated Reports

Integrated Reporting connects different functions to form a holistic view of the business. It recognises the
value, risks and opportunities represented in a long-term and wider view of the six ‘capitals’ with which
it operates. It also links the reporting to the entity’s core business model and strategy. The capitals are
natural, human, manufactured, social and relationship, intellectual, and financial.
Conventional annual reports, including the financial statements, are often seen as being too complex for
many users, thereby being more suited for reporting to regulators. On the other hand, integrated reports
help the business to think about their strategy and plans, make more informed decisions and manage key
risks and opportunities to build investor and stakeholder confidence, thereby improving future performance
(Majmudar & Rana 2017). Stakeholders, especially investors, can use integrated reports to make more
informed decisions about capital allocation and long-term investment.
The International Integrated Reporting Council (IIRC) has issued a framework for integrated reporting
(<IR>). In the IIRC framework, integrated reporting is defined as a ‘process founded on integrated thinking
that results in a periodic integrated report by an organisation about value creation over time and related
communications regarding aspects of value creation’ (IIRC 2019). Within the framework, and at present,
no assurance of integrated reports is required.
To follow up on the assurance issues outstanding after the approval of the Framework, the IIRC released
two discussion papers in July 2014 (IIRC, 2014a, b). This was an attempt by the IIRC to promote robust
assurance, along with other mechanisms that build the credibility of integrated reports. Assurance is seen
to play a vitally important role in ensuring that integrated reports are seen to be credible.
Assurance is an essential component of developing relevant and reliable integrated reports. Some of the
main challenges identified by the IIRC (2014a, b) and the IAASB (2016) are described here.
dP f_Folio:310

310 Advanced Audit and Assurance

• Diversity of subject matter information. Integrated reports include a diverse range of subject matter,
thereby requiring auditors to be knowledgeable of, and comfortable with, a range of subject matter.
Auditors, with only financial accounting expertise, may have a deficiency in other subject matter
information assured under an integrated report.
• Stage of development of non-financial indicators. Many environmental, social and governance indicators
remain less established and accepted than financial indicators and may suffer from limited availability
of data.
• Time-frame and prospective nature of the information. <IR> captures both retrospective and
prospective information because of their usefulness to decision makers. In addition, many social and
environmental effects are measured over longer time frames. Forward-looking and long-term
information is more difficult to assure.
• Discursive nature of the information. Much of the information disclosed will be qualitative in nature.
Assurance techniques are less developed for qualitative disclosures. For example, how does an assurance
practitioner determine if a qualitative disclosure is material, and on what basis do they determine that
such disclosures may contain a material misstatement?
• Intersection of a variety of regulations and guidance. Assurance of integrated reporting may require
assurance practitioners to be familiar with a range of mandatory and non-mandatory approaches to
reporting on financial, environmental, social and governance issues, which may include the International
Financial Reporting Standards (IFRS), ISAs, International Organization for Standardization (ISOs), the
GRI, the Carbon Disclosure Project and others.
The IIRC continues to call for action to strengthen the overall credibility of, and trust in, <IR>
(IIRC 2015).
It is recognised that, in practice, organisations use a range of mechanisms to enhance credibility and
trust, of which assurance is one and corporate governance, internal audit and internal control are others.
As <IR> is relatively new and still evolving, assurance and other credibility-enhancing mechanisms on the
integrated report will need to evolve alongside the reporting itself.

FUTURE-ORIENTATED INFORMATION
As mentioned earlier in this section, assurance of future-oriented information includes assurance engage-
ments involving corporate fundraisings and forecast financial information such as projected cash flow
statements and projected statements of financial position. In this section we will focus our discussion on
the assurance of prospective financial information and the compilation of pro forma financial statements.
Assurance on Prospective Financial Information
The relevant standard is ISAE 3400. Prospective financial information is one of the few subject matters,
other than historical financial information, for which the profession provides specific guidance. In practice,
these assurance engagements are commonly performed by the ‘Big Four’ accounting firms and have
become one of the most common assurance services provided, other than assurance on historical financial
information. This is largely due to a general demand for assurance on forecasts — and similar types of
information — that management may be providing to the market where an entity is raising equity from
the public.
Australia does not have an equivalent standard to ISAE 3400, but does have a standard, ASAE 3450
Assurance Engagements involving Corporate Fundraisings and/or Prospective Financial Information that
applies to reporting on:
(a) historical financial information, pro forma historical financial information, prospective financial
information and/or pro forma forecast prepared in connection with a corporate fundraising, and
included in, or to be included in, a public or non-public document; and
(b) prospective financial information, including a pro forma forecast or a projection, prepared for any other
purpose (ASAE 3450, para. 1).
Definition
ISAE 3400 defines prospective financial information as:
financial information based on assumptions about events that may occur in the future and possible actions by
an entity … Prospective financial information can be in the form of a forecast, or projection or a combination
of both, for example, a one year forecast plus a five year projection (ISAE 3400, para. 3).

Pdf_Folio:311

MODULE 5 Other Assurance Engagements 311

 A ‘forecast’ is defined as:
prospective financial information prepared on the basis of assumptions as to future events which manage-
ment expects to take place and the actions management expects to take as of the date the information is
prepared (best estimate assumptions) (ISAE 3400, para. 4).

A ‘projection’ is defined as:

prospective financial information prepared on the basis of … hypothetical assumptions [or a mixture of
best-estimate and hypothetical assumptions] about future events and management actions which are not
necessarily expected to take place, such as when some entities are in a start-up phase or are considering a
major change in the nature of operations (ISAE 3400, para. 5).

Thus, a forecast is the entity’s best estimate of what is expected to occur, while a projection is an entity’s
estimate of what will occur if a specific course of action is undertaken.

Auditor’s Objective
ISAE 3400 states that the auditor’s objective in providing assurance on prospective financial information
is to obtain sufficient appropriate audit evidence as to whether:
(a) Management’s best-estimate assumptions on which the prospective financial information is based are
not unreasonable and, in the case of hypothetical assumptions, such assumptions are consistent with
the purpose of the information;
(b) The prospective financial information is properly prepared on the basis of the assumptions;
(c) The prospective financial information is properly presented and all material assumptions are adequately
disclosed, including a clear indication as to whether they are best-estimate assumptions or hypothetical
assumptions; and
(d) The prospective financial information is prepared on a consistent basis with historical financial reports,
using appropriate accounting principles (ISAE 3400, para. 2).

Procedures
ISAE 3400 offers guidance on the general procedures to be performed in an engagement that provides
assurance on prospective financial information, as well as on the form and content of the report that the
auditor issues in connection with such an engagement.
More specifically, ISAE 3400 provides the auditor with considerable guidance about:
• the auditor’s assurance regarding prospective financial information
• acceptance of the engagement
• knowledge of the entity’s business, which may have a significant effect on the prospective financial
information, including knowledge of the entity’s process for preparing prospective financial information
• the period of coverage of the prospective financial information and its impact on underlying assumptions
• the assurance procedures to be adopted, particularly in relation to management’s hypothetical and best-
estimate assumptions
• the presentation and disclosure of the prospective financial information
• the form and content of the auditor’s report, including the expression of an opinion, as well as the nature
of the prospective financial information and its limitations.
The procedure for collecting evidence varies between management’s best-estimate assumptions
(i.e. assumptions regarding future events that management expects to occur and actions management
expects to take) and their hypothetical assumptions (i.e. future events and management actions that are
not necessarily expected to take place). In particular:
• sufficient appropriate audit evidence needs to be obtained for best-estimate assumptions (‘forecast’)
(ISAE 3400, para. 18)
• supporting evidence need not be obtained for hypothetical assumptions (‘projection’), but the auditor
would need to:
– consider whether all significant implications of the assumptions have been taken into consideration
– be satisfied that they are consistent with the purpose of the prospective financial information and that
there is no reason to believe they are clearly unrealistic (ISAE 3400, paras 19–20).
In relation to the auditor’s assurance on prospective financial information, a number of key points are
important.
• While evidence may be available to support the underlying assumptions, such evidence is generally
future-oriented and, therefore, speculative in nature.
Pdf_Folio:312

312 Advanced Audit and Assurance

• The auditor is not in a position to express an opinion as to whether the results shown in the prospective
financial information will be achieved.
• It may be difficult for the auditor to obtain a level of comfort sufficient to express a positive opinion that
the assumptions are free of material misstatement.
• When reporting on the reasonableness of management’s assumptions, the auditor ordinarily provides
only a moderate level of assurance.
• The auditor is not precluded from providing a reasonable level of assurance regarding the assumptions
when the appropriate level of satisfaction has been obtained.
Reporting
ISAE 3400, paragraphs 27–32, outlines the procedures and reporting requirements in an assurance of
prospective financial information, including the following warnings that need to be given to users:
1. Actual results are likely to be different from the prospective financial information since anticipated
events frequently do not occur as expected and the variation may be material …; (ISAE 3400,
para. 27(m)).
2. In the case of a projection, the prospective financial information has been prepared for (state purpose),
using a set of assumptions that include hypothetical assumptions about future events and management’s
actions that are not necessarily expected to occur. Consequently, readers are cautioned that the
prospective financial information is not used for purposes other than that described; (ISAE 3400,
para. 27(m)).
3. Even if events anticipated under the hypothetical assumptions described … occur, actual results are still
likely to be different from projection since other anticipated events frequently do not occur as expected
… (ISAE 3400, para. 29).

You should now read ISAE 3400 to clarify your understanding of the procedures and reporting
requirements in an assurance of prospective financial information.
For an example of a 2019 assurance report on prospective financial information, refer to the
Independent Reporting Accountant’s Assurance Report on the prospective financial information of
Augusta Kedron Partnership, New Zealand for inclusion in the Offer Register of Augusta Funds
Management. The assurance report is available at: https://smartinvestor.sorted.org.nz/assets/disclose-
documents/13/6a/8d/10a44786f4/Independent-Limited-Assurance-Report-on-the-Prospective-
Financial-Information.pdf

QUESTION 5.9

You are part of an assurance team examining the financial forecasts of a client. The forecasts
include an assumption that sales turnover will increase next year, assuming regulatory approval for
a new product.
What information should the client disclose in order for the user to be able to make judgments
about the uncertainties attached to the estimated increase in turnover?

Assurance on Compilation of Pro Forma Financial Information

Included in a Prospectus
When the issuer of a prospectus wants to illustrate the effect of a planned acquisition or divestment, it
is common to demonstrate this by presenting adjusted past financial statements. The adjusted financial
statements demonstrate the financial effect of that transaction by showing what the financial statements
would be if that transaction had taken place in the prior period.
The pro forma financial information should be presented in the following columns:
• the unadjusted financial information
• the pro forma adjustments
• the resulting pro forma financial information (ISAE 3420 Assurance Engagements to Report on the
Compilation of Pro Forma Financial Information Included in a Prospectus, para. 11(c)).
To have an entity’s securities trading on any of the major stock exchanges around the world generally
requires the issue of a prospectus approved by a relevant securities regulator. The prospectus content is
normally determined by statutory or regulatory requirements but usually contains details of the offering
entity and the securities being offered.
dPf_Folio:313

MODULE 5 Other Assurance Engagements 313

 In a number of jurisdictions — the European Union (EU), for example — issuers who have a
prospectus approved by an appropriate regulator in their own jurisdiction can also offer securities into
other jurisdictions (such as other EU member states) without the need for any additional approval. This
has led to an increase in the number of cross-jurisdictional offerings in the EU. This positive outcome
has, however, highlighted differences in reporting practices within the EU and the corresponding need
for a common assurance standard in relation to pro forma financial information included in a prospectus.
Representatives from China and Hong Kong SAR also stressed the need for common standards that can
be consistently applied internationally (IFAC 2010).
In a number of jurisdictions, assurers obtain and convey reasonable assurance on the process for
compiling prospective financial information, not on the information itself. It also should be noted that
the assurer is not involved in the compilation of the information (compilation engagements are discussed
later in this module).
The existence of suitable criteria is a prerequisite for any assurance engagement. For an assurance
engagement to report on the process for compiling prospective financial information, suitable criteria are
required for evaluating whether that process has, in all material respects, been appropriately applied by the
responsible party.
To ensure an appropriate level of consistency in the application of ISAE 3420 in relation to the
suitability of criteria, the International Auditing and Assurance Standards Board (IAASB) requires that
the practitioner determine that:
• financial information is extracted from an appropriate source, which in most cases is expected to be
published financial information such as annual or interim financial statements
• any pro forma adjustments are directly attributable to transactions or events, factually supportable, and
consistent with the reporting entity’s financial reporting framework and associated accounting policies.
You should now read ISAE 3420 to clarify your understanding of the procedures and reporting
requirements in an assurance of pro forma financial information included in a prospectus.
For an example of a 2018 assurance report on pro forma historical financial information included
in a prospectus, refer to the Independent Reporting Accountant’s Assurance Report on the pro forma
historical financial information of Wilson Asset Management (WAM) Global Limited. The assurance
report is available at: wilsonassetmanagement.com.au/files/WAM_Global Prospectus.pdf
The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

5.1 Explain the types of assurance engagements, other than the audit of historical financial
information.
• Assurance engagements on historical non-financial reports include performance reports on the
use of resources or value for money, such as assurance of corporate social responsibility (CSR)
reports, greenhouse gas statements, sustainability reports, water accounting reports, business
performance measurement reports, and integrated reports.
• CSR Assurance is provided to meet user demands for high-quality, reliable information, and to also
demonstrate a high level of corporate responsibility.
• The assurance approach for GHG statements varies depending on the reporting entity’s level of
precision in its monitoring and disclosure of GHG emissions.
• The assurance requirements for each scheme legislated by the Australian government for mea-
suring, managing, reducing or offsetting Australia’s carbon emissions is administered by the Clean
Energy Regulator (CER) and are underpinned by the NGERS audit framework.
• Organisations are being increasingly held accountable on sustainability issues related to human
rights, climate change, waste management, and the use of scarce resources such as water. With
increased disclosure on sustainability issues, there are increased expectations of assurance on this
information in order to increase its credibility.
• It is critical that users of the water accounting reports have confidence in the credibility of these
reports, therefore, water accounting reports should contain independent attestation that they have
been prepared in accordance with approved water accounting standards (i.e. those developed by
WASB).
• In carrying out a performance measurement assurance engagement, it is often necessary to either
develop appropriate measures as criteria, or assess whether the performance measures being used
are suitable criteria for measuring the right things from the organisation’s perspective.

dP f_Folio:314

314 Advanced Audit and Assurance

 • As integrated reporting <IR> is relatively new and still evolving, assurance and other credibility-
enhancing mechanisms on the integrated report will need to evolve alongside the reporting itself.
• Assurance of future-oriented information includes assurance engagements involving corporate
fundraisings and forecast financial information, such as projected cash flow statements, and
projected statements of financial position.
5.2 Apply the appropriate standard that relates to assurance engagements, other than the audit of
historical financial information.
• The overarching standard to be applied to other assurance engagements is ISAE 3000 (Revised)
Assurance Engagements Other than Audits or Reviews of Historical Financial Information.
• ISAE 3410 Assurance Engagements on Greenhouse Gas Statements covers the assurer’s respon-
sibilities for identifying, assessing and responding to risks of material misstatement on GHG
statements.
• ASAE 3610/AWAS 2 Assurance Engagements on General Purpose Water Accounting Reports
covers guidance on the assurance of water accounting reports when attesting that they have been
prepared in accordance with approved water accounting standards.
• The assurance of adjusted financial statements that demonstrate the financial effect of a transaction
by showing what the financial statements would be if that transaction had taken place in the prior
period (pro forma financial information) is covered by ISAE 3420 Assurance Engagements to Report
on the Compilation of Pro Forma Financial Information Included in a Prospectus.
• ASAE 3450 Assurance Engagements involving Corporate Fundraisings and/or Prospective Financial
Information provides guidance on the assurance of historical financial information, pro forma
historical financial information, prospective financial information and/or pro forma forecast prepared
in connection with a corporate fundraising and prospective financial information, including a pro
forma forecast or a projection.

5.4 OTHER ASSURANCE ENGAGEMENTS — PART 2

In this second part of our discussion of other assurance engagements, we cover assurance engagements on
systems and processes and on aspects of behaviour.

SYSTEMS AND PROCESSES

One of the categorisations of underlying subject matter for other assurance services is ‘systems and
processes’ (International Framework for Assurance Engagements, Appendix 4). In practice, the most
common of these assurance services relate to the internal audit function which is discussed in the following
section.

Internal Audit
The IAASB ‘Glossary of terms’ defines the internal audit function as a ‘function of an entity that
performs assurance and consulting activities designed to evaluate and improve the effectiveness of the
entity’s governance, risk management and control processes’ (IAASB 2018b, p. 24). Its functions include
monitoring the adequacy and effectiveness of internal control.
This traditional definition of internal auditing is consistent with the view that the role of the internal
auditor is concerned primarily with:
• review of the reliability and integrity of financial and operating information
• review of systems established to ensure compliance with policies, procedures, plans, laws and regula-
tions impacting on operations and reports
• review of the means of safeguarding assets
• appraisal of economy and efficiency of any aspect or functional area of an organisation
• review of operations and programs.
While this definition of internal auditing takes into account the traditional role and objectives of internal
auditing, internal auditing is increasingly being perceived as integral to the risk management, control and
governance processes of an entity.
The Role of the Institute of Internal Auditors
The Institute of Internal Auditors (IIA) is an international professional association dedicated to enhancing
the status of internal auditing. Internal auditors have a unique position within their organisations and
provide audit committee members with objective assurance on governance, risk management and control
Pdf_Folio:315

MODULE 5 Other Assurance Engagements 315

processes. IIA argues that, in order to do this, the internal audit group must be adequately resourced
and professionally staffed and follow the internationally recognised framework for internal auditing. This
framework is provided by IIA and includes the International Standards for the Professional Practice of
Internal Auditing, Code of Ethics and Practice Advisory Statements.
The IIA has more than 194 000 members in more than 165 countries. The aim of the IIA is to present,
promote and develop the professional practice of internal auditing. IIA members are required to adhere
to both auditing standards and the Code of Ethics. In most of these countries, there is a separate internal
auditors’ chapter with its own website. For example, the Hong Kong SAR chapter was established in 1979
and the Malaysian chapter in 1977.
Check the website for your country now.
The IIA has developed the globally accepted definition of internal auditing as follows:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and
improve an organization’s operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control,
and governance processes (IIA 2019a).

This definition emphasises some important points that deserve further elaboration.
• Internal auditors should be independent of those managers whose work they are evaluating.
• Internal auditors add value by adopting an objective approach to each of the areas subject to audit
examination. This objectivity is achieved by an appropriate mindset by the auditors.
Institute of Internal Auditors Standards
The International Standards for the Professional Practice of Internal Auditing (Standards) (IIA 2017)
describe the nature of internal auditing, the characteristics of those who perform internal audit services,
and the quality criteria against which the performance of internal auditing can be evaluated.
The IIA (2017) standards have the following purposes:
1. Guide adherence with the mandatory elements of the International Professional Practices Framework.
2. Provide a framework for performing and promoting a broad range of value-added internal auditing
services.
3. Establish the basis for the evaluation of internal audit performance.
4. Foster improved organizational processes and operations (IIA 2017, p. 1).

The standards include basic requirements and interpretations. These standards use the word ‘must’
to specify an unconditional requirement and ‘should’ where conformance is expected except where
circumstances justify direction.
The standards apply to both assurance services and consulting services by internal auditors. Assurance
services involve:
An objective examination of evidence for the purpose of providing an independent assessment on
governance, risk management, and control processes for the organization. Examples may include financial,
performance, compliance, system security, and due diligence engagements (IIA 2017, p. 21).

Consulting services are:

Advisory and related client service activities, the nature and scope of which are agreed with the client, are
intended to add value and improve an organization’s governance, risk management, and control processes
without the internal auditor assuming management responsibility. Examples include counsel, advice,
facilitation, and training (IIA 2017, p. 22).

The standards consist of attribute standards regarding the auditor and performance standards regarding
the auditor’s work. Some key issues covered in the attribute standards include the following.
• The mandatory nature of the standards must be recognised in an internal audit charter.
– Internal audit activity must be independent and internal auditors must be objective. Any threats to
objectivity must be handled at the individual auditor, engagement and organisational levels.
– The chief audit executive (CAE) must confirm to the board, at least annually, the independence of
internal audit activity.
• The CAE reports to the board. The board:
– approves the internal audit charter
– approves the risk-based internal audit plan
– approves the internal audit budget and resource plan
Pdf_Folio:316

316 Advanced Audit and Assurance

 – receives communications from the chief audit executive on the internal audit activity’s performance
relative to its plan and other matters
– approves decisions regarding the appointment and removal of the chief audit executive
– makes appropriate enquiries of management and the chief audit executive to determine whether there
are inappropriate scope or resource limitations.
• Internal auditors must be impartial, unbiased and interact directly with the board.
• Engagements must be performed with proficiency and due professional care.
• The CAE must develop and maintain a quality assurance and improvement program that covers all
aspects of internal audit and involves both internal and external assessment.
Nature of Internal Audit Work
The Standards (IIA 2017) outline three main types of internal audit work. These involve evaluating and
contributing to the improvement of:
• governance
• risk management
• control.
Governance
Governance internal audit activities assess the governance process and suggest improvements where
necessary including:
1. making strategic and operational decisions;
2. overseeing risk management and control;
3. promoting appropriate ethics and values within the organization;
4. ensuring effective organizational performance management and accountability;
5. communicating risk and control information to appropriate areas of the organization; and
6. coordinating the activities of and communicating information among the board, external and internal
auditors, other assurance practitioners and management (IIA 2017, p. 13, para. 2110).

For example, the internal audit activity could evaluate the design, implementation and effectiveness of
various ethics-related programs and activities, such as an ethics hotline. It would include activities that
assess whether information technology governance supports the organisation’s strategies and objectives
(IIA 2017).
Risk Management
Risk-management processes include evaluating risk exposures related to governance, operations and
information systems. It also involves evaluating the potential for the occurrence of fraud and how the
organisation manages fraud risk.
Internal risk-management audits are aimed at helping the organisation identify and evaluate significant
exposure to risks and contribute to the improvement of risk management. This includes monitoring and
evaluating the organisation’s risk-management system. A particular internal audit assignment might relate
to part of that system. For example:
• the board of directors may be concerned about exposure to foreign exchange fluctuations
• a bank may be concerned about the unusually high profits in a particular area of trading
• management may ask for large inventory thefts at a particular location to be investigated.
The internal audit activity must evaluate the effectiveness of risk-management processes and contribute
to their improvement. This involves assessing whether:
1. Organizational objectives support and align with the organization’s mission;
2. Significant risks are identified and assessed;
3. Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
4. Relevant risk information is captured and communicated in a timely manner across the organiza-
tion, enabling staff, management, and the board to carry out their responsibilities (IIA 2017, p. 13,
para. 2120).

Control
Internal control audits are aimed at helping the organisation maintain effective controls by evaluating
effectiveness and efficiency and by promoting the continuous improvement of those controls. Internal
auditors can evaluate controls on a rotational basis or based on the results of risk assessments. Internal
auditors might also review operations and programs to determine the extent to which operating goals have

Pdf_Folio:317

MODULE 5 Other Assurance Engagements 317

been established and whether results are consistent with the established goals. For example, actual versus
budget performance could be compared across programs and locations. The evaluation of the:
… adequacy and effectiveness of controls in responding to risks within the organization’s governance,
operations, and information systems regarding the:
1. Achievement of the organization’s strategic objectives;
2. Reliability and integrity of financial and operational information;
3. Effectiveness and efficiency of operations and programs;
4. Safeguarding of assets; and
5. Compliance with laws, regulations, policies, procedures, and contracts (IIA 2017, p. 14, para. 2130.A1).

The Purpose of Internal Audit

As we have seen, the internal audit function provides assurance to management of the effectiveness
of internal controls, risk-management processes and operational processes. Internal audit also provides
consulting services to management, including improving controls and risk-management practices, and
developing and evaluating performance measurements systems.
In addition, audit committees rely on assurance from internal auditors regarding compliance, controls,
risk management and corporate governance issues. It should be noted that much of this work relates to
many of the services described earlier in this module, including internal control and risk management. In
particular, the internal audit function makes extensive use of the Committee of Sponsoring Organizations
of the Treadway Commission (COSO) framework (to be described later in this module).
Recent changes in the regulatory environment related to sustainability reports, and in particular to GHG
emissions, have led to new roles for internal auditors. A study conducted by Trotman and Trotman (2015)
found that participants in the study considered internal audit as having a role to play in the assurance
of GHG and energy reporting. In particular, participants believed that internal auditors could improve
the reliability of the data reported by developing and checking processes, ensuring the accuracy and
completeness of data, and performing auditing procedures.

QUESTION 5.10

What function does internal audit play in risk management?

Internal Auditing as an Assurance Service

Internal auditing is an assurance service consistent with the definition of assurance services as outlined in
module 1 (and earlier in this module). The notion of internal auditing as a consulting service emphasises the
shift of internal auditing from compliance to value-adding, working with management to identify solutions,
not just problems. The use of the words ‘a systematic, disciplined approach’ (IIA 2019) highlights
the unbiased and objective evidence-gathering process with standards to determine the sufficiency and
competence of audit evidence.
The next part of the definition, ‘evaluate and improve the effectiveness of risk management, control
and governance processes’ (IIA2019), emphasises the need for the auditor to understand risks as well
as management’s methods for managing or mitigating such risks. Controls exist to help management by
mitigating risk exposure and, therefore, are part of the risk-management process. Governance is the process
by which entities and stakeholders gain assurance that broad organisational policies are implemented and
adhered to and that accountability relationships are established.
The practice of internal auditing has been affected by the globalisation of entities, the outsourcing of
internal audit functions and the performance of traditional internal audit functions by others within the
organisation. The new definition of internal auditing highlights a strategic risk analysis approach to the
internal audit function, rather than the compliance approach that characterised traditional internal auditing.
The evaluation of risk exposure includes the following:
1. achievement of the organization’s strategic objectives;
2. reliability and integrity of financial and operational information;
3. effectiveness and efficiency of operations and programs;
4. safeguarding of assets; and
5. compliance with laws, regulations, policies, procedures, and contracts (IIA 2017, p. 13, para. 2120.A1).
dP f_Folio:318

318 Advanced Audit and Assurance

 For each of these areas, the internal auditors evaluate the adequacy and effectiveness of how the risks
are identified and managed. Where appropriate, they provide recommendations for improvements.
Internal Audit Engagement Planning
IIA (2017) auditing standards require internal auditors to develop and document a plan for each engage-
ment. Similar to planning for an external audit engagement, this plan includes objectives, scope, timing and
resource allocations. Prior to commencing the engagement, the internal auditor prepares an engagement
program that considers:
• the objectives of each engagement
• the scope of the engagement, which must be sufficient to satisfy the objectives of the engagement
• the engagement resource allocation, which would determine if sufficient resources are available
• a work program, which states the nature and extent of testing required
• procedures for collecting, analysing, interpreting and documenting information during the engagement.
The internal auditor also determines the period covered, estimated completion dates and final engage-
ment communication format.
As noted above, one key aspect of planning the engagement is determining audit objectives. The internal
audit management team identify high-risk areas for internal audit consideration. Senior management and
the board of directors also have input into that process. For example, the board may have identified the
need to look at foreign currency transactions.
When the individual internal audits to be carried out are chosen, the audit objectives of each of these must
be defined and documented in more detail. These objectives will be reviewed with management and those
requesting the audit. For example, the objective may be to investigate the increasing level of uncollectible
accounts. Specific objectives may relate to assessing the internal controls in place and the operation of the
controls. It may be decided to make comparisons across locations.
The scope of the internal audit also needs to be determined; for example, only trade debtors above a
certain level, or limiting the audit to locations with higher-than-normal write downs. In determining the
scope, it will be necessary to consider the resources and timing of engagement work, key factors affecting
business conditions and operations in the areas being reviewed (including changes in the environment),
and requests from management.
Carrying Out the Engagement
Internal auditors generally start the audit with some form of field survey in order to familiarise themselves
with organisational charts and systems and to evaluate the control systems and the control risk for systems
that come within the audit. This field survey usually involves accessing relevant policy and procedure
manuals, management reports, and undertaking a ‘walk-through’ of the relevant operations (e.g. storage
of inventory). This also involves discussion with relevant management to obtain information about known
problems and recent and forthcoming changes. At this point, it may be necessary to reconsider the
objectives, scope and planned audit procedures.
The internal auditor must collect audit evidence that is sufficient, reliable, relevant and useful:
Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach
the same conclusions as the auditor. Reliable information is the best attainable information through the
use of appropriate engagement techniques. Relevant information supports engagement observations and
recommendations and is consistent with the objectives for the engagement. Useful information helps the
organization meet its goals (IIA 2017, p. 17, para. 2310).

The nature of evidence will vary greatly depending on the nature of the internal audit. For example,
an internal audit related to slow collection of trade debtors may require circularisation of trade debtors
and testing of internal controls related to trade debtors. On the other hand, reviewing warehouse storage
operations will involve extensive interviews with management, observation and examination of supporting
documents.
Documentation is also important to internal auditors who need to document all relevant information to
support the conclusion and engagement results.

Pdf_Folio:319

MODULE 5 Other Assurance Engagements 319

 QUESTION 5.11

As the new chief internal auditor, you have been asked by the board of directors to make a
presentation on the role you believe your internal audit team should play in the prevention and
detection of fraud.
Outline some of the key points you would make in this presentation.

Internal Audit Reporting

There have been a number of references in the previous sections to internal audit reports. An important
skill for the internal auditor is to communicate their findings to busy executives and board members.
‘Communications must include the engagement’s objectives and scope and results’ (IIA 2017, p. 18,
para. 2410).
Some essential elements of internal audit reports include the following.
• An executive summary — the purpose of the summary document is to alert the recipient to the key
findings. It should encourage the reader to want to read the full report, and should generally include:
– a summary of key findings
– the audit objectives and coverage
– an overall conclusion.
• An introduction, incorporating:
– the reason for conducting the audit
– the objectives of the audit
– the audit approach
– the audit coverage
– the criteria used.
• A section on each of the areas audited — these sections could be split up by issues addressed, parts of
organisation audited, and so on. These sections would include a description of the work done, results
and specific recommendations.
• A list of recommendations with the auditee’s responses.
• A conclusion.
Providing a report on internal controls enables management to discharge its accountability obligation to
establish an effective internal control structure. The investing public has a legitimate interest in the state
of an entity’s internal controls. Also, a requirement for management to report on the adequacy of internal
controls may cause them to be more effective in maintaining internal control systems.
Review example 5.4 now.

EXAMPLE 5.4

Internal Audit Reporting

As a newly appointed internal audit manager at XYZ Ltd (XYZ), you have been provided with the draft
report prepared by one of your team members. The report has been prepared for the audit committee on
the company’s procurement procedures. It is a 60-page document with a table of contents. Each section
outlines current procedures and recommendations for improvement. The conclusion notes that adoption
of the recommendations of the internal audit group has the potential to reduce procurement costs by 10%
to 40% of present costs.
The table of contents of the report, including page numbers, is as follows.

Introduction
Present procurement policies 1
Cost of procurement broken down by geographic area 8
Procurement costs of largest companies in the industry 16

dP f_Folio:320

320 Advanced Audit and Assurance

 Planning procurement activities
Annual procurement plans 22
Procurements method selection 24

Conducting procurement
Tender processes 27
Ensuring non-discrimination 31
Procurement support 34
Record keeping 38
Monitoring and review 42
Examples of best practice in procurement 47
Conclusions 58

............................................................................................................................................................................
Outline some potential improvements you could make to the structure of the report.
Check your response against the suggested answer at the end of the book.

Internal Controls Audit

There has been a growing emphasis on the reporting of internal controls worldwide. For example, the US
Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013) provides guidelines
for the voluntary reporting by management to external parties on the adequacy of internal controls over
financial reporting.
Following the enactment of the Sarbanes–Oxley Act 2002 (US), there are now requirements for
management reports on internal controls and subsequent requirements for these assessments to be audited.
Given that these requirements are seen by many regulators as best practice, they are likely to lead to greater
reporting and assurance on internal controls in other jurisdictions as well.
In Australia, the AUASB issued a new Standard on Assurance Engagements in 2015, ASAE 3150
Assurance Engagements on Controls. This new standard sets out mandatory requirements for assurance
practitioners to apply, in conjunction with the requirements in ASAE 3000, when accepting, planning,
performing and reporting on controls. ASAE 3150 requires that either limited or reasonable assurance is
provided about whether, in all material respects and based on suitable criteria, either:
(i) as at a specified date, the controls were suitably designed, to achieve the identified control objectives
… or
(ii) throughout the period, the controls were suitably designed to achieve the identified control objectives,
and the controls operated effectively as designed (ASAE 3150, para. 15).

An important issue for any assurance engagement on internal controls is the identification of suitable
criteria against which the controls can be evaluated. These criteria are a key aspect for engagement
acceptance. The most widely used in practice is the Internal Control — Integrated Framework (COSO
2013).
COSO’s Internal Control — Integrated Framework (2013) has created a greater awareness and
understanding of internal control, particularly with respect to legislators and regulators. It has highlighted
the significance of internal control as part of the overall management process encompassing the entity’s
operational, financial reporting and compliance activities. It has created a foundation of mutual under-
standing — a consensus among diverse parties as to the nature and significance of internal control. The
COSO framework has developed and established standards against which all organisations can measure
the effectiveness of their internal controls. It has clearly delineated the role and responsibilities of all
individuals in an organisation in maintaining and evaluating internal control.
The COSO framework also offers a word of caution — internal control is not a cure-all for an entity’s
problems. There are inherent limitations to internal control in that it is only as good as the people involved.
It cannot overcome human error, faulty judgment or deliberate collusion and circumvention of controls. It
cannot guarantee anything. An effective internal control system can only provide a reasonable assurance
that the entity will achieve its operational, financial reporting and compliance objectives.

Pdf_Folio:321

MODULE 5 Other Assurance Engagements 321

 As will be described in this section, Internal Control — Integrated Framework (2013) is continually
evolving and new support systems are being developed (such as compliance frameworks, and question-
naires on the control environment, fraud, monitoring and general controls). Potential use of the COSO
framework is discussed in the next section.
Using the Internal Control — Integrated Framework
The COSO (2013) framework is the most commonly used criteria for assurance reports on internal controls.
It has been adopted by most US firms carrying out engagements under section 404 of the Sarbanes–Oxley
Act, which requires:
• the annual report to include management’s assessment of the effectiveness of internal controls over
financial reporting
• the auditor to attest to and report on management’s internal control assessment.
The executive summary of the COSO (2013, p. 3) framework defines internal control as:
a process, effected by an entity’s board of directors, management, and other personnel, designed to
provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and
compliance.

The primary responsibility for defining internal control — and its related objectives in pursuing an
entity’s strategic mission — rests with the chief executive officer, who is answerable to the board of
directors. The audit committee of the board of directors, in turn, oversees the structure and functioning
of the internal control system as part of its governance role.
COSO’s internal control framework (shown as figure 5.4) consists of five interrelated components:
1. control environment
2. risk assessment
3. control activities
4. information and communication
5. monitoring activities.
COSO sets out 17 principles associated with the five components. Because these principles are drawn
directly from the components, an entity can achieve effective internal control by applying all 17 principles.
All principles apply to operations, reporting, and compliance objectives.
Auditors can assess the entity’s system of internal control in relation to the COSO framework, focusing
on how it has selected, developed and deployed controls that affect the principles within the components of
internal control. Auditors, like management, may use COSO’s illustrative tools as part of this evaluation of
the overall effectiveness of the entity’s system of internal control. The illustrative tools assist users when
assessing whether a system of internal control meets the requirements set forth in the updated framework.
The 17 principles are listed next.
Principles
Control environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the
development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities
and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in
alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit
of objectives.
Risk assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment
of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks
as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal
control.

Pdf_Folio:322

322 Advanced Audit and Assurance

Control activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the
achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achieve-
ment of objectives.
12. The organization deploys control activities through policies that establish what is expected and
procedures that put policies into action.
Information and communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning
of internal control.
14. The organization internally communicates information, including objectives and responsibilities for
internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of
internal control.
Monitoring activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain
whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those
parties responsible for taking corrective action, including senior management and the board of directors,
as appropriate.
Source: Adapted from Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013, Internal Control—
Integrated Framework: Executive Summary, pp. 6–7, accessed July 2019, https://www.coso.org/Documents/990025P-Executive-
Summary-final-may20.pdf. © Committee of Sponsoring Organizations of the Treadway Commission 2013. Reprinted with
permission.
In figure 5.4 the three categories of objectives — operations, reporting and compliance — are
represented by the vertical columns; the five interrelated components and principles are represented by
horizontal rows; and an entity’s organisational structure is represented by the third dimension. When
judging whether an entity’s enterprise risk management is ‘effective’, it is necessary to determine if the
five components are present and functioning effectively. The benefit of this depiction is that it shows that
one can focus on the entirety of an entity’s risk management or just on a subset by objective, component
and entity unit. Any of these subsets can be the subject matter of an assurance report.

FIGURE 5.4 Relationship between objectives and components

ns g ce
io rtin ian
at po pl
er
Op Re Co
m

Control Environment
Operating Unit
Function

Risk Assessment
Division
Entity Level

Control Activities

Information and Communication

Monitoring Activities

Source: Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013, Internal Control — Integrated
Framework: Executive Summary, p. 6, accessed July 2019, https://www.coso.org/Documents/990025P-Executive-Summary-final-
may20.pdf. © Committee of Sponsoring Organizations of the Treadway Commission 2013. Reprinted with permission.

Pdf_Folio:323

MODULE 5 Other Assurance Engagements 323

 A range of groups are likely to benefit from the conduct of assurance services on risk assessments.
• Owners of small businesses and management of larger organisations will be more effective if they are
aware of important risks and have an evaluation of the potential magnitude and likely impact on the
organisation.
• Directors will benefit in carrying out their fiduciary duties and oversight responsibilities.
• Shareholders should benefit from knowledge that management is aware of the important risks and has
implemented controls related to managing those risks.
• Outsiders, including trading partners, creditors and regulators, should benefit indirectly from assurance
services on risk management provided to management or directors.

QUESTION 5.12

Consider each of the following activities with respect to an internal control system. Categorise each
activity under the five COSO (2013) components. Justify your responses.
(a) Management’s commitment to competence.
(b) Separation of duties.
(c) Expanded foreign operation.
(d) Management’s questioning of reports that are different from their knowledge of operations.
(e) Corporate restructuring involving staff reductions.
(f) Establishment of a compliance register for improprieties.
(g) The role of the internal auditor.
(h) How authority and responsibility for operating activities are assessed.
(i) Gatekeeper at a factory.
(j) Communication channels with customers.

Review example 5.5 now.

EXAMPLE 5.5

Internal Control System

You are undertaking an assurance engagement for a university accommodation trust whose recent
performance has been negatively affected by a drop in demand for accommodation by overseas students.
............................................................................................................................................................................
Consider the following scenarios, then identify the key risk for each scenario and provide a suggested
improvement for that risk.
(a) Revenue is generated from management fees related to managing the buildings and from rental fees
related to leasing out the student accommodation. The trust has grown over the past three years by
building new accommodation and has financed this growth by taking on debt. Typical of companies that
have grown quickly, the systems have not kept pace with the growth.
(b) Management of the buildings is outsourced to a separate entity. No management agreement is currently
in place to manage this arrangement.
(c) Many complaints have been received from students renting the accommodation. However, you note
that poor performance, as evidenced by accommodation practitioners’ lack of responding to student
complaints, is currently an industry-wide problem. Current KPIs for your assurance client do not address
complaints and, as such, management tends to ignore them.
Check your response against the suggested answer at the end of the book.

Using the Risk Management, Control and Governance Processes Framework

A further framework for risk management, control and governance processes is contained in ISO 31000
Risk Management — Guidelines. This framework is promoted by the ISO, and AS/NZS ISO 31000 is
widely used in Australia and New Zealand as an alternative to the COSO (2013) framework. The main
elements of AS/NZS ISO 31000 are as follows.
• Establish the context. Establish the strategic, organisational and risk management context in which the
rest of the process will take place.
• Identify risks. Identify which risks can arise (and why and how) as the basis for further analysis.
dP f_Folio:324

324 Advanced Audit and Assurance

• Analyse risk. Determine the existing controls. Analyse risks in terms of consequence and likelihood in
the context of those controls. The analysis should consider the range of potential consequences and the
likelihood of those consequences occurring.
• Evaluate risk. Compare estimated levels of risk against the established criteria. This enables risks to be
ranked in order to identify management priorities.
• Treat risk. Accept and monitor low-priority risks. For other risks, develop and implement a specific
management plan.
• Monitor and review. Monitor and review the performance of the risk-management system and any
changes that might affect it.
• Record. The risk management activities of the entity should be appropriately recorded so that they
are traceable. For each stage of the process, adequate records should be kept, sufficient to satisfy
independent audit.

QUESTION 5.13

You are engaged to write an internal control checklist for Cyber-Sell, a company that buys and sells
products over the Internet as a key secondhand market.
Identify the controls and the risks they could address in the Cyber-Sell sales systems in
relation to:
(a) confidentiality of information
(b) transaction integrity
(c) authorisation of payments
(d) assurance of business credibility.
Source: Leung et al. 2018.

Continuous Auditing
Continuous auditing involves the use of embedded modules in a client’s computer system to perform
auditing activities, such as control and risk assessments, on a more frequent basis. The key to continuous
auditing is that it produces audit results simultaneously with, or a short period of time after, the relevant
events. As continuous auditing can apply to assurance on historical financial information, non-financial
information, systems reliability and behaviour, it is discussed here under a separate heading.
The increased emphasis on continuous auditing derives from the rapid advances in information
technology over recent years. This has resulted in a large amount of information being available more
quickly to a wide range of users. The advanced audit data analytic techniques that were discussed in
module 2 are equally applicable to subject matter such as sustainability reports, GHG reports, or internal
control effectiveness, where the data is captured electronically. These techniques have the ability to analyse
complete populations of data in order to identify patterns, correlations and deviations from expected results.
As such, they have the potential to provide efficient and reliable audit techniques.
It follows that, if decision makers need continuous information on which to base their decisions, it is
likely that they will also require independent assurance on the reliability of that information. In a continuous
audit, auditors would evaluate, using suitable criteria, the relevant subject matter information as described
above. For a continuous financial statement audit, the suitable criteria would be the IFRSs. However, as
described above, continuous audits can cover a broad range of subject matter information. The auditor
would need to consider how the subject matter information can be evaluated against criteria that have the
characteristics outlined in the International Framework for Assurance Engagements, including relevance
and reliability.
A continuous audit involves traditional methods of obtaining audit evidence, including inspection,
observation, enquiry, recalculation, reperformance and analytical procedures. It also relies heavily on
automated tools and techniques to provide much of the evidence because of the time period within which
reporting is required. For example, management would design controls to prevent, detect and correct errors
so that the likelihood of a material error is reduced to an appropriate level. These controls would include
alarm triggers, which are automated warnings to management and auditors that:
• controls are functioning as intended and have identified an error that requires investigation and, if
necessary, correction by management
• controls do not appear to be functioning as intended, based on pre-determined indicators or anomalies
in the information being generated.
dPf_Folio:325

MODULE 5 Other Assurance Engagements 325

 A continuous audit engagement can be either:
• an attestation engagement
• a direct engagement.
As described in module 1, an attestation engagement provides an opinion, using suitable criteria, on
management’s written assertion. For example, the auditor can report on the fairness of management’s
written assertion that, in all significant respects, the company maintains effective controls in conformity
with certain criteria.
In a direct engagement for a continuous audit, the auditor’s report provides an opinion on subject matter
for which management is responsible. For example, the auditor’s opinion could state directly whether the
entity maintains effective controls in conformity with certain criteria.

Continuous Assurance by Internal Auditors

A recent trend has been the increased use of the continuous auditing approach, with a large number of
companies stating that they had adopted continuous auditing and others planning to do so in the near
future (Vasarhelyi et al. 2012). Some key reasons for this include changes in regulatory demand, a greater
push towards real-time financial reporting and the move towards automating manual audits.
Recent discussion of continuous auditing refers to it as part of the internal audit process. For example,
KPMG (2019) refers to it as an ‘automated feedback mechanisms used respectively by Internal Audit or
Management to monitor IT systems, transactions and controls on a frequent or continuous basis, throughout
a given period’.
Some advantages of using continuous assurance in the internal audit environment include:
• greater audit coverage at lower cost
• identifying control breakdowns in real time with quicker corrective action
• a continuous rather than cyclical audit process.
Review example 5.6 now.

EXAMPLE 5.6

Continuous Assurance Engagement

OnTrend Appliances Ltd (OnTrend) is an importer of electrical goods and in the last three years has
expanded its business by close to 100%. However, with a recent increase in the exchange rate, it has
found that sales have slowed, there has been a build-up of inventory and cash flow has become a concern.
To address this concern, management has obtained an additional loan from its bank, mostly to finance
working capital, in particular, its inventory. The nature of the business is such that significant amounts of
inventory must be available at all times throughout the year.
The bank has agreed to allow management to pledge only OnTrend’s inventory on hand as collateral for
the loan. Conditions of the loan are as follows.
• The cost of the inventory must not fall below the drawn-down value of the additional loan.
• Inventory is to be costed using the lower of cost and net realisable value. Cost is the actual cost of
inventory calculated in local currency. Net realisable value is to be calculated as the average selling
price of that inventory item for the week.
• Management is to prepare a weekly report to the bank regarding the cost of inventory on hand by major
inventory type, as at 5 pm on the Thursday of that week.
• This report is to be made available to the bank by midday the next day, accompanied by a continuous
assurance report from an independent auditor that provides reasonable assurance that management’s
schedule of the total cost of the inventory, by major inventory type, is, in all material respects, fairly
stated in accordance with the conditions set out in the loan agreement, and that there has been no
breach of the loan covenant agreement.
The management of OnTrend has asked its financial statement auditors to undertake a continuous audit
of the cost of its inventory on hand and to provide the weekly assurance to the bank that there has been
no breach of the loan covenant agreement.
............................................................................................................................................................................
(a) From a control environment perspective, what are the main differences between a traditional financial
statement audit and a continuous audit for OnTrend?
(b) Identify the data that the auditor must have access to in order to provide this continuous assurance
engagement.
Check your response against the suggested answer at the end of the book.

dP f_Folio:326

326 Advanced Audit and Assurance

 QUESTION 5.14

Johnson Brain is a subsidiary in the Franklin Spleen group of companies and is about to implement
a new IT solution to manage an important part of its production process. The Franklin Spleen group
has a broad range of detailed group policies and procedures that all companies in the group must
follow. The policy around major expenditure requires a tender process to take place as follows.
1. Full detailed project specifications should be produced.
2. Invitations to tender must be advertised publicly.
3. The receipt of tenders submitted must be documented and all submissions opened at the same
time.
4. A project team of at least three must review and assess submissions, one of whom must have
appropriate expertise in IT project management.
5. Contracts will be awarded based on an assessment matrix which gives a score weighted across
various factors of functionality, financial stability of the supplier, track record, price, and future
support. You have been asked to provide assurance on Johnson Brain’s new IT solution.
Identify the type of assurance engagement you have been asked to carry out and for each of
the five points above, suggest procedures that might be carried out to satisfy yourself that the
appropriate tender process has been followed.
Source: Leung et al. 2019, PAQ 4.29.

ASPECTS OF BEHAVIOUR
One of the categorisations of underlying subject matter for other assurance services is aspects of
behaviour (International Framework for Assurance Engagements, Appendix 4). In practice, one of the
most common of these assurance services is the compliance engagement, which covers an individual or
entity’s compliance with rules, regulations, policies, or similar responsibility, and is discussed in the next
section. Other examples include the evaluation of audit committee effectiveness and fitness for purpose of
a software package.

Compliance Engagements
A compliance engagement involves gathering evidence to ascertain whether the person or entity under
review has followed the rules, policies, procedures, laws and regulations with which they must conform.
There are a number of examples of compliance engagements. A tax assurance engagement is used to
determine whether an individual or company has completed their tax return in accordance with the Income
Tax Assessment Act 1936 and the Income Tax Assessment Act 1997. Within an organisation, management
may specify that certain processes be followed when completing a function. For example, a company may
have policies and procedures for the hiring of new staff. In that case, the organisation’s internal auditors may
be called upon to check whether employees are following the specified processes appropriately (Moroney
et al. 2017).
An entity may have an obligation to comply with:
• external requirements, such as those established through law and regulation or contractual arrangements,
and/or
• internally established requirements, such as those established through company policies.
When conducting a compliance engagement, the objectives of the assurance practitioner are to obtain
assurance about whether the entity has complied in all material respects with these requirements; and to
communicate through a written assurance report that expresses either a reasonable or limited assurance
conclusion (ASAE 3100 Compliance Engagements, para. 15).
Australia recently revised one of its Standards on Assurance Engagements, ASAE 3100, for which
there is no equivalent International Standard on Assurance Engagements. This standard was revised to
help assurance practitioners promote a high-quality and consistent approach on performing compliance
engagements. The revised ASAE 3100 provides practitioners with:
• clearer objectives and detailed requirements
• additional application material covering planning, performing and reporting
• a comprehensive set of example letters and reports (Michaelides 2017).
Compliance assurance engagements can be either attestation engagements or direct engagements. The
differences between these are shown in figure 5.5.

Pdf_Folio:327

MODULE 5 Other Assurance Engagements 327

 FIGURE 5.5 Comparison of attestation and direct compliance engagements

Attestation engagement Direct engagement

Obtain reasonable or Assurance Obtain reasonable or

limited assurance whether practitioner’s limited assurance whether
the entity’s statement on objective the entity’s compliance
compliance is free from requirements
material misstatement have been met

Conducted by the entity Evaluation Conducted by an

or their representatives assurance practitioner

Report form
Presented in a for conclusion Presented in an
compliance statement assurance conclusion

While these compliance assurance engagements exist in both the public and private sectors, they
are usually discussed in relation to public sector assurance engagements. The reason for this is that
governments and other public sector entities usually operate in accordance with legislation that sets out
directions, conditions and limitations over the source, allocation and use of public resources. Hence,
compliance engagements are an integral part of their accountability process.
Compliance engagements are also common in the private sector. Overall, there is great variety in the
types of compliance engagements conducted, including:
• compliance with corporate governance policies
• veracity of management statements regarding impartiality
• carbon statements for emission trading
• corporate disclosure audits that:
– assess the scope of system design
– review the reliability of systems from which information is collated
– assess compliance with current laws, regulations and industry best practice.
Table 5.1 shows the nature of assurance engagements on compliance. The table sets out the:
• scope or purpose of the engagement
• compliance requirement — the requirements established in law; regulations; other statutory require-
ments; contractual arrangements; industry or professional obligations; or internally via entity policies,
procedures and frameworks
• criteria for evaluating compliance activity — the benchmark, framework or legislation used to evaluate
whether the compliance requirements have been met
• compliance activity — the activity that is undertaken to meet the compliance requirement
• compliance outcome of the evaluation — the outcome of the evaluation of the underlying compliance
activity against the compliance requirements, using the criteria. The compliance outcome is the
statement of the responsible party in an attestation engagement on compliance, or the assurance
practitioner’s conclusion in a direct engagement on compliance
• assurance opinion or conclusion.

Pdf_Folio:328

328 Advanced Audit and Assurance

 TABLE 5.1 Examples: nature of assurance engagements on compliance

Criteria for Subject Compliance

evaluating matter/ outcome of the
Scope of Compliance compliance compliance evaluation (subject Assurance
engagement requirement activity activity matter information) conclusion

Compliance of the s. 407 of the Applicable Trustee Evaluator’s State- Reasonable

Real Estate Trust with Property criteria as Account ment or assurance Assurance —
the requirements of Agents specified procedures: practitioner’s complied in all
s. 407 of the Property and Motor under s. 407 Trustee Bank conclusion whether material respects
Agents and Motor Dealers Act of the Act. As Account and the Trust has with s. 407 of the
dealers Act 2000 (the 2000 an example: cash book complied in all Act.
‘Act’). maintenance procedures. material respects
and controls with s. 407 of the
over the Act.
Trustee Bank
Account.

Compliance of Applicable Example: As an Evaluator’s Reasonable

the Registered sections of: Conditions example: Statement or Assurance —
Superannuation SIS Act; SIS imposed under RSE assurance practi- complied in all
Entity (RSE) with Regulations; C5 of SIS Act: procedures tioner’s conclusion material respects
the applicable Corporations • all assets and controls whether the RSE with Condition C5
provisions of the Act; of RSE, covering: has complied imposed under
Superannuation Corporation including • bank in all material s. 29EA of the
Industry (Supervision) Regulations; all bank accounts respects with the SIS Act . . . and
Act 1993 (SIS Act), FSCODA accounts are • other requirements of the the applicable
Superannuation Reporting ‘custodially assets. applicable SIS Act, provisions of
Industry (Supervision) Standards; held’ as SIS Regulations, the SIS Act, SIS
Regulations, and defined in FSCODA Reporting Regulations,
FSCODA Reporting Conditions trustee’s RSE Standards, FSCODA Reporting
Standards, C1, C5, E1, licence. Corporations Act Standards,
Corporations Act F1 and G1 and Corporations Corporations Act
2001 (Corporations imposed Regulations, and Corporations
Act) and Corporations under conditions imposed Regulations, other
Regulation 2001 s. 29EA of under s. 29EA of the conditions imposed
(Corporation the SIS Act. SIS Act. under s. 29EA of
Regulations). the SIS Act.

Source: Australian Auditing and Assurance Standards Board (AUASB) 2017, ASAE 3100 Compliance Engagements, pp. 40–1,
accessed July 2019 http://www.auasb.gov.au/admin/file/content102/c3/ASAE_3100_Compliance_Engagements.pdf

Where an engagement is conducted to express an opinion on compliance with specified requirements,

the auditor must clearly determine the scope of the engagement. This is done by:
• identifying the entity, or part thereof, being reported on
• specifying the legislation or other regulations that form the criteria against which compliance is being
reported.
Where instances of non-compliance with the requirements are discovered, a modified auditor’s report
will be issued.
The assurance practitioner is required to consider materiality, consistent with the consideration of
materiality as required by ASAE 3000, when determining the nature, timing and extent of procedures
(ASAE 3100, para. 31). Materiality is considered at the planning stage; when determining the nature,
timing and extent of evidence-gathering procedures; and when evaluating the effects of identified
accumulated deficiencies in the compliance framework or identified issues of non-compliance with the
framework. Both quantitative and qualitative factors are considered, including the relative magnitude of
detected or suspected instances of non-compliance; the nature and extent of the effect of these factors
on the evaluation of compliance with the compliance requirements; and the nature of the matters of non-
compliance (whether they are one-off or systematic). Explanatory guidance on this issue is provided in
ASAE 3100 (paras A24–A29).
Please read paragraphs A24–A29 of ASAE 3100 now.
Two other examples of compliance assurance engagements are provided in examples 5.7 and 5.8.

Pdf_Folio:329

MODULE 5 Other Assurance Engagements 329

 EXAMPLE 5.7

Self-Managed Superannuation Fund Audits

A self-managed superannuation fund (SMSF) is a way for individuals to save for their retirement. In SMSFs,
the members are generally the trustees and run the fund for their own benefit. SMSFs are regulated by the
Australian Taxation Office (ATO), which requires that approved auditors carry out financial and compliance
assurance engagements of all SMSFs each year. The compliance aspect of the audits requires the auditors
to assess the SMSFs’ compliance with the superannuation rules. For example, the trustees must run the
SMSFs only to provide retirement benefits to members, and SMSF investments must be kept separate
from the personal and business affairs of members. The relevant legislation is the Superannuation Industry
(Supervision) Act 1993.

EXAMPLE 5.8

Client Money Audits

A client money audit is a form of compliance engagement required when professional accountants (and
other professionals) hold or control client money. The relevant standard is APES 310 Client Monies.
The obligations of APES 310 extends to members operating trust accounts and where a member, or
any of the member’s employees, deals with client monies which include:
• holding, receiving or disbursing of client monies
• reporting on dealing with client monies
• obtaining an assurance engagement on the member’s compliance with APES 310 (APES 310, para. 1.1).
APES 310 is divided into two parts.
• Part A: Obligations of members who deal with client monies
• Part B: Obligations of auditors of a member’s compliance with APES 310.
Part A Obligations
Part A identifies the responsibilities of professional accountants with respect to client monies. As such,
Part A forms the criteria for the compliance engagement referenced in Part B.
Part B Obligations
Part B specifies the obligations of an auditor of a member’s compliance with the standard and includes
an example of an audit report for this type of engagement.
A copy of a modified auditor’s report must be forwarded by the auditor to the applicable Professional
Body (e.g. CPA Australia) within 15 business days of the completion of the assurance engagement
(APES 310, para. 8.8).
An auditor is also required to report any identified deficiency of client monies to CPA Australia (or
auditee’s Professional Body) within five business days (APES 310, para. 8.9).

QUESTION 5.15

Bravo Bags is a luggage retailer that operates out of a shopping mall. As required by the landlord,
Bravo Bags has hired Brad Pope, CPA, to provide a report to the landlord as to whether Bravo Bags
has met the requirements of its lease agreement in terms of reporting the store’s sales information.
Discuss how this engagement meets the requirements of an assurance engagement.

QUESTION 5.16

You are an internal auditor at Big Co., a large public company with 1500 employees. Your boss calls
you into her office to give you your next assignment.
‘I have just received a special audit request from the Audit Committee at Big Co. There seem
to be rumours out there that employees are padding their expense reports and not complying
with the policies and procedures for expense claim reimbursements that the Board of Directors
had approved this year. As you know, these expense claim requests are only to be used when an
employee incurs out of pocket expenses in which reimbursement is allowable under the policy.
dP f_Folio:330

330 Advanced Audit and Assurance

 Rumour is that this is not always the case. The Audit Committee would like us to conduct a compli-
ance audit on the policy and procedures. In addition, they want to make sure the implementation of
the policy was handled properly. Please draft up a plan describing how we can conduct these two
engagements, outlining the control objectives you will be testing for each and the specific tests
you plan to do.’
Source: McDonald, Julie A. Canadian Assurance Cases: Auditing in the Real World, p. 39, John Wiley & Sons (Canada).

Corporate Governance Assurance

Corporate governance has assumed new levels of importance in today’s business world. This is one of the
consequences of the major corporate collapses at the start of this century (e.g. Enron, WorldCom and HIH
Insurance). Corporate governance regulation was increased both overseas and in Australia (e.g. the US
Sarbanes–Oxley Act; CLERP 9 in Australia). All of the Big Four accounting firms provide a substantial
number of assurance services related to best practices in board reporting and whether corporate governance
requirements have been met (refer to the websites of any of the Big Four accounting firms). These assurance
engagements relate to aspects of behaviour of the Board.
In Australia in 2019, the Corporate Governance Council of the Australian Securities Exchange (ASX)
published its revised fourth edition of its corporate governance guidelines, Corporate Governance
Principles and Recommendations (ASX Corporate Governance Council 2019). The heightened demand
for increased reporting of corporate governance practices provides a market opportunity for the profession.
This may be in the form of:
• a general purpose assurance report to the public — giving assurance about the fair presentation of the
corporate governance disclosures
• a special purpose assurance report to the directors, which provides them with increased assurance that
they have properly fulfilled their disclosure responsibilities
• assurance reports on the information provided by management to directors for directors’ meetings.
Directors base their decisions on this information and their decisions affect their own reputations as
well as their legal liability. Consequently, directors may wish to have an assurance report about the
relevance, reliability and completeness of the information provided to them at board meetings.
The ASX Corporate Governance Council (2019) publication incorporates the following eight essential
corporate governance principles:

1. Lay solid foundations for management and oversight …

2. Structure the board to be effective and add value …
3. Instil a culture of acting lawfully, ethically and responsibly …
4. Safeguard the integrity of corporate reports …
5. Make timely and balanced disclosure …
6. Respect the rights of security holders …
7. Recognise and manage risk …
8. Remunerate fairly and responsibly...

Source: ASX Corporate Governance Council 2019, Corporate Governance Principles and Recommendations, 4th edn, p. 2,
accessed July 2019, https://www.asx.com.au/documents/regulation/cgc-principles-and-recommendations-fourth-edn.pdf © 2019
ASX Corporate Governance Council.

For each of these principles, the ASX has a set of recommendations on how to achieve best practice. It
also provides guidelines on what information should be included in the corporate governance section of an
annual report and what material should otherwise be made publicly available (e.g. on the entity’s website
under the corporate governance section). Companies are either required to report against these issues in
their annual reports or explain why they have not done so (the ‘comply or explain’ principle).
The ASX Corporate Governance Council (2019) recommendations can be used as criteria for providing
corporate governance assurance. The assurance could be provided for the contents of the corporate
governance disclosures or on the systems that generate the disclosures.
In some cases, the evidence collection for providing assurance could be relatively straightforward
(e.g. the first principle to ‘lay solid foundations for management and oversight’). However, for other
principles, such as ‘structure the board to add value’, assurance would be much more judgmental.
While the above example considers the guidelines developed by the ASX, similar guidelines exist in
most countries.
Pdf_Folio:331

MODULE 5 Other Assurance Engagements 331

 QUESTION 5.17

(a) What could form the subject matter of an assurance engagement on briefing papers prepared
by management for the purpose of a board of directors’ meetings?
(b) What difficulties may exist in providing such assurance?

QUESTION 5.18

A firm provides the following service for its clients:

1. Preparation of a report giving advice to a client on the introduction of a new system of internal
controls.
2. A report giving an opinion on a school’s responses to a questionnaire required by the auditor-
general.
3. Preparation of the company’s tax returns.
4. A report to management about the success of a marketing campaign.
5. A report to directors in relation to a half-year financial report for a listed company.
6. An audit of a management report into the effectiveness of a company’s internal control system.
7. A statement of findings to management in relation to the completeness and accuracy of its
purchase ledger balances.
For each of the above, identify whether assurance services are being provided and give expla-
nations to justify your answer. For each assurance service, identify what level of assurance will be
provided and what form the opinion will take.

The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

5.1 Explain the types of assurance engagements, other than the audit of historical financial
information.
• An important issue for any assurance engagement on internal controls is the identification of
suitable criteria against which the controls can be evaluated. The most widely used in practice
is COSO’s Internal Control — Integrated Framework.
• Continuous auditing involves the use of embedded modules in a client’s computer system to
perform auditing activities, such as control and risk assessments, on a more frequent basis.
• One of the most common assurance services on aspects of behaviour is the compliance engage-
ment. Other examples include the evaluation of audit committee effectiveness and fitness for
purpose of a software package.
• A compliance audit involves gathering evidence to ascertain whether the person or entity under
review has followed the rules, policies, procedures, laws and regulations with which they must
conform.
• The ASX Corporate Governance Council (2019) recommendations can be used as criteria for
providing corporate governance assurance. The assurance could be provided for the contents of
the corporate governance disclosures or on the systems that generate the disclosures.
5.2 Apply the appropriate standard that relates to assurance engagements, other than the audit of
historical financial information.
• ISAE 3402 Assurance Reports on Controls at a Service Organization provides guidance on the
assurance of the design of controls at a service organisation.
• ASAE 3150 Assurance Engagements on Controls sets out mandatory requirements for assurance
practitioners to apply, in conjunction with the requirements in ASAE 3000, when accepting,
planning, performing and reporting on controls.
• The assurance practitioner’s objectives set out in ASAE 3100 Compliance Engagements are
to obtain assurance about whether the entity has complied in all material respects with the
requirements and to communicate findings through a written assurance report that expresses either
a reasonable or limited assurance conclusion.

dP f_Folio:332

332 Advanced Audit and Assurance

5.5 OTHER ASSURANCE ENGAGEMENTS — PART 3
This final section on other assurance engagements covers assurance related to the performance of activities.
While performance engagements cover many of the areas already discussed in the previous section, this
section focuses on performance engagements performed in the public sector.

PERFORMANCE OF ACTIVITY
While performance auditing is carried out in both the private and public sectors, this section of the module
is concerned with public sector performance auditing only and considers auditing from the perspective of
the public sector auditor, usually the Auditor-General of the Commonwealth, state or territory. Public sector
performance audits are very complex because of the relationships between governments, parliaments and
the public sector.
The public sector auditor never considers the appropriateness of the policy itself. That is, it is a
requirement that the public sector auditor does not question the government’s policy. This reflects
the principle that the merits of the government’s policy are matters for political debate by elected
representatives in parliament and decision by the executive government. Therefore, policy objectives
established by means of, for example, a policy direction by a minister, a policy statement in a budget
paper or a statement of objectives in a corporate plan of an authority approved by a minister, are not valid
subjects of a public sector performance audit. The public sector auditor is not interested in whether those
policies or objectives are appropriate but, rather, whether they are being pursued economically, efficiently
and/or effectively.
In modern democracies, power is shared between the legislature (usually called the parliament) and the
government (the ministers). The legislature usually provides the government with money to enable the
government to implement its policies. Government policies are then implemented by the public sector.
The government’s policies can be related to any aspect of governing the jurisdiction.
The government, in turn, has to be accountable to parliament and the parliament needs to have assurance
regarding the government’s performance in meeting its policy objectives. This assurance is usually
provided by the Auditor-General, who reports to the parliament. This relationship is shown in figure 5.6.

FIGURE 5.6 The public sector audit relationship

Parliament
Provides assurance
to parliament
Provides funding
and authority

Government: Public sector

Ministers auditor

Policy direction
and instructions Audits agencies:
Financial/performance/other
Public sector

Source: CPA Australia 2019.

The Auditor-General usually has personal responsibility for carrying out their role. However, they also
have an office and the resources necessary to undertake their role. Therefore, the Auditor-General and their
office is often referred to as the public sector auditor. For clarity, this term will be used for the remainder
of this section.
The public sector auditor is usually established by legislation created in each jurisdiction. For example,
in Australia there are public sector auditors in each of the nine jurisdictions — Australia is a federation of
six states and two territories. On the other hand, in England, which has only one government, there is only
Pdf_Folio:333

MODULE 5 Other Assurance Engagements 333

one public sector auditor. In the case of Australia, each jurisdiction’s public sector auditor is independent
of the others and reports to their respective parliament in accordance with the laws established by that
parliament.
These laws establish the public sector auditor’s authority and often set key objectives or describe key
activities that the public sector auditor must undertake. The Australian National Audit Office (ANAO)
supports the Auditor-General for Australia (Australia’s federal public sector auditor) to improve public
sector performance and support accountability and transparency in the Australian Government sector
through independent reporting to the parliament, the executive and the public. Established under the
Auditor-General Act 1997 (Cwlth), the ANAO seeks to achieve its purpose through its audit services,
which include:
1. financial statements audits of Australian Government entities (which was discussed in module 1)
2. performance audits of Australian Government programs and entities.
Internationally, there is a similar arrangement in most countries, where the public sector auditor reports
to the legislature. However, while the broad principles are uniform, the specific arrangements can be
significantly different in each jurisdiction, including the services performed by the public sector auditor.
Some parliaments only allow the public sector auditor to perform financial statement audits, while others
including those in Australia, Canada, New Zealand, the United States and the United Kingdom, allow their
public sector auditor to undertake other assurance engagements, including performance audits.
In the United Kingdom, the National Audit Office (NAO) derives its mandate for performance
engagements from the UK National Audit Act 1983. The UK Comptroller and Auditor General can
carry out examinations of the economy, efficiency and effectiveness of resources used by government
departments or other relevant bodies.
In the United States, the conduct of performance auditing in the government sector is undertaken by the
Government Accountability Office (US GAO), which is the audit, evaluation and investigation arm of the
US Congress. The US GAO has the power to investigate all matters relating to the receipt, disbursement
and application of public funds, and makes recommendations related to increased economy or efficiency
in public expenditures. Each state in the United States also has an independent public sector auditor.
In Canada, the Office of the Auditor General of Canada has legislative power to conduct financial
statement audits, special investigations and performance audits. Each province in Canada also has an
independent public sector auditor.
Parliaments, government ministers and the general community are not interested in just the financial
position and performance of the public sector — they are also interested in whether the public sector is
implementing the government’s policies economically and that the policies are achieving the intended
outcomes. In other words, they seek assurance that the public sector is efficiently and effectively
implementing government policy.
The public sector auditor seeks to provide this assurance by undertaking performance audits. Such
audits provide a framework for assessing a number of quantitative and qualitative aspects of public policy
implementation that are not examined during a more familiar financial statement audit.
This module explains the nature, purpose and practices of performance auditing. The principles and
practices outlined here represent generally accepted practice.
Performance audits are concerned with the economy, efficiency and effectiveness of an organisation’s
activities (ASAE 3500 Performance Engagements, para. 23). Before proceeding, these concepts should be
clarified.
According to ASAE 3500, paragraph 16:

(a) Economy — the performance principle relating to the minimisation of the costs of resources, within the
operational requirements of timeliness and availability of required quantity or quality.
(b) Effectiveness — the performance principle relating to the extent to which the intended objectives at a
program or entity level are achieved.
(c) Efficiency — the performance principle relating to the minimisation of inputs employed to deliver the
intended outputs in terms of quality, quantity and timing.

Source: Auditing and Assurance Standards Board (AUASB) 2017, ASAE 3500 Performance Engagements, accessed July 2019,
http://www.auasb.gov.au/Pronouncements/Standards-on-Assurance-Engagements.aspx. © Auditing and Assurance Standards Board
2017.

From an organisation’s perspective, it is important to perform well across all three dimensions and not
allow one to dominate. For example, if buying cheap inputs results in an inefficient production process,
efficiency may be seen to be sacrificed to achieve economic goals.
Pdf_Folio:334

334 Advanced Audit and Assurance

Economy, Efficiency and Effectiveness
Before describing the performance audit further, it is necessary to discuss in more detail the concepts of
economy, efficiency and effectiveness. An understanding of these concepts is essential for undertaking a
performance audit.
Figure 5.7 sets out the relationship between economy, efficiency and effectiveness in terms of input,
processes and output.
In practice, it can be difficult to separate these categories, and, in performance audits, categories may
overlap, particularly those of economy and efficiency, which can sometimes be considered together under
the concept of ‘value for money’. Generally, areas will be identified through a review of input in terms of
costs or resources, which leads to a more detailed review of efficiency and productivity. The auditing
of effectiveness raises certain problems, particularly in the definition of objectives and measurement
of performance, which may take some years or even decades to properly assess, such as with health,
environmental or educational outcomes.
Economy
Economy refers to the acquisition of the appropriate quality and quantity of resources at the appropriate
times and at the lowest cost. Economy audits may, for example, consider whether the organisation has:
• followed sound procurement practices
• followed established protocols for tendering
• acquired the appropriate type, quality and amount of resources, when needed, at the lowest cost.
Examples of economy indicators would be:
• the features required of a new photocopier given a certain level of capacity
• a reduction in costs through better contracting
• lower costs through bulk purchasing.

FIGURE 5.7 Relationship between economy, efficiency and effectiveness

Cost-effectiveness

Efficiency

Objectives Inputs Processes Outputs Outcome

Economy

Effectiveness
Source: CPA Australia 2019.

Efficiency
Efficiency refers to the use of resources; that is, maximising outputs for any given set of resource inputs,
or minimising inputs for any given quantity and quality of service provided. Expressed in another way,
efficiency is the relationship between resource inputs and outputs of goods and services.
Efficiency audits may, for example, consider whether the organisation has:
• avoided duplication of effort by employees
• avoided overstaffing
• used the minimum amount of resources (staff, equipment and facilities) to produce or deliver the
appropriate quantity and quality of goods or services
• employed an adequate system for measuring and reporting performance on efficiency.
Efficiency indicators established by management link resource inputs to resulting outputs. Program
efficiency indicators show the efficiency with which the organisation produces outputs that are directly
related to the primary purpose of the program.
Pdf_Folio:335

MODULE 5 Other Assurance Engagements 335

 Note: Indicators are measurements of the extent to which the criteria have been achieved. For instance,
value for money may be a criterion while the quantity and quality of items purchased may be indicators of
value for money.
Efficiency indicators compare:
• financial resources (cost–output)
• human resources (staff–output)
• physical resources (assets employed for outputs)
• time resources (time–output).
Some examples of efficiency indicators are:
• water treatment (cost per litre treated)
• schools (cost per student per day)
• road maintenance (cost per kilometre of repair)
• public transport (cost per kilometre).
It is easier to measure efficiency where the inputs and outputs are of a repetitive or predictable nature.
For example, it is easier to measure the efficiency of a printing machine than a case worker at a hospital
where every patient may require different levels of care.
Inputs may also be measured against outcomes to measure efficiency. For example, for road main-
tenance, the research might identify an indicator of cost per kilometre of road maintained at some
satisfactory level or condition, or that it achieved a certain minimum improvement in condition. For
public health, indicators could be used that report cost per client where the client achieved a certain
measurable improvement, such as a reduction in blood pressure. Such indicators potentially represent a
major improvement in measuring service efficiency.
Effectiveness
Effectiveness is arguably the most important element of performance auditing. Effectiveness is the
achievement of the objectives or other intended effects of a program, an operation or an activity (i.e.
what was intended to happen actually happened). Goods or services may be provided economically and
efficiently, but if a program does not achieve its objective, the resources it has used largely will be wasted.
Of the three elements, effectiveness is the most difficult to gauge, often because government policies are
aimed at delivering social outcomes that are not easily quantifiable or because they are influenced by
external factors or because program impact may take many years to be realised (e.g. the improved health
of a river system as a result of government initiatives to reduce pollution run-off and increase the amount
of vegetation on river banks).
Effectiveness is an ends-orientated concept rather than a means-orientated concept. It focuses attention
on the outputs or outcomes from the use of resources and organisational operations. A program’s costs may
be compared with its assessed effectiveness to decide on its overall cost effectiveness — that is, whether
the activity represents value for money.
When focusing on effectiveness, it is important to distinguish between intermediate outputs (or products)
and ultimate outcomes.
For example, for a public health education program on the potential health complications of diabetes:
• the output could be the number of pamphlets distributed or the number of people attending an
information session
• the outcome could be the reduced percentage of the population being diagnosed with diabetes over a
particular period.
In another example, a program that allocates more resources to police could have:
• outputs such as more random breath tests and highway patrol cars in operation
• outcomes such as a reduction in the road toll (i.e. number of fatal road accidents) or a decline in the
incidence of crime, or a particular type of crime.
Outcomes demonstrate the effectiveness of programs. They will often be influenced by factors external
to the program and may require long-term rather than short-term assessment. The outcomes of a program
will be more difficult to measure and assess than the inputs and outputs, but they may be of more interest to
stakeholders. Where an audit is conducted before longer-term program outcomes are able to be assessed,
public sector auditors can audit the effectiveness of administrative arrangements to deliver those outcomes,
as an indicator of likely achievement of overall outcomes.
An audit of effectiveness may include all or any of the following:
• an audit of the organisation, a particular program or activity to determine whether it is effective
• an analysis of the appropriateness or relevance of the organisation’s governance structures
Pdf_Folio:336

336 Advanced Audit and Assurance

• a review of the organisational and management arrangements for program planning, implementation
and monitoring and evaluation
• a review of the systems, processes and quality control arrangements for reporting performance.
Effectiveness indicators are concerned with outputs and outcomes. They indicate the extent to which
an authority’s objectives have been achieved. The indicator should, therefore, be clearly related to the key
words of those objectives. Scale or magnitude indicators of effectiveness could include measures such as:
• the level of outcome sought and the level achieved
• the size of a target group and the proportion reached or served
• market size and market share.
In real-life situations, the distinction between the elements of efficiency and effectiveness may be
grey because they often overlap. The greatest problem is effectiveness; therefore, it warrants special
consideration. Often policy issues are involved, and policy, as mentioned earlier, is generally claimed to be
‘off limits’ to the public sector auditor. It also may be specifically prohibited by legislation, as mentioned
previously.
Moreover, while the criteria for efficiency can often be reduced to the dollars required to perform
a certain task, the criteria for effectiveness are often much more complex. Further, objective measures
that could be used to evaluate the organisation’s effectiveness are often lacking. For example, it is much
more difficult to evaluate whether a police department is adequately meeting the needs of the public
(effectiveness) than whether the fleet of police motor vehicles is being properly maintained at a reasonable
cost (efficiency).
Examples of improved effectiveness indicators are shown in table 5.2.

TABLE 5.2 Improved effectiveness examples

Indicators of improved quality

of service Indicators of improved planning, control and management

• Shorter waiting lists • Better defined priorities

• Reduced waiting times
• Better information access
• Broader array of services
• Greater choice of service providers
• Better defined targets
• More appropriately targeted incentives
• More effective control and management of resources and projects
• Tightened controls against fraud
• Higher-quality accounting systems
• Higher-quality financial management information
• Improved security for computers and information technology
systems

QUESTION 5.19

Consider a performance audit of bus services provided as public transport in a metropolitan area.
(a) Outline indicators to measure the economy, efficiency and effectiveness of those services.
(b) Provide criteria that could be used to assess the adequacy of results.

QUESTION 5.20

A state government has allocated extra funding for a 12-month period to increase the number of
random breath tests (RBTs) during the year by 50%. The aim of the program is to reduce the road
toll (i.e. the number of fatal road accidents) in the state by 10%.
(a) List potential indicators to measure the effectiveness of this program.
(b) Outline the issues you would consider in evaluating the effectiveness of the program.

Performance Information and Indicators

As part of the performance auditing process, the public sector auditor collects performance information
about the subject matter relating to economy, efficiency and effectiveness.
Performance information is created by an agency as part of its administrative reporting process.
Performance information includes all information, both quantitative and qualitative, that informs decision
P df_Folio:337

MODULE 5 Other Assurance Engagements 337

makers about how well an activity, a major program, an organisational unit or the organisation as a whole
is performing against a set of policy objectives, targets and priorities.
This information is used by management within the agency to enhance decision making in the
context of their objective of economically, efficiently and effectively pursuing the implementation of the
government’s policies. This information can be developed regularly, intermittently and on an ad hoc basis,
depending on the information requirements of management and the activity being considered.
Most often, performance information is interpreted via a reporting framework that reduces the amount
of performance information to a number of specific indicators that are then able to be quantified, forecast
and assessed for actual performance. These are called performance indicators.
As such, performance information is used to assist an agency in meeting criteria used to normatively
describe its economy, efficiency and effectiveness. Indicators are measures used to communicate the degree
to which the agency has met the performance criteria. A performance audit will include consideration of
the extent and quality of performance information developed relevant to the activity being audited.
This may include examining:
• the types of performance indicators developed
• whether the measures used cover not only activity levels but also efficiency and effectiveness issues,
including the quality of performance
• the validity (accuracy and reliability) of the data used in the measures
• the way in which the information is used in decision making by the agency’s management.
For example, in its performance report, The Bureau of Meteorology’s Delivery of Extreme Weather
Services, the ANAO stated:
The Bureau has established a performance reporting framework which aligns with Australian Government
requirements in most respects. The performance criteria contained in the Bureau’s 2017–18 Corporate Plan
lack baselines or targets, reducing the line of sight between its criteria and reporting of performance in its
Annual Report. The Bureau’s external performance reporting could be expanded to better enable public
visibility of performance in the delivery of extreme weather services (Australian National Audit Office
(ANAO) 2019).

Note: Performance is generally assessed by comparing achievements with some kind of reference point.
Criteria are the normative descriptions of performance while performance indicators are the measure of
the extent to which those particular criteria have been achieved.
To be suitable, therefore, performance indicators should enable those using them to assess the agency’s
performance relative to the following.
• Targets/goals. Does the performance information enable the user to determine whether the agency
attained its goals or, at least, determine how close it got to those goals?
• Previous performance. Does the performance information enable the user to assess whether the agency
is getting better or worse at doing what it set out to do?
• Performance of similar authorities or programs. Does the performance information enable the user to
determine how the agency compares with other agencies that have similar purposes?
The production of performance information costs resources in terms of money and staff time. Accord-
ingly, agency staff seek to reduce the number of types, and frequency of, performance reports by
producing only those that are very relevant and very useful. Performance indicators have become important
management tools in the public sector and a number of jurisdictions have made it compulsory for agencies
to prepare and publicly report them, and for public sector auditors to audit them.
Performance indicators are generally applied on the following basis.
• Ongoing — usually through management information systems that focus on inputs, outputs and
individual processing of transactions of the organisation.
• Periodic when needed — through in-depth studies that focus on the policy environment (i.e. means,
demand, alternatives) and the effects that goods and services have had on clients, or on the community
as a whole.
Generally, the most informative and robust publicly-reported performance indicators are those that are
also used internally by an agency for management purposes, because they are monitored regularly and the
entity will have invested in its systems and processes to produce accurate and reliable information.
Types of Indicators
As discussed earlier, to assist in describing and measuring what a government agency does, an activity
can be broken down into inputs, outputs and outcomes, as described here, with examples from the health
sector.
Pdf_Folio:338

338 Advanced Audit and Assurance

• Inputs are the resources that contribute to production and delivery of products and services. Examples
of inputs in the health sector would include medical equipment, hospital beds, doctors and nurses.
• Outputs are the final products or services provided by the agency. Examples of outputs in the health
sector would include patients treated, standards of care and numbers of various types of operations.
• Outcomes relate to the objectives of the organisation. They are the consequences of government
activities. Examples in the health sector would include less disease, better health and longer life
expectancies.
One approach to measuring performance is to consider the relationships between inputs, outputs and
outcomes, which links back to our earlier consideration of economy, efficiency and effectiveness. This
approach is used by the NAO in the United Kingdom, as illustrated in figure 5.8.
Figure 5.8 shows that resources are provided to the government agency and used to acquire inputs,
which, as a result of processes, lead to outputs. Outcomes are what the agency is trying to achieve. Other
external influences, in addition to outputs, affect outcomes: continuing the hospital example, a sudden
increase in hot weather may affect emergency services due to an increased number of people suffering
from heat stress, which may reduce the response times.
Economy, efficiency and effectiveness are affected by inputs, outputs and outcomes. As shown in
figure 5.8, an economy measure considers the costs of acquiring the inputs. Efficiency measures look
at the relationship between inputs and outputs to see if maximum output is obtained for the inputs used.
For example, given hospital facilities and standards of care, how many patients are being treated?

FIGURE 5.8 Performance information — inputs, outputs and outcomes

Context: Other
external influences

Resources ($) Inputs Outputs Outcomes

Economy Efficiency Effectiveness

Cost effectiveness/value for money

Source: HM Treasury, Cabinet Office, National Audit Office, Audit Commission and Office for National Statistics 2001, Choosing
the Right FABRIC: A Framework for Performance Information, p. 10, accessed July 2019, https://www.nao.org.uk/report/choosing-
the-right-fabric-3/. © Crown Copyright. Used with permission of the National Audit Office.

Effectiveness considers planned versus actual outputs and outcomes. It also considers whether outputs
lead to desired outcomes. For example, measuring the number of people giving up smoking because of
an anti-smoking campaign would give an indication of how effective the campaign is in improving health
standards. Figure 5.8 also shows that cost-effectiveness and value for money describe the relationship
between the outcomes achieved and resources. It is important to see if the agency is getting value for
money; that is, whether outcomes are being achieved at a reasonable cost.
It should be noted that performance measures should not concentrate solely on outcomes. For example,
there may be a delay between outputs and outcomes (extra inputs, such as more medical equipment or a
disease prevention video, may lead to improvements in health that only become apparent in future years).
Therefore, it is important to consider input, output and outcome performance indicators, as discussed next.

Inputs
Input indicators are designed to report the amount of resources, either financial or non-financial, that have
been used for a specific service or program. This type of indicator provides the user with information about
Pdf_Folio:339

MODULE 5 Other Assurance Engagements 339

the expenditure of resources and the types or mix of resources being used. Examples of input indicators
include:
• the number of students per teacher
• dollars spent per pupil
• dollars spent per capita on police or fire services
• the number of police per 100 000 people.
For a hospital, inputs include:
• doctors
• nurses
• equipment.
Input indicators, although used reasonably widely, have been criticised for focusing on the narrow
concern of how much is being spent and not what is being accomplished or produced with the resources
used.
Note: Care should be exercised when costing financial resources. For example, the costs of a government
program or service may or may not include a measure of the cost of use for capital assets. In addition,
support services such as centralised purchasing, and even the cost of employee benefits, may or may not
be allocated to specific services or programs. This may result in inconsistent cost information for services,
which can lead to inaccurate comparisons over time or between agencies.
Outputs
Output indicators list the units produced or services provided by a service or program. Examples of output
indicators include:
• amount of wastewater treated
• number of persons screened for a particular purpose
• number of passenger trips provided by public transport
• number of drivers breathalysed
• number of patients treated in a health clinic
• number of development applications processed by a planning authority
• kilometres of electricity lines constructed by a public utility authority.
Output indicators can be described as service achievement indicators. For a hospital, outputs would
include the number of operations performed and treatments conducted. These could be categorised by
levels of quality and success.
Output measures do not consider whether those outputs lead to successful outcomes as measured by
outcome indicators.
Outcomes
Outcome indicators are designed to report the results (including quality) of the service provided by a
government program. Examples are:
• a decline in the road toll
• a decline in the incidence or level of crime, or a particular type of crime
• an increase in standardised test results for national student testing
• crime clearance rates
• quality of water after it has been treated.
Outcome indicators are usually considered the most significant measure of the results (effectiveness) of
the operation of government programs.
Outcome indicators can also provide a basis for developing cost-effectiveness indicators when compared
with inputs. Relating outcomes, rather than outputs, to resources used can provide important additional
information to government, public sector managers and the public about the cost of the results of program
activities. This enables these groups to consider the value of the service relative to its cost.
Attributes of Meaningful Performance Indicators
Some performance indicators will be valuable to management, others will be valuable to those people
making decisions using the indicators, and yet others will be valuable to more than one group. It is
important for accountability and performance that relevant stakeholders have their information needs met.
Performance indicators should be:
• relevant — relate to the needs of those people using them to make decisions, and clearly defined
objectives that communicate what is to be measured
• quantifiable — capable of illustrating the extent to which objectives have been achieved in absolute or
proportional measures (subjective and judgmental statements should be avoided)
Pdf_Folio:340

340 Advanced Audit and Assurance

• verifiable — an independent assessment should result in similar conclusions
• free from bias — information has been impartially gathered (the techniques used to gather and analyse
the information should be free from built-in bias, and information should be impartially reported)
• appropriate — suitable for the users’ purposes (to enable them to assess performance)
• a fair presentation — represent what they purport to represent, verifiable by independent assessment,
and presented in a manner that is free from bias or distortion
• balanced — provide a complete picture of what is being done, covering all significant areas
• cost-effective — balance the benefits of the information against the costs of preparing them.
Example 5.9 provides further examples of performance indicators.

EXAMPLE 5.9

Further Examples of Performance Indicators Related to Effectiveness

Outcome Indicators
Measure the results achieved against defined objectives, for example:
• percentage reduction in the incidence of a disease through a preventative health program
• improvement in the average standard of housing
• reduction in the number and severity of injuries resulting from a road safety program
• increase in tourist numbers and spending resulting from a tourist promotion program.
Level of Service Indicators (Effectiveness)
Measure some aspects of the standard of services provided, for example:
• percentage of on-time services for public transport
• waiting times in hospital casualty departments
• compliance with prescribed quality standards for urban water supply services
• percentage of errors in payments to social security recipients.
Source: CPA Australia 2019

QUESTION 5.21

You are the public sector auditor for a national park. The park provides camping, hiking and picnic
facilities in a number of locations. It charges an entrance fee for users of the park. Suggest some
possible performance indicators for:
(a) efficiency
(b) effectiveness.
Identify potential sources of data for these indicators.

Example 5.10 focuses on the adequacy of performance reporting by an entity’s departments. Read the
information given and then complete the tasks.

EXAMPLE 5.10

Performance Reporting by Departments

Consider a performance audit with the audit objective of assessing the adequacy of performance reporting
across eight departments. The audit considered the relevance, appropriateness and fair presentation of
performance indicators in those departments. The audit report included the following:

There were 304 performance indicators examined across the eight departments. Of these indicators,
less than 50% (146 performance indicators) were relevant to departmental objectives, of which 74 (or
around 50%) provided appropriate information. This equates to around 25% of the 304 performance
indicators being both relevant and appropriate.

............................................................................................................................................................................
Review the report information regarding performance indicators. What alternative method could be used to
evaluate ‘relevant’ and ‘appropriate’?
Check your response against the suggested answer at the end of the book.
P d f_Folio:341

MODULE 5 Other Assurance Engagements 341

 Now that the concepts of economy, efficiency and effectiveness and the types of performance indicators
have been discussed, we consider the assurance standards and regulation applicable to performance
auditing.

Assurance Standards and Regulation

This section outlines the assurance standards and regulatory environment affecting public sector perfor-
mance auditing. Because of the considerable variance in the legislation that applies to public sector auditors
worldwide, this section focuses on the standards framework at a general level.
As with financial statement auditing, standards have been developed to support performance auditing.
However, public sector auditors do not always have a legal obligation to apply the standards to their work
in the way that audit practitioners are required to apply them in the private sector. It depends on the
jurisdiction. Often legislation in a jurisdiction will require compliance but if not, auditors-general have
the power to choose what standards they will apply. Often they choose to adopt the assurance standards
relevant to their performance audits.
Although the IAASB has not issued any international assurance standards dealing specifically with
performance audits, these engagements are covered in general terms by International Standard on
Assurance Engagements ISAE 3000 (Revised) (see also the equivalent Australian standard, ASAE 3000).
Guidance on performance audits has also been issued by the International Organisation of Supreme
Audit Institutions (INTOSAI). INTOSAI provides an international forum and facilitates collaboration
between public sector auditors on issues of mutual professional interest. It also creates standing committees
and working groups to assist it to create a consensus among member public sector auditors. INTOSAI has
developed standards and guidelines that make up a common framework for professional standards.
The ANAO Auditing Standards established in February 2018 largely adopt the revised ASAE 3500;
however, the reporting requirements of ASAE 3500 are replaced with those contained in INTOSAI
Standard ISSAI 3000 Standards for Performance Auditing (ANAO 2018). The ISSAI 3000 reporting
requirements are consistent with the current practice of the ANAO’s current approach in reporting to the
Parliament and with the ANAO’s purpose.
However, many countries, including Australia, New Zealand, Canada, the United States and the United
Kingdom, prefer to apply their national standards or the IAASB standards rather than the INTOSAI
standards. This makes the IAASB standards globally, and the Australian standards locally, the most
important sources of guidance for performance auditors.
In addition, many national jurisdictions have their own much more specific standards for performance
audits. For example, in Australia ASAE 3500 issued by the AUASB, provides guidance on performance
engagements for both public and private sector engagements. ASAE 3500 is an adjunct to ASAE (ISAE)
3000 and, in order to comply with the standards, public sector auditors must comply with the requirements
of both standards.
As noted, many public sector auditors do apply the standards. They do this for three reasons.
1. The standards provide a framework so that they do not have to establish one themselves.
2. The standards apply generally accepted practice and so their activities are not as able to be questioned
by stakeholders as much as they might otherwise be.
3. Public sector auditors are able to note their compliance in the reports they produce so that users of their
reports are able to trust the quality of the audit and have confidence in the audit conclusions.
Module 1 discussed the importance of professional judgment in financial statement audits. Professional
judgment is also a critical requirement in performance audits. In some ways, performance auditing requires
more experience and judgment than financial statement auditing because the focus of the audit is not
necessarily clear and the method of measuring efficiency and effectiveness is not always obvious. The
public sector auditor also has to prioritise the areas that might be the subject of a performance audit, and
this is also very difficult because there are so many complex and interrelated aspects of modern government
that need consideration.
In Australia, the legislated mandates of the nine public sector auditors include the capacity for the
auditors to conduct performance auditing in addition to traditional financial statement auditing.
Independence and Quality Controls
The importance of independence as a cornerstone of the auditing profession was raised in modules 1
and 2. For performance auditing, the unique relationship of public sector auditors to parliament is the
basis of this independence and increases the credibility of the performance audits undertaken.
Parliaments generally make the ultimate decision on the levels of funding and resources provided to
public sector auditors. This is an important element in supporting the independence of this role, as it
Pdf_Folio:342

342 Advanced Audit and Assurance

removes the issue of fee dependence between the public sector auditor and the public sector agencies that
are subject to performance audit.
This level of audit independence, which is provided in the case of the ANAO under the Auditor-General
Act 1997 (Cwlth), goes beyond the level of independence in the private sector where audit fees are paid
by the auditee.
The independence of the Auditor-General in many jurisdictions is also supported by the legislative
provisions governing the public sector auditor’s appointment. For example, the Australian Auditor-General
is appointed by the Governor-General on the recommendation of the relevant minister and for a term of
ten years. The Australian Auditor-General can only be removed by the Governor-General if both houses
of the Commonwealth Parliament make a recommendation to do so to the Governor-General. Giving the
public sector auditor a long-term tenure increases their independence because the auditee cannot dismiss
the auditor. Placing a limit on the public sector auditor’s term can help reduce the familiarity threat that
may originate from an extended relationship with the auditee.
There are a number of factors that influence the definition and practice of performance auditing both
internationally and within Australia. These factors include:
• professional standards and guidance
• INTOSAI guidance
• individual legislative mandates in the Australian Commonwealth, its states and territories, and in
international jurisdictions.
Performance audits carried out by public sector auditors extend the scope of assurance which they
provide parliament beyond the purely financial reporting of government entities to consider the economy,
efficiency and effectiveness of activities delivered or controlled by the government. Performance audits
can provide an assessment of how well and how economically the public sector is implementing the
government’s policy program.
Structure of a Performance Audit
The public sector is made up of many types of organisations — departments, authorities, commissions
and even commercial entities. Because of this, while assessing their financial performance is a relatively
uniform process, assessing their performance is complex.
Note: This section will refer to public sector agencies, or agencies, as a name that is intended to capture
all public sector entities so it does not appear that any one form of entity is inadvertently ignored.
Because public sector agencies are tasked with delivering the government’s policy agenda, typical com-
mercial indicators of performance, such as profitability and wealth creation, are usually less important than
indicators of efficiency and effectiveness in policy implementation. With regard to policy implementation,
most parliaments and communities are concerned about whether the policy being implemented is effective
in achieving its intended purpose and whether the implementation has been undertaken as efficiently
as possible — that is, with the least amount of resources necessary. Resources consumed may include
money, public servant time and opportunity costs associated with alternative activities that may have been
undertaken instead of those implemented.
Performance engagements are used by public sector auditors to examine the extent to which government
policy and practice is undertaken in an economical, efficient and effective manner. Typically, such policy
implementation processes are referred to as ‘activities’.
Therefore, a performance audit is an audit or review that is undertaken to assess the economy, efficiency
and/or effectiveness of an activity or activities. The specific aspects of an activity that are selected by the
public sector auditor to be audited are commonly known as the ‘topic’ of the audit.
Interestingly, an activity that is the focus of a performance audit can be related to a single agency or
may relate to a number of agencies (see example 5.11). Indeed, the economy, efficiency and effectiveness
of activities can also be assessed when they relate to cross-jurisdictional activities.

EXAMPLE 5.11

Performance Audit Across Three Agencies

In 2019, the Auditor-General for Australia assessed the effectiveness of the management of cyber security
risks (cyber resilience) by three government business enterprises or corporate Commonwealth entities.
The entities selected for audit are ASC Pty Ltd, the Australian Postal Corporation and the Reserve Bank
of Australia. The overall findings are shown below.

P d f_Folio:343

MODULE 5 Other Assurance Engagements 343

 Areas Examined
This chapter examines whether entities are cyber resilient, with a culture of cyber resilience.
Conclusion
The Reserve Bank and ASC are cyber resilient, with high levels of resilience compared to 15 other entities
audited over the past five years. Australia Post is not cyber resilient but is internally resilient, which is similar
to many of the previously audited entities. The Reserve Bank has a strong cyber resilience culture, ASC is
developing this culture, and Australia Post is working towards embedding a cyber resilience culture within its
organisation.
The ANAO’s report pertaining to this performance audit is available at: https://www.anao.gov.
au/work/performance-audit/cyber-resilience-government-business-enterprises-and-corporate-
commonwealth-entities
Source: ANAO 2019a, p. 37.

Elements of the Engagement

Performance audits are a variant of the generic assurance engagement. Figure 5.9 is adapted from the
appendix to ISAE 3000 (Revised). The figure illustrates the parties to, and elements of, a generic assurance
engagement, and the relationships between them. Figure 5.10 is a modification of figure 5.9 and shows the
elements of a public sector performance audit. Table 5.3 helps with understanding the differences between
the two figures by providing a comparison of generic assurance engagements, public sector performance
audits and financial statement audits.

FIGURE 5.9 Elements of a generic assurance engagement

Responsibility Measure/Evaluate Assure

Responsible Measurer/ Engaging

party evaluator party

Criteria

Underlying Subject matter Terms of the

subject matter information engagement

Assurance
report

Intended Practitioner
users

Source: International Auditing and Assurance Standards Board (IAASB) 2018, ISAE 3000 (Revised) Assurance Engagements
Other than Audits or Reviews of Historical Financial Information, in Handbook of International Quality Control, Auditing, Review,
Other Assurance, and Related Services Pronouncements, 2018–19 edn, vol. 2, p. 204, accessed July 2019 https://www.ifac.org/
publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance

dPf_Folio:344

344 Advanced Audit and Assurance

 FIGURE 5.10 Elements of a public sector performance audit

Responsibility Measure/Evaluate Assure

Head of Accountant
government Mandate
(attestation)
agency Assurance
practitioner
(direct)

Criteria Legislation
ISAE 3000
ASAE 3500
INTOSAI
Activity Findings standards

Assurance
report

Auditor-
Parliament general

Source: Based on ASAE 3500 Performance Engagements, Appendix 3, p. 33 and International Auditing and Assurance Standards
Board (IAASB) 2018, ISAE 3000 (Revised) Assurance Engagements Other than Audits or Reviews of Historical Financial
Information, in Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services
Pronouncements, 2018–19 edn, vol. 2, p. 204, accessed July 2019, https://www.ifac.org/publications-resources/2018-handbook-
international-quality-control-auditing-review-other-assurance

Comparing the elements of a generic assurance engagement, public sector performance

TABLE 5.3 audit and financial statement audit
Generic assurance
engagement Public sector performance audit Financial statement audit

Responsible party Head of government agency Company board

Measurer/evaluator Public sector auditor (direct) Company accountant

Engaging party Legislated mandate Company audit committee

Underlying subject Activity (government agency The business

matter or program)

Criteria Various required or expected standards Accounting standards

of performance identified by public
sector auditor

Subject matter The outcome of the measurement or Financial statements

information evaluation of the economy, efficiency or
effectiveness of the activity against the
criteria

Practitioner Public sector auditor Registered company auditor/Audit

Practitioner

Assurance report Public sector auditor’s conclusion Auditor’s opinion

Intended users Parliament, the general public, Shareholders, investors, responsible party
responsible party (i.e. agency) (i.e. board and executive management)

Source: Adapted from International Auditing and Assurance Standards Board (IAASB) 2018, ISAE 3000 (Revised) Assurance
Engagements Other than Audits or Reviews of Historical Financial Information, in Handbook of International Quality Control,
Auditing, Review, Other Assurance, and Related Services Pronouncements, 2018–19 edn, vol. 2, p. 68, accessed July 2019,
Pdf_Folio:345

https://www.ifac.org/publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance

MODULE 5 Other Assurance Engagements 345

The Performance Audit Process
The overall performance auditing process is very similar to most forms of assurance, as illustrated in
figure 5.11.

FIGURE 5.11 Performance auditing from start to finish

Decide: What to audit

Understand the organisation,

program or activity subject to audit

Decide: How to audit

Decide: What and how to report

Source: CPA Australia 2019.

The stages of the audit process set out in figure 5.12, and discussed in this module, represent the broad
framework underpinning the methodology of performance auditing.
Note: In the discussion, the steps in each stage of the audit process are numbered as in figure 5.12.

FIGURE 5.12 Performance audit process

1. Select the organisation, program or activity for audit.

1.
Project
identification
2. Identify potential audit topics based on significance, risk to good stage
management and potential benefits.

3. Gain an understanding of the organisation, program or activity

subject to audit.

4. Undertake preliminary study by identifying fundamental issues,

key management systems and controls; develop audit objectives,
general criteria, scope, approach and expected benefits from the audit.

5. Prepare preliminary study report. Planning

stage

6. Discuss the preliminary study report contents with management

of the organisation subject to audit.

7. Develop detailed audit criteria.

8. Develop the audit plan including the audit program.

9. Carry out audit procedures as defined in the audit program.

10. Analyse evidence, evaluate findings so as to develop conclusions Audit conduct

and recommendation. stage

11. Communicate summary of draft findings and proposed

recommendations to head of the organisation and minister.

Reporting
12. Report to the head of the organisation, the minister and parliament.
stage

Follow-up
13. Follow up and report on conclusions and recommendations.
stage
Source: CPA Australia 2019.
Pdf_Folio:346

346 Advanced Audit and Assurance

 The following sections examine the stages in the performance audit process, some concepts associated
with performance auditing (such as economy, efficiency and effectiveness), performance audit considera-
tions and performance indicators.
Project Identification Stage
The first stage of the performance audit process is project identification. This stage is made up of
two steps:
1. selecting the organisation, program or activity for audit
2. identifying potential audit topics based on significance, risk to good management and potential benefits.
These steps are discussed next.
1. Select the Organisation, Program or Activity for Audit
The first step in conducting a performance audit is to select organisations, programs or activities within
or across organisations for audit. One possible approach is to determine what is significant (including
materiality) and to identify key risks.
For example, an audit office can examine a government’s public accounts and rank all agencies in order
of levels of expenditure (financial materiality). Individual agencies can also be reviewed to determine
their major areas of expenditure (which can be described as programs or activities) or in terms of risk. An
example related to risk is the work completed by the Auditor General of Western Australia who reviews
that state’s public sector IT security on an annual basis.
The Western Australian Office of the Auditor General’s Information Systems Audit Report is available
at: https://audit.wa.gov.au/reports-and-publications/reports/information-systems-audit-report-2019
Another example is where the public sector auditor might assess a police department’s practices in
relation to issuing fines and compare those practices to the legislative requirements.
Programs and activities are reviewed for their significance (i.e. public interest, significance of the
program or activity to the government agency, resources committed, accountability concerns) or risk
to good management (i.e. significant underspending or overspending, adverse parliamentary or media
comment, non-achievement of stated objectives). The importance of ‘significance’ is discussed next.
Significance
An understanding of significance is essential to selecting topics for audit. It is the responsibility of the
public sector auditor to decide what is significant. As with all audits, deciding if a potential audit project
is significant involves professional judgment. In making decisions about significance, the public sector
auditor should consider such things as the:
• public funds expended on the program/policy/legislative framework/activity
• impact on the community should the elements not be undertaken efficiently and effectively
• impact on other programs/policy/legislative frameworks should the elements not be undertaken eco-
nomically, efficiently and effectively
• value of the findings as exemplars and communications opportunities for improvement across the entire
public sector.
To further consider significance and make decisions on what to audit and report, the auditor should
consider a number of quantitative and qualitative materiality factors, including:
• dollar value
• public interest
• significance of the program to the activities of the organisation
• visibility of the program as reflected in its political sensitivity or importance
• inherent risk of the program, function or activity
• potential for savings
• sustainability issues
• resources committed
• accountability concerns
• quality of controls
• deterrent value (i.e. that disclosure might discourage future breaches)
• ethics, integrity and compliance with relevant laws, regulations, etc.
• inaction on previously reported items.
With an understanding of significance, the public sector auditor is able to identify potential topics for
audit.

Pdf_Folio:347

MODULE 5 Other Assurance Engagements 347

2. Identify Potential Audit Topics
The second step in the performance audit process is to identify potential performance audit topics based
on significance, risk to good management and potential benefits.
Given their limited resources, audit offices can select only a relatively small number of activities to be
subject to performance audit each year. The choice of which performance audits to undertake is a key
judgment to be made by the public sector auditor.
While most public sector auditors in each jurisdiction have complete discretion in the selection of
areas subject to performance audits, in practice this selection is made in consultation with parliament,
government entities, and other stakeholders. Choices are made after carrying out an environmental scan
of key risks and challenges to the public sector, and identifying factors that could potentially improve
performance (ANAO 2019b). Significance informs this choice as well.
The annual audit work program is also designed to anticipate and respond to current and emerging
risks and challenges impacting on public administration, and complements the ANAO’s primary strategic
planning document — the corporate plan.
For instance, in choosing which audits to undertake, the ANAO takes into account a number of factors,
including:
1. Risk: both financial and non-financial risk at the whole-of-system, portfolio and individual program
levels.
2. Impact: possible benefits that will flow from audit coverage, including improved transparency, admin-
istrative effectiveness, greater efficiency, improved performance, and key learnings and insights for the
whole of government.
3. Importance: the criticality of the effective and efficient delivery of findings from the proposed audit
topic to key stakeholders, including the Parliament and the public.
4. Materiality: the significance of the program in terms of the value, dependence and citizen reach, and
the extent to which the program contributes to the broader objectives of government, or to changing or
influencing decisions.
5. Auditability: the extent to which the area of proposed audit coverage is able to be audited ….
6. Previous coverage: the extent to which the area has been subject to previous audit coverage … (ANAO
2019b).

Some topics for performance engagements may include considerations of:

• the economy, efficiency and effectiveness of:
– management systems
– an entity’s management
– the operations of an entity
– internal controls
– the implementation of government policies or programs
– the application of government grants
– financial prudence
• the validity and reliability of performance measurement systems
• compliance with legislation
• the identification and potential impacts of breaches of legislation
• intended and unintended impacts of government programs
• the extent to which community needs have been met
• the extent to which stated objectives of an activity have been met
• the possibility or practice of corruption.
Examples of performance audits conducted by the ANAO are shown in example 5.12.

EXAMPLE 5.12

Examples of Performance Audits

There are many examples of performance audit topics reported by public sector auditors in many
jurisdictions. The examples provided here of the ANAO’s performance audits give a perspective not only of
performance audit topics but also the combination of performance audits so that the entire audit program
can be considered. Therefore, only one audit office’s examples are provided.

dP f_Folio:348

348 Advanced Audit and Assurance

 As indicated earlier in this module, one of the objectives of performance auditing is to facilitate
improvement in public administration. A review of the objectives of some of the ANAO’s performance
audit reports provides an indication of the ANAO’s approach.
The ANAO website includes a range of different types of performance audits covering different themes.
Some performance audits cover a large range of an agency’s activities while others relate to a narrower
area. The website also provides overviews of completed performance audits. The following examples from
the website identify the subject matter, criteria and objective for each of the audits.

Management of Commonwealth National Parks

Report number: 49
Year: 2018–19
Tabled: Friday 21 June 2019
Portfolio: Environment and Energy
Entity: Department of the Environment and Energy; Director of National Parks
Objective: The audit objective was to assess the effectiveness of the Director’s management
of the six terrestrial Commonwealth national parks.
Criteria: To form a conclusion against the audit objective, the ANAO adopted the following
high-level criteria.
• Are appropriate governance arrangements in place to support strategic risk
management and business and operational planning?
• Are national park business management and operational plans effectively
implemented?
• Does the Director effectively measure, monitor and report on park operational
activities?

Coordination and Targeting of Domestic Violence Funding and Actions

Report number: 45
Year: 2018–19
Tabled: Thursday 13 June 2019
Portfolio: Social Services
Entity: Department of Social Services
Objective: The objective of the audit was to assess the effectiveness of the Department of
Social Services’ role in implementing the National Plan to Reduce Violence Against
Women and their Children 2010–2022 (the National Plan).
Criteria: To form a conclusion against this objective, the ANAO adopted the following high-
level audit criteria.
• Effective governance arrangements are in place.
• Targeting of funding and actions is aligned to the outcomes of the National Plan.
• Monitoring and reporting of performance for key Department of Social Services’
initiatives and the National Plan is effective.

Management of Small Business Tax Debt

Report number: 42
Year: 2018–19
Tabled: Thursday 30 May 2019
Portfolio: Australian Taxation Office
Entity: Australian Taxation Office
Objective: The objective of the audit was to assess the effectiveness of the Australian
Taxation Office’s (ATO’s) management of small business tax debt arising from
compliance activities.
Criteria: To form a conclusion against the audit objective, the ANAO adopted the following
high-level criteria.
• The ATO has effective arrangements for managing small business tax debt
arising from compliance activities.
• The ATO’s processes provided for consistent management of small business tax
debt arising from compliance activities.
• The ATO effectively monitors and reports on the collection of small business tax
debt arising from compliance activities.

P d f_Folio:349

MODULE 5 Other Assurance Engagements 349

 While the three examples above considered effectiveness, other audits consider both effectiveness and
efficiency.

ANZAC Class Frigates — Sustainment

Report number: 30
Year: 2018–19
Tabled: Monday 18 March 2019
Portfolio: Defence
Entity: Department of Defence
Objective: The audit objective was to examine whether the Department of Defence (Defence)
has effective and efficient sustainment arrangements for the Royal Australian
Navy’s fleet of eight ANZAC class frigates.
Criteria: The high-level criteria used to assess Defence’s performance were as follows.
• Defence has a fit-for-purpose sustainment framework between Navy and the
Capability Acquisition and Sustainment Group.
• Defence has an appropriate framework to monitor and report on the effective-
ness and efficiency of operating the ANZAC fleet.
• Defence effectively administers the ANZAC sustainment strategic partnership to
achieve specified availability and performance outcomes.

While most audits are aimed at a specific agency, performance audits sometimes range over agencies.

Addressing Illegal Phoenix Activity

Report number: 32
Year: 2018–19
Tabled: Friday 29 March 2019
Portfolio: Across Entities
Entity: Across Entities — whole of government
Objective: The objective of the audit was to assess the effectiveness of the Phoenix
Taskforce to combat illegal phoenix activities.
Criteria: To form a conclusion against this objective, the ANAO’s audit criteria were as
follows.
• Does the Phoenix Taskforce have effective governance arrangements?
• Has the Phoenix Taskforce developed and implemented effective strategies and
processes to combat illegal phoenix activities?
• Do the Phoenix Taskforce performance measurement arrangements enable it to
assess effectiveness?

Source: Australian National Audit Office (ANAO) 2019, [Performance audits], accessed July 2019, https://www.anao.
gov.au/pubs. © Commonwealth of Australia 2019. Reproduced with permission.

A more comprehensive list of ANAO performance audits or copies of complete performance audit
reports are available on the ANAO’s website at: http://www.anao.gov.au. This website also provides
links to other auditors-general websites in Australia and overseas.

QUESTION 5.22

List two factors that could affect the selection of activities that will form the subject matter for
assurance on performance.

Planning Stage
Once the target organisation, program or activity for performance audit has been selected and the audit
topics identified, the next stage is to plan the audit. This stage contains several interrelated steps, which
are discussed in detail in this section.
You should read the following section in conjunction with ASAE 3500, paragraphs 28–34 and the
planning section of ASAE 3000.
dP f_Folio:350

350 Advanced Audit and Assurance

 Planning the audit in a general sense involves determining:
• auditable areas that address significant issues
• a description of the subject matter to be audited
• expected benefits from the audit
• audit objectives
• audit scope
• timing
• audit criteria
• the audit approach, including the methodology to be used
• the required skills and knowledge of the personnel (audit team) intended to undertake the engagement,
and the use of consultants, experts and specialists
• procedures for liaison with management of the entity subject to audit
• the coordination and timing of the proposed audit with field auditors, and determining what work may
have been already conducted.
These aspects are determined after having gained an understanding of the organisation — its purpose,
key activities, internal control structure and the significant accountability relationships.
3. Gain an Understanding of the Organisation, Program or Activity
Earlier modules provided detailed coverage of obtaining knowledge of a business for the conduct of
a financial statement audit. ASAE 3500, paragraphs 32–33, expands on these requirements in relation
to obtaining an understanding of the activity that will be subject to the performance audit and other
engagement circumstances.
As for any other audit, in order to undertake a successful performance audit, the public sector auditor
needs to gain a sufficient understanding of the organisation and subject matter to appreciate the significance
of events, transactions and practices related to the performance audit and the context in which the activity
is undertaken.
Valid activities
As already highlighted, when undertaking a performance audit, the public sector auditor examines an
activity in order to form a conclusion about whether that activity is being undertaken economically,
efficiently and/or effectively.
The means by which objectives are determined and pursued (including the quality of policy advice
given to the executive government by officials), arrangements and controls implemented, results achieved
and costs incurred are all considered to be potential areas of legitimate review. For example, without
questioning the merits of policy objectives, a public sector auditor may review:
• whether policy objectives have been determined, and policy decisions taken, with appropriate authority
— that is, does the law allow an agency or minister to do a certain thing
• the quality of information and policy advice given to government by officials (whether it is sufficient,
relevant, timely and reliable information)
• the existence and effectiveness of the administration that informs the government whether policies are
meeting their objectives
• whether, and to what extent, stated policy objectives have been met
• the economy, efficiency and performance of the means chosen to implement a policy
• the intended and unintended direct and indirect effects of a program
• whether the costs of alternative strategies or service levels have been considered or reviewed as costs or
circumstances change
• whether subsequent decisions on implementation are consistent with the approved objectives, and have
been taken with the proper authority at the appropriate level
• whether the resultant instructions to staff accord with approved policy objectives
• whether decisions are clearly understood by those concerned.
4. Undertake a Preliminary Study (Optional)
When an organisation, program or activity has been selected for a performance audit, the public sector
auditor may undertake a preliminary study to gather and evaluate information needed for further decision
making and for the conduct, control and report of an audit. The study will also provide information about
the size and scope of the organisation’s activities as well as areas of possible uneconomical, inefficient
operations, or areas with lack of effective goal achievement or compliance with laws and regulations.

Pdf_Folio:351

MODULE 5 Other Assurance Engagements 351

 If a preliminary study is not undertaken, much of the information that follows is otherwise captured in
a comprehensive audit plan that is considered by the public sector auditor in deciding whether to proceed
with the audit topic, or to amend the scope before commencement.
Audit objectives relate to why the audit is being conducted. For example, the purpose of the audit could
be to assess whether appropriate processes are being used, consider the efficiency and effectiveness of
carrying out particular activities or examine the probity of certain transactions, such as the disposal of
assets. Alternatively, it could simply assess whether a particular rule or law is being adhered to in a
particular department.
The audit scope covers the:
• part of the entity, system or organisational unit to be audited
• matters subject to audit
• time period covered.
For example, a performance audit could cover the whole Department of Health, only specific hospitals,
or parts of hospitals, such as emergency departments. It could cover specific activities, such as the purchase
of assets or disposal of assets for the whole department, or it could consider only certain aspects of parts
of hospitals; for example, the ‘colour code’ system used in hospital emergency departments or the waiting
times for elective surgery.
5. Prepare the Preliminary Study Report
If a preliminary study is undertaken, the public sector auditor usually prepares a preliminary report, which
includes:
• the audit topic
• the major reasons for carrying out the performance audit
• an overview showing that the auditor has thoroughly investigated the nature of the organisation, program
or activity subject to audit
• a description and analysis of relevant parts of the organisation’s operations, especially:
– key management and operational activities
– systems and controls and its policy
– the organisational and environmental context
– existing performance measures
• the relationship of the audit to previous relevant internal and external reviews undertaken by the public
sector auditor or the agency’s internal auditor
• any preliminary evidence that supports undertaking the audit.
The focus of the report should be to outline:
• the objectives and scope of the audit for each matter of significance
• general audit criteria (and the sources of more detailed criteria) for each matter of significance
• the audit approach to be used in reaching conclusions and developing recommendations
• the expected benefits from the audit in terms of economy, efficiency, effectiveness, quality of service,
planning, control, and management and accountability
• a preliminary estimate of the time required to undertake the audit.
6. Discuss the Preliminary Study Contents with Management
Once the preliminary study has been completed, it is important that the public sector auditor discusses its
contents with management of the organisation that is subject to the performance audit. These discussions
will centre on areas or issues to be audited, basic audit objectives, general criteria, scope, key management
systems and the expected benefits. It is also important for the auditor to hold discussions with management
to present preliminary findings and build understanding on these matters, including identifying and
correcting any errors of fact or misunderstanding. Fundamental disagreement, such as disputes over
criteria, will lead to disagreement over the conclusions of the audit as reflected in the report.
7. Develop Detailed Audit Criteria
On obtaining management’s feedback on the general criteria during discussions on the contents of the
preliminary study, the public sector auditor would normally proceed to refine the audit criteria from a
general level to a more detailed level. As mentioned earlier, audit criteria represent better practice that is
expected to exist in the ideal situation for the activity being audited.
In a performance audit, the audit objectives and activity determine what suitable criteria to consider are.
The objectives of audits vary considerably. For example, consider some of the performance audits and
subject matter outlined earlier in this module:
Pdf_Folio:352

352 Advanced Audit and Assurance

• management of the six terrestrial Commonwealth national parks
• implementation of the National Plan to Reduce Violence Against Women and their Children 2010–2022
• management of small business tax debt arising from compliance activities by the ATO
• effectiveness and efficiency of Defence’s sustainment arrangements for the Royal Australian Navy’s
fleet of eight ANZAC class frigates
• combating illegal phoenix activities.
Criteria for these performance audits would be expected to vary substantially, so it is worth reviewing
the examples above to ensure the relationship between the criteria and the other aspects of a performance
audit are understood.
As mentioned earlier, some performance audits cover more than one agency while others cover a
substantial portion of one agency or only a single program. In each of these cases, it is likely that the
criteria will be very different.
When selecting or developing suitable criteria, characteristics such as relevance, completeness, reliabil-
ity, neutrality and understandability are important. Criteria can either be established (i.e. embodied in laws
and regulations, such as accounting standards, or accepted industry standards) or specifically developed
for the purpose of the assurance engagement. As discussed in ASAE 3500, paragraphs 23 and A13–A16,
suitable criteria need to be identified by the auditor and may be taken directly, or developed from:
(a) regulatory bodies, legislation or policy statements;
(b) industry standards, relevant benchmarks, and relevant practice guides developed by professional bodies,
associations or other recognised authorities;
(c) statistics, measures or practices developed by the responsible party or by similar entities; or
(d) those developed by the assurance practitioner themselves, in which case the assurance practitioner ordinarily
documents why the selected criteria are suitable (ASAE 3500, para. A13).

While the auditor may need to adapt these criteria, they are often an excellent starting point. The
auditor always has a responsibility to assess whether criteria are suitable and appropriate to the specific
circumstances of the audit.
Example 5.13 sets out examples of criteria that are appropriate for some performance audits.

EXAMPLE 5.13

Suitable Criteria
Criteria to Assess the Adequacy of Systems and Practices
Systems should or are expected to:
• exist, and respond to risks
• be soundly designed, reflecting normal practices or central agency direction
• operate effectively, providing management with reasonable assurance that inherent risks are appropri-
ately managed.
Criteria to Ascertain Compliance With Authority
• Authority is required for objectives, operations, programs and individually significant transactions.
• Individual expenditures should be proper, related to objectives and approved.
• Expenditures forbidden by law should not be made.
Criteria to Examine Accountability Information
Information about the way that delegated responsibility has been exercised should fairly disclose
significant matters so that:
• the information is a complete and reliable record of significant events and transactions
• the information uses accepted conventions of estimation and measurement
• accepted conventions are used to disclose and present the information in an accessible way.
Criteria to Assess the Adequacy of Results
The organisation should achieve results (in areas of important responsibilities) that are satisfactory
compared with:
• public commitments and statements
• management targets
• reasonable expectations
• comparable organisations.
Source: CPA Australia 2019

P d f_Folio:353

MODULE 5 Other Assurance Engagements 353

8. Develop the Audit Plan, Including the Audit Program
Once the preliminary report (if applicable) has been completed and selected criteria discussed with
management, and detailed criteria have been developed, the public sector auditor should prepare an audit
plan. Audit programs form part of the audit plan.
An audit plan is created at the commencement of the audit and it is used to:
• identify the resources (human and other) to be applied to the audit
• make sure the resources are applied to the most appropriate areas, focusing on areas of highest risk and
materiality, in the most efficient ways
• identify any potential problems that may impede the audit.
An audit program is the documentation of the specific audit procedures to be carried out and their timing,
together with the staff member responsible for carrying it out. Typically, the audit plan does not change as
an audit progresses, however, performance audit programs can, and often do, change.
As we have discussed previously, financial statement audits usually recur annually. Performance audits
are often one-off audits. Unlike financial statement audit programs, which are comparatively standard from
year to year, performance audit programs need to be developed and adapted as the audit progresses. The
audit program often changes in response to:
• difficulties encountered
• evidence gathered that may suggest unexpected results or suggest more important audit processes should
be undertaken
• a lack of available information or cooperation from agency staff.
This flexibility in the audit process is necessary to accommodate practical issues, such as the availability
of data to evaluate against suitable criteria during the audit conduct stage. The audit program may
require development and adaptation in circumstances where difficulties are encountered in detailing the
audit criteria at the planning stage, or initial expectations regarding what might be significant may, on
investigation, be revealed as not significant.
Further, performance audits may be repeated when the public sector auditor undertakes a follow-up
project (discussed later in this module) aimed at determining the extent to which the auditee has responded
to recommendations, findings or comments arising from an original audit.

Conducting the Performance Audit

The next stage in the performance audit process is to conduct the audit. In conducting the audit, the
public sector auditor collects, tests and analyses evidence that is relevant and appropriate, based on the
performance audit objectives, criteria and methodology developed in the planning phase. It is the phase in
which the audit plan is implemented.
You should read the following section in conjunction with ASAE 3500, paragraphs 35–39, and for
further detail, paragraphs A40–A46.

9. Carry Out Audit Procedures as Defined in the Audit Program

The conduct stage is directed towards achieving the audit objectives. This involves gathering and evaluating
information to compare actual practices against the criteria, and obtaining relevant, reliable, sufficient,
objective and timely evidence to support any conclusions reached and recommendations made. Where
significant deviations from the criteria are identified, the underlying cause and effect should be determined
during this stage of the audit.
The next section discusses the techniques that can be used during the conduct of the audit. Having
developed the criteria, identified the evidence required and plan the audit, the necessary evidence must
now be collected to be able to arrive at a conclusion.

Techniques for examining economy, efficiency and effectiveness

During the audit conduct stage, the auditor uses various techniques to gather and evaluate informa-
tion against detailed audit criteria to assess economy, efficiency and effectiveness. The techniques for
examining economy, efficiency and effectiveness during a performance audit include reviews of inputs
and outputs, systems-based reviews, comparisons and effectiveness evaluations. They may also include
processes used by public sector auditors to collect or create data. For instance, a survey may be used to
assess criteria. In considering the implementation of the audit, it is important to consider a number of
techniques commonly used by public sector auditors.
These techniques are now examined more closely.

Pdf_Folio:354

354 Advanced Audit and Assurance

Inputs/outputs review
A review of inputs and outputs is primarily concerned with these questions.
• Can costs be reduced while still achieving the same output?
• Can greater output be achieved for the same cost?
An input-based review is concerned with reviewing costs and resources used in relation to output
(e.g. cost per tonne of refuse collected), where these costs and resources can be measured. Performance
measures, or output indicators, provide both the organisation and auditor with useful tools for the
assessment of efficiency.
Systems-based review
In addition to input/output-based reviews for assessing economy and efficiency, it is often useful to conduct
a systems-based review. Systems-based reviews provide the auditor with knowledge of the key systems,
processes and controls that are involved in the audited function or entity so they can identify:
• risks to delivery of services and risks to achievement of outcomes
• sources of and potential errors in performance data
• the reasons for any deviation from intended or benchmarked performance levels.
Systems-based reviews concentrate on areas such as the systems and processes of an organisation,
including key controls that prevent or detect error, fraud and non-performance, and can include examining
organisational structure and decision-making forums (i.e. governance arrangements).
The main purpose of a systems-based review is to address questions such as the following.
• What are the objectives for each area under review?
• How is success measured in each of the areas?
• Do the systems and the organisational structure provide the right background and information to allow
management to exercise proper control over its resources?
• If performance is not currently monitored by management, what performance information could be
derived from existing systems and processes?
• What corrective action is taken to get back on track to success?
• How are the pricing schedules calculated?
– How often are they reviewed?
• How are staffing levels determined?
– How often are they reviewed?
• How are regulated entities monitored for compliance?
– What enforcement actions have occurred?
• In relation to each activity under review, why is the work done?
– And if it has to be done, why is it done in the way that it is? Is the data used in the systems accurate?
• Can costs be reduced or the work carried out more cheaply by contractors without service quality and
quantity being compromised?
• What would be the effect of changing service levels?
• Are stakeholders satisfied?
– What mechanisms are in place to obtain stakeholder feedback and measure satisfaction?
• Is there a culture of learning and continuous improvement?
– How is this demonstrated?
Examples of management systems or processes that may be examined and the type of performance
information that could be gathered are outlined in example 5.14.

EXAMPLE 5.14

Examples of Management Systems and Processes That May

be Examined

Systems or processes Performance information

Human resources • Number of days lost to absenteeism per annum

• Staff turnover rates per annum

(continued)

P d f_Folio:355

MODULE 5 Other Assurance Engagements 355

 (continued)
Systems or processes Performance information

Complaints • Number of days lost to absenteeism per annum

• Number of staff complaints per annum

Work health and safety • Number of hours of WHS training per person on induction/per annum
(WHS) (compliance culture)
• Number of days lost to injury and illness incidents per annum

QUESTION 5.23

For each of the following questions, list the management system or process and the type of data
that could be examined to provide assurance on performance at a hospital.
(a) What is the wait time in the emergency department?
(b) How is the customer call centre performing?

Comparisons
It is useful to compare trends and statistics with other selected organisations of a similar type. Comparisons
may be made on any (or all) of the following bases:
• service expenditure levels
• usage of services or measures of client population served
• unit costs of services provided
• employment levels
• performance indicators.
In many cases, published figures will not be available, although comparative figures can often be
obtained from other organisations. For example, it may be possible to compare administrative overheads
as a percentage of the total cost of a service department (e.g. accounts payable) with organisations of a
similar size and nature.
Comparisons of costs or statistics between individual facilities of an organisation may be useful because
of the knowledge the auditor has of the organisation and the reasons why there might be differences.
Comparisons between different but similar cost centres can be particularly useful (e.g. between similar
residential homes, schools or divisions). Other examples are repair costs by class of vehicle and energy
costs by school.
Comparison of performance in previous years is also helpful to distinguish trends. A particularly useful
indicator is the trend in the ratio of administrative costs to operational costs, especially in the larger
government agencies, such as those in health and education. A large range of unit costs and performance
measures can be derived from the financial management information system or other agency records.
Effectiveness evaluation
As discussed earlier, effectiveness is arguably the most important element of performance auditing. There
is no point in an organisation doing the ‘right’ thing very efficiently and economically if the major policy
objective is not achieved. For example, it is fruitless for a public sector organisation to provide a vocational
training program that is both economic and efficient if a reasonable percentage of trainees in the scheme
do not or cannot obtain employment related to that training.
In considering the best approach to auditing for effectiveness, the auditor should concentrate on ensuring
that the organisation has systems in place to determine and report upon its own effectiveness.
Generally, to evaluate performance effectively, performance measurement systems require the following
to be set and put in place:
• objectives — which should be clearly defined
• responsibility for achieving those objectives — in accordance with the organisational structure
• performance indicators — in terms of defined objectives and responsibility
dP f_Folio:356

356 Advanced Audit and Assurance

• appropriate performance indicators — in terms that will enable benchmarking with both internal and
external norms of acceptable achievement
• systems to produce information to enable the recipient to compare performance with norms — the
information must be relevant, appropriate, timely and in a form that the recipient can use effectively.
The public sector auditor may audit the extent to which an agency’s performance measurement systems
include these components in order to rely on agency-generated data or the system itself may be the subject
of the audit.
The auditor will concentrate on how clearly the organisation has set policy objectives and how effectively
the outcome of those objectives can be evaluated.
If the policy objectives are reasonably well defined, the auditor’s next main concern is whether there
is an adequate system of measurement for evaluating the effectiveness of the policies. As described
previously, efficiency and economy are relatively easily measured as compared to effectiveness. Therefore,
the attributes of a performance measurement system are critical in order to evaluate effectiveness.
Measuring effectiveness using an organisation’s conventional information system is not easy because
such systems are usually concerned with budgeted and actual costs. Performance measures for effective-
ness often have to rely on more subjective information, such as user feedback. As such, some areas are
very difficult to measure or cannot be definitively measured and rely on subjective ideas of performance
outcomes.
For example, it is difficult to determine the success of an alcoholism treatment program merely by
using the numbers of patients whose alcohol consumption has reduced. Many other social factors blur
the evaluation of these types of programs, such as the degree of family support. However, it is normally
possible to quantify in some way the effectiveness of a service and, even if this is difficult, the auditor
should be satisfied that reasonable efforts have been made to establish effectiveness indicators for major
programs.
In some cases, the public sector auditor will need to test the adequacy of the client’s indicators, which
may not be sufficiently far-reaching. For example, the effectiveness measures for a vocational training
scheme might be the ‘percentage of graduates gaining employment’. But the auditor may decide this is
not an adequate measure and would want to find out, for example, what percentage of graduates gained
training-related employment and what percentage stayed in employment for longer than one year.
The auditor has a valuable constructive contribution to make in suggesting improvements to performance
measurement systems and the sources of the data that are used. It is useful to consider some of the following
main sources of data used for effectiveness reviews.
• Citizen surveys. Where a sample of users could be asked a series of questions on the performance or
scope of a particular service, which is often the only means of evaluating the quality of a service.
• Trained observer ratings. For example, the rating of services using photographic standards by trained
observers for areas such as street cleaning.
• Comparison with similar programs. For example, comparison with industry or other benchmarks, such
as turnaround time for planning applications, average response time to emergency calls by firefighting
units, and employment take-up rates from vocational training.
• Internal records. For example, occupancy rates for residential homes and user complaints on refuse
collection.
Having established the techniques the auditor plans to use to gather and evaluate information against
audit criteria, the auditor needs to obtain evidence to form an opinion on the subject matter. The next
section discusses the requirements in relation to obtaining evidence of sufficient quantity and quality to
support the conclusions and recommendations during the conduct of the performance audit.
Evidence
As with a financial statement audit, the assurance practitioner should obtain sufficient appropriate
evidence on which to base their conclusions (ASAE 3500, para. 35(d)). The auditor will ordinarily seek
corroborating evidence from different sources or of a different nature in forming conclusions, which may
be particularly important where qualitative criteria are being considered.
Sometimes, information on objectives, management of resources, performance and results is not
adequately reported by the organisation and generally accepted management practices often do not exist.
Therefore, the task of collecting evidence can be complex, and the auditor often must rely on evidence
that is persuasive rather than conclusive. The degree of persuasiveness should be high in sensitive or
controversial areas.

Pdf_Folio:357

MODULE 5 Other Assurance Engagements 357

 Examples of methods of obtaining evidence include:
• examination of existing records (e.g. completed or current work files, statutory and management
accounts, performance reports, minutes of meetings)
• written questionnaires
• interviews and discussions with the client and the staff concerned
• direct observation (i.e. looking in detail at one or more specific activities), such as inspecting physical
assets and observing customer inspections.
For example, in its performance report Farm Management Deposits Scheme, the ANAO reviewed
‘advice and briefing material provided to government’; examined ‘FMD Scheme documentation provided
by Agriculture, the ATO and Treasury’; analysed ‘FMD Scheme data provided by financial institutions to
Agriculture and the ATO for 2014 to 2017’; interviewed ‘key staff responsible for administering the FMD
Scheme’; and discussed the operation of the Scheme with registered tax agents (ANAO, 2019c, p. 18).
Example 5.15 presents the case of the fictitious Starlights Defence Force. Read the information given
and then complete the tasks.

EXAMPLE 5.15

Starlights Defence Force Performance Audit

Starlights Defence Force (SDF) consists of three divisions — the Air Force, Army and Navy. SDF does
not have an overarching policy on food rationing and distribution, so each of the three divisions makes
its own food rationing and distribution arrangements. In addition, over the past few years, some of these
functions (including catering services) have been contracted out to private providers in an attempt to
achieve enhanced economy and efficiency. These contractors do not provide any cost information or any
type of performance information in relation to the supply of these goods and services.
The Minister for Defence has asked that a performance audit be carried out on SDF’s food rationing and
distribution arrangements because of its lack of a coherent policy in this area. In particular, the Minister is
concerned that food rationing and distribution procedures may not be cost-effective or best practice. The
Minister has come to this conclusion based on a preliminary review that indicates that the Army’s daily
cost of providing an officer with meals is 20% more expensive than the same service provided by private
contractors, and 40% above that supplied by relevant private industry benchmarks. These figures could
very well apply to the other divisions of SDF.
In addition to these concerns, the minister has been informed that:
• less than 50% of defence staff take meals in the dining hall even though sufficient daily amounts are
supplied to cater for a full turnout
• each division (even if located in the same region) negotiates separate contracts from the same suppliers
and contractors
• management of private contracts is poorly monitored and not coordinated because, among other things,
staff are not suitably trained
• performance information that is available seems to be more relevant to monitoring activities rather than
measuring costs and comparing performance.
............................................................................................................................................................................
(a) How does a performance audit serve the notion of ‘accountability’ in the public sector?
(b) State the objectives of a performance audit in these circumstances.
(c) List and explain the audit criteria that could be used to assess the economy, efficiency and effectiveness
of current SDF food rationing administrative arrangements.
(d) From the information supplied in this example, develop performance indicators that could assist in deter-
mining the economy, efficiency and effectiveness of SDF’s food rationing and distribution arrangements.
(e) Identify the key recommendations that you could include in your report.
Check your response against the suggested answer at the end of the book.

Cause and effect

Once an audit finding regarding any performance failure has been identified, two complementary forms
of assessment take place. These are:
• determination of the causes of the lack of performance
• assessment of the effect of the lack of performance.
The cause is the reason why something happened. There may be several causes for each conclusion.
The auditor needs to identify the cause that, if changed, would prevent similar occurrences; it forms the
basis of a recommendation to the responsible agency.
dP f_Folio:358

358 Advanced Audit and Assurance

 The effect of a variation in performance against the audit criteria may be quantifiable. The effect
of uneconomic processes, expensive inputs or unproductive facilities can be estimated in dollar terms.
Additionally, the effect of inefficient processes, idle resources or poor management may be seen in delays
or wasted physical resources. Qualitative effects as evidenced by a lack of control, poor decisions or lack
of concern for service may also be significant.
The effect should demonstrate the need for corrective action. The effect could also have occurred in the
past, be occurring now or may possibly occur in the future. The auditor needs to determine if the effect
occurred in the past, and whether the situation has already been remedied to prevent it from recurring.
For example, in its performance report Regulation of Great Barrier Reef Marine Park Permits and
Approvals, the ANAO identified the cause and effect of weaknesses in the permit application process:

While GBRMPA has well-established arrangements for processing and assessing permit applications,
there were weaknesses in the quality and completeness of the assessments undertaken against regulatory
requirements. The causes of these weaknesses included fragmented and incomplete guidance material
for staff, incomplete records, insufficient consideration of relevant assessment requirements and limited
assurance from quality control processes. As a consequence, the permit application assessment reports
prepared for the delegate did not address all regulatory requirements on which decisions to issue or refuse
permits were to be based (Australian National Audit Office (ANAO) 2015).

In examining cause and effect, the auditor should be aware of the following.
• Cause and effect are interrelated and the knowledge of one assists the understanding of the other
(e.g. knowledge of the system for managing human resources helps in understanding the issue of human
resource efficiency).
• Any adverse effects of control weaknesses should be quantified where practical.
• The cause or effect may be either an isolated occurrence or part of a pattern indicating a potential
breakdown of the internal control system.
• Causes may be external to the system or the organisation subject to audit (e.g. directives from central
agencies have an effect on the operations of many public sector agencies), and effects may also extend
beyond the system or organisation subject to audit.
It is important that performance measures actually measure what can be influenced by the actions and
activities of the organisation, or part of the organisation, which is being measured.
An understanding of the techniques for examining economy, efficiency and effectiveness; the require-
ments for audit evidence; and cause and effect are essential to the ‘conducting the audit’ stage of a
performance audit. Following these stages, auditors then evaluate their findings, form conclusions and
prepare the assurance report.
10. Analyse Evidence and Evaluate Findings so as to Develop Conclusions and Recommendations
On a progressive basis throughout the conduct of the audit, the auditor evaluates evidence against the
selected performance audit criteria. The aim of this evaluation is to develop findings to:
• confirm or modify planning decisions and assessments
• develop conclusions relative to the audit objectives
• establish confidence in the audit conclusions.
As discussed earlier, the auditor should consider the implications of evidence obtained. The auditor
must evaluate the extent and the impact of identified variations in the entity’s performance of the activity
which are material (significant) to the auditor’s conclusion. ‘Material variations are those which could
impact performance in relation to economy, efficiency and/or effectiveness and be reasonably expected to
influence relevant decisions of the intended users of the assurance report’ (ASAE 3500, para. 31).
The impact on users of assurance reports is the ultimate test of what is material in the context of an audit.
As such, it is important when assessing materiality that stakeholders’ interests and information needs for
decision making are considered. This may include reporting good performance to provide fairness and
balance in reporting, as decision makers are interested in knowing what is working well, as well as what
needs to be improved.
The auditor should consider carefully why adverse variations or positive variations (which may indicate
over-allocation of resources) from criteria have occurred. Once the causes of variations have been
identified, it is important to consider their effect — actual or potential — on the organisation and the audit.
This process requires that considerable professional judgment is exercised and consultation undertaken to
ensure the process is carried out with due care and objectivity.

Pdf_Folio:359

MODULE 5 Other Assurance Engagements 359

 When the auditor identifies a variation from performance audit criteria, typically they should do the
following.
• Assess whether the variation is an isolated instance, or represents a systemic or general weakness.
• Identify the fundamental cause of the variation. This is important in appreciating the significance
(materiality) of the conclusions and developing a basis for recommending remedial action.
• Assess and, where practical, quantify the impact or potential impact of the variation. Quantifying the
impact of a variation helps determine its materiality.
• Consider the relative significance of the conclusion in relation to the audit objectives for the organisation.
Each matter reported is required to be of a nature and significance that warrants the attention of
parliament.
• Determine if management or parliament is aware of the deficiency and whether corrective action has
commenced. This helps the auditor to decide on the reporting strategy and to ensure fairness in the report.
A matter that has been identified by management and is being corrected or disclosed to parliament may
be less significant for reporting than a previously unknown, unresolved problem.
Having considered the causes and effects of variances from criteria from which conclusions are devel-
oped, recommendations are then prepared. The focus of recommendations is to indicate the improvements
that are necessary, rather than how to achieve them. Where corrective action is underway, it is good practice
to point this out.
When developing recommendations, the auditor should consider the results of the cause and effect
analysis, taking into account:
• circumstances that help or hinder the organisation in meeting performance criteria
• the feasibility and cost of adopting a recommendation (the benefits of a recommendation should
outweigh the cost of implementing it)
• alternative courses for remedial action
• effects, both positive and negative, that may arise if the recommendations are adopted.
It is good practice to ensure that the recommendations:
• flow from the auditor’s observations and associations
• respond to the underlying cause of the deficiencies
• are clear and succinct, and stand alone
• state what needs to be done but not the specifics of how
• are positive in tone and content
• are capable of being implemented in a reasonable time frame
• are cost-effective
• are able to be followed up
• are consistent and coherent with other recommendations.
11. Communicate Summary of Draft Findings and Proposed Recommendations
It is important that the public sector auditor maintains contact with management of the organisation during
the course of the audit for two reasons.
• It assists in maintaining management’s commitment to the audit by providing regular feedback on
progress.
• It is a useful tool by which the auditor can test findings with management, who are obviously more
familiar than the auditor with the organisation and its programs.
Effective, ongoing communication with management also ensures that there will be ‘no surprises’ in the
audit report.
The public sector auditor’s report may include recommendations for improvement to address the
variations identified (ASAE 3500, paras A52–A53) in the following areas:
• economy and efficiency in the acquisition and use of resources
• effectiveness in achieving program objectives
• service delivery and quality
• management planning and control
• accountability.
Performance audit reports may also identify suspected poor or wasteful practices, allegations of fraud,
misuse of resources or serious shortcomings in an internal control structure. The performance audit report
should persuade the organisation to take action where improvements are shown to be necessary, reasonable
and cost-effective.

Pdf_Folio:360

360 Advanced Audit and Assurance

Reporting Stage
The development of the audit report is a critical and complex task undertaken by a public sector auditor.
Public sector auditors carry out their responsibilities in accordance with an audit mandate, which is usually
specified in legislation in the respective country. This mandate specifies the type of audit to be conducted,
the entity or activity to be audited, and the powers and responsibilities of the auditor. The International
Organisation of Supreme Audit Institutions (INTOSAI) operates as an umbrella organisation for the
external government audit community. In Australia, the government audit responsibilities are undertaken
by the federal and state/territory auditors-general.
In a performance audit, the public sector auditor must decide what the focus of the audit is, and they
must also decide how best to communicate the nature of the evidence gathered, and their opinion on that
evidence. That is, the public sector auditor must decide how to make the results of the audit available
to stakeholders, such as the parliament, other government agencies and the broader community. This is
usually done by issuing a report.
Performance audit reports may be prepared based on either:
• an attestation engagement whereby the responsible party, normally the agency concerned, measures or
evaluates the underlying subject matter against criteria (i.e. they prepare the report) to enable the auditor
to express a conclusion
• a direct reporting engagement in which the public sector auditor directly measures or evaluates the
underlying subject matter against criteria (i.e. prepares the subject matter information) and expresses
the conclusion.
As noted earlier, attestation performance audits are less frequent than direct engagement performance
audits. In other words, usually a performance audit is not carried out over a document or report produced
by the agency being audited; it is carried out over an activity. The output of the performance audit process
is a report developed by the public sector auditor that is tabled in parliament and may be reported on by
the media.
Typically, a report produced by a public sector auditor will outline:
• what the purpose of the performance audit was
• what was found
• a conclusion (opinion) regarding the findings.
Therefore, the objective of a performance engagement is to enable the public sector auditor to express a
conclusion (opinion) about an activity’s performance to be included with commentary, methodology and
other discussion, in a report. The report is intended to provide users with assurance and an understanding
of the economy, efficiency and effectiveness of a particular activity.
Performance engagements generally provide reasonable assurance, which is the highest level of assur-
ance available. In some circumstances, however, or within some aspects of a performance engagement,
limited assurance may be provided. This is a lower level of assurance and relies on less extensive
procedures and evidence, and the auditor’s conclusion is expressed in a form that conveys whether anything
has come to the attention of the auditor to cause them to believe the activity has not been performed
efficiently, economically or effectively. Limited assurance engagements are referred to as ‘performance
(assurance) reviews’ rather than ‘performance audits’.
In contrast to financial statement audits, which focus solely on accountability, performance auditing
focuses on improving both accountability and management practice. Importantly, publishing the report
allows other agencies — whether in that jurisdiction or not — to learn from the experience of others,
thus creating opportunities for greater economy, efficiency and effectiveness more broadly. Therefore, the
reports of public sector auditors can be far-reaching and used widely.
In addition, in Australia, to assist public service managers (and others) to improve management practice,
some audit offices distil audit findings and incorporate them into better practice guides (BPGs). These
guides aim to improve public administration by describing best practices employed in some government
organisations. Public sector auditors may encourage entities to use the BPGs to review their own practices.
BPGs are available on a diverse range of topics, including:
• records management
• information and technology controls
• long-term financial planning for entities.
ASAE 3500, paragraph 45 lists the following basic elements to be included in an assurance report for a
performance engagement:
(a) a title, indicating that it is an independent assurance report;
Pdf_Folio:361
(b) an addressee;

MODULE 5 Other Assurance Engagements 361

 (c) identification of the scope of the engagement including:
i. the responsible party (or parties) and a description of their responsibilities;
ii. the activity which was the subject matter of the performance engagement;
iii. a description of the objective of the performance engagement;
iv. identification of the criteria for evaluating the performance of the activity and the party specifying
those criteria, if it was not the assurance practitioner;
v. if appropriate, a description of any significant inherent limitations associated with the evaluation of
the activity’s performance against the identified criteria; and
vi. the assurance practitioner’s responsibilities.
(d) a statement that the performance engagement was conducted in accordance with ASAE 3500
Performance Engagements;
(e) a statement that the assurance practitioner complies with the independence and other relevant ethical
requirements related to assurance engagements;
(f) a summary of the work performed by the assurance practitioner to obtain reasonable assurance and to
provide a basis for the assurance practitioner’s conclusion;
(g) the assurance practitioner’s conclusion about the performance, in terms of economy, efficiency and/or
effectiveness, of the activity as evaluated against the identified criteria;
(h) when the assurance practitioner has been unable to obtain sufficient appropriate evidence or has identified
material variations in the activity’s performance in terms of economy, efficiency, and/or effectiveness as
evaluated against the identified criteria, the assurance report shall contain:
i. a description of the extent and impact of those matter(s); and
ii. the assurance practitioner’s conclusion that either the activity did not perform in certain material
respects, did not perform in all material respects, or there was not sufficient or appropriate evidence
to conclude whether the activity was performed.
(i) signature of the assurance practitioner, the Audit Office or location in the jurisdiction where the assurance
practitioner practices, and the date of the assurance report.

An example of an assurance report for a performance engagement is available at: https://www.anao.

gov.au/work/performance-audit/the-bureau-meteorology-delivery-extreme-weather-services
You should read the following section in conjunction with ASAE 3500, paragraphs 43–48, and
A49–A55.
12. Report to the Head of the Organisation, the Minister and Parliament
Under the relevant audit Acts, the Auditor-General reports to parliament on the results of a performance
audit and provides copies to the relevant chief executive (accountable authority) and the minister, subject
to legislative requirements.
Audit conclusions and recommendations are mainly communicated to management via the performance
audit report. It is important that audit conclusions and recommendations are separately identified and
framed in their proper context so the reader can understand relevant circumstances or factors that may have
impacted performance of the audited activity. Contextual information is usually provided in an introductory
or ‘background’ section of the audit report, and as appropriate throughout the report in order to sufficiently
frame audit findings and conclusions. Important contextual factors worth noting may include:
• unusually short implementation time frames
• changes in government or stated government priorities
• activities or delivery methods that represent a new and unfamiliar area for the government or the agency
• changed economic or market conditions.
The auditor should ensure that each matter reported to parliament is:
• of a nature and significance that warrants attention
• represented concisely, completely, fairly, objectively and in a timely manner.
Proposed audit findings and conclusions should be thoroughly discussed with the auditee before the
audit report is prepared. This is usually done at an exit interview with the manager and other appropriate
officers within the agency. The exit interview will ensure factual accuracy and facilitate acceptance of the
findings by the agency responsible for the audited activity. The exit interview generally occurs when the
performance audit team is leaving the auditee agency’s site or shortly thereafter.
To ensure procedural fairness, and to correct any errors of fact, the proposed audit report is provided to
the auditee for comment. Responses to the report are often incorporated in the report or in a separate report.
In the case of the ANAO, any comments received on a proposed performance audit report are required to
be included in the final audit report.
Review example 5.16 now.
Pdf_Folio:362

362 Advanced Audit and Assurance

 EXAMPLE 5.16

Trivoria Kneeball League

Utopia is an island continent made up of six states and two territories. One of the six states, Trivoria, is
the stronghold of a unique sport called kneeball, played and followed passionately among the population.
The last few years have seen strong moves by the sport’s administrators to make the sport more nationally
oriented. To help with this, two of Trivoria’s struggling teams have been relocated interstate to New North
England and Kingsland respectively. Other states, notably West and South Utopia, were invited into the
competition after having created their own teams. By 20X8, the competition comprised 16 teams: 10
based in Trivoria, two each from West and South Utopia, and one each from Kingsland and New North
England. The teams each attracted various levels of passion and membership, but among the Trivorian
teams, four teams (not all of which were the best performing) attracted the largest crowds and were the
strongest financially. The season comprised 22 games, excluding the finals series. Kneeball attracted huge
television and internet rights, with payments to the best players the source of much envy in other, less
popular sports.
Recently, there had been criticism of kneeball’s administrators in terms of how they undertake the
season’s draw. The administrators insisted that the determination of which team played which other team,
and in what order, was entirely fair within the guidelines set. However, in order to add credibility to the
process, the administrators decided to hire the services of a large public accounting firm to oversee
the draw. Peter Bailey’s CPA firm had recently made the decision to expand into offering assurance
services beyond the traditional audit role, being attracted by the increased profitability and prestige of
being associated with high-profile engagements. Peter, an experienced audit manager, was given the
task of overseeing the kneeball league’s draw for 20X9. Peter did not know a lot about kneeball, but
had undergone training in the methodologies involved in adding credibility to non-financial numbers, and
looked forward to his task as one that would bring valued publicity to the integrity and reputation of his
firm and lead to other similar engagements.
The kneeball league wanted Peter’s CPA firm to provide assurance that the draw for season 20X9 was
fair. Peter envisaged this would involve attesting to the fact that all teams had an equal chance of being
selected to play on any given date. However, he was surprised to find that the league’s guidelines for the
draw involved eight criteria that, in his opinion, made it difficult for fairness to be achieved.
1. The four strongest Trivorian teams each had to play each other twice, but with 22 games played by 16
teams, not all teams played each other twice.
2. There were certain ‘award’ dates (e.g. Armistice Day) when two particular teams had to play each other.
3. It was not possible for all teams to be scheduled for an equal number of ‘home’ games, even taking
into account the need for only some teams to play each other twice.
4. The interstate teams had to travel a disproportionate number of times to Trivoria, the ‘home’ of kneeball.
5. The temperature variation across the continent of Utopia meant that, early in the season, teams not
acclimatised to higher humidity and temperatures (when they played at locations nearer the equator)
were at a distinct disadvantage.
6. Even within a single state, not all grounds were comparable. Some had retractable roofs in case of bad
weather, while others did not.
7. In order to maximise television and internet ratings, some games were played at night, with others
during daylight. Even during daylight hours, some grounds had lights that could be used when visibility
fell, while others did not. Even in the same round, not all teams had an equal number of days of rest
since their prior scheduled game.
8. At least one of the finals had to be played in Trivoria, regardless of whether either of the competing
teams was from that state.
The more Peter learnt about the intricacies of this game, the interstate rivalries and the huge amounts
of money involved, the more concerned he became. How could he sign off on the draw as fair when, as far
as he was concerned, inequities arose? He scheduled a meeting with the board to discuss his concerns
and his conclusion that the only way to make the draw ‘fair’ was to increase the number of games or
reduce the number of teams, or both. The board, through the CEO, argued that:
• The game had always been administered in this way.
• The game’s level of patronage showed little community concern over these issues.
• Guidelines attached to the draw were transparent.
• The number of games could not be increased because of the wear and tear on players.
• The number of teams could not be reduced because of the parochial politics of disbanding or merging
teams.
............................................................................................................................................................................
(a) In your opinion, do the eight criteria outlined extend beyond matters related to the draw?
(b) What evidence would Peter have examined in coming to his conclusion? How does this differ from the
evidence gathered during an audit of financial statements.

P d f_Folio:363

MODULE 5 Other Assurance Engagements 363

 (c) In your opinion, was Peter, being relatively new to Trivoria, the correct person to be assigned to this
assurance task?
Check your response against the suggested answer at the end of the book.

Follow-Up Audits
Generally, public sector auditors cannot impose the recommendations made in their performance audit
reports on an agency. It is a matter for the agency to determine whether to implement the recommendations.
It is important, however, for the effectiveness of the performance audit function in achieving better
outcomes and improved performance that agencies accept and implement recommendations.
Public sector auditors usually adopt a process of ongoing consultation and discussion with agencies
during the course of an audit to promote acceptance of the recommendations. This includes consultation
with agencies during the planning stages, providing information on the audit approach and objectives,
and maintaining open and regular communication with the auditee. Audit conclusions and any proposed
recommendations are communicated to agencies for comment before the report is finalised.
Finally, after parliament, the minister (if applicable) and the agency’s management have been presented
with a final report, it is sound practice for the public sector auditor to periodically follow up on
recommendations contained in the audit report.
13. Follow Up and Report on Conclusions and Recommendations
Follow-up procedures are the final stage of the performance audit process, as illustrated in figure 5.12
earlier in the module. These procedures include an assessment of whether action taken by the organisation
has corrected or will correct the problems that gave rise to the audit conclusions and recommendations.
They will also ascertain whether any additional work should be done by a subsequent audit.
Assessing the action taken by management on the conclusions and recommendations (and assessing the
benefits of the audit) will also allow the effectiveness of performance audits to be measured.
A similar function is performed in various jurisdictions by parliamentary oversight committees, such
as public accounts committees, which may undertake inquiries to assess the extent to which agencies
have addressed audit findings and implemented recommendations. Where a parliamentary committee has
inquired into the status of audit recommendations, it may not be necessary for the public sector auditor to
conduct a follow-up audit into the audit topic.
Examples of follow-up audits are available at: https://www.anao.gov.au/work/performance-audit/
cybersecurity-follow-audit

QUESTION 5.24

Chan and Partners Accountants is a successful mid-tier accounting firm with a large range of clients
across Australia. During the 2017 year, Chan and Partners gained a new client, Medical Services
Holdings Group (MSHG), which owns 100% of the following entities:
• Shady Oaks Hospital, a private hospital group
• Gardens Nursing Home Pty Ltd, a private nursing home
• Total Cancer Specialists Limited (TCSL), a private oncology clinic that specialises in the treatment
of cancer.
Year end for all MSHG entities is 30 June. TCSL owns two relatively old linear accelerators
used in radiation therapy. Recently, radiation therapists using these linear accelerators have raised
concerns that they have adverse radiation effects on patients.
TCSL also wishes to purchase a new, more technologically advanced linear accelerator. The
Department of Health funded half the purchase price on the basis that TCSL followed the
Department’s ‘Guidelines for procurement of medical equipment’ when purchasing the accelerator.
The Department of Health has engaged the Auditor-General to check that TCSL met the terms of
the funding agreement.
The Auditor-General has also been asked to conduct a performance audit that examines how
well hospitals manage waste. Hospitals generate significant amounts of waste, both general and
clinical. General waste is not dangerous and can be disposed of more cheaply than clinical waste.
Five years ago, the federal government measured the amount of hospital waste produced in terms
of quantity and cost of disposal. The government then set an objective for hospitals to improve how
they manage waste and published a document titled ‘Waste management guidelines’.

dP f_Folio:364

364 Advanced Audit and Assurance

 The aims of the Auditor-General’s performance audit include assessing whether:
• improvements have occurred
• hospitals have reduced the amount of waste produced
• hospitals have reduced the cost of waste disposal.
The Auditor-General’s preliminary findings indicate that many hospitals do not have processes for
segregating general and clinical waste. These hospitals treat all waste as clinical waste.
1. Discuss the relevant criteria against which the Auditor-General will check TCSL’s compliance
with the terms of the funding agreement.
2. Identify two criteria the Auditor-General can use to examine how well hospitals manage waste.

In the next section, our discussion turns to non-assurance services.

The key points covered in this section, and the learning objectives they align to, are listed below.

KEY POINTS

5.1 Explain the types of assurance engagements, other than the audit of historical financial
information.
• Performance audits are concerned with the economy, efficiency and effectiveness of an organisa-
tion’s activities.
• The most informative and robust publicly-reported performance indicators are those that are also
used internally by an agency for management purposes, because they are monitored regularly
and the entity will have invested in its systems and processes to produce accurate and reliable
information.
• Performance audits carried out by public sector auditors extend the scope of assurance which
they provide parliament beyond the purely financial reporting of government entities to consider
the economy, efficiency and effectiveness of activities delivered or controlled by the government.
• Performance audits can provide an assessment of how well and how economically the public sector
is implementing the government’s policy program.
• Because public sector agencies are tasked with delivering the government’s policy agenda, typical
commercial indicators of performance, such as profitability and wealth creation, are usually less
important than indicators of efficiency and effectiveness in policy implementation.
• While most public sector auditors in each jurisdiction have complete discretion in the selection
of areas subject to performance audits, in practice this selection is made in consultation with
parliament, government entities and other stakeholders. Choices are made after carrying out an
environmental scan of key risks and challenges to the public sector, and identifying factors that
could potentially improve performance.
• The techniques for examining economy, efficiency and effectiveness during a performance audit
include reviews of inputs and outputs, systems-based reviews, comparisons and effectiveness
evaluations.
• Performance audit reports may also identify suspected poor or wasteful practices, allegations of
fraud, misuse of resources or serious shortcomings in an internal control structure.
• In contrast to financial statement audits, which focus solely on accountability, performance auditing
focuses on improving both accountability and management practice.
• Audit conclusions and recommendations are mainly communicated to management via the
performance audit report.
5.2 Apply the appropriate standard that relates to assurance engagements, other than the audit of
historical financial information.
• ASAE 3500 Performance Engagements is an adjunct to ISAE 3000 (ASAE 3000) (Revised) Assurance
Engagements Other than Audits or Reviews of Historical Financial Information and in order to
comply with the standards, public sector auditors must comply with the requirements of both
standards.
• Guidance on performance audits has also been issued by the International Organisation of Supreme
Audit Institutions (INTOSAI).
• The ISSAI 3000 reporting requirements are consistent with the current practice of the ANAO’s
current approach in reporting to the Parliament and with the ANAO’s purpose.

P d f_Folio:365

MODULE 5 Other Assurance Engagements 365

5.6 NON-ASSURANCE SERVICES
Non-assurance services include agreed-upon procedures and compilation engagements. Agreed-upon
procedures, including comfort letter engagements, are engagements where the auditor is engaged to issue
a report of findings based on procedures agreed upon with specified parties. The auditor does not express
an opinion or a conclusion on the subject matter.
When a compilation engagement is undertaken, the auditor applies accounting and financial reporting
expertise to assist the client in the presentation of financial information. No assurance is provided on the
compiled financial information. These non-assurance services are discussed next.

AGREED-UPON PROCEDURES
An assurance practitioner can undertake procedures of an assurance nature that are agreed upon with the
entity and the user of the report. Such procedures are potentially broad ranging and can be in any area
where the client and user perceive it to be beneficial to have a report on a matter using audit-related skills.
Agreed-upon procedures engagements are quite common in practice. They are designed to reflect the
individual circumstances of the clients and meet the needs of users. Guidance is provided through ISRS
4400 Engagements to Perform Agreed-Upon Procedures Regarding Financial Information. In Australia,
the relevant pronouncement is ASRS 4400 Agreed-Upon Procedures Engagements to Report Factual
Findings.
ISRS 4400/ASRS 4400 outlines that in accepting such engagements, it is essential that there is a clear
understanding as to which procedures are agreed and the terms of the engagement. These matters are
detailed in the engagement letter that should clearly set out the:
1. Nature of the engagement, including the fact that the procedures performed will not constitute an audit
or a review and that accordingly no assurance will be expressed.
2. Stated purpose of the engagement.
3. Identification of the financial information to which the agreed-upon procedures will be applied.
4. Nature, timing and extent of the specific procedures to be applied.
5. Anticipated form of the report of factual findings.
6. Limitations on distribution of the report of factual findings … (ISRS 4400, para. 9).

Reporting Considerations
ISRS 4400/ASRS 4400 outlines that, for agreed-upon procedures engagements, no opinion is expressed
and consequently no assurance is provided. The report issued by the assurance practitioner should outline
in detail the procedures undertaken (which should be those agreed as outlined in the engagement letter) and
the findings from these procedures. It is up to the user to draw conclusions from the information provided
and to determine the level of assurance to attach to this information (ISRS 4400, para. 5).
The report clearly communicates to the user that agreed-upon procedures were undertaken, not an audit
or review.
The report should contain:
• a title (in many cases, the title ‘Report of Factual Findings’ is used)
• an addressee
• identification of the specific information to which the agreed-upon procedures have been applied
• a statement that the procedures performed were those agreed upon with the recipient
• a statement that the engagement was performed in accordance with ISRS 4400/ASRS 4400
• identification of the purpose of the engagement
• details of the specific procedures performed
• a description of the auditor’s factual findings
• a statement that the procedures performed do not constitute an audit or review and, as such, no assurance
is expressed
• a statement that, had an audit or review been performed, other matters may have come to the auditor’s
attention that would have been reported
• a statement that the report is restricted to those parties that have agreed to the procedures to be performed
• a statement that the report relates only to the information specified and does not extend to the entity’s
financial statements taken as a whole
• the date of the report, the auditor’s address and the auditor’s signature (ISRS 4400, para. 18/ASRS 4400,
Pdf_Folio:366
para. 43).

366 Advanced Audit and Assurance

 An example of a report of factual findings (in connection with agreed-upon procedures for accounts
payable) is contained in Appendix 2 to ISRS 4400. You should review this example to confirm your
understanding of these reports.
The demand for agreed-upon procedures (AUP) engagements continues to grow, and these engagements
are widely used in many jurisdictions. In November 2018, the IAASB published an Exposure Draft of
Proposed ISRS 4400 (Revised), Agreed-Upon Procedures Engagements. Comments on the exposure draft
were due by March 2019. The IAASB proposes changes to the existing AUP standard to ensure it remains
relevant in the current business environment. Proposed changes include:
• the role of professional judgment in an AUP engagement
• disclosures relating to the practitioner’s independence or lack thereof
• guidance on appropriate or inappropriate terminology to describe procedures and findings in AUP reports
• the use of a practitioner’s expert in an AUP engagement
• restrictions on the distribution and use of the AUP report (IAASB 2018a, p. 1).

You can read more about the status of this project at http://www.iaasb.org/projects/agreed-upon-
procedures-isrs-4400.

QUESTION 5.25

One of the most important steps in an agreed-upon procedures engagement is to ensure that the
procedures that are agreed to be performed are acceptable and meet the requirements of the
intended recipients of the report. A statement to this effect must be included in an agreed-upon
procedures report.
(a) How can the auditor be satisfied that the intended recipients would consider the procedures
performed as sufficient for their purposes?
(b) What steps can the auditor take to ensure that there is no misunderstanding as to the
procedures agreed upon, or the form of the report to be issued?

Next, we discuss a particular type of AUP: comfort letter engagements.

Comfort Letter Engagements

In Australia, there is currently one agreed-upon procedures standard that is specific to a particular subject
matter. This is ASRS 4450 Comfort Letter Engagements, which has no international equivalent. This
standard addresses the auditor’s responsibilities when requested by the client entity to provide a comfort
letter to certain requesting parties relating to particular financial information included in the client’s
funding document. The requests usually relate to the issuing of new debt or equity finance by the client
company, and the requesting parties are usually underwriters, buyers, sellers or brokers appointed by the
client entity. The comfort letter is based on the auditor having performed the requesting parties’ specified
procedures and consequently no assurance is expressed in the comfort letter.
The auditor’s comfort letter report should include the following elements:
• the responsible party of the entity and the requesting parties’ addresses
• the date the auditor signs the comfort letter
• identification of the offering document to which the comfort letter relates
• the purpose of the comfort letter and that it has been prepared in accordance with ASRS 4450 and the
engagement letter
• the specified procedures requested by the requesting parties which have been performed by the auditor
on each type of financial information, and that no assurance is expressed on that financial information
• a statement that the auditor is not responsible for the sufficiency of the procedures performed
• the results of the procedures
• confirmation that the use of the comfort letter is restricted to its addressees and is prepared for the sole
purpose of assisting the requesting parties in their due diligence defence of the offering document
• the auditor’s firm name
• the auditor’s address (ASRS 4450, para. 60).
Next, we discuss the final topic on non-assurance services, namely compilation engagements.

Pdf_Folio:367

MODULE 5 Other Assurance Engagements 367

COMPILATION ENGAGEMENTS
Compilation engagements are not assurance engagements and are, therefore, not designed to provide
assurance. As outlined in paragraph 17 of the International Framework for Assurance Engagements,
the assurance framework and thus auditing and assurance pronouncements do not cover ‘compilations
of financial or other information’. There is, however, guidance for these types of engagements contained
in ISRS 4410 (Revised) Compilation Engagements. In Australia, the relevant pronouncement is APES 315
Compilation of Financial Information issued by the Accounting Professional and Ethical Standards Board
(APESB).
Compilation engagements involve the use of accounting expertise, as opposed to auditing expertise,
to collect, classify and/or summarise financial information. This will usually entail preparing financial
statements from transaction and other information, without the requirement to test the accuracy of that
information. These are commonly used engagements for SMEs in circumstances where there is not a
requirement for an entity to have an assurance report provided on their financial statements.
ISRS 4410 (Revised) makes it clear that the procedures employed in a compilation engagement are
not designed to and do not enable the assurance practitioner to express any assurance on the financial
information. It explains, however, that users of the compiled financial information derive benefit from
application of the assurance practitioner’s expertise in accounting and financial reporting and compliance
with professional standards. These benefits include delivering the service in accordance with the ethical
principles of integrity, objectivity, professional competence and due care.

Reporting Considerations
When reporting on a compilation engagement, in accordance with ISRS 4410 (Revised), paragraph 40, the
report on the engagement should contain:
(a) the report title;
(b) the addressee(s), as required by the terms of the engagement;
(c) a statement that the practitioner has compiled the financial information based on information provided
by management;
(d) a description of the responsibilities of management, or those charged with governance, in relation to
both the compilation engagement and in relation to the financial information;
(e) identification of the applicable financial reporting framework …;
(f) identification of the financial information …;
(g) a description of the practitioner’s responsibilities in compiling the financial information, including that
the engagement was performed in accordance with this ISRS …;
(h) a description of what a compilation engagement entails …;
(i) explanations that:
i. since a compilation engagement is not an assurance engagement, the practitioner is not required
to verify the accuracy or completeness of the information provided by management for the
compilation; and
ii. accordingly the practitioner does not express an audit opinion or a review conclusion on whether the
financial information is prepared in accordance with the applicable financial reporting framework;
(j) … [†]
(k) the date of the practitioner’s report;
(l) the practitioner’s signature; and
(m) the practitioner’s address.
†Certain other explanatory information if the financial information is prepared using a special purpose
reporting framework.

To check your knowledge of this area, review example 5.17 now.

EXAMPLE 5.17

Manna Pty Ltd

You have undertaken an engagement to compile the financial statements for Manna Pty Ltd and have
prepared the following compilation report. The law requires that general purpose financial statements be
prepared for Manna Pty Ltd, applying International Financial Reporting Standards for Small- and Medium-
sized Entities (IFRS for SMEs).
dP f_Folio:368

368 Advanced Audit and Assurance

 [To Management of Manna Pty Ltd]
We have compiled the accompanying financial statements of Manna Pty Ltd based on information you
have provided. These financial statements comprise the statement of financial position of Manna Pty
Ltd as at June 30, 20X3, the statement of comprehensive income, statement of changes in equity and
statement of cash flows for the year then ended, and a summary of significant accounting policies and
other explanatory information.
We have applied our expertise in accounting and financial reporting to assist you in the preparation
and presentation of these financial statements in accordance with IFRS for SMEs. We have complied with
relevant ethical requirements, including principles of integrity, objectivity, professional competence and
due care.
These financial statements and the accuracy and completeness of the information used to compile
them are your responsibility.
[Practitioner’s signature]
[Date of practitioner’s report]
[Practitioner’s address]
............................................................................................................................................................................
Study this Practitioner’s Compilation Report and identify three elements that are missing, according to the
practitioner’s reporting requirements contained in ISRS 4410 (Revised), para. 40.
Check your response against the suggested answer at the end of the book.

QUESTION 5.26

You have been approached by a client who is unsure of the requirements with regard to financial
reporting. Your client understands that there are compilations, reviews and audits but is not aware
of the differences between them.
Prepare notes for a meeting with your client to discuss the differences between compilation,
review and audit engagements. Identify the different levels of assurance and the form of opinion
that would be provided under each engagement. You should also provide brief notes about the type
of procedures that could be involved in each engagement.

The key points discussed in this section, and the learning objectives they align to, are listed below.

KEY POINTS

5.3 Describe non-assurance and other engagements services provided by professional

accountants.
• Assurance practitioners can undertake procedures of an assurance nature that are agreed upon
with the entity and the user of the report. These procedures are potentially broad ranging and can
be in any area where the client and user perceive it to be beneficial to have a report on a matter
using audit-related skills.
• In Australia, assurance practitioners may undertake an AUP engagement that relates to a particular
subject matter, such as new debt or equity finance where the requesting party is the underwriter or
broker appointed by the client entity. These engagements are undertaken in accordance with ASRS
4450 Comfort Letter Engagements. The auditor provides a comfort letter based on the specified
procedures performed and notes that no assurance is expressed in the comfort letter.
• Compilation engagements involve the use of accounting expertise, as opposed to auditing exper-
tise, to collect, classify and/or summarise financial information. This will usually entail preparing
financial statements from transaction and other information, without the requirement to test the
accuracy of that information. These are commonly used engagements for SMEs in circumstances
where there is not a requirement for an entity to have an assurance report provided on their financial
statements.

P d f_Folio:369

MODULE 5 Other Assurance Engagements 369

REVIEW
This module described some of the new assurance services that are being offered, including compliance
engagements, assurance of prospective financial information, non-financial information (especially envi-
ronmental and sustainability assurance and business performance measurement), systems and processes,
and behaviour. Various examples of each of these categories were discussed, including potential criteria.
The impact of information technology, increased data availability and the related issue of continuous
assurance were also examined, together with the competency requirements for new assurance services.
Finally, the role of internal audit in providing assurance services was discussed.
This module discussed how performance audits in the public sector are performed to comply with
legislative requirements and to assist accountability and improved performance in public administration.
While the discussion has centred, for illustrative purposes, on the public sector, the principles apply equally
in the private sector.
The module also described and explained concepts and practices of performance audits, and the unique
problems and difficulties that may be encountered in undertaking the related fieldwork, particularly those
associated with determining performance criteria.
In summary, the performance audit process involves the following.
• The public sector auditor develops an audit plan and program based on achieving the audit objective.
• Audit procedures are developed by the auditor to compare the condition (what is) against the established
criteria (what should be) and collect sufficient appropriate audit evidence.
• The auditor analyses the evidence collected to develop findings and form conclusions.
• The matters identified are analysed by the auditor as to their cause and effect.
• The auditor assesses their conclusions for their materiality (significance) and reportability, and develops
recommendations as advice to the entity to help it correct any identified problems or prevent problems
from occurring.
• The public sector auditor may consider following up the performance audit by undertaking a similar
audit at a future point in order to determine whether any adverse findings or recommendations identified
in the first performance audit were taken up by the agency(ies) subject to the performance audit.
This module concluded with a discussion on non-assurance services. Non-assurance services include
agreed-upon procedures, including comfort letters and compilation engagements. Agreed-upon procedures
are commonplace, as they are designed to reflect the individual circumstances of the clients and meet the
needs of users, especially for SMEs that are not required to produce audited financial statements.

WESTERWAYS CASE STUDY ACTIVITY

Other Assurance Engagements

As the financial statements audit came to a close, Joy and Mark Valenti approached Ray Campbell wanting
to know more about sustainability reports. In particular, they wanted to know if they should consider
preparing such a report and what the benefits, if any, would be to Westerways and their stakeholders.
Len Lewis had mentioned to Mark that many SMEs were now preparing sustainability reports and having
them assured. Len thought that maybe this was something that they should consider doing in the next
financial year for Westerways.
Summary of Ray’s Discussion With the Valentis on Content Applicable to Sustainability Reports
A sustainability report provides information about the entity’s economic, environmental and social impacts
and demonstrates the link between its strategy and its commitment to a sustainable global economy.
Businesses are being increasingly held accountable on issues related to human rights, climate change,
waste management, and the use of scarce resources such as water. However, as a retail hardware and
gift store, not all of these social and environmental issues will be relevant to Westerways business.
The most common reporting framework for the preparation of sustainability reports is the GRI standards.
These standards were devised by an institution whose mission is to develop, and disseminate globally,
applicable sustainability reporting standards in order to establish a common reporting practice for
sustainability reporting across a range of economic, environmental and social impacts. The current
GRI Standards were released on 19 October 2016 and have superseded the GRI G4 Guidelines. All
sustainability reports published on or after 1 July 2018 are required to use the GRI Standards.

dP f_Folio:370

370 Advanced Audit and Assurance

 According to CPA Australia (2012), sustainability reports provide four opportunities for SMEs. First,
large organisations often require their supply chains to demonstrate sustainability (e.g. through tender
processes or the need for sustainability reports, sometimes with assurance). By demonstrating sustain-
ability in practices and products, SMEs can differentiate themselves from competitors. Second, they
provide a credible way to present sustainability performance to stakeholders. Third, organisations that
can demonstrate sustainability have a greater range of finances available to their business. Fourth,
sustainability reporting can unlock internal advantages such as staff support, risk management and
process improvements.
Furthermore, GRI and IOE (2016) claim that sustainability reporting provides SMEs both internal
and external benefits. These benefits were explained to help the Valentis understand the benefits that
sustainability reporting should provide to Westerways and their stakeholders.

Internal benefits External benefits

Vision and strategy Reputation and trust

Management systems Attracting capital

Strength and weakness Stakeholder engagement

Employee motivation Competitive advantage

Assurance of Sustainability Reports

After explaining the content and benefits of sustainability reporting to Joy and Mark Valenti, they advise
Ray Campbell that they will prepare one for the next financial year. Ray then discussed with the Valenti’s
matters relating to having their sustainability report assured.
Summary of the Matters Ray Discussed with the Valentis on Assurance of Sustainability Reports
1. The five essential elements of a sustainability report assurance engagement conducted in accordance
with the International Framework for Assurance Engagements.
2. The appropriate assurance standard that will provide guidance to Ray when performing the assurance
engagement on Westerways sustainability report.
3. The procedures Ray is likely to perform to provide assurance on Westerways sustainability report.
4. The expected benefits of having their sustainability report assured.
............................................................................................................................................................................
CASE STUDY TASKS
1. Suitable content for Westerways sustainability report.
(a) Based on your knowledge of sustainability reports and Westerways business, describe the content that
would be appropriate for Westerways to include in a sustainability report.
(b) Based on the information provided in the two documents that Ray referred to above, what benefits
should sustainability reporting provide to Westerways and their stakeholders?
2. Assurance of Westerways sustainability report.
Outline the information Ray would have included in his discussion of these matters with the Valentis.

REFERENCES
Auditing and Assurance Standards Board (AUASB) 2019, ‘Explanatory Memorandum Exposure Draft 01/19: ASRE 2410 Review
of a Financial Report Performed by the Auditor of the Entity’, May, accessed July 2019, https://www.auasb.gov.au/Work-In-
Progress/Open-for-comment/ASRE-2410.aspx?preview=true
Auditing and Assurance Standards Board (AUASB) 2017, ‘Auditor review reports – the impact of the new auditor reporting
requirements’, AUASB Bulletin, 27 July, accessed July 2019, http://auasb.cmail19.com/t/ViewEmail/r/
822C68B69F019C102540EF23F30FEDED
ASX Corporate Governance Council 2019, Corporate Governance Principles and Recommendations, 4th edn, accessed July 2019,
https://www.asx.com.au/documents/regulation/cgc-principles-and-recommendations-fourth-edn.pdf
Australian Council of Superannuation Investors 2018, Corporate Sustainability Reporting in Australia: An Analysis of ASX200
Disclosure, June, accessed July 2019, https://www.acsi.org.au/publications-1/research-reports.html
Pdf_Folio:371

MODULE 5 Other Assurance Engagements 371

Australian National Audit Office (ANAO) 2015, Regulation of Great Barrier Reef Marine Park Permits and Approvals, accessed
July 2019, https://www.anao.gov.au/work/performance-audit/regulation-great-barrier-reef-marine-park-permits-and-approvals
Australian National Audit Office (ANAO) 2019a, ‘Cyber Resilience of Government Business Enterprises and Corporate
Commonwealth Entities’, 4 July, accessed July 2019, https://www.anao.gov.au/work/performance-audit/cyber-resilience-
government-business-enterprises-and-corporate-commonwealth-entities
Australian National Audit Office (ANAO) 2019b, ‘Annual audit work program 2019–20: Overview’, accessed July 2019,
https://www.anao.gov.au/work-program/overview
Australian National Audit Office (ANAO) 2019c, ‘Farm Management Deposits Scheme’, 26 June, accessed July 2019,
https://www.anao.gov.au/work/performance-audit/farm-management-deposits-scheme
Australian National Audit Office (ANAO) 2018, ‘ANAO Auditing Standards’, 29 October, accessed July 2019,
https://www.anao.gov.au/about/legislation-and-standards
Chalmers, K & Godfrey, J M 2007, ‘Drop by precious drop’, INTHEBLACK, vol. 77, no. 10, pp. 59–61.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013, Internal Control—Integrated Framework:
Executive Summary, accessed July 2019, https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf
CPA Australia 2012, A Guide for Assurance on SME Sustainability Reports, accessed July 2019, https://cpaaustralia.com.au/
~/media/corporate/allfiles/document/professional-resources/auditing-assurance/guide-assurance-sme-sustainability-
reports.pdf?la=en
CPA Australia 2018, ‘APES 310: Dealing with Client Monies’, accessed July 2019, https://cpaaustralia.com.au/professional-
resources/accounting-professional-and-ethical-standards/apes-310-dealing-with-client-monies
CPA Australia 2019, ‘Non-financial information assurance’, accessed July 2019, https://www.cpaaustralia.com.au/professional-
resources/audit-and-assurance/non-financial-information-assurance
Department of Agriculture and Water Resources 2018, ‘Australia’s water resources’, January, accessed August 2019,
www.agriculture.gov.au/SiteCollectionDocuments/about/factsheets/water.pdf
Global Reporting Initiative (GRI) & the International Organization of Employers (IOE) 2016, ‘Small business big impact: SME
sustainability reporting from vision to action’, GRI & IOE, 21 September, accessed July 2019, https://www.globalreporting
.org/resourcelibrary/Smallv%20Business% 20Big%20Impact%20Booklet%20Online.pdf
Global Reporting Initiative (GRI) 2019a, ‘About sustainability reporting’, accessed July 2019, https://www.globalreporting
.org/information/sustainability-reporting/Pages/default.aspx
Global Reporting Initiative (GRI) 2019b, ‘New to sustainability reporting’, accessed July 2019, https://www.globalreporting
.org/information/sustainability-reporting/Pages/New-reporters.aspx
Hong Kong Securities and Futures Commission 2013, Fit and Proper Guidelines, accessed July 2019, http://www.sfc.hk/web/
EN/assets/components/codes/files-current/web/guidelines/fit-and-proper-guidelines/Fit%20and%20Proper%20Guidelines.pdf
Huggins, A, Green, W & Simnett, R 2011, ‘The competitive market for assurance engagements on greenhouse gas information: Is
there a role for assurers from the accounting profession?’, Current Issues in Auditing, vol. 5, no. 2, pp. A1–A12.
International Auditing and Assurance Standards Board (IAASB) 2019, ‘Extended External Reporting Assurance’, IAASB,
Consultation Paper, 28 February, accessed July 2019, https://www.ifac.org/publications-resources/consultation-paper-extended-
external-reporting-assurance
International Auditing and Assurance Standards Board (IAASB) 2018a, Agreed-upon Procedures ISRS 4400 Exposure Draft
Summary, accessed July 2019, https://www.iaasb.org/projects/agreed-upon-procedures-isrs-4400
International Auditing and Assurance Standards Board (IAASB) 2018b, Handbook of International Quality Control,
Auditing, Review, Other Assurance, and Related Services Pronouncements, vol. 1, 2018–19 edn, accessed July 2019,
https://www.ifac.org/publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance
International Auditing and Assurance Standards Board (IAASB) 2018c, Handbook of International Quality Control,
Auditing, Review, Other Assurance, and Related Services Pronouncements, vol. 2, 2018–19 edn, accessed July 2019,
https://www.ifac.org/publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance
International Auditing and Assurance Standards Board (IAASB) 2018d, Handbook of International Quality Control,
Auditing, Review, Other Assurance, and Related Services Pronouncements, vol. 3, 2018–19 edn, accessed July 2019,
https://www.ifac.org/publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance
International Auditing and Assurance Standards Board (IAASB) 2016, Supporting Credibility and Trust in Emerging
Forms of External Reporting: Ten Key Challenges for Assurance Engagements, Discussion Paper, accessed July 2019,
https://www.ifac.org/system/files/publications/files/IAASB-Discussion-Paper-Integrated-Reporting_0.pdf
International Federation of Accountants (IFAC) 2010, ISAE 3420: Assurance Reports on the Process to Com-
pile Pro Forma Financial Information Included in a Prospectus, Exposure Draft, accessed August 2019,
http://www.ifac.org/system/files/publications/exposure-drafts/comments/4428-ifac-ny-us-isae-3420.pdf
Institute of Internal Auditors (IIA) 2019, ‘About internal auditing’, accessed July 2019, https://global.theiia.org/about/about-
internal-auditing/Pages/About-Internal-Auditing.aspx
Institute of Internal Auditors (IIA) 2017, International Standards for the Professional Practice of Internal Auditing (Standards),
accessed July 2019, https://global.theiia.org/standards-guidance/Public%20Documents/IPPF-Standards-2017.pdf
International Integrated Reporting Council (IIRC) 2014a, Assurance on <IR>: An Introduction to the Discussion, accessed July
2019, http://integratedreporting.org/wp-content/uploads/2014/07/Assurance-on-IR-an-introduction-to-the-discussion.pdf
International Integrated Reporting Council (IIRC) 2014b, Assurance on <IR>: An Exploration of Issues, accessed July 2019,
http://integratedreporting.org/wp-content/uploads/2014/07/Assurance-on-IR-an-exploration-of-issues.pdf
International Integrated Reporting Council (IIRC) 2015, ‘Assurance on <IR>: Overview of feedback and call to action’, accessed
July 2019, http://integratedreporting.org/resource/assurance/
International Integrated Reporting Council (IIRC) 2019, ‘Integrated reporting: frequently asked questions’, accessed July 2019,
https://integratedreporting.org/faqs/
KPMG 2017, The road ahead: The KPMG Survey of Corporate Responsibility Reporting 2017, KPMG Publication, accessed July
2019, https://home.kpmg/xx/en/home/insights/2017/10/the-kpmg-survey-of-corporate-responsibility-reporting-2017.html.
Pdf_Folio:372

372 Advanced Audit and Assurance

KPMG 2019, ‘Continuous auditing and monitoring’, accessed July 2019, https://home.kpmg.com/xx/en/home/services/advisory/
risk-consulting/internal-audit-risk/continuous-auditing-and-monitoring.html
Majmudar, U & Rana, N 2017, ‘Richard Howitt talks about the importance of Integrated Reporting for India’, The Economic
Times, 19 February, accessed August 2019,https://economictimes.indiatimes.com/blogs/et-commentary/richard-howitt-talks-
about-the-importance-of-integrated-reporting-for-india/
Michaelides, M 2017, ‘Compliance engagement requirements to be clearer’, CA ANZ Perspective, April, accessed August 2019,
https://www.charteredaccountantsanz.com/-/media/c9a0ad6b0cec4a448435605cc776b7fd.ashx
Rio Tinto 2019, ‘Water’, Our Commitment, accessed July 2019, https://www.riotinto.com/ourcommitment/water-24293.aspx
Schooley, S 2019, ‘What is corporate social responsibility?’, Business News Daily, 22 April, accessed August 2019,
https://www.businessnewsdaily.com/4679-corporate-social-responsibility.html
Simnett, R, Nugent, M & Huggins, AL 2009, ‘Developing an international assurance standard on greenhouse gas statements’,
Accounting Horizons, vol. 23, no. 4, pp. 347–63.
Staples Rodway Audit Ltd 2019, ‘Independent limited assurance report on the prospective financial information’, Staples Rodway,
15 February, accessed July 2019, https://smartinvestor. sorted.org.nz/assets/disclose-documents/13/6a/8d/10a44786f4/
Independent-Limited-Assurance-Report-on-the-Prospective-Financial-Information.pdf
Trotman AJ & Trotman, KT 2015, ‘Internal Audit’s Role in GHG Emissions and Energy Reporting: Evidence from Audit
Committees, Senior Accountants, and Internal Auditors’, Auditing: a Journal of Practice & Theory, vol. 34, no. 1, pp. 199-230.
Vasarhelyi, MA, Alles, M, Kuenkaikaew, S & Littley, J 2012, ‘The acceptance and adoption of continuous auditing by internal
auditors: A micro analysis’, International Journal of Accounting Information Systems, vol. 13, pp. 267–81.
WAM Global Limited 2018, ‘Prospectus’, May, accessed July 2019, http://www.wilsonassetmanagement.com.au/files/
WAM_Global_Prospectus.pdf
Water Accounting Standards Board (WASB) 2012, Australian Water Accounting Standard 1: Preparation and Presentation
of General Purpose Water Accounting Reports, accessed July 2019, http://www.bom.gov.au/water/standards/documents/
awas1_v1.0.pdf
Water Accounting Standards Board (WASB) 2014, Standard on Assurance Engagements ASAE 3610 and Australian Water
Accounting Standard AWAS 2 Assurance Engagements on General Purpose Water Accounting Reports, accessed July 2019,
http://www.bom.gov.au/water/about/publications/document/awas2.pdf

Pdf_Folio:373

MODULE 5 Other Assurance Engagements 373

GLOSSARY
access controls Procedures designed to restrict access to online terminal devices, programs and data.
accounting estimate An approximation of a monetary amount in the absence of a precise means of
measurement. This term is used for an amount measured at fair value where there is estimation
uncertainty, as well as for other amounts that required estimation.
adverse opinion An opinion expressed when the effect of a disagreement, or a conflict between
applicable financial reporting frameworks, is an extreme case and the auditor concludes that a
qualification of the auditor’s report is not adequate to disclose the misleading or incomplete nature
of the financial report.
advocacy May occur when an auditor is asked to promote or represent their client in some particular
way. This could happen when a client asks the auditor to promote their shares on the stock exchange,
argue their client’s position on a proposed accounting disclosure or represent them in a court case. The
auditor’s objectivity may be impaired. Further, the auditor’s independence of mind and in appearance
could be compromised.
agency The agency is responsible to parliament for the efficient, effective and economical use
of resources in carrying out its responsibilities.
analytical procedures Evaluations of financial information through analysis of plausible relationships
among both financial and non-financial data. Analytical procedures also encompass such investigation
as is necessary of identified fluctuations or relationships that are inconsistent with other relevant
information or that differ from expected values by a significant amount.
applicable financial reporting framework The financial reporting framework adopted by management
and, where appropriate, those charged with governance in the preparation of the financial statements
that is acceptable in view of the nature of the entity and the objective of the financial statements, or
that is required by law or regulation.
application controls Manual or automated procedures that typically operate at a business process level.
They can be preventative or detective in nature and are designed to ensure the integrity of the
accounting records. They relate to procedures used to initiate, record, process and report transactions
or other financial data.
appropriate underlying subject matter A range of information, such as data, reports on systems and
process, and reports on behaviour.
appropriateness Appropriateness relates to the relevance and reliability of audit evidence. To be
relevant, audit evidence must assist in achieving the audit objectives, and to be reliable, it must have
credibility.
appropriateness of audit evidence The measure of the quality of audit evidence, that is, its relevance
and its reliability in providing support for the conclusions on which the auditor’s opinion is based.
appropriateness of evidence The measure of the quality of evidence.
assertions Representations by management, explicit or otherwise, that are embodied in the financial
statements, as used by the auditor to consider the different types of potential misstatements that
may occur.
assess the risks The auditor assesses the risks of an incorrect conclusion based on the sample. This may
occur because the sample results may provide information that leads the auditor to reassess earlier
judgments of risk or provide information that risks are higher at particular times during the year.
assurance engagement risk Is the risk that the practitioner reports that the subject matter information is
fairly presented, when in fact it is materially misstated.
attestation An attestation engagement is where the responsible party, normally the agency concerned,
measures or evaluates the underlying subject matter against criteria (i.e. they prepare the report) to
enable the auditor to express a conclusion.
attestation engagements Engagements where attest means affirm, verify or corroborate the work of
others, where a party other than the assurance practitioner (normally management) measures or
evaluates the underlying subject matter against the criteria.
audit documentation The record of audit procedures performed, relevant audit evidence obtained and
conclusions the auditor reached (terms such as ‘working papers’ are sometimes used).
audit evidence Information used by the auditor in arriving at the conclusions on which the auditor’s
opinion is based.
Pdf_Folio:374

374 GLOSSARY
audit risk The risk that an auditor may give an inappropriate opinion on the financial information that is
materially misstated.
audit risk model A model that expresses the relationships among audit risk components. It simply
states that audit risk = inherent risk × control risk × detection risk.
audit trail A chain of evidence from initiating a transaction to its recording in the general ledger and
financial statements.
balanced Performance indicators should provide a complete picture of what is being done, covering all
significant areas.
blockchain An open, distributed ledger that records transactions between two parties in a verifiable and
permanent way.
business model Everything about how the business creates and delivers value to its stakeholders.
business risk Results from significant conditions, events, circumstances, actions or inactions that could
adversely affect the entity’s ability to achieve its objectives and execute its strategies, or from the
setting of inappropriate objectives and strategies.
cause The reason something happened.
computer-assisted audit techniques (CAATs) CAATs are the computer-assisted tools and techniques
employed by auditors to extract and analyse client data.
comparative information Amounts or disclosures of one or more previous periods that are presented on
a comparative basis with those of the current period.
confidentiality The obligation that all members of the professional bodies refrain from disclosing
information that is learned as a result of their employment to people outside of their workplace.
conflict of interest situation Occurs when the auditor is not capable of exercising objective and
impartial judgment in relation to the conduct of the audit or when a reasonable person with full
knowledge of the relevant facts and circumstances would conclude that the auditor is not capable of
being objective and impartial.
contingent liability A potential liability that becomes an actual liability when one or more future
event(s) occurs or fails to occur.
continuous auditing Continuous auditing involves the use of embedded modules in a client’s computer
system to perform auditing activities, such as control and risk assessments, on a more frequent basis.
control activities Those policies and procedures that help ensure that management directives are carried
out. Control activities are a component of internal control.
control environment Includes the governance and management functions and the attitudes, awareness
and actions of those charged with governance and management concerning the entity’s internal control
and its importance in the entity. It is a component of internal control.
control risk Relates to the efficacy of an entity’s internal controls and the risk that those controls will
not prevent, or detect and correct, a material misstatement at the assertion level.
cost-effective Performance indicators should balance the benefits of the information against the costs of
preparing them.
criteria The standards, rules or benchmarks used to prepare and evaluate the subject matter information
of an assurance engagement.
data analytics A process of inspecting, cleansing, transforming and modelling data with the goal of
discovering useful information, informing conclusions and supporting decision making.
detection risk The risk that the assurance practitioner’s evidence-gathering procedures will not detect a
material misstatement.
deviation A deviation exists when a control exists but does not operate effectively, i.e. it does not
prevent or detect and correct a misstatement on timely basis.
direct In a direct reporting engagement the public sector auditor directly measures or evaluates the
underlying subject matter against criteria (i.e. prepares the subject matter information) and expresses
the conclusion.
direct engagements Engagements where the assurance practitioner directly measures or evaluates the
underlying subject matter against the criteria.
disclaimer of opinion Expressed when the possible effect of a limitation on scope is an extreme case
and the auditor has not been able to obtain sufficient appropriate audit evidence and accordingly is
unable to express an opinion on the financial report.
dummy transactions Fictitious transactions that simulate real transactions and are used to test
internal controls.
Pdf_Folio:375

GLOSSARY 375
economy The performance principle relating to the minimisation of the costs of resources, within the
operational requirements of timeliness and availability of required quantity or quality.
effect The impact of a variation in performance against the audit criteria may be quantifiable.
effectiveness The performance principle relating to the extent to which the intended objectives at a
program or entity level are achieved.
efficiency The performance principle relating to the minimisation of inputs employed to deliver the
intended outputs in terms of quality, quantity and timing.
Emphasis of Matter Emphasis of Matter paragraphs are appropriate whenmatters are appropriately
presented or disclosed in the financial statements but are of such importance that they are fundamental
to users’ understanding of the financial statements.
engagement letter Written terms of an engagement in the form of a letter.
engagement partner The partner or other person in the firm who is responsible for the engagement and
its performance, and for the report that is issued on behalf of the firm, and who, where required, has
the appropriate authority from a professional legal or regulatory body.
engagement risk The risk that the practitioner expresses an inappropriate conclusion when the subject
matter information is materially misstated.
engagement team All partners and staff performing the engagement and any individuals engaged by the
firm or a network firm who perform procedures on the engagement. This excludes an auditor’s
external expert engaged by the firm or by a network firm.
enquiry Consists of seeking information of knowledgeable persons, both financial and non-financial,
within the entity or outside the entity.
entity’s risk assessment process A component of internal control that is the entity’s process for
identifying business risks relevant to financial reporting objectives and deciding about actions to
address those risks and the results thereof.
errors Unintentional misstatements in financial statements, including the omission of an amount or
a disclosure.
evidence Information used by the practitioner in arriving at the practitioner’s conclusion.
extent The quantity of information collected and tested. It is equivalent to sufficiency. More evidence is
better than less, but this is highly dependent on its quality.
factual misstatements Misstatements that are known with certainty.
familiarity May occur when, because of a long or close relationship with a client, a professional
accountant becomes too sympathetic to their interests or too accepting of their work.
fieldwork Entails gathering evidence and analysing and evaluating evidence in accordance with the
audit plan.
financial statements A complete set of financial statements as determined by the requirements of the
applicable financial reporting framework.
firm A sole practitioner, partnership or corporation or other entity of professional accountants.
fraud An intentional act by one or more individuals among management, those charged with
governance, employees, or third parties, involving the use of deception to obtain an unjust or
illegal advantage.
fraud risk factors Events or conditions that indicate an incentive or pressure to commit fraud or provide
an opportunity to commit fraud.
fraudulent financial reporting Involves intentional misstatements, including omissions of amounts or
disclosures in financial statements, to deceive financial statement users.
free from bias Performance indicators should report information impartially, using information that is
gathered and analysed in a way that is free from built-in bias.
general controls Policies and procedures that relate to many applications and support the effective
functioning of application controls by helping to ensure the continued proper operation of information
systems. It commonly includes controls over data centre and network operations; system software
acquisition, change and maintenance; access security; and application system acquisition,
development and maintenance.
generalised audit software (GAS) Software designed to read and process data, typically from large
databases, to perform a wide range of audit tasks.
going concern basis An assumption that an entity will continue in the future unless evidence is available
to the contrary.
haphazard selection Involves the auditor selecting sampling units without any conscious bias and in a
manner that the drawn sample can be expected to be representative of the population.
Pdf_Folio:376

376 GLOSSARY
independence Independence comprises independence of mind (professional judgment not compromised
— acting with integrity and exercising objectivity and professional scepticism) and independence in
appearance (how others perceive the integrity, objectivity or professional scepticism of the auditor).
indicators Measurements of the extent to which the criteria have been achieved.
inducements Are offers of gifts hospitality or other privileges intended to influence the
recipient’s behaviour.
inherent risk A function of the nature and uncertainty surrounding some transactions, account balances
and disclosures, such as complex calculations and accounting estimates.
inspection Examining records or documents, whether internal or external, in paper form, electronic
form, or other media, or a physical examination of an asset.
integrated test facility (ITF) A simple version of embedded audit software that populates a client’s
system with ‘dummy’ records.
integrity The obligation that all members of the accounting professional bodies be straightforward
and honest.
internal audit function The internal audit function is a function of an entity that performs assurance
and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance,
risk management and control processes.
internal control The process designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of an entity’s
objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations,
and compliance with applicable laws and regulations. The term ‘controls’ refers to any aspects of one
or more of the components of internal control.
intimidation May occur when a professional accountant is deterred from acting objectively because of
actual or perceived threats.
IT environment The policies and procedures that the entity implements and the IT infrastructure
(hardware, operating systems, etc.) and application software that it uses to support business operations
and achieve business strategies.
judgmental misstatements Typically involve judgments such as accounting estimates in which
uncertainty is a factor.
key audit matter (KAM) Those matters that, in the auditor’s professional judgment, were of most
significance in the audit of the financial report of the current period.
letter of enquiry A letter sent by the auditor to the entity’s legal counsel asking the legal counsel to
provide information directly to the auditor regarding any litigation and claims or other liabilities that
the legal counsel is aware of, including any costs and an estimate of the financial implications.
letter of subordination A letter from the parent company stating it agrees not to demand repayment of
debts that the subsidiary owes for a fixed period (usually 12 months).
letter of support A letter from the parent company stating that it agrees to provide financial assistance
to a subsidiary for a fixed period (usually 12 months).
library controls Are controls over the library collections of information, typically segregated by the
type of stored information, such as programs, data or documentation.
limited assurance engagement An assurance engagement in which the practitioner reduces
engagement risk to a level that is acceptable in the circumstances of the engagement but where that
risk is greater than for a reasonable assurance engagement. The conclusion conveys whether a
matter(s) has come to the practitioner’s attention to cause the practitioner to believe the subject matter
information is materially misstated.
lower assessed level of control risk approach The auditor’s planned assessed level of control risk is
low or medium. The plan involves obtaining a substantial understanding of the internal control
systems, planning extensive tests of controls but restricting the extent of substantive procedures.
management representation letter A letter that contains representations from management to an
auditor made during the conduct of the audit.
material misstatement Information in the financial statements that is misstated by an amount that is
likely to impact on the economic decisions made by users relying on the financial statements.
material uncertainty related to going concern Exists when events or conditions cast significant doubt
on the entity’s ability to continue as a going concern.
materiality In respect of accounting information, an omission, misstatement or non-disclosure that
could adversely affect the decisions of the user in given circumstances.
Pdf_Folio:377

GLOSSARY 377
misappropriation of assets Involves the theft of an entity’s assets and is often perpetrated by employees
in relatively small and immaterial amounts. However, it can also involve management who are usually
more capable of disguising or concealing misappropriations in ways that are difficult to detect.
misstatement A difference between the reported amount, classification, presentation or disclosure of a
financial statement item and the amount, classification, presentation or disclosure that is required for
the item to be in accordance with the applicable financial reporting framework. Misstatements can
arise from error or fraud.
mitigating circumstances Circumstances that offset the conditions that have raised doubts about the
entity’s ability to continue as a going concern.
modified auditor’s report Issued when the audit opinion is qualified, adverse or disclaimer of opinion
or when it is appropriate for the auditor to draw attention to or emphasise a matter that is relevant
to users.
monitoring of controls A process to assess the effectiveness of internal control performance over time.
It includes assessing the design and operation of controls on a timely basis and taking necessary
corrective actions modified for changes in conditions. Monitoring of controls is a component of
internal control.
nature The type and source of evidence.
NOCLAR Non-compliance with laws and regulations (NOCLAR) is an action that violates a law
or regulation that directly impacts on the financial statements or violates laws which address
compliance matters.
non-audit services Services that are not audit related. Examples are accounting, management
consulting, and insolvency and business recovery.
objectivity The obligation that all members of the professional bodies not allow their personal feelings
or prejudices to influence their professional judgement.
Other Matter Include matters not presented or disclosed in the financial statements that are relevant to
users’ understanding of the audit, the auditor’s responsibilities or the auditor’s report.
outcome Could be the reduced percentage of the population being diagnosed with diabetes over a
particular period.
output Could be the number of pamphlets distributed or the number of people attending an
information session.
overall audit strategy Sets the scope, timing and direction of the audit, and guides the development of
the more detailed audit plan.
overall materiality As part of determining the overall materiality for planning purposes, the auditor
selects a base and applies a percentage to that base.
parliament The parliament allocates responsibility to the agency.
performance materiality The amount set by the auditor at less than materiality for the financial
statements as a whole to reduce to an appropriately low level the probability that the aggregate of
uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole.
performed as risk assessment procedures Analytical procedures performed as risk assessment
procedures are used at the planning stage to identify areas of high risk and to assist in determining the
extent of planned audit procedures.
pervasiveness A description of the impact or possible impact of a material misstatement or material
scope limitation on the financial statements as a whole. If the material misstatements affect many
facets of the financial statements it is referred to as having a pervasive impact on the financial
statements as a whole.
predominantly substantive testing approach The auditor’s planned assessed level of control risk is
high, and the plan requires a minimum of understanding of internal control, no tests of controls but
extensive use of substantive audit procedures.
professional behaviour The obligation that all members of the professional bodies comply with rules
and regulations and ensure that they do not harm the reputation of the profession.
professional competence and due care The obligation that all members of the accounting professional
bodies maintain their knowledge and skill at a required level and complete each task thoroughly,
document all work and finish on a timely basis.
professional judgment The application of relevant training, knowledge and experience, within the
context provided by auditing, accounting and ethical standards, in making informed decisions about
the courses of action that are appropriate in the circumstances of the audit engagement.
Pdf_Folio:378

378 GLOSSARY
professional scepticism An attitude that includes a questioning mind, being alert to conditions which
may indicate possible misstatement due to error or fraud, and a critical assessment of evidence.
projected misstatements The result of audit sampling when the sample results are projected to
the population.
projected to the population A projection of the misstatement in the population based on the findings in
the sample.
projecting the errors Projecting the errors in a sample to the population based on findings by applying
the percentage of misstatement in the sample to the population to determine the projected
misstatement in the population.
public interest entities (PIEs) Either a listed company or an entity defined by regulation or legislation
as a public interest entity.
public sector auditor The public sector auditor carries out a process that is superimposed on the
accountability relationship between the parliament and agency, in order to provide assurance regarding
the agency’s policy implementation.
qualified opinion Expressed when the auditor concludes that an unqualified opinion cannot be
expressed but that the effect of any scope limitation, disagreement with those charged with governance,
or a conflict between applicable financial reporting frameworks is material but not extreme.
quantifiable Performance indicators should illustrate the extent to which objectives have been achieved
in absolute and proportional measures (i.e. subjective and judgmental statements should be avoided).
random selection Is where each sampling unit making up the account balance or class of transactions
has a chance (often an equal chance) of selection.
reasonable and informed third party A party, not necessarily an accountant, who possesses the
relevant knowledge and experience to understand and evaluate the appropriateness of the accountant’s
conclusions in an impartial manner.
reasonable assurance engagement An assurance engagement in which the practitioner reduces
engagement risk to an acceptably low level in the circumstances of the engagement as the basis for the
practitioner’s conclusion which is expressed on the basis of the outcome of the measurement or
evaluation of the underlying subject matter against criteria.
related party A party that is a person or other entity that has control or significant influence, directly or
indirectly through one or more intermediaries, over the reporting entity; or another entity over which
the reporting entity has control or significant influence, directly or indirectly through one or more
intermediaries; or another entity that is under common control with the reporting entity.
relevant Performance indicators should relate to the user’s needs and to clearly defined objectives that
communicate what is to be measured.
review engagement A review engagement provides only limited assurance whether the financial
statements conform to generally accepted accounting principles.
risk assessment procedures The audit procedures performed to obtain an understanding of the entity
and its environment, including the entity’s internal control, to identify and assess the risks of material
misstatement, whether due to fraud or error, at the financial statement and assertion levels.
risk of material misstatement The risk that the financial statements are materially misstated prior to
audit. This consists of two components at the assertion level — inherent and control risks.
second partner review A review of working papers by an audit partner who did not participate in
the audit.
self-interest threat May occur as a result of the financial or other interests of a professional accountant.
self-review threat May occur when the assurance team needs to form an opinion on their work or work
performed by others in their firm.
significant risk An identified and assessed risk of material misstatement that, in the auditor’s judgment,
requires special audit consideration.
subsequent events Events occurring between the period end and the date of the auditor’s report, and
facts discovered after the date of the auditor’s report.
substantive analytical procedures Are analytical procedures used as substantive procedures either to
replace or to corroborate a test of details.
substantive procedures Audit procedures designed to detect material misstatements at the
assertion level.
sufficiency Relates to the quantity of audit evidence obtained. The auditor needs enough evidence
to provide reasonable assurance as to whether the financial statements are free from material
misstatements.
Pdf_Folio:379

GLOSSARY 379
sufficiency of evidence The measure of the quantity of evidence.
systematic selection Involves selecting every nth item in the population, the interval being determined
by dividing the number of items in the population by the sample size and then selecting a random
starting point.
technical review A review by an audit partner or manager to ensure that the form and content of the
financial statements are in accordance with the applicable financial reporting framework, including the
Corporations Act and Australian Securities Exchange (ASX) requirements (where applicable).
test data Used by the auditor to test the integrity of the program and systems, and the information
contained within them.
tests of controls Audit procedures designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the assertion level.
those charged with governance Refers to the governing body of the entity (i.e. the board of directors
for a listed company) and other persons having responsibility for planning and directing activities for
an entity.
three-party relationship Involves the practitioner (professional accountant), the responsible party (the
person(s) responsible for the underlying subject matter) and the intended users of the report.
time-based and timely Performance indicators should cover a defined time period to determine whether
the performer has achieved the target and produced on a timely basis so that corrective action can
be taken.
timing When the evidence is collected (e.g. year-end). Evidence collected at year end, or close to the
date of the subject matter information, is the most reliable.
true and fair view A term that is synonymous with ‘fairly presented’. It is used when expressing a fair
opinion on financial statements when required by the Corporations Act.
unmodified auditor’s report An auditor’s opinion on a general purpose financial report prepared in
accordance with a financial reporting framework designed to achieve fair presentation that states that
the financial report ‘gives a true and fair view’ or ‘presents fairly, in all material respects’, in
accordance with the applicable financial reporting framework.
verifiable Performance indicators should result in similar conclusions when an independent assessment
is conducted.
written assurance report A written report that provides reasonable or limited assurance about the
subject matter information.
written representations Signed statements by responsible and knowledgeable individuals that have
bearing on one or more of management’s assertions.

Pdf_Folio:380

380 GLOSSARY
 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 381 — #1

AUDIT CASE STUDY:

WESTERWAYS PTY LTD
RELEVANT STANDARDS AND GUIDANCE MATERIALS

International standards Australian standards

ISA 315 (Revised) Identifying and Assessing the Risks of
Material Misstatement through Understanding the Entity and
Its Environment
ISA 320 Materiality in Planning and Performing an Audit
ISA 330 The Auditor’s Responses to Assessed Risks
ISA 450 Evaluation of Misstatements Identified during
the Audit
ISA 500 Audit Evidence
ASA 315 Identifying and Assessing the Risks of
Material Misstatement through Understanding the
Entity and Its Environment (Compiled)
ASA 320 Materiality in Planning and Performing
an Audit (Compiled)
ASA 330 The Auditor’s Responses to Assessed
Risks (Compiled)
ASA 450 Evaluation of Misstatements Identified
during the Audit (Compiled)
ASA 500 Audit Evidence (Compiled)

ISA 520 Analytical Procedures ASA 520 Analytical Procedures (Compiled)

ISA 540 (Revised) Auditing Accounting Estimates and ASA 540 Auditing Accounting Estimates and
Related Disclosures Related Disclosures

ISA 700 (Revised) Forming an Opinion and Reporting on ASA 700 (Revised) Forming an Opinion and
Financial Statements Reporting on a Financial Report (Compiled)

ISA 705 (Revised) Modifications to the Opinion in the ASA 705 (Revised) Modifications to the Opinion
Independent Auditor’s Report in the Independent Auditor’s Report

ISA 706 (Revised) Emphasis of Matter Paragraphs and Other ASA 706 (Revised) Emphasis of Matter
Matter Paragraphs in the Independent Auditor’s Report Paragraphs and Other Matter Paragraphs in the
Independent Auditor’s Report

INTRODUCTION
This section introduces the business entity, a small company whose financial report is to be audited,
together with its owners and its financing arrangements. It gives a picture of the business as it is now
and it looks back a few years to the start of the business. The decision had been made by the founders of
the business to operate in a limited company structure and to arrange for an annual audit of the company’s
financial statements. Campbell Lee Taylor, a local firm of accountants, has been offered the audit work,
together with some other professional services, and the firm’s partners have accepted the offer.

THE BUSINESS IN ITS ENVIRONMENT

Westerways Pty Ltd opened its doors for trading on 1 April 20X6 as a one-shop business, located in Drue
Street in Arnton. The entrepreneurs behind the company had lived most of their lives in Arnton and knew
the idiosyncrasies of its people. After less than two years of successful trading in Arnton, the owners opened
a second shop, in Tannam, another provincial town, slightly larger than Arnton, about 90 kilometres away.
This shop is in Stone Street in Tannam.
Each shop (in fact they now call them ‘stores’ with each store having two ‘shops’ in it) and its offices
occupy the ground floor of a building. On each of the front windows of the stores, there is a slogan: ‘You’ll
love it at Westerways’. This seems to be true, because there are always customers in the stores, buying or
just browsing. In either case, they are welcome, because the owners believe that today’s browsers produce
tomorrow’s customers — if not the browsers themselves, then their friends or relatives.

CASE STUDY 381

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 382 — #2

Arnton, where Westerways is based, has a population of about 80 000 and is located 200 kilometres from
the Lusitania capital city, Ventura, a city of 2.5 million. It is located on a river, navigable only by small
boats beyond Arnton, though there is also a railway and a good highway, as well as the nearby airport. It
is in an area whose wealth comes particularly from dairying and horticulture and from a mining company
operating in the nearby hills. The local industry is mainly support engineering for the agricultural activities
and the mine. There is also a growing tourism industry, centred on the river and on lakes and the forested
hills nearby.
Tannam, 170 kilometres from Ventura, is an agricultural and horticultural town. It supplies Ventura with
vegetables and flowers and has a growing export industry making use of the airport. Its horticulturalists are
hoping to experience growth over the next few years, with limiting factors being the availability of good
land and good seasonal labour. Their association is working with the government to develop appropriate
technology.
Lusitania is a country with a population of more than 4 million, adjoining much larger and more populous
countries. Its people are industrious, and in recent decades have come to realise the importance of education
and training as a means to develop their economy. The country is reasonably blessed in its natural features,
with good soil, regular rainfall and sunshine on most days. It has lakes and rivers that facilitate transport as
well as providing water for the horticultural, viticultural and dairying industries. Thirty years ago, minerals
were discovered in Lusitania and it now has a growing mining industry, which has given its government
royalty income for development of the country’s infrastructure. Since then, it has seen the rise of a number
of support and related industries. Lusitania has been quite successful in attracting some ‘down-stream’
industrial development for its primary produce and also some new technology industries, which are located
near its airport in the triangle of land between Ventura, Arnton and Tannam, which is in the centre of what
is becoming a recognised wine-producing area. The capital, Ventura, is the country’s main port and there
are a number of provincial towns based on various combinations of agriculture, mining and industry.

THE PEOPLE INVOLVED

Westerways Pty Ltd is a small limited company, with 50% of its shares owned jointly by its young
managers, Joy and Mark Valenti, 30% by well-established local businessperson and horse racing identity,
Mr Len Lewis, and 10% each by Ms Verity Samson and Mrs Bambi Baggio. Ms Samson and Mrs Baggio
are wealthy friends of Len and he had suggested that they take up the shares as an investment when the
business started. They are ‘silent’ investors, in that they do not become involved in the management of the
business. Len on the other hand is on the Board of Directors. In fact, Len had been the employer of Mark
Valenti before Mark and his wife started the business.
In the few years after leaving university, while working for Len, Mark had talked sometimes to him
about his desire to start his own business. Over those years, Mark and later also his wife, Joy, saved money
to put themselves in a position to open their own shop. When Mark and Joy one day asked Len whether
he would come in with them as a limited liability shareholder, he agreed, but with some conditions. They
accepted these and the business began operations a few weeks later.

THE MANAGEMENT AND THE STAFF

Mark and Joy run the stores together, supported in each store by a Staff Supervisor, who heads the
sales team with a Deputy Supervisor. In the head office in Arnton there is an Administrator, who is
responsible for the computerised accounting system, and in the Tannam store there is a part-time Assistant
Administrator. Mark and Joy had originally performed these duties themselves, but within a year the
business was doing well enough for them to delegate these routine functions. This was fortunate because
although Joy had proved to be a conscientious and competent administrator, she prefers buying and
bargaining with those of the customers who are interested in the higher-priced giftware. Mark, on the
other hand, while also an experienced administrator from his previous work with Len Lewis’s businesses,
has an entrepreneurial mind, with little love for routine activities and with a restless vision for new ventures
and business expansion.
The company at present employs nine shop assistants in each store on a casual basis for varying numbers
of hours per week. The stores are open long hours each day, with at least three staff on the floor at all times:
one at the sales counter and the other two moving around, helping customers or assisting at the counter.
Often, neither Mark nor Joy are in a store, but they are confident in the integrity of the supervisors and
assistants and have also set up appropriate internal controls after consultations with their accounting firm,
Campbell Lee Taylor.

382 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 383 — #3

THE MARKET
The initial business strategy was to sell hardware, with most customers likely to be men, in conjunction with
domestic ware and gifts, for which the majority of customers were likely to be women. It was hoped that
‘mums’ and ‘dads’ would come together and that there would be consultation in the store over merchandise
of interest, leading to immediate purchase rather than delay and possible change of mind. The Valentis also
believed that the people of the district would be happy to buy their home and garden needs in one place
in their home town, even if the goods were slightly more expensive, rather than purchase their house and
kitchenware and gifts from small shops and their hardware from the stores on the outskirts of the capital,
Ventura. A further business strategy was to have large windows and eye-catching window displays, and
Joy Valenti’s artistic talents were well suited to this.
The business strategy proved to be a good one. The first Westerways store was very successful from its
opening. The window displays attracted passers-by into the store, including both ‘locals’ and visitors to
the town, and when they came in they bought, and they told their friends of their pleasant experience of
seeing interesting merchandise and of bargaining with Mark and Joy. As the Valentis had hoped, families
were soon coming into the shop. It also soon became apparent that young people were finding the store a
useful source of gifts for their friends. Within a few weeks, the store was employing casual staff to assist.
Sales of gifts and unusual items of house and kitchenware were very successful. The hardware items
sold steadily, though the gross margin for many of these items was among the lower for the items sold.
The kitchenware and gifts were more risky, in the sense that it was more difficult to predict what would
sell, but they generally earned a higher gross margin.
Mark and Joy decided which items to buy based on their business intuition and from what customers
requested from time to time. In fact, as their inventory diversified, more suggestions tended to come from
their regular customers. They had to exercise considerable judgment in making decisions on selling prices
and, where necessary, on discounting of prices where slow-moving lines need to be ‘offloaded’.
There is a trade association for the retail hardware industry in Lusitania, which has an objective to assist
member hardware shop owners in any way it can. However, it has been of little assistance with business
decisions because it covers purely hardware, while the Westerways business strategy is to trade also in fine
homewares and gifts. There is no trade association that can give them assistance here and they have had
to use their own judgment.
The trade association does have data on the value of sales and the number of shop assistants per square
metre of floor space. However, the Valentis believe that their own business already does much better than
the guidelines, so they have made no recent comparisons.
Mark and Joy knew before they started the business that it is generally believed among businesspeople
with small shops that they must be able to mark up the cost of their merchandise by at least 60% on average
if they are to make an adequate return after meeting their expenses.
A variable that the Westerways management closely observe is stock turnover. They have no firm view
yet on stock turnover standards by product but review the data that is available in deciding on discounts
and advertising for the purpose of lowering stock levels.
One guideline for the business comes from the suppliers, most of whom suggest retail prices. They also
give advice on discounting. They are not by law in Lusitania allowed to require retailers to sell at particular
prices.

EXPANSION OF THE BUSINESS

The decision to open a second shop in Tannam was quite an easy one. The directors had developed
confidence that their formula of selling hardware and gifts together in provincial towns was the right one
and there were so many similarities between Arnton and Tannam that it seemed clear that a shop there
would be successful also. The Tannam store opened for business on 15 November 20X7.
Westerways did develop ambitions to sell to the agricultural and other businesses in the province.
The prime supplier to industry is the national Ventura-based company, Rural and Industries Suppliers
Corporation Ltd, which manufactures some products and buys and sells agricultural and industrial
merchandise in large quantities, delivering to the customer when requested. However, the Westerways
hardware shops did acquire a small number of industrial buyers who sometimes found that Westerways
had what they required. Westerways is expanding its product range slightly to meet these needs, but they
do not intend to move to directly compete in the industrial market, considering that their combination of
products puts them in the domestic consumer market.

CASE STUDY 383

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 384 — #4

THE PREMISES
The store and company offices in Arnton occupy the whole of the ground floor of a two-storey building.
The sales area of the store is in two sections, separated by a partition, but with one counter located near
the door and placed in such a way that the person at it has a reasonably clear view of both sections of the
shop. One section, the larger one, sells the various lines of hardware — that is, items such as paint, tools,
electrical appliances, nuts and bolts and similar items for home makers who like to do things themselves,
together with supplies and equipment for gardeners. The smaller section of the shop sells a varying range
of gifts of all sorts and quality homewares — items such as crockery, cutlery, ornaments and other items
of unusual design. These two sections are referred to as the ‘hardware shop’ and the ‘gift shop’ (which,
considering the wide range of goods it sells, is not quite true, but the name seems to be successful from a
marketing point of view).
At the back of the premises on the hardware shop side there is a loading bay, for both supplier deliveries
and collections of large items by customers. At the back on the gift shop side there is an administrative
office, located in such a position that a person working in it looks out into the loading bay area, which
is useful for security purposes. Between the loading dock and the offices, there is a small store used for
merchandise and office supplies.
In the floor above, there are a number of rooms that Westerways did not need and decided to let. They
are not high-quality offices and would not command much rent, but would be attractive to some businesses
and could later be taken over by Westerways. Access to these rooms is via a closed staircase to one side
of the store.
The business premises are quite well secured, though the Valentis have nonetheless chosen to carry
insurance of buildings and contents. Access would be difficult or impossible through the roof because of
the concrete between the store and the rooms above. The front of the shop, with its brick wall and steel
and reinforced glass door, and a relatively high pavement, is protected well enough to deter ramming by
motor vehicles (this being, unfortunately, a recent development in Arnton). The gates at the loading bay
are made of steel. There are varying amounts of cash on the premises, but at night the tills are cleared, a
float is retained in a strong wall safe, and the day’s takings are banked in a night safe located just across
the road. However, there are many valuable and useful items of inventory in both sections.
The store in Tannam is similar to the one in Arnton, but the office area comprises just one small
accounting office and rooms for the staff.

BUSINESS ACTIVITIES
Mark and Joy do the buying, from manufacturers and wholesalers located in the Lusitania region. Some of
the suppliers’ representatives visit the shop to take orders and give advice. Other orders are placed by email
after telephone discussions. The Valentis also visit suppliers and potential suppliers, with Mark focusing
on merchandise for the hardware shops and Joy on merchandise for the gift shops.
Some of the Westerways merchandise comes from other countries. Joy Valenti has been travelling
overseas to buy directly from suppliers. It was found that the Lusitania wholesaler-importers did not carry
the range of lines that the business needed, particularly for the gift shop. For importing, they obtained
the advice of the corporate financial advice specialist in their accounting firm, Alina Lee, and to protect
themselves against currency fluctuations, they work closely with their bank and hedge against risks.
A periodic activity is the receipt of merchandise at the delivery bay. The Supervisor or Deputy usually
take it, though all the staff are trained to receive goods. They check the merchandise in and use a trolley to
move it to the store or directly to the shelves. The packaging is discarded in bins behind the store. All of
Westerways’ inventory is delivered by van, brought from the docks at Ventura or directly from the supplier.
Selling activities occur almost entirely on the shop floor, though some sales are made online to known
credit customers.

FINANCING THE BUSINESS

To get Mark and Joy started, as stated above, Len provided 30% of the equity capital and arranged with
two of his friends to provide a further 10% each. In order to protect the outside shareholders’ interests,
Len stipulated that there should be an annual audit of the company’s financial statements. At the Valentis’
request, he approached the public accounting firm that did much of the work for his own businesses,
Campbell Lee Taylor (CLT), to do the audit work, as well as perform the taxation services for the new
company.

384 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 385 — #5

Len was persuaded by Mark to have the company buy its premises rather than lease. Mark argued that
Drue Street had declined over the last few years and property values were low. If the new business was
successful, and its owners were determined that it should be, it would attract other businesses back to the
street and that would ‘push up’ values, which the business should benefit from rather than the business’s
landlord. Len was concerned that this increased the capital requirements and the gearing, but he accepted
Mark’s argument and so the management sought and found a suitable freehold building. There would be
rents from the rooms upstairs to help repay the mortgage. Also, the business could expand into this upper
floor if and when it needed to.
Len and the Valentis secured a loan on mortgage from the company’s bank for purchase of the store’s
land and building. The shareholders’ equity was therefore used to finance the balance of the premises, the
other non-current assets and the working capital. However, because the owners thought that the business
would be subject to some seasonal fluctuations, they also made a standing arrangement with the bank to
go into overdraft. As part of its loan contract and overdraft facility, the bank is given each year’s budget
and the audited financial statements.
The company then used its shareholders’ funds to install fixtures, shelving, etc., to buy office furniture,
a trolley for moving the inventory, and a small LAN-based accounting system. It invested further funds in
starting up the business, including purchase of inventory and paying the salaries of Mark and Joy.
Immediately after the purchase of the property, Westerways did some maintenance work on the upper
floor and advertised them on the basis of a one-year lease and subsequent yearly renewals. It let the rooms
at a monthly rent to two small businesses, which have remained there since commencement.
To start trading in Tannam, the company used its own accumulated funds. The directors decided not to
buy the premises in Stone Street because the Valentis were not happy with this property as a long-term
investment. They expected to move the store within the next year two years, when the company’s name
had become known, and buy a property in a neighbouring lower priced street, hoping again to contribute
to the growth of land values in that street and itself to benefit from this.
In addition to meeting its loan repayment conditions, the business has been able to pay cash dividends
in each of its years of operation and expects to do so again in the current year.

PLANNING THE AUDIT

UNDERSTANDING A SMALL BUSINESS
Introduction
In this section, we cover the first stage in the planning for the current year’s audit. First, we comment
on what it is that auditors verify in their audits, the assertions made by the directors to the shareholders
and other readers of the financial report. Then, there are some comments on the need for planning for
audit evidence development. Under the current risk-based audit philosophy, audit planning activities are
referred to as ‘risk assessment procedures’ and some procedures are mandatory. The next section discusses
this and introduces the performance of these procedures in the current audit. This section is supported
by two appendices containing, in Appendix 2, notes made by the Audit Senior last year after she had
examined documents, interviewed the management and toured the premises and, in Appendix 3, transcripts
of two interviews with management to obtain updates on the business situation and on its governance
and management. Next, there is a discussion about using client data for planning purposes, including
obtaining insights into the business, revealing areas for particular audit attention and determining planning
materiality. This leads to a discussion of professional problems with the use of planning materiality. Finally,
some comments are made on Westerways Pty Ltd data used for audit planning; there is an appendix giving
the data (Appendix 4).

Inquiries, Observation and Inspection at Westerways

The auditors have now been involved with Westerways Pty Ltd for several years, so in the preliminary
planning stage each year they need only to obtain up-to-date information on the business and its
environment, and ensure that all the firm’s staff involved with the audit have this knowledge. Among
other things, there are on the audit files notes on the business and its information systems. Some of these
notes are carried forward for use in this audit. They are in Appendices 2 and 5.
The Audit Senior in charge for this client this year again, Fiona Kerr, has during the year had a short
telephone conversation with the company’s Administrator, Jill Johnson, to discuss the accounting system
and the processing of the increasing volume of business transactions. She has also telephoned Joy Valenti,

CASE STUDY 385

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 386 — #6

as a courtesy, as well as to discuss the progress of the business and its accounting system. She therefore
needs to do little more preparation before contacting the management to advise of the impending interim
audit. She scans the audit documentation to remind herself of any major points arising from the last audit.
She also examines the firm’s correspondence files for any matters relevant to this year’s audit. Then she
telephones the company to arrange the first audit planning visit, finds that Joy is away, and so arranges an
interview with Mark. On this occasion, her intended audit assistant, Bruce Banks, is available and so she
takes him with her for this visit. She had asked Mark on the telephone whether he minded if she brought
an audio tape recorder to record the conversation. He had no objection and she therefore recorded the
interview and later had a CLT typist transcribe the recording. This is attached as Appendix 3.
Before she went, she spoke to the engagement partner, Ray Campbell. He queried with Fiona what
Westerways’ Board of Directors was doing about its governance responsibilities. Fiona responded that
perhaps they should speak to Chairman Len Lewis about that. Ray agreed and so Fiona asked Ray’s
personal assistant to arrange an interview for the two of them with Len soon after her interview with
Mark. She asked the assistant to confirm with Len that she could bring a tape recorder and Len agreed.
The transcript of this interview is also attached, as the second part of Appendix 3.

Using the Client’s Financial Data in Audit Planning

On arrival at the client’s premises, after having a quick tour of the store with Mark, the auditors discussed
the year to date results with him, comparing this year’s results with the previous year and with budget.
They later obtained copies of some of the data and keyed it into an electronic spreadsheet.
Then, using the financial data they had obtained for the current year and the data they already had from
previous years, the auditors developed spreadsheets of financial performance and financial position data.
They would use these for two major purposes.
1. To perform analytical procedures. They use the results of these procedures for two purposes.
(a) To enhance their understanding of the business. They realise that auditing cannot be done by mere
examination of the accounting records. To make the judgments needed to develop the audit evidence
and to arrive at their opinion whether the financial statements are acceptable, they need to understand
the business and to confirm whether the understanding that they develop of the business is reflected
in the data in the accounting records.
(b) To reveal apparent anomalies in the data that they will investigate during the audit evidence develop-
ment stage. They realise that analytical review is an effective way of guiding their subsequent audit
testing, thereby making their whole audit more efficient. In this way, they use analytical procedures
both to assist in planning the audit and to develop some of the audit evidence.
CLT have found it useful in some audits to compare the company’s data with data for its com-
petitors where this is available. For some industries, a trade association collects data, summarises
it, and releases it for the individual companies in the industry to use for comparison and evaluation
purposes. This data is not always available. In all audits, though, the auditors interview the senior
management personnel at the beginning of the audit to get their perspectives on the progress of the
business in its industry.
2. To determine their planning materiality figure. In arriving at their opinion whether the financial
statements comply with financial reporting criteria (i.e. whether they ‘give a true and fair view’ of
the financial results and position of the company), the auditors recognise that there may be differences
between their own conclusions as to the best figures to include in the financial report and the figures in
the draft report prepared by the company’s accountant. These differences may arise through errors in
input or processing, or through variations in accounting estimates resulting from differences between
the judgments of management and their own, for example on the amount needed as the allowance for
doubtful debts. They will accept the company’s financial report figures if the differences are not so large
as, in their opinion, to mislead users of the report — in other words, if the differences in their opinion
are immaterial.

Obtaining Current Year Data for Audit Planning

Usually, auditors plan their audit several months before the end of the client’s financial year. That means
that they do not have the actual data for the whole of the current year. As an audit policy, CLT then either
obtain recently revised budget data for the full year or, if this is unavailable, ‘annualise’ the data that they
do have, using budget data and evidence from management to obtain estimates of the last few months’
operating figures and of the closing balance sheet figures. For example, if when they do their planning
there are nine months’ management accounting reports, they multiply the operating data by 12/9 to get an

386 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 387 — #7

estimate of the year’s income and expenditure figures, compare this with the budget figures (knowing that
these were likely to have been prepared a year or so earlier), and consult management on whether their
estimates seem to be a reasonable approximation of the year-end figures. They then estimate the closing
assets, liabilities and equity balances. This is done after consultation with management because the levels
of the current assets and liabilities will depend to an extent on management’s actions — for example, to
meet a cash dividend payment, management may decide to delay payment to its creditors in one or two
months, or it may decide to discount some inventory lines for cash sale to increase the company’s cash
balance.

Financial Data of Westerways Pty Ltd

At Westerways Pty Ltd, while monthly financial statements are generated by the Ourbiz accounting system,
it is the quarterly results that are of most interest to management. The quarterly actual results are compared
with quarterly budgeted data and discussed at board meetings, and some decisions on business strategies
stem from these.
The tables of data in Appendix 4 have been developed for analysis by the audit staff of CLT.
They have been compiled using the audited data for the years ending 31 December 20X7 and 20X8,
the un-audited data from the management reports for the nine months ending 30 September 20X9, and
the budget data for the nine months ending 30 September and for the year ending 31 December 20X9. The
company commenced operation on 1st April 20X6, and 20X7 was the first full year, with the second store
opening on 15 November of that year.
Company tax is payable at the rate of 30% on adjusted profits within three months of the company’s
year-end. As there are minimal ‘timing differences’, the Accounting Standard on tax effect accounting is
not applied and the auditors accept this departure as immaterial.
The directors declare a dividend each year after they have seen the draft financial statements and have
confirmed with the auditors, while the audit is still in progress, that they have found no major errors. The
proposed dividend is then journalised.

ASSESSING THE RISKS

Introduction
This section continues the coverage of risk assessment procedures in audit planning. It begins with the
responsibilities of the auditor to obtain an understanding of aspects of the internal control structure,
including the accounting systems. It continues by developing the assessment of business risks discussed in
module 2 to the identification of potential material misstatements in the financial report. Two particular risk
and control situations are then discussed: first, if any risks are found that the auditors judge to be significant,
they must identify controls that mitigate them and must advise management if they judge these controls to
be inadequate; second, if the auditors’ examination of the systems reveals that audit risk cannot be reduced
sufficiently by substantive procedures, the auditors must identify, and later test, relevant internal controls to
obtain sufficient audit evidence. Next, the section shows how, following performance of risk assessment
procedures, the risks of material misstatement must under Auditing Standards be discussed among the
members of the audit team and an audit strategy devised to reduce the residual risk to an acceptable level.
Appendix 5 gives the auditors’ notes on the Westerways Pty Ltd information systems, updated by the Audit
Senior in this year’s audit.

The Campbell Lee Taylor Approach to Understanding the Internal

Control Structure
From the flowchart prepared by one of their audit staff and with reference to the standards, the firm revised
its methodology and developed new standard audit working papers to guide its staff in the process of
obtaining the required understanding of the internal control structure. These include: PL4-CEE Control
environment evaluation.

The Campbell Lee Taylor Approach to Assessing Risk at the Financial

Report Level
CLT relates its assessment of risks at the financial report level very closely to its response to the risks.
It uses the first part of their standard working paper, PL5-GAS General audit strategy, for this purpose.
However, several of the working papers prepared before this one require consideration of these risks.

CASE STUDY 387

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 388 — #8

The Campbell Lee Taylor Approach to Assessing Risk at the Assertion Level
Standard working paper PL-TCR-Exp-PrI gives the auditors’ assessment of the risks of material misstate-
ment for purchase invoices. In column 1, the auditors have listed, with bullet points, what they consider
to be the possible material misstatements for the assertions. In column 2, they have listed numerically the
internal controls they have identified (e.g. O1 is the first internal control for the occurrence assertion), and
in column 3, they have given their assessment. Then in form PL-TCT-Exp-PoI, they have given for each
assertion the suggested control tests, cross referencing these to the controls (e.g. OC1 is the control test
for control O1).

The Campbell Lee Taylor Approach to Developing an Economic

Audit Strategy
The CLT audit methodology responds to this risk of investing excessive staff time in assessing controls in
the following way.
• As explained above in the section on understanding the client’s accounting systems, form PL8-SAS
requires the auditor to undertake a preliminary assessment of the controls in the system and this is
necessarily done before the audit team meeting.
• Forms PL-TCR-x and PL-ART-x are used to develop the full understanding of the risks and controls, but
the extent of completion of them before the audit team meeting is at the discretion of the team leader.
For example, if the preliminary assessment with form PL8-SAS reveals a significant risk requiring
appropriate internal controls, or reveals a lack of audit trail that will make substantive testing difficult or
impossible, the Audit Senior would complete form PL-TCR-x for those risks and controls only before
the team meeting; otherwise, the Audit Senior might only complete form PL-TCR-x where he or she
was confident that the strategy would be of reliance on internal control, or felt the need to complete it
in order to understand the controls better before the meeting.
• The audit team leader, probably the Audit Senior in charge, then provisionally completes audit working
paper PL5-GAS General audit strategy for discussion at the team meeting.

The Campbell Lee Taylor Approach to Assessing Controls for

Account Balances
CLT assesses controls for account balances through its standard working paper PL-ART-x.

The Campbell Lee Taylor Approach to Completing the Assessment of Risk

As shown above, the CLT audit team leader records the proposed general audit strategy in standard working
paper PL5-GAS. Some or all of the audit documentation must be made available to the team members prior
to the meeting. The meeting is reasonably formal and minutes are kept. Either before or after the meeting,
the audit team leader completes PL5-GAS, and completes PL1-RMR Risk of material misstatement and
audit responses, and attaches the minutes of the team meeting to it (see Appendix 6).

PERFORMING THE AUDIT

PERFORMING AUDIT PROCEDURES TO COLLECT EVIDENCE
Introduction
This section is concerned with CLT’s audit evidence development process and focuses on auditing
inventory and trade payable. Some comments will now be made on CLT’s testing of some of the most
important account balances in this audit that relate to your tasks for this case study.

Inventory
Attending the Inventory Count
On 1 January, Fiona Kerr and her assistant, Bruce Banks, each attended one of the stock counts conducted
at the two Westerways stores. They had previously attended a meeting at the Arnton store to plan the
counts, this meeting being attended by the Valentis, the Supervisor at each store and the Administrator and
Assistant Administrator. The count procedures were the same as in previous years. The counters worked
from listings containing all lines of inventory expected to be in the store but not giving the numbers on
hand. Each of the counters was allocated a page of the listing and as they counted, they entered the number

388 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 389 — #9

on their listing; they also left a card on the shelf beside the items with the item code and the number of items
counted. As they completed each sheet they handed it in to the Administrator, who keyed the quantities into
the system and then printed a listing of lines with a difference between recorded and counted number. The
listings of differences were handed to the Supervisors who did recounts. At the end of the count, the team
toured the store to confirm that all inventory items in their shelves or bins had cards on them indicating
that they had been counted.
At the count, the auditors observed count procedures for two hours at each store and discussed with the
Supervisor the differences revealed by the listing. They also did some test counts, which they recorded in
their working papers for tracing to the final stock report when it was printed a few days later.
The auditors also tested purchases cutoff as follows. They examined the most recent transactions by
obtaining a computer listing of the last three working days’ inputs of packing slips to the computer system
and checking these to the filed packing slips, which had been signed and dated by the person receiving the
goods. They confirmed that these corresponded and that all receipts before the stock count had been input
before the inventory count listings were printed. They confirmed also by inquiry of the Supervisors and
the Administrator that there had been no recent transfers between stores, which could have resulted in a
cutoff error.
The shop was not open for business during the count so there did not seem to be a problem of sales
accounting cutoff. They were informed that inventory dispatches occur only when sales are recorded or
there are transfers between stores. They would later confirm, by examination of accounting records, that
the sales for 31 December were the last sales recorded in the general ledger.
Further Audit Testing of Inventory
After the count, apart from following through the tests performed at the count, the audit focus was on the
valuation of inventory. The auditors tested the unit costs by comparing recorded cost with recent supplier
invoices. They also considered whether any lines needed to be reduced from cost to net realisable value in
accordance with the accounting valuation rule. For this purpose, they were assisted by an Ourbiz system
report listing lines in descending order of stock turn and giving value held. They discussed their conclusions
with Mark and Joy Valenti. They then confirmed that the final inventory report totalled to the inventory
figure in the financial report.

Trade Payable
For trade payable, the auditors focused on the completeness assertion and particularly for purchases of
services. To confirm inclusion of all other purchases, they applied a number of standard audit techniques.
They examined all major payments between balance date and the completion of the audit field work and
confirmed that the related purchase had been accounted for in the correct financial year. They also sent a
request to the company’s solicitors requesting information on liabilities.
Some of the audit procedures for detection of omitted liabilities required the auditors to make good use
of their knowledge of the Westerways business. They read the minutes of Board of Directors meetings and
they reflected on business activities and events and considered how these might have affected the level of
liabilities at this balance date.

CONCLUSIONS AND REPORTING RESPONSIBILITIES

AUDIT CONCLUSIONS
This section is concerned with the evaluation of matters found in the audit, leading to the formulation of
the auditor’s opinion, which is reported to the readers of the financial statements. It is laid out as follows.
First, there is a general discussion of the going concern assumption used to prepare the financial statements.
Next, evaluating the results of testing is discussed followed by the final work on the audit. This section
ends with a discussion on formulating and issuing the audit report containing the audit opinion.

The ‘Going Concern’ Question

While reading the minutes of meetings of the Board of Directors the auditors looked for comments affecting
liquidity. They also discussed business prospects and plans with Mark and Joy Valenti. They concluded
that there was no evidence to suppose that business would not continue in the short to medium term. The
going concern assumption behind the annual financial statements was, in their opinion, therefore valid.

CASE STUDY 389

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 390 — #10

Evaluating the Results of Testing

On completion of their testing, auditors must evaluate the implications of the test results on the financial
report. In the audit of Westerways Pty Ltd this year, the auditors found a number of matters which in their
opinion required adjustment to the accounts and the financial report or additional disclosure in the report.
These are given in the information for task 4.1 module 4 case study activities.

Final Work on the Audit

In the third week in January, the Administrator, Jill Johnson, informed the auditors that the draft financial
statements were ready for audit. An extract from these is given in Appendix 8. In addition to these, there
would be the cash flow statement and the notes to the financial statements, which are not included in this
case study information.
On returning to Westerways Pty Ltd in mid-January, the auditors performed the final audit field work
procedures. These included obtaining the latest evidence on such matters as payment by debtors, sale of
inventory and payment of liabilities. They included also the work required to ensure the proper accounting
treatment of events occurring after balance date.
The auditors found some matters that they needed to discuss with the executive directors. In any audit,
it is likely that the auditors will find matters relevant to the objectives of the audit that will need discussion
with the client’s chief accountant and possibly with its Board of Directors or Audit Committee of the
board. These audit findings may require debate about changes to, or additional disclosure in, the financial
statements, or they may require a formal report to management but not to the shareholders.

REPORTING RESPONSIBILITIES
Formulating and Issuing the Audit Opinion
Depending on the outcome of the discussion with Westerways executive directors about the matters of
concern found during the audit, the auditors may have to modify their opinion in their report to the
shareholders. Task 4.1 activities focus on these matters.

Attendance at the AGM

The audit partner is likely to attend the annual general meeting of the company, held a few weeks after the
audit report is finalised. The audit partner will be seated with the board and will be prepared to answer
questions from shareholders on matters concerned with the audit. If more audit evidence has come to
light since the audit report and financial statements were signed, this would be reported at the AGM. For
example, it may now be better known whether and at what price the inventory has been selling and whether
the reduction in value in the financial statements for the last financial year was justified.

The Campbell Lee Taylor Approach to Reporting to Management

CLT agrees in its negotiations for acceptance of an audit the matters on which it will report and the person to
whom it will report them. It always includes an identified person responsible for governance of the entity.
If there is no Audit Committee of the Board, it submits its report to the Chairman of the Board. They
request an acknowledgement and initial reply within two weeks, and a fuller reply within two months in
circumstances where the client needs more time to take appropriate action on the matters reported.

390 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 391 — #11

APPENDIX 1: MEMORANDUM

TO Alina Lee, Anne Taylor

FROM Ray Campbell
SUBJECT Potential audit of a new retail business with Len Lewis involved
DATE 13 December 20X5
As you know, we were approached by Len Lewis to take on the audit of the financial report of a new
retail business being set up by an employee of his, Mark Valenti. Len is to provide about half of the equity
(I think that some of his friends are to be involved as well) and apparently has a lot of faith in the young
man and his wife, Joy. Len wants us to assist in the protection of his investment by helping the couple in
implementing an accounting system, reviewing their financial plans, and doing the final accounting and
taxation work and the audit. Apparently, the bank is providing some of the finance and has indicated to
them that it will be able to charge a lower interest rate if the financial report is audited. The results of my
preliminary inquiries follow. I first interviewed Len and after the pleasantries the interview went like this.
Ray: What do you know about the couple, Mark and Joy Valenti?
Len: Mark has worked for me since he left university, where he did an arts course with a business minor, I
think it was. He is a quick learner, has done well in administrative and supervisory roles in several of my
businesses and has given me no reason to doubt his ability and integrity — hence my decision to go into
business with him. Actually, he is a very talented young man. He was studying acting and had the chance to
go on the stage, but he decided he would go into business and leave acting as a hobby. We have a company
party once a year, as you know, and Mark organises and participates in the entertainment.
Ray: What about his wife, Joy?
Len: Smart young woman! Quick, and persistent too. I have discovered since our business negotiations began
that when she wants information, she doesn’t stop till she’s got it! It is quite an experience being ‘interviewed’
by Joy. She hasn’t worked for me, but I’ve met and talked to her often at office parties and at the races. Mark is
a bit of an entrepreneur and may be inclined to be a high-risk taker (he wants to be a big business man!), and
of course he has excellent interpersonal skills. Joy is, I believe, talented in art and design, but she seems to be
a steady and careful person. I presume that she’ll be the imaginative one, who’ll choose the special things for
the shop that people will want to buy in addition to the standard items, but I think she’ll also ensure that there
is good administration.
Ray: No criminal records, or misdemeanours?
Len: I have no knowledge of any. They aren’t a reckless couple. Far from it, I think. I know Mark likes to
gamble a bit — the horses, that is. I think Joy goes with him usually, to enjoy the spectacle. I’m pretty sure it’s
for small stakes. Joy no doubt has an influence there. She has said she wants a family in due course, and a nice
place to live, and she knows you have to be prosperous, but not rich, to have those things. She doesn’t want to
end up poor, as her parents, and Mark’s, did.
Ray: Have you any other comments on them or their proposed business?
Len: Well, there is one interesting aspect to Mark’s business proposal. We debated it for quite some time but
he convinced me. He wants to buy a property for the store, rather than leasing and then perhaps buying later.
He has located a property in Drue Street, which as you know is one back from our main street. He thinks
that if the business is very successful property values in Drue Street will rise and the business will get the
benefit. The business won’t need all the floor space upstairs, but there will be scope for expansion later. In
the meanwhile, there will be some rent to help with the mortgage.
Ray: This seems to be in keeping with what you have told me before — that Mark is something of an
entrepreneur and not just a budding shopkeeper!
Len: Yes. That is so. But as I said I have a lot of faith in Joy. She seems to me to be smart but steady. And she
seems to get on well with everyone she meets, so she should be good in retail.

Then Len called in Mark and Joy, who had just arrived as planned, and after the introductions, when I
ascertained that they had met while studying in the same faculty, he in drama and she in art and design, he
left us and the interview went like this.

CASE STUDY 391

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 392 — #12

Ray: You know that Len Lewis has suggested that your proposed business, which I understand is to be a
limited company, employs our firm as its accountants and financial advisers. Also, Len tells me that you
understand something of what auditing is and that he wants the company to have an annual audit of its
financial report.
Mark: Yes, we do. I should ask what you’ll be charging us for the audit work, which does not seem to be
helpful to us, the company, though it may be to the bank! No, first I would like to know what your firm can
do for us. Would you tell us about the other services you provide?
Joy: And can you explain to us the assurance we, and Len, and the bank, get from having the company’s
annual financial statements audited?

So, I found myself telling the Valentis about us and our assurance services first! Then we got on to them.
Ray: Now, I understand that you wanted to start a business and that Len has agreed to go in with you, but why
hardware?
Joy: Of course, it is not going to be only hardware. We expect to get better margins on other things in the
shop. Novel kitchenware, gifts for use in the home, and so on.
Mark: My father worked in a hardware store when I was a kid. I was there often, watching and helping,
because my mum died young. So, I became quite knowledgeable on the merchandise, and on the customers
who bought it — I found their activities intriguing: the debates in the family group as to what to buy, the
apparent lack of recognition of benefits to offset costs, on the other hand the impulsive buying decisions
sometimes! Then dad died when I was only twelve and I lived with his sister — my aunt, and my uncle. My
uncle was a bit of a handyman and used to do things at home and I helped him. Aunt was also a good gardener.
So, there is a history there, even though I have never myself worked in a hardware shop. But I’ve worked in a
variety of Mr Lewis’s businesses since leaving university and I have a good understanding of how to make a
business successful.
Joy: My dad and mum had a grocery shop in a village near here, though the shop used to sell whatever people
seemed to want. Unfortunately, they lost their money and had to sell the shop. I worked in it out of school
till I was seventeen. Then I won a scholarship and did a degree course in art and design. I want to use that
knowledge in business, trading in things I am able to select. I want also to work with some of the suppliers on
their designs. As I said, we have investigated and think that if we can find the right things for our customers,
and adapt as fashions change, and even contribute to fashion changes, we’ll be able to do well with them.
And we hope that our giftware will pull more people into our shop to buy hardware. With good merchandise,
margins of 100 to 200% should be obtainable. Hardware sells steadily, but the margins of most items are lower
than that, and the return per square metre of floor space in hardware is probably a bit lower.
Ray: You both seem to understand retail. What is your experience of business management and finance? I
understand that you want to buy the freehold of your first store, which will mean more funding. That must
mean that you have a business plan. You have put it through Len I suppose?
Joy: As to business experience, we employed a few casual staff in our shop and in the last couple of years
they were my responsibility. I’ve suffered the pain of trying to run a family business without enough capital,
because it was like that in the last year or so! The staff got paid but the creditors often had to be stalled and
weren’t happy!
Mark: I’ve been in management positions under Mr Lewis. In the last job, I was responsible for the financial
management of a subsidiary company — that is, making sure we collected the money from the debtors to buy
the inventory and pay the bills and taxation and the annual dividends to the holding company. That is not the
sort of thing I want to do as a job for life, but I now have some useful experience in it and as soon as we
can we will delegate the details. Yes, we do have a business plan and we have discussed it at length with
Mr Lewis.
Ray: Good. My corporate planning partner might be able to work with you to improve your business plan.
And what are your medium to long term ambitions?
Mark: First things first. We know our town. There are other towns like it nearby. We’re not so knowledgeable
about the big city, Ventura. If this business is successful, we think we’ll be able to open another in Laventa,
which is as you know about half an hour’s drive away. Then maybe into the suburbs of Ventura, or another
provincial town first, for example Tannam. There are other businesses that fit in with ours. We might be able to
diversify. But the main business will remain the hardware and gifts mix, unless that ‘runs out of steam’. There
is always the possibility that one of the Ventura city-based big groups will copy us and undercut us through
their buying power. At least then we’d have had useful experience in retail, so we’d change to another type of
retail, or to something else. Joy has an ambition to be in design. Of course, the buying of the property that you
mentioned is a backup as you might say. If the shop is half successful, even for a few years, the property values
in Drue Street will go up and we’ll have more to sell if we leave the industry.

392 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 393 — #13

Joy: How does that sound? What advice will your firm be able to give us over the next few years? Do you
follow the retail industry to help your retail clients?

I then had to expand on the services we provide to our clients, conscious that we are not as good as we
should be in the provision of services in retail.
This seems likely to be a satisfactory business and may grow to be a very good one. On the professional
independence issue for auditing, the total fee from this company will be a fraction of our practice’s income,
less than 1%. This work for Len Lewis with our other work for him will bring our dependence on his
business to about 8% of our income. While at first, we’ll be performing other services for this company,
those will soon cut back to annual compliance work. We may still get the occasional financial planning or
systems advice job, and perhaps some tax return work for the owners. I can’t see that that will threaten our
audit independence or the appearance of independence.
I think we should accept the invitation. The engagement risk to our firm seems low. I have provisionally
arranged to see the three of them here sometime next Tuesday, 19th. Does 12 noon suit? We could talk for
an hour or so and then take them to lunch, finishing at say, 2.30. Please let me know by Friday 15th, 4 pm,
and I’ll confirm with them.

APPENDIX 2: PERMANENT NOTES ON THE

BUSINESS AND ITS ENVIRONMENT
WESTERWAYS PTY LTD
The Industry — Important Conditions Affecting Westerways Pty Ltd
Westerways Pty Ltd trade in two parts of the retail industry — hardware and homeware/giftware.
Hardware
The retail hardware industry is relatively stable but quite competitive, with the supermarkets selling some
of the Westerways lines of merchandise, the large agricultural and industrial suppliers selling others, and
small specialist hardware shops selling many also. An important factor for Westerways is that there are
no large hardware stores (which may have the buying power to be able to undercut Westerways with their
selling prices) in the two towns in which they operate. The nearest large competing stores are in Ventura,
but they are only about two hours’ drive or bus trip away.
Technology progressively changes much of the hardware merchandise. For example, new weed killers
are released from time to time. When first released, they tend to be expensive while their manufacturers
recover their development costs, but later prices tend to fall if another supplier comes into the market with
a new or changed product. There are also cheap imitations on the market. Westerways management have
to make sometimes difficult decisions whether to stock merchandise that is cheaper but of poor quality.
Sources of supply include local manufacturers, which offer a limited range of reliable merchandise, and
importer/wholesalers, which offer merchandise varying in quality from excellent to poor. The suppliers
are not allowed under Lusitania law to set resale prices, but they do give Westerways recommendations on
price, and Westerways stick to them, hoping that in this way they will be able to persuade the suppliers to
give them purchase discounts.
Homewares
The retail homewares industry is fragmented in that competitors include specialist shops and department
stores, each of which sells only some of what Westerways sells. In the two towns in which Westerways
trades, there is a department store and there are boutique giftshops and kitchenware and cutlery shops.
Westerways relies on good buying, a reasonable range of higher quality merchandise, and good sales
staff. Also, selling the two types of merchandise under the same roof helps the Westerways business, in
terms of defraying overheads; on the other hand, this could hinder it because of buyers’ expectations of
sales staff expertise not always being met.
Sources of supply for high quality homeware are limited in Lusitania, but include manufacturers for
some lines and importers for many. However, to obtain the range it wants, Westerways is increasingly
buying directly from overseas.
Homewares is a more-risky business than hardware, in view of the need to predict customer wishes and
hold relatively high value inventory, but carries more prospect of profit. Some merchandise can be bought
from local suppliers on a consignment basis but this is not an option with overseas suppliers and importers.

CASE STUDY 393

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 394 — #14

Consignment Trading
Westerways does not, we have been told, take inventory on consignment, for payment to the supplier only
after sale. We need to confirm each year that this remains true.

The Business — Products, Markets, Suppliers, Operations

Hardware Business
The key to the hardware business, we understand, is to have on the shelves the things that the particular
customers expect to find in a hardware shop and then to be able to give the customers advice about using
them if they ask for advice. If Westerways is out of stock, the customers will sometimes be prepared to
come back for the item but are more likely to go to a competitor and then buy more of what they want there
instead of at Westerways. The product range is limited by what customers who might come in think the
type of shop is likely to carry. This means that the business can slowly widen its range as the customers
get used to what it carries.
Domestic Ware Business
This division of the business is dependent largely on clever buying, both the nature of the products and
the money invested in them (i.e. the quantity multiplied by the cost and the likely length of time they are
expected to be held before sale). The buyer here is Joy Valenti and she provides advice to the sales staff on
the merchandise. It appears that at present the success of the business is heavily dependent on Joy Valenti’s
skills with this merchandise. If this side of the business is to grow, we presume that it will have to find
buyers like her. We should expect travel expenses to increase.
We understand that Joy regularly discusses with present and prospective suppliers the nature of her
market and the designs that are likely, in her opinion, to be successful. She works with the importers to
find new suppliers and with manufacturers to modify their products. Westerways does not earn income
directly from this activity but obtains more saleable merchandise.
Additional factors in the success of this riskier side of the business are: knowledgeable sales staff with
excellent interpersonal skills, provided for by selection and training; and good advertising to get customers
in to the shop, done in part by ‘word of mouth’, but also by advertisements in the local newspapers and by
good window displays.
Advertising and Selling
To win customers, Westerways relies on a combination of ‘word of mouth’ advertising, store location,
window displays, and local media advertising. It puts relatively cheap advertisements in the local papers
because it expects that its main customers will be local people who read these newspapers. However, the
two towns in which Westerways trades have visitors from the capital every weekend and the stores are
becoming well known to these visitors.
Credit Sales
Westerways provides credit accounts to customers if the applicants can give some evidence that they will
buy regularly — this evidence can be given, for example, by an explanation of value and timing of needs, as
for example a business office that buys gifts for clients. Most credit customers are in trades (e.g. plumbing,
electrical) and buy from the hardware shop.
There is some risk that tradespeople like this will buy from a domestic hardware shop rather than an
industrial one (Rural and Industries Suppliers Corporation has branches in both Arnton and Tannam) only
because they have exhausted their credit with the industrial supplier. Westerways is aware of this risk but
so far have had no experiences of failure to pay debts.

Shoplifting and Merchandise Damaging Risks

To protect against shoplifting by customers, the only exit from the store is between the two counters (the
two entrances, one on each side of the two counters have a lifting steel bar). It would be difficult for anyone
to leave the store unobserved. Customers are asked on a discretionary basis at the counters to display the
contents of their bags. There are signs up at the entrance to the store and in both shops advising of this
inspection.
Against the risk of shoplifting by staff, Westerways has two prime strategies. There is discretionary
examination of staff bags on departure; also, staff are able to buy all merchandise at a 20% discount.
Related to these is the risk of deliberate damaging of goods, such as cement bags, by customers or staff,
to be able to buy them at a discount. All discounting of damaged goods is approved by the Valentis after
investigation into the circumstances.

394 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 395 — #15

Staffing
There are now five full time staff, a Supervisor and a Deputy Supervisor (who work different shifts) in
each store, and an Administrator in the Arnton store, but the Valentis are able to employ casuals who are
known to them or recommended, and they have a good record of getting and keeping staff. A problem is
that staff must have knowledge of the products and must be able to give advice to customers on how to use
them. They must, if they are to work in the gift shop, also know how to talk to customers about uses and
potential recipients of gifts.
The Valentis have quite an effective on-the-job training scheme for staff who are learning. In the quiet
times, an experienced staff member selects a product range, for example paints, asks the learner to explain
what he/she understands, then ‘role plays’ a difficult customer. This provides many laughs! Mark himself
is good at role-playing customers and creating a light-hearted atmosphere for the sales staff to throw off
their inhibitions and role play! Talking to the customers about the giftware seems to be found easier by the
staff, because they are themselves intrigued by Joy’s range of goods.
It should be commented that as agreed by the board in 20X6, the Valentis are paid salaries as managers
and they do not earn anything more based on performance other than the annual dividends. Len Lewis is
paid a director’s fee. The Secretary of the Company is by arrangement with Len Lewis the Secretary of
one of his companies, who is charged to Westerways Pty Ltd at a rate per hour.

Measurement of Financial Performance

Westerways measures performance through calculation and analysis of trends in the following.
• Gross profits by product range. The rule of thumb is: if its cost can be marked up by more than 50%,
keep selling it; if it does not, review it and probably keep it only if it is expected by customers to be in
the shop or has a high turnover. The gross profit percentage has been rising slightly over the life of the
business, this being because of a change in sales mix towards the higher mark-up domestic ware.
• Costs as a percentage of sales. The main cost is labour and this is watched with some anxiety, but it is
accepted by management that it has to be a secondary factor, given that they believe that an important
part of their business strategy is high quality service. The labour cost percentage has been rising over
the life of the business, but other costs have remained steady or fallen with a rise in sales.
• Customer satisfaction. Westerways have a survey questionnaire and, about every three months, a staff
member is given the task for a few hours of asking customers to complete it. The responses are
reviewed for indications of faults in the quality of the service. We understand that there are rarely any
complaints.
• Sales per square metre of floor space. Value of sales by square metre is the complementary factor. This
has been rising steadily and is not causing concern at present.

Fiona Kerr
7 October 20X8

APPENDIX 3: TRANSCRIPTS OF MEETINGS,

OCTOBER 20X9
WESTERWAYS PTY LTD
1. Transcript of meeting with Mark Valenti in the back office at Westerways Pty Ltd, Arnton store,
at 9 am 4 October 20X9

PRESENT: Mark Valenti, Managing Director

Fiona Kerr, Audit Senior
Bruce Banks, Audit Assistant

Mark: Hello again, Fiona. I had heard that companies like us tend to get a change of audit staff every year and
here you are again.
Fiona: Yes, Mark. It is the policy of Campbell Lee Taylor to try to keep audit staff on a job for at least
two years. In this case, I would have complained if I had not come here this year because I like visiting
Westerways.

CASE STUDY 395

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 396 — #16

Mark: Good. We aim to please. Now, is that the tape recorder you said on the phone you wanted to use on
me? OK. As long as I am not aware of it, I’ll be happy to oblige.
Fiona: I thought you had been an actor, Mark, and presumed that being recorded would be second nature
to you!
Mark: Ah, the movies. No, I was only on the stage.
Fiona: OK. Mark, this is Bruce Banks, who is on our Westerways audit team this year.
Mark: Pleased to meet you, Bruce. Are you a new chum in the CLT office, or have you transferred from
another division?
Bruce: Pleased to meet you too, Mark. And, no I am not a transferee but quite new at CLT. I came out of
university last year and have been on a few audits and done some systems work also. I graduated with a double
degree in accounting and information systems.
Mark: Well now, you’ll find we aren’t very sophisticated with our systems here, but they are reliable enough
and give us most of the information we want to run the business, and of course they give you annual reports to
audit. Now, what can I do for you both.
Fiona: Thanks for making the time for us, Mark. First, please, the progress of the business this year and your
thoughts on the near future.
Mark: This has been a steady year, with the retail market in Lusitania in quite good shape, and most of the
business’s merchandise has sold reasonably well. There are concerns that next year may not be so good,
because the government is likely to raise interest rates to meet economic requirements. Anyway, we were a
little stretched when we expanded rapidly and opened the second store after only eighteen months. But we are
over that now and are in a steady growth phase again — that is, as business expands, we take on new staff and
we expand the range of merchandise.
Fiona: What areas in particular have changed since we were last at Westerways in January. We understand you
now have a van. What are you particularly using it for now?
Mark: There had been an increasing demand from customers for delivery to their homes. There is also more
need for travel between the two stores for the transfer of merchandise. We decided quite suddenly that we
needed to buy a van and that we could afford it. We spoke to Len and he agreed and so we didn’t wait till the
next board meeting for approval. We recognised that this would mean an increase in overhead expenses but
hope that two benefits will be earned in due course: first, increased sales and second, ability to move inventory
economically between stores to meet demand, again leading to increased sales. We are now delivering free
of charge to customers who request it and who have made purchases to a value exceeding $300. Actually,
we have sometimes on request delivered free to smaller customers when the van is available — that is, to
customers who seem likely to become bigger for us. As a matter of fact, we are going to decide on a delivery
charge policy at the next board meeting. We have great hopes for the future with it. I should say that we have
been fortunate for a driver. Our Administrator Jill’s father is a retired truck driver and he has been happy to
work whenever we want him to. Occasionally, one of our sales staff makes a delivery, too.
Fiona: Any other significant changes?
Mark: Well, we are beginning to earn some good purchase quantity discount refunds. A key to success with
a small business, of course, is getting suppliers to provide purchase discounts, and to win these discounts the
business has to buy more from them — not necessarily more of particular products, but more in total value.
That means that small businesses like ours do better with the large suppliers with the wider range of products.
We are now entering into supply agreements with some of them, under which they calculate what we have
bought from them each month and on a cumulative basis, in accordance with a formula, and pay us a discount
in the form of a refund.
Fiona: And do you check the completeness and accuracy of the refunds?
Mark: Oh, I don’t know. I presume so. You’ll have to speak to Jill Johnson about that.
Fiona: Two auditing issues arise here, I think, Mark. Whether all refunds are brought to account, and whether
to use the cash or accrual basis for bringing them to account.
Mark: Yes, I see, but as to the cash or accrual basis, it’s not going to make any difference over a period of a
year, is it? You’ll get twelve refunds into a year if you use either the cash or accrual basis.
Fiona: Yes, but it will be more accurate to use the accrual basis. I’ll investigate the amounts involved and then
discuss it with Ray Campbell. We are about to start analysing your data for the nine months till the end of
September. Is there anything else you can predict we are going to find that we’ll be back asking you about?
Mark: You’ll find a further increase in the gross profit percentage, resulting from both a change in sales mix
and the purchase discount refunds from more suppliers. You’ll find also a continuing increase in labour cost
as a percentage of sales, and an increase in travel costs because of Joy’s trips to find good merchandise, and of

396 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 397 — #17

course the running costs of the van. I recall that for audit planning you use just nine months total data, actuals
and budget figures, don’t you. You realise that we have more detailed information than that? For example, our
accounting system gives us gross profit by inventory line, as we define it. And lots of other analyses. We get it
all on reports at month ends.
Fiona: Yes, we use those later in our audit. We think it useful to do our own analyses with Excel, in the early
planning stage. We look at your detailed reports when performing our substantive procedures. We’ve been
thinking of arranging to download more details for processing on our laptops, but we have not considered it
necessary so far. Mark, you took delivery of the van and began using it on 1st April, we understand. And your
depreciation rate for it is 20% per annum, straight line basis, the same as the other equipment?
Mark: Yes, I think that’s right. Jill will prove it for you.
Fiona: Well, thanks for that, Mark. Now, we are going to speak to Len Lewis, your Chairman, to get his views
on governance of Westerways. We thought we had better let you know, in case you misunderstood our motives.
Mark: Governance? The current fad, overseas as well as here, Joy tells me. But it is our function as well as
Len’s isn’t it?
Fiona: Yes, that is true. Good corporate governance is achieved when there is good management and when
there is good input by the independent, non-executive, members of the board to ensure that there is good
management by the senior management team and then to monitor the activities of the team to ensure that the
management remains good. This is done on behalf of the shareholders and the community. We think we know
the main things that you and Joy do. In the case of Westerways, a small family company, there is only one
non-executive director and he represents himself and the other outside shareholders and the community in
so far as it needs a representative on your board. We see our audit role as being to obtain confirmation that
your non-executive directors know their responsibilities here. And of course, for us as auditors, there is a
requirement that those responsible for governance satisfy themselves that we are independent and able to do
our job for the shareholders.
Mark: Yes, I see. You’ll be phoning his office, I suppose? He won’t be here again till the next board meeting.
Fiona: Well, thanks again, Mark. Bruce will be doing most of the audit testing, and so you’ll be seeing him
around for the next few days.
Mark: Good. OK, Bruce, if you have any questions, don’t hesitate to come and see me. Joy will be away for a
couple of days, but if you’re still with us, you’ll see her too.

2. Transcript of meeting with Len Lewis at his corporate head office on 9 am 6th October 20X9

PRESENT: Len Lewis, Chairman, Westerways Pty Ltd

Ray Campbell, Partner, Campbell Lee Taylor
Fiona Kerr, Audit Senior

Len: Hello again, Ray. It does not seem long since we last spoke.
Ray: No, indeed, Ray. Just last Friday. We were able to resolve that problem for you, weren’t we. Now, this
one is of a quite different nature. Have you met, Fiona Kerr? Fiona is one of our rising senior staff and we
hope she will stay with us a long time.
Len: Nice to meet you, Fiona. But I think I have seen you before somewhere.
Fiona: Well, I am flattered that you remember me, Mr Lewis. I was briefly at your Head Office last year when
you spoke a few words to my then manager before you had to rush off to a meeting.
Len: ‘Len’, please – not too much formality here. Good. I hope you do a quick and efficient job for us, to keep
Ray’s fees down! Now, it was about governance you wanted to speak to me I believe.
Ray: Yes. That is correct. About governance of Westerways Pty Ltd in particular. You appreciate that
directors, or at least non-executive directors, are required to wear two hats now, to represent the shareholders
and the community as well as to debate and resolve high level company business questions.
Len: Yes, I have had blurb about that from the Stock Exchange and the regulatory authorities. I already do as
a matter of common sense what they are saying I should be doing. In the case of Westerways, as you know,
I agreed to go into the business with Mark and Joy on condition that it was a limited company and that its
financial report was audited. This was doubly important from my point of view, that I persuaded two friends
to buy shares, on the grounds that it would be a good investment, and I have an obligation to look after them.
Now, you want to know what I do to meet my governance responsibilities, do you?
Ray: Yes, Len, that is exactly it.

CASE STUDY 397

 “Case_Study_PrintPDF” — 2019/11/18 — 7:17 — page 398 — #18

Len: OK. I am aware that in a business like this, run by owner managers, there are certain risks that other
investors take. They include incompetence or negligence by the management, of course, but I never expected
those problems with the Valentis. There remain the problems that they might not manage well enough, not use
good management principles, or that they might perpetrate a fraud by either stealing to enrich themselves at
the expense of the other shareholders, most likely by not putting sales through the till, or by inflating profit,
to make the business a better sale prospect, by putting extra cash through the till or manipulating cutoff, or
overstating inventory, or something like that.
So, I cover my responsibilities in two ways. First, in board meetings, I make sure that they are using good
management principles, taking into account the size of the business. With Joy and Mark, competence and
enthusiasm were never going to be a problem, nor of course interpersonal relations, with staff and customers.
Also, they had both managed before. The difficulty they would face, as I saw it, was how they responded to
growth of the business, how they would delegate and manage others doing the work that they could do well
themselves. So, I talk regularly to them about that, and make suggestions from my experience. As you well
know, the business is growing quite rapidly. They are very receptive.
On the matter of potential fraud, I do my best to monitor the results, to establish that the results have
substance. Before each board meeting, after looking at the financial performance reports, I make a point of
visiting each store and poking around, watching procedures, inspecting the inventory, asking the Supervisors
questions, having a chat with the Administrators, and so on. Then I quiz Mark and Joy before the formal
meeting. Beyond that, I rely on you, the auditors. Is that what you wanted to know? What else do you think
I should do?
Ray: That sounds to me like the actions of a conscientious director, Len. On the matter of our audit
responsibilities, we focus, of course, on finding material misstatements in the annual financial report. To do
that, we first assess the business risks, and from that the risks of material misstatement. It might be useful if we
gave you a summary of our assessment and asked for your comments.
Len: That would be interesting.
Fiona: I have that here. (Puts it on the table)
Len: (Reading it and commenting). Yes, I don’t disagree with that. You are able to obtain adequate evidence to
support all items in the financial statements I take it?
Fiona: Yes, we are. Not to prove to the last dollar, but to give us reasonable assurance that there are no
material misstatements.
Ray: Well, there was something else I wanted to talk to you about, Len, on another company. And I think we
should now let Fiona go, to continue her efficient audit of Westerways and keep your fee down!
Len: Good. Nice meeting you Fiona. (Fiona says goodbye and leaves.)

APPENDIX 4: ANNUALISED COMPARATIVE

FINANCIAL STATEMENTS
Westerways Pty Ltd Income Statement

Notional
year ending Year ending Year ending 9 months ending
31/12/20X9 31/12/20X8 31/12/20X7 31/12/20X6
$ $ $ $
TRADING REVENUE
Sales — cash 1 852 860 1 326 224 696 022 486 090
Sales — credit 17 333 132 202 74 400 2300
Total sales 2 029 193 1 458 426 770 422 488 390
Opening inventory 225 650 137 300 86 500 0
Purchases 1 207 420 936 748 510 455 431 390
Closing inventory (295 000) (225 650) (137 300) (139 500)
Cost of Goods Sold 1 138 070 848 398 459 655 291 890
GROSS PROFIT 891 123 610 028 310 767 196 500
Rates and water rates 2853 2840 2764 2240
Wages, salaries and
on-costs 506 413 343 393 159 084 96 668
Power 45 077 32 700 17 624 11 500
Depreciation of non-current
assets 21 981 16 255 10 173 7479

398 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 399 — #19

Westerways Pty Ltd Income Statement

Profit(Loss) on sale of
non-current assets (300)
Stationery and supplies 9892 7012 3560 2560
Interest 14 980 15 505 16 700 11 730
Advertising and promotion 5833 3800 2100 2800
Travel and vehicle
expenses 9963 5830 2800 1730
Rent paid Tannam store 56 000 52 000 12 000 0
Other administrative
expenses 5794 5360 3240 4600
Total expenditure 678 786 484 695 229 745 141 307
NET PROFIT FROM TRADING 212 337 125 333 81 022 55 193

OTHER REVENUE
Rent 8200 8200 8200 7200
Payment discounts
received 680 585 340 0
Total other revenue 8880 8785 8540 7200

NET PROFIT BEFORE TAX 221 217 134 118 89 562 62 393
Company tax 66 365 40 235 26 869 18 718

NET PROFIT AFTER TAX $ 154 852 $ 93 883 $ 62 693 $ 43 675

Accumulated profit brought
forward 50 251 26 369 13 675 0
Profit available for
distribution 205 103 120 251 76 369 43 675
Proposed dividend 120 000 70 000 50 000 30 000
Accumulated profit carried
forward $ 85 103 $ 50 251 $ 26 369 $ 13 675

Westerways Pty Ltd Statement of Financial Position

Notional
year ending Year ending Year ending 9 months ending
31/12/20X9 31/12/20X8 31/12/20X7 31/12/20X6
$ $ $ $
Current assets
Inventory 295 000 225 650 137 300 139 500
Trade debtors 17 600 15 100 7634 254
Prepayments 4080 2 220 2160 1744
Cash and deposits 81 033 44 630 48 802 38 378
397 713 287 600 195 896 179 876
Non-current assets
Land at cost 196 000 196 000 196 000 196 000
Buildings at cost 100 000 100 000 100 000 100 000
Less: Accumulated
depreciation (15 000) (11 000) (7000) (3000)
Store fixtures and furniture 49 700 49 700 34 900 16 480
Less: Accumulated
depreciation (12 915) (7945) (3345) (1236)
Equipment 22 400 12 920 12 920 6120
Less: Accumulated
depreciation (1120) (5066) (2482) (918)
Delivery van 32 540
Less: Accumulated
depreciation (4881)

CASE STUDY 399

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 400 — #20

Westerways Pty Ltd Statement of Financial Position

Accounting system 20 300 20 300 20 300 12 400

Less: Accumulated
depreciation (15 169) (10 094) (5019) (2325)
371 855 344 815 346 274 323 521
TOTAL ASSETS 769 568 632 415 542 170 503 397
Current liabilities
Trade payable 101 000 71 822 42 739 38 858
Company tax 66 365 40 235 26 869 18 718
Proposed dividend 120 000 70 000 50 000 30 000
Other liabilities and
provisions 42 100 33 107 17 193 11 146
329 465 215 164 136 801 98 722
Non-current liabilities
Bank loan (secured) 155 000 167 000 179 000 191 000
TOTAL LIABILITIES 484 465 382 164 315 801 289 722
NET ASSETS $ 285 103 $ 250 251 $ 226 369 $ 213 675
Share capital and reserves
Issued capital 200 000 200 000 200 000 200 000
Accumulated profits 85 103 50 251 26 369 13 675
TOTAL EQUITY $ 285 103 $ 250 251 $ 226 369 $ 213 675

APPENDIX 5: PERMANENT NOTES ON THE

WESTERWAYS INFORMATION SYSTEMS
WESTERWAYS PTY LTD
General
Westerways uses an accounting package called Ourbiz, which was installed by System Solutions Ltd
(SSL), monitored by the ICT division of CLT. SSL provided operations and user manuals and there is
a HELP facility for the operators. SSL also provided training for the proprietors and in the early months
of the life of the business Joy Valenti was the system operator so she knows it well. The ICT division also
provided the Valentis with some guidance on accounting. When the business expanded, an Administrator
was employed to take over system operations. She knew Ourbiz and did not need training other than on
the particular features of the Westerways business. When a second store was opened at Tannam, a part
time Administrator, who also knew Ourbiz, was employed there. The system was then expanded and new
Operations and User Manuals were provided. Westerways has the same hardware and system software and
runs the same sales and inventory management system at each of its two stores. Only the system at Arnton
has the purchasing, trade payable and payments, the human resources, and the general ledger applications.

Hardware, and Physical and Logical Controls

Hardware and system software comprise a LAN, running under a network operating system, Netsys2, with
a server, two EFTPOS terminals, two back office PCs and two printers. The servers have a modem for
inter-store communication. The back-office PCs are used only by the administrator at Arnton, the assistant
administrator at Tannam, the Valentis, and the Supervisor and her Deputy at each store. The server is
located in a locked computer room, with key-card access restricted to these same people. Each room has
a smoke detector, but this is not wired to anywhere outside the office so it would not be effective if no one
was in the office. There are two fire extinguishers in the computer rooms and the staff with access have
been trained how to use them.
The two store systems have a logical access control system with logging. To use the point of sale
terminals, a user ID and password are required and the user then has access only to the sales system. To
use a PC, similarly a user ID and password are needed and these give the access rights to the applications
that are assigned to that user ID. The server is not used to directly perform application functions, these
being performed from one of the PCs. The server is used to do the backups and various network operator
functions. To perform technical functions, such as loading software, changing user access rights, and
deleting the log, system administrator access rights are needed. The Supervisors and the Valentis have

400 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 401 — #21

operator rights. Only Joy Valenti has system administrator access rights but she does not use this user ID,
instead calling in the consultant from the system supplier when needed. We understand that while Joy
knows of the system log (which, for example, records failed access attempts as well as uses of each of the
applications), she does not consider it necessary to formally review the log at regular intervals.

Backup and Recovery

The supervisor or the assistant supervisor, whoever is on duty at close of business, goes into the computer
room, logs on with his/her operator user ID, runs the end of day reporting and backup job, and then takes
the backup tapes home for the night, so that they are off site. When neither of them is available at a store
(e.g. if one is on holiday and the other is sick), Mark or Joy do it. There are currently plans to train a third
person at each store to be a second deputy supervisor. Next day, the supervisor brings the backup tape back
in, takes it to the bank (or arranges for a member of staff to take it there) and brings back the tape for the
same day of the previous week. The administrator is responsible for ensuring daily that the backup has
been done and the tapes exchanged.
There are plans for each server to back up to an additional disk on the other store’s server online,
replacing the tape backup system. However, transmission speeds with Lusitania Telco are at present too
slow; it is hoped that this will become feasible in mid-20X0.

The Ourbiz System — General Ledger and Financial Reporting

Configuration and update from feeder systems
The Ourbiz system comprises a number of modules with a general ledger. As configured at Westerways,
the general ledger is updated in periodic mode each night from the Arnton and Tannam sales and inventory
management systems and the Arnton purchasing and human resources systems; an update report is printed
and this is checked by the Administrator against reports from the subsystems.
Inputs
Input to the subsystems is online real time, as are inputs of general journals to the general ledger. For general
journals, the system gives each one a number in a sequence and prints a report of these in numerical order.
A journal transaction document is raised by the Administrator, approved by Joy Valenti, and keyed in by
the Administrator. A report is printed at the end of the week, passed to Joy Valenti for approval and filed.
She checks for completeness of the reports.
Standing data changes are treated the same way, with input by the Administrator, sequence control, and
a printout showing a data item before change and after change. The input reports are printed weekly, passed
to Joy Valenti, who reviews them and signs the report for filing.
Non-Current Assets
On input of a non-current asset purchase from the expenditure system, the system generates a report
requesting more data, including a depreciation rate; this is input as a standing data change. The system
automatically calculates monthly the depreciation of non-current assets from data on file. When a non-
current asset is sold, on input of the sales proceeds the system calculates the profit or loss on sale.
Bank Reconciliation
The Administrator does the bank reconciliation weekly for both stores and when necessary inputs items to
the system items on the bank statement, including rent from the rooms above the Arnton store, the payroll
amount, loan interest and bank charges. Joy Valenti checks these and signs the document.
Reporting
The system produces a variety of reports, including the control reports, as explained above, and for business
management purposes financial statements containing year to date, current month and month by month
data. The monthly reports are reviewed only by Joy and Mark; the quarterly reports, with comparison of
actual with budget, are reviewed at board meetings by them and the Chairman, Len Lewis. The system
has a report writer that can be used to generate additional reports for management and can be used on our
behalf to provide printed transaction trails useful in our audit.

Sales, Sales Returns, Trade Debtors, and Cash Receipts

All Sales
Sales are mainly by cash, credit card (i.e. charges to customers’ Visa and similar accounts) and debit card
(i.e. charges to customers’ bank accounts through the EFT network). In the case of debit and credit card
sales, the card is inserted into an independent card-reader and this system dials the card issuer to confirm
that there is credit to meet the payment, in which case it charges the account. For debit card sales, the

CASE STUDY 401

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 402 — #22

customer keys in his/her PIN and one copy of a docket is given to the customer and the other put in the
till. For credit card sales, the customer signs one copy of the docket, which is put in the till, and is given
another copy. Sometimes, debit card customers ask for cash and, subject to the customer buying goods
worth more than $20, they are allowed this facility, to a limit normally of $100.
Selling prices are on labels on the shelves or other locations, and are stored in the system. Most items
have a bar code on them and this is read by the terminal’s scanner. If there is not a barcode, the operator
refers to the appropriate supplier catalogue for the item code and keys that in. Some catalogues contain
bar codes for products and these can be read by the scanner. The reading of the bar code causes the system
to read the selling price from the inventory system and display it.
Selling prices are keyed into the system when the line is first received and after that they may be modified
(i.e. to discount the item for quick sale) by Mark or Joy, or by the Supervisor on specific authority from
one of them. For these and other standing data changes, the system prints a log report at end of day and this
is scanned by the Administrator, who brings to the attention of Mark or Joy changes which she considers
of interest to them. Then she files the report; it is available for review by Mark or Joy.
Staff are allowed a 20% discount on the selling price of all merchandise. This is both to give them some
additional benefit for working for the company but also to discourage shoplifting or other irregularities
such as deliberately damaging merchandise to reduce its value and buy it at a reduced price.
Delivery Sales
Since buying the van, Westerways has been in a position to deliver to customers. It expects the merchandise
to have been purchased beforehand, on either a cash or a credit sale. It has taken a few phone orders from
well-known customers, payment or charge on delivery and delivery charge free, but have yet to determine
their company policy on this.
Credit Sales
Westerways does have a few regular customers with credit accounts. Some of these customers cause
concern when they pay late, but the Valentis believe that they have to accept this because they expect
them to give an increasing proportion of turnover in the years to come. They have not been given credit
limits, even though the system allows checking for credit availability. The operator asks for identification
(e.g. driving licence, buying company’s authority) and on input the sales terminal generates the invoice
and charges the debtor’s account. Where the account is a business account, the operator asks for an order
number and keys this in.
Receipts from Debtors
Receipts from debtors may be by cash or credit card at the counter, or by cheque received in the mail, in
which case whoever opens the mail (the Administrator, Assistant Administrator, Mark or Joy) brings them
out to the till and watches while they are put through by the cashier. Westerways do offer an early payment
discount, of 3% if paid within one week of sale.
Sales Returns by Customers
Occasionally a customer wants to return something to the store. Only the Supervisors and the Valentis have
the authority to approve a return and they key in their password to allow the till operator to process the
transaction. They first ascertain the type of sale. If the sale had been for cash, a cash sales return docket is
printed by the register and put into the till and the customer is given a refund with a copy of the docket. If
the sale had been a credit sale, a credit note is generated by the system and given to the customer, with a
copy being put in the till. In each case, the authoriser signs the docket in the till. The system prints daily a
listing of all cash sale returns and credit sale return notes, which the Administrator inspects and files. On
a discretionary basis, Joy examines this file.
In accounting for returns, the system automatically accepts the item back into inventory, using the cost
per item on hand. The Supervisor or Mark or Joy then decides whether to put the item back on the shelf or
to return it to the supplier for a credit, in which case they put through a transaction as shown under returns
to suppliers (see below).
Till Controls
The till controls separate recording from custodianship of cash through the log of cash movements written
by the terminal to the system. Also, terminal operators are individually responsible in that they log into a
till machine with their own user ID and password and they remain the only user until clearance. One of
the terminals may be closed down temporarily and then restarted by the same operator.

402 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 403 — #23

At the close off for banking, the Supervisor clears the till with the operator. The system display is agreed
to the cash and dockets in the till. If there is a difference between amount recorded for sales and the increase
in amount in the till (including cash and dockets), the person doing the reconciliation counts a second time.
If the difference remains, he or she keys in the actual amounts and the system then prints a revised bank
deposit slip and also reports the difference on the back-office printer, for subsequent examination and
inquiry by the Administrator. The system keeps a running total of differences.
Then the Supervisor prints the close report, signs it and puts it in the box for the Administrator. The
Supervisor, who has the combination for the safe, puts the cash (including separately the $300 till float)
and card dockets in the safe. The tills are left open at night so that anyone breaking into the store would
see that they are empty and probably then not damage them.
The takings are collected for banking by two GardYou Ltd security company officers each morning.
The takings are formally handed over by the Supervisor. One later returns with the stamped bank deposit
slip, which he leaves in the box for the Administrator. Later, the stamped deposit slips are matched to the
system’s cash report and filed together by the Administrator.
Trade Debtors
An end-of-month job prints an aged listing; the total is agreed by the Administrator to the general ledger
control account. She then passes the listing to Mark, who scrutinises it for slow payers and telephones
them if he considers it necessary.
We have ascertained that on request the system will print letters to debtors whose accounts are overdue,
but the Valentis have chosen not to use this facility, preferring to use the friendly approach of telephoning
any slow paying debtors.
In the event that a debt has to be written off, this is input to the sales system, which updates the trade
debtors file and writes a debt write-off transaction for the general ledger.

Purchases, Purchase Returns, Trade Payable, and Cash Payments

Inventory Purchases — Ordering
The inventory system generates a requisition when balance on hand falls below reorder point. An end-
of-day job then displays a requisition list with the recommended order quantity taken from the inventory
file. Mark or Joy, or by arrangement the store Administrator, makes the decision whether to order and
how much, then inputs that decision and generates a Purchase Order, which is emailed to the supplier,
putting the original in the open order file in the Administrator’s desk. For the Tannam store, the ordering
can be done from Arnton by dial-up or from Tannam. On a discretionary basis, when one store runs low
the purchaser checks the quantity in the other store and if that is low may generate an order for deliveries
to both stores.
For new merchandise, Mark or Joy creates a new line on the system and then places the order. For some
products, particularly in the home ware division, there are ‘one-off’ purchases. When the quantity falls
below reorder point and a requisition list is generated, the purchaser inputs an indicator that the line is not
to be reordered.
Other Orders
These are created online by Mark or Joy or the Administrator and then printed and then mailed or faxed.
There is a purchase requisitions book for raising by staff and passing to the person raising the order, but
this is considered unnecessary and rarely used.
Quantity Purchase Discounts/Refunds
Westerways have been able to negotiate some purchase discount contracts with their major suppliers. Under
these contracts, the buyer receives a refund payment in accordance with a formula in the agreement, based
on total value purchased in the last month and for the year to date. The refund is received by cheque usually
late in the next month.
Westerways have no formal procedure for ensuring that all discount refunds due are received and banked
and are calculated correctly. The amounts have been small but are rising with increased business.
Receiving
When the items arrive and the delivery driver hands over a packing slip, one of the staff takes it, goes to
the back office and asks the Administrator (Tannam store, Assistant Administrator) for the purchase order,
checks the goods to the packing slip and purchase order, signs the driver’s delivery docket, initials and
dates the packing slip, attaches it to the purchase order and puts it in the in-tray for the Administrator, who

CASE STUDY 403

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 404 — #24

later inputs the receipt to the system. The system updates the inventory records, for cost using the purchase
order price, and creates a suspense liability.
Recording the Liability
The invoice may be handed over with the merchandise or sent later by mail. When it arrives, the
Administrator matches it to the purchase order copy and packing slip and keys the invoice, including
its payment date, into the system, which replaces the suspense liability with a liability.
Returns
Sometimes inventory has to be returned to suppliers, for example when the item is found to be faulty or
not in accordance with the order. The Supervisor is advised, she raises a return note in duplicate, writing
the reason on it, places one copy on the goods awaiting the next van from the supplier, and passes the
other copy to the Administrator. She raises a supplier debit note, attaches the return note to it, has it signed
for approval by one of the Valentis, keys it in to the system, and puts the two documents in a temporary
file. The supplier sends its credit note and when it arrives the Administrator pulls the note and debit from
the file, attaches the supplier’s note to them, and files them. We have been told that there have never been
rejections by suppliers of these requests.
Other Purchases
For items that are not ordered, such as power and telephone, and for the occasional verbally ordered service,
such as an electrical repair, Mark or Joy check the amount for reasonableness and write ‘pay’ and sign the
invoice before input by the Administrator. The same happens for purchases of non-current assets.
Payments
At the end of each week, the Administrator does a payment run. The system finds the due invoices in the
trade payable file, sorts them by supplier, and prints a payments’ report and remittance advices. Mark or
Joy scrutinises the payments’ report, on a discretionary basis asks to see an invoice and any supporting
documentation before approving the payments. Payments are then made by direct debit to the supplier.
The system itself handles automatic direct debit payments, such as the monthly rental liability, by
printing the remittance advice and activating the direct debit. All expenses are input to and paid by the
system — that is, there is no alternative ‘manual payment’ system. The system also credits the bank and
debits the loan account with the monthly repayments.
There are controls against duplicated payment (which is most likely when a supplier not receiving its
payment when expected sends a second copy of the invoice not marked ‘copy’. This cannot happen for
Westerways with purchases of inventory because of the need to match the invoice with a packing slip. For
most other payments it is also unlikely because of the need to match the invoice with a purchase order.
However, where the item is not purchased with a purchase order, it could happen. The Ourbiz trade payable
system reports any possibly duplicated inputs in accordance with criteria including same amount and
same date.

Inventory
The inventory is held ‘on the shop floor’ and in a store at the back and there is no formal procedure for
transferring them from the store to the shelves or bins. All inventory in the stores is recorded in the Ourbiz
system. We understand that there are no consignment arrangements and all inventory held should be owned
by Westerways.
At six monthly intervals (before opening for business on 1 July and 1 January), there are stock counts
at both stores, these being conducted by some of the staff supervised by the Supervisors, with Mark at
one store and Joy at the other, and the Administrators operating the computer systems. The counters work
from an Ourbiz system report that lists lines that should be on hand but gives no quantities. Westerways’s
counting procedures include: the holding of a count planning meeting beforehand; at the count, the
writing of the quantity on the listing and also on a card which is placed on the inventory (to show that
it has been counted), progressive input of count data to the Ourbiz system and printing of listings of
differences for immediate investigation; and subsequent accounting for cards together with scrutinising
of all areas to confirm complete coverage. To confirm that there has been no mistake in purchases cutoff,
the Administrator ensures that the last delivery before the count has been recorded and that if a delivery
is made during the count it is held at the loading dock until completion of the count and is then recorded
as a liability and a receipt of inventory; she writes comments about delivery and processing dates on the
packing slip and order copy. To confirm no mistake in sales cutoff, the shop is not open during the count
and no sales are recorded or deliveries made till it opens.

404 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 405 — #25

Wages and Salaries

Full and part time salaried staff include the Supervisors, the Administrators and Mark and Joy. Other staff
are employed on a per hour basis; they are required to sign on and off in a register, which is checked
daily by the store Supervisor and signed. The Administrator uses this to input hours worked to the payroll
system. When permanent staff are on leave or sick, the Administrator keys in the required information,
obtaining before or afterwards a signed approval form and filing it for review.
Pay for all staff is generated fortnightly and transmitted electronically, with the server dialling the
company’s bank to transmit the details. Before transmission, the Administrator presents a pay listing to
Mark or Joy for their approval signature. The Administrator then prints the pay slips and files the pay
listings. The bank automatically charges the total to the Westerways bank account.
Rates of pay for Mark and Joy are as agreed by the Board of Directors. Rates for other staff are decided
by Mark and Joy and they are given a written employment contract. For those on salaries, this gives their
rates and terms and expected hours of work. For casual staff, it gives their rate per hour and an indication,
but not a promise, of their expected hours of work per week, including seasonal expectations. The casual
rates are decided on by the Valentis, who advise the board of any major changes. There are no bonuses or
commissions for sales performance. Any deductions from pays requested by the employee are included
in the employment contract, of which Westerways keeps a signed copy; from this, Joy raises a payroll
deduction form and passes it to the Administrator. Input of standing data changes is handled by the system
in the same way as explained above for the other systems.
After calculating the pays, gross, deductions and net, the system writes transaction records which are
passed to the general ledger. The Administrator checks the daily update report from human resources
system to general ledger and files it, for discretionary review by Joy Valenti. Payment over of the amounts
deducted is done by the trade payable system.
At the end of the year, the system prints for each employee the forms required for taxation purposes.

Office Letting
The rooms above the Arnton store were let on the basis of a monthly rent. This is transmitted by the tenants
directly to the Westerways bank account. As stated above, the bank reconciliation process includes input
of the rent received as shown in the bank statement.

Financial Management
The Valentis apparently use the system to manage the business in the following ways.
• Monitoring the data processing through the accounting system. Since Joy Valenti acted as the Adminis-
trator in the early months of the business, and was trained for this purpose by CLT ICT division staff, she
is aware of the necessary checks and reviews, including for example the daily cash sales and receipts
put through the tills and banked to sales and receipts recorded in the system, and the monthly bank
reconciliation statement to the bank balance and the recorded account balance.
• Setting what they consider to be maximum attainable mark-ups on the merchandise by inputting the
sales prices and reducing these when they consider it necessary for quick sale.
• Monitoring the levels of the current assets and liabilities. Of these, they know the balance at bank level
every night, and the accounting record figures for this and for trade debtors, payable and inventory by
inquiry on the system and in report form at the end of each month.
• Monitoring merchandise age through stock turnover calculations by type calculations performed by the
system.
• Monitoring performance against budget using the quarterly budget data.
The Board of Directors, comprising Mark, Joy and Len Lewis, meets quarterly, when it considers a
number of financial reports as summarised above.

Fiona Kerr
20 October 20X9

CASE STUDY 405

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 406 — #26

APPENDIX 6: GENERAL AUDIT STRATEGY AND

RISK ASSESSMENT
PL5-GAS:
Client Westerways Pty Ltd
Audit for year ending 31 December 20X9
General audit strategy (to be reviewed at the audit team meeting)
COMPONENT STRATEGY
GENERAL Risks of material misstatement at the financial statements level
There do not seem to be significant risks of material misstatement, but these could be
considered.
• The joint CEOs do not appear to have an interest in overstating the profit, for
example to sell the business, because they are not apparently proposing to sell
it, nor an interest in understating the profit, for example to minimise taxation of
dividends paid to outside shareholders. Of the two alternatives, understatement of
profit seems more likely, effected through making extra sales after hours and not
recording them.
• Another apparently low risk of material misstatement is through deliberate or
accidental misstatement of inventory quantities (e.g. including inventory on
consignment as owned) or values (e.g. not reducing non-selling items to net
realisable value) or purchases cutoff.
• A further low risk is omission of liabilities for services to overstate profit.
• Over-investment in assets resulting in shortage of cash and going concern issues.
These risks are minimised through the Chairman’s apparently careful monitoring of
business performance.
Overall audit responses to address the risks
Our audit strategy needs to include the following.
• Tests to prove that there are no material exclusions of sales, by use of analytical
review.
• Careful testing of inventory quantities, values, and cutoff and obtaining explanations
for discrepancies between counted and recorded quantities.
• In the final review as well as in planning, consideration of business activities and
policies with particular reference to cash flows.
REVENUE • As stated above, a revenue component risk is not putting sales through the system,
effected by management after hours; however, this risk seems to be small.
• Our audit strategy should comprise substantive procedures, including analytical
procedures and tests of details of transactions and balances, particularly for the
completeness assertion.
• We have not identified any significant risks that should be reported to management.
• We have not identified any assertions for which the audit strategy must comprise the
testing of the relevant internal controls.
INVENTORY • As stated under General and Revenue, there is an apparently small risk of
overstatement of inventory quantities or values and of manipulation of cutoff.
• Our audit strategy should include careful testing of inventory for existence, rights and
valuation.
EXPENDITURE • As stated under General, there is a small risk of omission of liabilities.
• Our audit strategy should include careful testing for completeness of liabilities.
NON-CURRENT • There are no exceptional risks for this component and our audit strategy should be
ASSETS normal substantive testing.
LIQUID ASSETS • There are no exceptional risks for this component and our audit strategy should be
(cash, deposits) normal substantive testing.
INVESTMENTS Not applicable.
LOANS • There are no exceptional risks for this component and our audit strategy should be
normal substantive testing.
EQUITY • There are no exceptional risks for this component and our audit strategy should be
normal substantive testing.
Prepared by/Date Signature Reviewed by/Date Signature
F Kerr
12/10/X9
Fiona Kerr
406 CASE STUDY
 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 407 — #27

[!b] PL1-RMR:1
Client Westerways Pty Ltd

Audit for year ending 31 December 20X9

Risk of material misstatement and audit responses (Summary of audit risk assessment process and
conclusions)

FACTOR COMMENTS
Process in assessment Process was:
of risk of material • Toured Arnton store and interviewed Mark Valenti about business performance this
misstatement through year. Later toured Tannam store.
fraud or error • Performed planning analytical review procedures.
• Performed assessments of risk at the financial report level and the assertion level.
• With partner, Ray Campbell, interviewed Chairman, Len Lewis, about his governance
beliefs and procedures; discussed with him our assessments of risk and he agreed
with them.
• Updated our notes on the company’s systems and in the course of planning our
tests confirmed that our revised notes are accurate.

Audit team meeting Held team meeting in CLT office after the above work and discussed our preliminary
held to discuss risk of assessments of risk. Those present were the engagement partner, Ray Campbell, and
material misstatement all staff who would be working on the job: Senior, Fiona Kerr, and Assistants, Bruce
Banks and Gavin Lee.
All staff understood and agreed with the assessment of risks. We identified not
risks that might be regarded as significant and under Auditing Standards requiring
immediate reporting to management.

Revision of risk <This section will include a summary of any revisions to the initial risk assessments
assessments and comment on how the audit testing strategy was revised as a result of the
revisions.>

Summary of final audit Audit strategy is to rely on substantive procedures, including analytical review and
strategy tests of details of transactions and balances. There was considered to be no difficulty
in achieving the required audit evidence through substantive procedures alone — that
is, there were no areas requiring us to rely on, and therefore test, internal controls.

Prepared by/Date Signature Reviewed by/Date Signature

F Kerr
12/10/X9
Fiona Kerr

CASE STUDY 407

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 408 — #28

PL1-RMR: 2

Client Westerways Pty Ltd

Audit for year ending 31 December 20X9

Minutes of the meeting of the audit team to discuss the audit of the financial report of Westerways
Pty Ltd, held in the board room at Campbell Lee Taylor, High Street, Arnton, at 9 am on 12 October
20X9
Present: Ray Campbell Engagement Partner (Chairman)
Fiona Kerr Senior in charge
Bruce Banks Principal Assistant
Gavin Lee Junior Assistant

1. Presentation by audit team members on planning work done

Audit team members involved in the planning presented a summary of their work and conclusions,
referring to their audit working papers.
2. Summary of recommendations
Fiona Kerr, Senior in charge, recommended the following.
• As no staff had encountered what might be regarded as ‘significant risks’ that should be reported to
management, we did not need to submit a report on internal control immediately but should submit
the report as usual at the end of the interim audit.
• A substantive testing approach be used, as in previous years with maximal use of analytical
procedures. This strategy is appropriate because our assessment of risks of material misstatement
was favourable and also because extensive detailed testing of transactions would in any case not
be effective in this audit. Our detailed testing of transactions should be intended primarily to gain
comfort to support the analytical procedures. There should however be more extensive tests of details
of balances. Also, there were no areas where sufficient evidence cannot be obtained by substantive
testing and where there must be reliance on, including testing of, internal controls.
• Particular areas of audit attention be sales completeness, inventory existence, inventory valuation,
trade payable completeness and cash flows.
3. Discussion
There was general discussion of the Westerways Pty Ltd business, governance and management control,
and its financial reporting, including the interview with company Chairman, Len Lewis, who showed
that he recognised his responsibilities for governance but also made clear that he expected us, as financial
report auditors, to assist him with his responsibilities.
There was also discussion of Westerways Pty Ltd’s solvency situation and the tenability of the going
concern assumption in their financial reporting. The owners choose to pay large dividends relative to
profit and that means that there is less capital available for expansion. They borrow from the bank each
year to pay their company tax and dividend but repay the overdraft within a few months. This year,
they exacerbated the situation by purchase of a van and will have to borrow more from the bank early
in 20X0.
It was concluded that at the end of the audit, we should re-examine the solvency situation in case
there is a threat that the company will get into financial difficulties. The most likely cause of this would
be carrying excess unsaleable inventory and so our audit procedures on slow moving inventory were
particularly important. We should also confirm that the management had no immediate plans to expand
operations, or if they had whether they were going to raise additional equity capital.

4. Conclusions
The recommendations above were accepted by the engagement partner, Ray Campbell.
5. Next meeting
There would be a second planning meeting only if it is found necessary to make significant changes to
the audit strategy.
6. Close
The meeting was closed at 9.30 am.

408 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 409 — #29

APPENDIX 7: EXTRACT FROM AUDIT PROGRAMME

TE-ATP
Client Westerways Pty Ltd
Audit for the year ending 31 December 20X8
Audit programme
Audit Tests Risk Sample Working Done
assessment size (if paper by
references applicable) references
GENERAL

• Conduct analytical review procedures.

– Analyse trends of revenue, gross profits and
expense figures quarter by quarter, and compare
them with the previous year’s figures.
– Analyse rental income and expense figures
by quarter.
– Discuss significant variances with the
management.
– Corroborate management’s explanations by tests
of details.
– Further investigate by tests of details any
unexplained anomalies.

• From the population of journal entries reported by

the system as input, from feeder systems and as
direct general journal inputs.
– Scrutinise the higher value entries for propriety,
– On a discretionary basis evaluate the supporting
voucher and/or report
– As appropriate, discuss the entry with one of
the Valentis.

• Examine minutes of Board of Directors for any

matters relevant to the financial statements
(e.g. omitted liabilities and contingent liabilities,
general business activities, evidence of company
liquidity difficulties).

• Obtain management representation letter signed by

one of the CEOs.

• Prepare a letter for the company’s solicitors

confirming any matters (litigation, etc.) currently with
them, have it signed by one of the Valentis, evaluate
the response.

• Investigate possible after balance date events which

need to be adjusted or recorded.

• Ascertain the proposed dividend to be paid out

of year’s profits and ensure that the dividend is
declared by the directors and the liability is properly
recorded.

• Conduct final analytical review procedures to

evaluate overall reasonableness of the GPFR.

• For the purpose of confirming the validity of the N/A

going concern basis of accounting, obtain evidence
to confirm that the liquidity situation of the business
is satisfactory and that the business seems likely to
continue for at least the next twelve months.

CASE STUDY 409

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 410 — #30

• Scrutinise the draft financial report and confirm that:

– The sections audited by us comply with company
law and accounting standards.
– The sections that we do not audit (directors’
report, etc.) contain no information which conflicts
with information in the audited section.

INVENTORY

• Attend count planning meeting for each store and Identify

confirm adequacy of counters’ understanding of high value
count procedures. lines and
• Attend count and: conduct
– Observe procedures. test counts
– Do test counts (stock listings to stock and vice of them,
versa). with a
– Investigate for possible obsolete inventory by random
observation and inquiry. sample of
– Check cutoff by ensuring that: a few other
∘ For goods received, or transferred from one lines; do
Westerways store to the other, in few days over the same
count, obtain details of movements and confirm for tests
that they have been recorded in correct financial of costs
period. and tests of
∘ Sales do not occur during count, or if they extensions
do and sale is taken up, count records are
adjusted.
∘ For any goods received during count, ensure
that if these are to be taken up as inventory they
will be recorded as purchases in December.

• Follow up results of attendance by:

∘ Checking audit test counts to final inventory
report.
∘ Ensuring that stock identified at count as possibly
not saleable at listed price has been recorded at
net realisable value.
• Test unit costs of inventory per report to supplier
invoices.

• Examine management’s reports containing stock

turnover statistics and identify lines that may be
obsolete; discuss with one of the Valentis the need
for these to be reduced from cost to net realisable
value.
• Check stock sheet total to inventory control
account.

TRADE PAYABLE

• Obtain and scrutinise the listing of balances At 31 Dec

outstanding at 31 December and agree total to the
general ledger control account.
• For the major balances, obtain suppliers’ Largest 15
statements for end of December and reconcile them balances
to the trade payable balance.
• Scrutinise payments after balance date until end Payments
of audit and for all large payments (e.g. >$1000) over $1000
vouch to supporting documentation to confirm that
if the item is a purchase of pre 31 December it is
recorded as a liability at December.
• (For test of cutoff, refer audit tests for inventory.)

410 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 411 — #31

APPENDIX 8: DRAFT COMPARATIVE FINANCIAL

STATEMENTS
WESTERWAYS PTY LTD
Income statement
for year ending 31 December 20X9
20X9 20X8
$ $

TRADING REVENUE
Sales — cash 1 855 270 1 326 224
Sales — credit 199 240 132 202
2 054 510 1 458 426
Opening inventory 225 650 137 300
Purchases 1 260 508 936 748
Closing inventory (299 650) (225 650)
Cost of goods sold 1 186 508 848 398
GROSS PROFIT 868 002 610 028
Rates and water rates 3 218 2 840
Wages, salaries and on-costs 486 200 343 393
Power 45 212 32 700
Depreciation of non-current assets 21 981 16 255
Stationery and supplies 7 880 7 012
Interest on loans 12 880 15 505
Advertising and promotion 6 128 3 800
Travel and vehicle expenses 10 180 5 830
Rent on Tannam store 54 000 52 000
Other administrative expenses 5 612 5 360
Total Expenditure 653 291 484 695
NET PROFIT FROM TRADING 214 711 125 333
OTHER REVENUE
Rent 8 200 8 200
Payment discounts received 745 585
TOTAL OTHER REVENUE 8 945 8 785
NET PROFIT BEFORE TAX 223 656 134 118

Company tax 67 097 40 235

NET PROFIT AFTER TAX 156 559 93 883

Accumulated profit brought forward 50 251 26 369
Profit available for distribution 206 810 120 251
Proposed dividend 120 000 70 000
Accumulated profit carried forward 86 810 50 251

CASE STUDY 411

 “Case_Study_PrintPDF” — 2019/11/16 — 11:00 — page 412 — #32

WESTERWAYS PTY LTD

Statement of financial position
as at 31 December 20X9
20X9 20X8
$ $
Current assets
Inventory 299 650 225 650
Trade debtors 33 250 15 100
Prepayments 2 600 2 220
Cash and deposits 68 226 44 630
403 726 287 600
Non-current assets
Land, at cost 196 000 196 000
Buildings, at cost 100 000 100 000
Less: Accumulated depreciation (15 000) (11 000)
Store fixtures and furniture 49 700 49 700
Less: Accumulated depreciation (12 915) (7 945)
Equipment 22 400 12 920
Less: Accumulated depreciation (1 120) (5 066)
Delivery van 32 540
Less: Accumulated depreciation (4 881)
Accounting system 20 300 20 300
Less: Accumulated depreciation (15 169) (10 094)
371 855 344 815
TOTAL ASSETS 775 581 632 415
Current liabilities
Trade payable 103 420 71 822
Company tax 67 097 40 235
Proposed dividend 120 000 70 000
Employee and other liabilities 43 254 33 107
333 771 215 164
Non-current liabilities
Bank loan (secured) 155 000 167 000
TOTAL LIABILITIES 488 771 382 164
NET ASSETS 286 810 250 251
Share capital and reserves
Issued capital 200 000 200 000
Accumulated profits 86 810 50 251
TOTAL EQUITY 286 810 250 251

412 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 413 — #33

APPENDIX 9: WORKING PAPERS

Task 1.1 Working Paper
Ethical principles and independence IF1-EPI
Client

Audit for year ending

SPECIFIC ISSUE 1: CONFLICT OF INTEREST

Section of the Code Ethical principle Objectivity
Threat

Safeguards

Evidence provided

SPECIFIC ISSUE 2: PROFESSIONAL APPOINTMENTS

Section of the Code Ethical principle Integrity or professional
behaviour
Threat

Safeguards

Evidence provided

SPECIFIC ISSUE 3: PROFESSIONAL APPOINTMENTS

Section of the Code Ethical principle Professional competence
and due care
Threat

Safeguards

Evidence provided

CASE STUDY 413

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 414 — #34

SPECIFIC ISSUE 4: FEES AND OTHER TYPES OF REMUNERATION

Section of the Code Ethical principle Professional competence
and due care
Threat

Safeguards

Evidence provided

Prepared by/Date Signature Reviewed by/Date Signature

F Kerr XX/XX/XX
Fiona Kerr
Task 2.1 Working Paper
PL1-UCB:
Client
Audit for year ending
Understanding of the client’s business
FACTOR COMMENTS
Explain relevant industry, regulatory and other
external factors, including the applicable
financial framework

Explain nature of entity:

• operations

• ownership and governance

• investments made or planned

• structure

• financing

Explain and evaluate management’s selection

and application of accounting policies

414 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 415 — #35

Summarise entity’s objectives and strategies

and related business risks that may result in
material misstatement of the financial report

Evaluate the processes for measurement and

review of the client’s financial performance,
including their implications for risk of material
misstatement

Implications for the current year’s audit <include here comment on the risk of material
misstatements at the financial report level>

Prepared by/Date Signature Reviewed by/Date Signature

Task 2.2 Working Paper

PL2-ARP
Client
Audit for year ending
Analytical review procedures for audit planning
FACTOR COMMENTS
Discussion of analysis See the attached analytical review workings, based on
the audited data provided for previous two years and the
annualised data for the current year.

Implications for the audit <this section must include comment on the implications
for the current audit and where appropriate (e.g. where
the client seems likely to experience increasing liquidity
problems) on future audits>

Prepared by/Date Signature Reviewed by/Date Signature

CASE STUDY 415

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 416 — #36

Westerways Pty Ltd Ratio Analysis

Annualised Year ending Year ending 9 mths
year ending ending
31/12/20X9 31/12/20X8 31/12/20X7 31/12/20X6
FINANCIAL RATIOS
Solvency
Quick asset ratio Cash + Marketable
securities + Trade
debtors

Current liabilities

Current ratio Current assets

Current liabilities

Debt-equity Total liabilities

Shareholders’ equity

Number of times EBIT

interest earned
Interest expense

Efficiency
Debtors turnover Credit sales

Average debtors*

Inventory turnover Cost of goods sold

Average inventory*

Asset turnover Sales

Total assets

Profitability
Net profit margin Operating profit
before tax

Sales

Net profit margin Operating profit

before tax

Sales

Return on total assets Operating profit

before tax

Total assets

Return on shareholders’ Net profit after tax

equity
Ordinary sharehold-
ers’ equity

Gross profit Gross profit

Sales

416 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/16 — 11:00 — page 417 — #37

Percentage of expenses and net profit to sales

Rates and water rates
Wages, salaries and on-costs
Power
Depreciation of non-current assets
Profit (loss) on sale of non-current assets
Stationery and supplies
Advertising and promotion
Travel and vehicle expenses
Rent paid Tannam store
Other administrative expenses
Total expenditure
NET PROFIT FROM TRADING
* Care needs to be taken if using the 20X6 ratios for comparison purposes as the values for 20X6 cannot be averaged as this was the
first year of operation and ratios for this period are based on 9 months rather than a full year of operations.

Task 2.3 Working Paper

PL3-PMA
Client
Audit for year ending
Preliminary materiality
assessment

FACTOR COMMENTS
Discussion of source of <justify data used in calculations>
data
Operating profit base <calculate 5% and 10% of estimated before tax profit
method for the year under audit and discuss judgment of place
within range>
Judgment from profit base method $
Blended method 0.5% of total assets ($ )
0.5% of total revenue ($ + $ )
5% of net profit before tax ($ )
2% of gross profit after depreciation ($ – $ )
1% of equity ($ )
Total
Average /5
Judgment from blended method $
Planning materiality <explain decision on figure derived from the above> $
conclusion
Allocation of planning <comment on reasons for allocation of preliminary
materiality to materiality to components>
components
• discussion
• allocation Revenue/trade debtors
Expenditure/trade payable
Cost of sales/inventory
Non-current assets (tangible)
Non-current assets (intangible)
Cash/deposits etc.
TOTAL $
Prepared by/Date Signature Reviewed by/Date Signature

CASE STUDY 417

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 418 — #38

Task 2.4 Working Paper

PL4-CEE:
Client
Audit for year ending
Control environment evaluation
FACTOR COMMENTS
Communication and enforcement of
integrity and ethical values — means
Commitment to competence —
recognition of skill requirements for
jobs and implementation
Participation by those charged with
governance (e.g., activities of audit
committee)
Management’s philosophy and
operating style (including interest in
accounting)
Organisational structure (e.g. structure
for achievement of entity’s objectives)
Assignment of authority and <include comment on evidence of effective delegation
responsibilities and supervision>
Human resource policies and practices
— recruitment, training, evaluating,
compensation, etc.
Conclusion (e.g. potential for material <include comment on implications for risk of material
misstatement) misstatement at the financial report level>
Prepared by/Date Signature Reviewed by/Date Signature

Task 3.1 Working Paper

COST OF SALES
Assertion Test and sample size Comment
Occurrence
Completeness
Accuracy
Presentation

INVENTORY
Existence
Existence Tests of cutoff Satisfactory
Rights & Obligations
Completeness
Accuracy, valuation & allocation
Accuracy, valuation & allocation
Accuracy, valuation & allocation
Presentation

418 CASE STUDY

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 419 — #39

Task 3.2 Working Paper

Cycle Expenditure PL4-CEE:
Client
Audit for the year ending
Account balance risk assessment and testing
Account balance Trade payable
Assertions/Possible material Assessed risk of material Proposed substantive tests (analytical
misstatements misstatement after taking review procedures and tests of details)
into account transaction
class controls

Existence Medium Analytical procedures

• Recorded trade payable are not valid Tests of details

Completeness Medium Analytical procedures

• Trade payable at balance date are Tests of details
not recorded as liabilities

Rights & Obligations Medium Analytical procedures

• Recorded trade payable are not valid Tests of details

Accuracy, valuation & allocation Low Analytical procedures

• Trade payable are recorded at wrong Tests of details
amounts

Presentation Low Tests of details

• Trade payable in financial
statements are not presented
in accordance with Accounting
Standards

Prepared by/Date Signature Reviewed by/Date Signature

Cycle Expenditure PL-ART-Exp-Inv

Client
Audit for the year ending
Account balance risk assessment and testing
Account balance Inventory
Assertions/Possible material Assessed risk of material Proposed substantive tests (analytical
misstatements misstatement after taking review procedures and tests of details)
into account transaction
class controls
Existence Medium Analytical procedures
• Recorded inventory does not exist Tests of details
(e.g. has been recorded twice)

Completeness Medium Analytical procedures

• Inventory owned by company is not Tests of details
recorded

Rights & Obligations Medium Analytical procedures

• Recorded inventory is not owned Tests of details
(e.g. is on consignment

CASE STUDY 419

 “Case_Study_PrintPDF” — 2019/11/18 — 6:30 — page 420 — #40

Accuracy, valuation & allocation Medium (possibility of Analytical procedures

• Inventory is not recorded properly at obsolete inventory to be Tests of details
the lower of cost and net realisable reduced from cost to net
value realisable value)

Presentation Low Tests of details

• Errors in accounting system in
application of Accounting Standards

Prepared by/Date Signature Reviewed by/Date Signature

Expenditure TE-ATP-Exp
Client
Audit for the year
ending
Audit test programme
Audit Tests Risk assessment Sample size Working paper Done by
references (if applicable) references
TRADE PAYABLE
PL-ART -Exp-AcP
PL-ART -Exp-AcP
PL-ART -Exp-AcP
PL-ART -Exp-AcP
PL-ART -Exp-AcP
PL-ART -Exp-Inv
PL-ART -Exp-Inv
PL-ART -Exp-Inv
PL-ART -Exp-Inv
PL-ART -Exp-Inv
PL-ART -Exp-Inv
Prepared by/Date Signature Reviewed by/Date Signature

Task 4.1 Working Paper

Finding number and summary a) Audit test(s) that detected b) Discussion of possible action
the finding by auditors

1. Damaged inventory requiring

reduction from cost to net
realisable value
2. Injury to customer, resulting in
possible legal action, possibly
requiring disclosure of a
contingent liability.
3. Unsold inventory that might
need to be reduced from cost
to net realisable value.

420 CASE STUDY

SUGGESTED ANSWERS
REVISION QUESTION ANSWERS
MODULE 1
Question 1.1
1. Companies Auditors Disciplinary Board (CADB)
2. Financial Reporting Council (FRC)
3. Auditing and Assurance Standards Board (AUASB)
4. ASX (Australian Stock Exchange)
5. The Accounting Professional and Ethical Standards Board (APESB)
6. Financial Reporting Council
7. AUASB
8. CADB
9. AUASB
10. ASIC

Question 1.2
The importance of a profession is evident in its attributes, which include, (1) a systematic body of
theory, (2) authority, (3) community sanction, (4) ethical codes and (5) culture. It is acknowledged that
non-professionals also possess these attributes to a lesser degree. Professional organisations differentiate
themselves by emphasising the community sanction that they strive so hard to achieve. Professionals would
also claim that they benefit society by their superior performance in fulfilling a highly competent and
sophisticated role.
The accounting professional bodies have implemented a built-in regulatory code to compel ethical
behaviour on the part of its members. The profession would see this regulatory code as a key way of
differentiating itself from other organisations. Through its ethical code, the profession’s commitment to
social welfare becomes a matter of public interest, thereby helping to ensure the continued confidence of
society. Self-regulatory codes are characteristic of all occupations. However, a professional code is more
explicit, systematic and binding: it possesses altruistic overtones and is more public service orientated.
The code also provides the principles of competence and due care, and guidelines where accountants and
auditors should avoid performing tasks that they are not competent in.
Brenda should be advised that the exercise of due care and diligence is part of the duty of auditors. Where
there are doubts relating to the tasks, she should raise it with her seniors and seek independent advice
if necessary. She should be advised that it is not uncommon for auditors to consult others. Section 113
of the International Code of Ethics for Professional Accountants (Including International Independence
Standards) (the Code) refers to the requirement to maintain adequate professional knowledge and technical
skills regarding professional competence.
Brenda should take responsibility for making sure that she has the skills necessary to carry out her work,
and consult with others and request the necessary training where there are gaps. I would discuss with her
the steps to complete the current audit, assisting her in establishing steps to complete the necessary audit
work and I would also supervise her closely to ensure that her work is monitored and she has the support
she needs in order to not be afraid to ask questions, seek advice from others and ask for training to fill her
knowledge and skills gaps.

Question 1.3
1. The fundamental principles of the International Code of Ethics for Professional Accountants (including
International Independence Standards) are:
111 Integrity — should be straightforward and honest in all professional and business relationships.
112 Objectivity — not allow prejudice or bias, conflict of interest or undue influence of others to override
professional or business judgements.
113 Professional Competence and Due Care — a continuing duty to maintain professional knowledge
and skill at the level required of the professional accountant and to act diligently and in accordance with
Pdf_Folio:421

applicable technical and professional standards.

SUGGESTED ANSWERS 421

 114 Confidentiality — should respect the confidentiality of information acquired.
115 Professional Behaviour — should comply with relevant laws and regulations and should avoid any
action that might discredit the profession.

2. The following table discusses whether the effect on professional ethics is a violation, and why.
Effect Rule Reason

1. Violation 113 An accountant should only undertake work that he or she can expect to
complete with professional competence.

2. Violation 114 Only when there is no consent from the client. If client’s consent is obtained, it
can be part of the professional clearance procedures.

3. Violation 115 Any commission must be disclosed. Solicitation of client should not normally
be allowed.

4. Not a violation - Does not constitute incompatible business.

5. Not a violation - Reasonable courtesy or social commitments can be allowed. Disclosure is

required.

6. Not a violation - Commission should be disclosed. The client’s consent must be in writing and
the public accountant must take care to ensure that the advice is in the best
interests of the client.

7. Not a violation - Normal course of event allowed. Violation only if the loan is obtained using
favourable terms. (Note: The Corporations Act has a limit of $5000 on
non-housing loans)

8. Not a violation - An accountant has a legal right of lien, under certain conditions, over clients’
records in his custody in the event of non-payment of fees.

Question 1.4
Four factors that may indicate that additional client evaluation procedures are necessary when evaluating
the continuance of an audit client are as follows.
1. New legal, regulatory or professional requirements that alter reporting responsibilities and professional
risks.
2. A significant change in the nature, size or structure of a client’s business.
3. A significant change in a client’s management.
4. Particular audit findings for a client (e.g. become aware of a potential NOCLAR, committed by a client,
control weaknesses or proposed adjustments to financial statements).
Question 1.5
The following attributes should be included in the quality review program.
• Reviewers must be independent (e.g. selected from a different office).
• Reviewers must be senior and experienced auditors.
• Guidelines for the selection of partners and their engagements for review must be set out — for example,
a risk-based approach with a review at least every x years.
• The maximum period a partner can go without a review must be set out (e.g. two years).
• A strategy planning memorandum for the review must be approved by a senior partner.
• Documentation should be prepared detailing what action to take for unsatisfactory performance,
including follow-up reviews.
• Overseas reviewers should be involved (because of greater perceived independence).
• Training should be provided for reviewers.
• Criteria must be set out so that there is consistency in review ratings.
• A summary report should be prepared.
• Follow-up action should be taken on the summary report by senior partners.
• There should be written communication to senior partners about any more general problems found.
• When deficiencies are determined, training of audit staff should be provided to reinforce findings and
correct any problems.
• There should be a relationship between the outcome of the reviews and the reward systems.
Pdf_Folio:422

422 SUGGESTED ANSWERS

Question 1.6
A firm can implement the following procedures to demonstrate its commitment to quality above commer-
cial considerations.
• Incorporate quality in performance evaluation, promotion and compensation decisions.
• Establish a formal disciplinary statement to handle non-compliance that grades violations and associated
actions according to the seriousness of the non-compliance (e.g. for minor non-compliance a warning
letter may be issued, whereas serious non-compliance may result in dismissal).
• Ensure that the work performed by the practitioner in planning and carrying out the engagement is not
determined by the budget or expected fee but is consistent with the level of assurance required.
Question 1.7
(a) Attestation
(b) Direct
Note: Paragraphs 12 and 13 of the Framework distinguish the two engagements.
12. In an attestation engagement, a party other than the practitioner measures or evaluates the underlying
subject matter against the criteria. A party other than the practitioner also often presents the resulting subject
matter information in a report or statement. In some cases, however, the subject matter information may be
presented by the practitioner in the assurance report. The practitioner’s conclusion addresses whether the
subject matter information is free from material misstatement.
13. In a direct engagement, the practitioner measures or evaluates the underlying subject matter against the
criteria. In addition, the practitioner applies assurance skills and techniques to obtain sufficient appropriate
evidence about the outcome of the measurement or evaluation of the underlying subject matter against the
criteria. The practitioner may obtain that evidence simultaneously with the measurement or evaluation of
the underlying subject matter, but may also obtain it before or after such measurement or evaluation. In
a direct engagement, the practitioner’s conclusion addresses the reported outcome of the measurement or
evaluation of the underlying subject matter against the criteria and is phrased in terms of the underlying
subject matter and the criteria. In some direct engagements, the practitioner’s conclusion is, or is part of,
the subject matter information (see also Appendix 2).

Question 1.8
Reasonable assurance provides comfort that the subject matter is not materially misstated. The level of
work performed by the auditor will ensure that the risk of giving an incorrect opinion (engagement risk)
is reduced to an acceptably low level. The level of work will include detailed substantive testing and
testing of internal controls where they are being relied upon to provide evidence. Audits provide reasonable
assurance.
Limited assurance gives a lower level of comfort than reasonable assurance. Procedures are generally
restricted to obtaining representations and carrying out analytical procedures, rather than detailed substan-
tive testing. A review of a financial report is an example of a limited assurance engagement.
Question 1.9
There are multiple reasons why absolute assurance cannot be provided by auditors. Some of them are as
follows.
• There are inherent limitations of an audit, which result in most of the audit evidence on which the auditor
draws conclusions and bases the auditor’s opinion being persuasive rather than conclusive.
• Inherent limitations of internal controls.
• The use of selective testing.
• The use of professional judgment in gathering and evaluating audit evidence (The Framework, para. 73).
Question 1.10

Responsible party Intended users

1. Board of directors and/or the CEO Investors, creditors, employees and various
regulatory bodies

2. Management Board of directors

3. Management of the company providing cloud-based Management of the customer and the auditor of the
accounting services financial statements of the customer
P df_Folio:423

SUGGESTED ANSWERS 423

Question 1.11
Some examples of the effects of the use of digital information on an auditor’s professional scepticism are:
• being aware of the increasing complexity of the business model and the need to understand the entity’s
business model
• designing audit procedures to consider if there is evidence to challenge management assertions
• testing of the data analysis that management is relying on.

Question 1.12
Audit firms can play an important role in cultivating a sceptical mindset in auditors by:
• developing policies that promote a culture of scepticism being considered ‘essential’
• providing ongoing training and mentoring to emphasise the importance of scepticism and develop
the trait
• developing policies that rewards or provides incentives for the demonstration of scepticism either
through performance evaluations or engagement reviews (IAASB 2015, para. 30).

Question 1.13
Auditors apply an attitude of professional scepticism by being alert to conditions, circumstances and
information that may indicate the existence of material misstatements in the financial statements and to
critically assess the audit evidence. The auditor accepts the information obtained unless contradictory
evidence is obtained. As such, auditors use professional scepticism to assess the validity and reliability of
audit evidence obtained, and be alert to any contradicting evidence.
Auditors apply professional judgment to reach appropriate decisions during the engagement. It is a skill
that auditors acquire over time by obtaining relevant training, skill and experience to gain competence
making reasonable judgments. Professional judgment is demonstrated by using knowledge gained from
training and experience to make informed decisions such as whether sufficient appropriate audit evidence
has been obtained, the nature, timing and extent of audit procedures, and determining the materiality and
audit risk levels.

Question 1.14
(a) IAASB defines professional scepticism as an attitude that includes a questioning mind, being alert to
conditions which may indicate possible misstatement due to error or fraud, and a critical assessment
of evidence. Professional scepticism requires an ongoing questioning of whether the information and
audit evidence obtained suggest that a material misstatement due to fraud may exist.
(b) Professional scepticism relates to the identification and assessment of risk, including issues such as
(1) management integrity in relation to governance and oversight and attitudes towards risk and (2) the
implementation and monitoring of internal controls to minimise risk, improve financial controls and
ensure compliance with relevant legislation.
Accordingly, the auditor needs to plan and execute the assurance engagement to include corroboration
of management assertions and responses to enquiries, and resolve any inconsistencies. For an audit of
financial statements, in the presence of inconsistencies or anomalies, professional scepticism requires the
auditor to obtain sufficient appropriate evidence in order to provide reasonable assurance that the financial
statements do not contain material misstatements due to fraud.

Question 1.15
The IAASB provides different standards for different types of engagements. There are specific standards
for assurance engagements other than the audit and review of financial information. An assurance
engagement on controls would fall in the other category. As a result, assurance engagements on an internal
control system and the financial statement audit would be considered separate engagements. However, it
should be noted that as part of the financial statement audit, ISA 315 (Revised) requires auditors to carry out
risk assessment procedures to obtain an understanding of the entity and its environment, and this includes
the entity’s control system. However, the auditor does not provide any assurance on the appropriateness
and performance of the internal controls.

Pdf_Folio:424

424 SUGGESTED ANSWERS

Question 1.16

Review Audit

Level of Limited assurance Reasonable assurance

assurance

Opinion The opinion will state that nothing has
come to the practitioner’s attention to
suggest that the subject matter does not
comply with the criteria. This is negative
form assurance and gives a lower level
of comfort to the user than an audit.
The opinion will state that in all material respects
the subject matter complies with the criteria. This
is positive form assurance which clearly states to
the users that the subject matter is free from
material error.

Procedures Evidence gathered is largely restricted
to obtaining representations from the
management team, or other responsible
party and carrying out analytical
procedures rather than detailed tests of
control and substantive procedures. This
level of work will reduce engagement
risk to a level that is appropriate to
the engagement.
The auditor will plan the nature, timing and extent
of procedures to provide sufficient and appropriate
evidence to ensure that engagement risk is reduced
to an acceptably low level. These procedures include:
(1) obtaining an understanding of the engagement,
(2) assessing risk, (3) responding to those assessed
risk, (4) performing procedures such as substantive
tests and where necessary tests of the effectiveness
of internal controls and (5) evaluating the evidence.

Question 1.17

1. Preparation of a report giving This is a form of consultancy work providing recommendations and is
advice to a client on the therefore not an assurance engagement. No assurance is provided and no
introduction of a new system opinion given.
of internal controls.

2. A report giving an opinion
on a school’s responses to a
questionnaire required by the
auditor-general.
This is an assertion-based compliance engagement (ASAE 3100). The report
is providing information to the auditor-general indicating the extent to which
the organisation has complied with some regulatory requirements. It is likely
to be an audit rather than a review and therefore would require reasonable
assurance with a positive form opinion.

3. Preparation of the company’s This is a compilation of a return from information provided by the client. No
tax returns. assurance is provided and no opinion is given.

4. A report to management about
the success of a marketing
campaign.
It is likely that this will be a report of findings giving details of the extent to
which revenue has increased after the marketing campaign. It is unlikely
that an opinion would be given about success unless success is very clearly
defined to ensure that it is an objective criterion against which to measure
actual performance. Therefore, this is likely to be agreed upon procedures
engagement on which no assurance or opinion would be provided.

5. A report to directors in relation This is an assertion-based engagement providing an opinion on historical

to half-year financial report for
a listed company.
financial information and the work is likely to be a review rather than an audit.
These interim reports must be either audited or reviewed and therefore most
companies would have a review performed rather than a full audit. In the case
of a review there would be limited assurance provided in a negative form. The
review may be performed either by the company’s independent auditor
(ASRE 2410) or another assurance practitioner (ASRE 2400).

6. An audit of a management This is an assertion-based engagement giving an opinion on a report on the

report into the effectiveness of effectiveness of internal controls. This work could be a review or an audit.
a company’s internal control Many organisations have their internal control processes audited, in which
system. case reasonable assurance would be provided in a positive form referring to
the report rather than directly on the internal controls themselves.

7. A statement of findings to This is agreed-upon procedures. A statement of findings provides a statement

management in relation to the of the results of the procedures performed without giving an opinion as to
completeness and accuracy of whether the purchase ledger balance is or is not fairly stated. No assurance is
its purchase ledger balances. provided and no opinion will be given.

P df_Folio:425

SUGGESTED ANSWERS 425

Question 1.18
ISAE 3000 (Revised) Assurance engagements other than audits or reviews of historical financial
information is issued by the IAASB. It deals with assurance engagements other than audits or reviews of
historical financial information. It applies to both reasonable assurance and limited assurance situations.
Because ISAE 3000 (Revised) applies to assurance of information or reports other than historical
financial information reports, it does cover the situation where an entity has provided a CSR and wishes to
gain a review or audit of that information. Its application paragraph A8 specifically lists an engagement for
the assurance on a report of sustainability performance as an example where its use would be appropriate.
The Assurance Framework Appendix 4 contains examples of subject matters that are relevant to the type
of assurance engagements covered by the standard, it includes a list of reports containing non-financial
historical information:
• greenhouse gas statements
• sustainability reports
• KPIs
• statement on effective use of resources
• statement on value for money
• corporate social responsibility reports.

MODULE 2
Question 2.1

(a) A business has high volumes of low value revenue streams in multiple currencies. Inherent risk

(b) A business has limited segregation of duties in functional areas. Control risk

(c) The auditor of a business conducts inappropriate substantive testing. Detection risk

Question 2.2
(a) This is a situation where there is the possibility of earnings management using the capitalisation of
development costs to increase profits and therefore managerial bonuses. It is an ethical issue if the
auditor agrees with the ‘optimistic’ assessment of management without further verification work,
including assessing the reasonableness of the underlying management assumptions and estimates.
If the auditor agrees with the dubious numbers for fear of losing the client, it could be a self-
interest threat.
(b) The firm should consider the desirability of continued association with the client if there are doubts as
to the integrity of management.

Question 2.3
If management or those charged with governance impose a limitation on the scope of the auditor’s work
that will result in disclaiming an opinion (i.e. no opinion) on the financial statements, the auditor should
not accept such a limited engagement as an audit engagement unless required by law or regulation to do
so. See ISA 210, para 7.

Question 2.4
If inherent risk and control risk are high then the auditor must expect errors to occur (inherent risk) and
that those errors will not be detected by the internal control system (control risk). In order to ensure that
the overall audit risk comes to an acceptable level for the auditor the detection risk must be set low.
The audit risk model is a multiplication model so the two high values of inherent and control risk must
be multiplied by a low value of detection risk to get the overall result down to an acceptably low level.
In order for detection risk to be low the auditor must carry out extensive audit procedures. The more
and better quality the audit work done, the lower the detection risk. The auditor will not perform tests of
controls where control risk is high. High control risk indicates poor controls and therefore the auditor will
not seek to place any reliance upon them, and will move straight to substantive testing of transactions,
balances and disclosure.

Pdf_Folio:426

426 SUGGESTED ANSWERS

Question 2.5
No. It is not too late for the audit plan to be revised. ISA 300, para. 10, states that ‘the auditor shall update
and change the overall audit strategy and the audit plan as necessary during the course of the audit’ (see
also ISA 300, para. A15). Given there were incorrect assumptions in developing the original plan, it would
need to be revised.

Question 2.6
1. If there was concern about management override of internal controls, all parts of the financial
statements could be susceptible to misstatement. Therefore, this risk is considered to be at the financial
statement level.
2. If there was a concern about the possibility of some of the high-tech inventory becoming obsolete, the
risk relates to the accuracy, valuation and allocation assertion. Therefore, this risk is at the assertion
level.

Question 2.7

1. Management has a poor reputation If management lacks integrity, it is more likely that they might
in the business community over the be prepared to produce materially misstated or misleading
integrity of recent decisions. financial statements.

2. Repairs and maintenance accounts Accounts that were misstated in previous audits are more likely
were misstated in previous audits. to contain similar misstatements in the current year.

3. Management lacks experience. Lack of experience and knowledge may affect preparation of
the financial statements. Further, if poor business decisions are
made, this is likely to result in pressure to manipulate the results.

4. The entity is facing a cash flow If the entity is experiencing cash flow problems and poor
problem. liquidity, there may be an incentive to make the financial position
look better.

5. The inventory consists of a range of Small, high-value products are more likely to be stolen than
expensive jewellery. bulky, low-value items.

6. Taxation calculations are extremely Transactions that are subject to difficult calculations or have
complex. complex accounting standard requirements, such as tax-effect
accounting, are more likely to have errors than simple repetitive
transactions.

7. The entity is a computer manufacturer. Some businesses are inherently risky because the nature of their
products may mean that they are subject to the inherent risk of
obsolescence due to improvements in technology.

8. Management’s rewards are heavily
dependent on financial results.
If there is a management compensation scheme that is tied
to earnings or share prices, there is a clear incentive for
management to misstate the result so that they can get a bonus.
Similarly, if management has substantial shareholdings in the
company, they have a vested interest in reporting a good result
as it will affect the dividends they receive and the value of their
shares. Pressure may also be placed on management by head
office, major investors or lenders to meet budgets, forecasts
or targets.

9. Provisions are a material liability. The more judgment involved in determining an account balance,
the greater the possibility of an error. Accounting estimates,
such as provision for long service leave or provision for warranty,
are more likely to be subject to manipulation than routine factual
data.

10. The company has built a number
of office blocks, which it retains as
investments.
Decisions involving subjective judgments, such as whether to
capitalise development expenditure or whether an entity has
control of a subsidiary, also have a high inherent risk. Items
or events that require using the work of an expert, such as the
value of properties, are more susceptible to misstatement as it is
difficult for the non-expert to assess the true value.

(continued)
P df_Folio:427

SUGGESTED ANSWERS 427

 (continued)
11. The entity has a range of transactions Transactions that are not subject to normal processing are more
that are not part of normal processes. susceptible to misappropriation or errors.

12. The entity has just opened a major
retail outlet in the United States.
If the entity buys or sells goods in a foreign currency, inherent
risk will also increase as there is a risk of incurring foreign-
exchange losses due to changing exchange rates. If hedges are
taken out for those transactions, the hedging contracts may be
complex. The complexity of the recording of the transactions
under the relevant accounting standards also increases the
chance of an error.

Question 2.8
Some of the key points are:
• business risk is broader than the risk of material misstatement (ISA 315, para. A38)
• an understanding of business risk increases the likelihood of identifying risks of material misstatement
• most business risks eventually have financial consequences but these effects may not be immediate and
they may not result in material misstatement.
Question 2.9
One of the clear business risks facing the client is increased competition with a likely result of substantial
reductions in market share. There appear to be low barriers to entry because costs of adapting production
processes are likely to be relatively low for other manufacturers and, as bags with wheels attached are quite
common in the luggage industry, it is unlikely to be protected via patent, and so on. The risk is concerned
with market share and margins being affected by competition. This could have an impact on the valuation
of inventory and potential impairment of non-current assets including equipment and goodwill.
Question 2.10
The main factors that may result in an internal control system failing are as follows.
• Human judgments. The effectiveness of controls can be limited by the judgments made by individuals.
Even well-designed controls can break down (e.g. staff misunderstanding, being careless, fatigued).
• Management override. This refers to the overruling of prescribed policies and procedures by manage-
ment (e.g. ‘No need for credit clearance for X who is an excellent client’).
• Collusion. Individuals acting in collusion can often circumvent controls (e.g. separation of duties
becomes ineffective when collusion occurs).
• Cost versus benefit. Organisations have to consider the costs versus the benefits of establishing and
monitoring controls. Benefits, in particular, can be difficult to measure.
Question 2.11
Direct participation of an owner–manager in the record-keeping and other activities of the business
facilitates the monitoring of employee actions. Such effective involvement may compensate for the lack
of segregation of duties.
Question 2.12
During the discussion among the engagement team, potential ways to increase professional scepticism
related to fraud may include the following.
• Tell auditors to keep an open, questioning mind.
• Ask auditors to consider how someone could commit a fraud in particular circumstances.
• Remind auditors not to assume responses from clients are correct.
• Emphasise importance of verifying authenticity of documentation.
• Choose new and different procedures that have an element of surprise.
• Consider including individuals outside the audit team in the brainstorming session (e.g. industry experts,
forensic experts).
• Provide training, including in interviewing techniques.
Question 2.13
(a) The audit client narrowly missing a deadline for filing its tax return is an example of a trivial breach
that the auditor need not pursue further other than to obtain an understanding of the circumstances
for late lodgement and evaluate possible effects on the financial statements, which are likely to be
inconsequential (IESBA 2018).
Pdf_Folio:428

428 SUGGESTED ANSWERS

(b) The audit client has not been sufficiently accruing and paying its employees superannuation/pension
fund commitments. ISA 250 requires the auditor to obtain reasonable assurance that the financial
statements, taken as a whole, are free of material misstatement, whether due to fraud or error
(ISA 250, para. 5). In this case, the accrual or recognition of expenses of superannuation or pension fund
could be understated. Depending on the severity (systematic or once-off) and the nature (intentional or
unintentional) of the breach, the auditor is expected to respond accordingly.
• If further audit procedures found the breach to be material, in addition to obtaining an understanding
of the circumstances and evaluating possible effects on the financial statements, the auditor is also
required to discuss the matter with the appropriate level of management (ISA 250, paras 19–20).
The auditor must also evaluate the implication of NOCLAR for other aspects of the audit, including
the auditor’s risk assessment, reliability of written representation and auditor’s opinion (ISA 250,
para. 22).
• In addition to these responses, the auditor must also determine whether the law, regulation or relevant
ethical requirements require the auditor to report to an appropriate authority outside of the entity
(ISA 250, para. 29). For example, if the auditor suspects fraud, ISA 240 and ISA 250 require that
they consider reporting the matter to an appropriate authority outside the entity.
• Section 360 of the Code goes beyond ISA 250 where it calls for auditors to have regard to the
wider public interest implications of the matter in terms of potential substantial harm to stakeholders
whether in financial or non-financial terms. In Australia, the auditor has the obligation under
Regulatory Guide RG 34 Auditor’s Obligations: Reporting to ASIC to notify ASIC if the auditor
is aware of certain circumstances such as:
− suspected dishonest or misleading or deceptive conduct
− a breach that may cause a significant loss to any person or class of persons, in this case, employees
of the company (ASIC 2013).

Question 2.14
Audit procedures Examples

Observation of the entity’s operations Observe production processes, sales processes at

stores, stocktake procedures, operation of internal
controls such as gatekeeping, employee time recording

Inspection of documents Inspect business plans, strategy documents, records

such as fixed assets registers, internal control manuals

Inspection of reports prepared by management and Inspect monthly reports, balanced scorecard, variance
those charged with governance analysis, capital investment analysis, board minutes

Inspection of the entity’s premises and plant facilities Visits to the entity’s premises such as a factory or
retail outlet

Question 2.15
Based on the results of the analytical procedures the auditor would be likely to focus their audit effort on
the following.

Assertion Why Explanation

Accuracy, valuation and allocation Valuation of inventory would be The auditor needs to evaluate
at risk reasonableness of the remaining value
of inventory on hand.

Completeness Completeness of warranty May need rework and replacement.

provisions needs verifying

Accuracy, valuation and allocation Reasonableness of valuation Unhappy customers are less likely
of trade debtors merits to pay.
audit attention

Accuracy, valuation and allocation Valuation of PPE could be at risk May raise impairment issues if it has
an impact on the generation of cash
flows from equipment.

P df_Folio:429

SUGGESTED ANSWERS 429

Question 2.16
This information will affect the planning of the audit for the year quite significantly as a result of the
analytical procedures carried out (ASA 520). It indicates that there is a high risk of balances within the
financial statements being manipulated to ensure that the company achieves the requirements of the bank
covenant with regard to financial ratios. In particular, the comment that figures have been ‘gently massaged’
should be a cause for concern.

Area of audit Implication

Industry — computer hardware Potential risk of obsolescence in the inventory held because it is a
product that becomes obsolete very quickly.

Loan — current ratio requirements The company may attempt to overstate current assets and understate
current liabilities to comply with the loan agreement. They may do this
by not providing for doubtful debts or overvaluing inventory. Accruals
may not be completely recorded.

Loan — company has stated that the There is a risk that the cutoff for sales has not been properly effected.
gross profit was increased by 25% This should be carefully reviewed in the audit at the year-end.

Loan — debt to equity ratio This is more difficult to manipulate; however, the auditor should look
for potential misclassification.

It is important for auditors to evaluate the compliance of companies with financial ratios. The
implications of a lack of compliance may be quite severe for the company, including potential going
concern problems.

Question 2.17
A knowledge and understanding of the internal and external environment of the audit client may uncover:
• incentives or pressures
• opportunities and attitudes
• rationalisation to engage in fraudulent activity or the misappropriation of assets.
For individuals, incentives or pressures may be personal circumstances or unrealistic expectations
of management. Incentives or pressures for management are often associated with financial goals set
by the organisation or market expectations. Opportunity usually arises when there is an absence of
adequate or effective internal controls. Internal control deficiencies are often related to positions held by
trusted employees. Rationalisation is the process of neutralising or justifying fraudulent activities or the
misappropriation of assets.

Question 2.18
1. Factors affecting preliminary assessment of inherent risk include the following.
• Wine is vulnerable to storage conditions (temperature), suggesting high risk of spoilage, affecting
inventory valuation.
• Boutique wine operation — highly skilled processes requiring skilled staff (winemaker); reliant on
few customers?
• Export sales, foreign exchange transactions — complicated transactions with risk of incorrect pricing,
risk assessment.
• Tourism based sales at shop and café — fluctuating demand?
• Competing incentives for export sales and café consulting businesses.
• Heavy reliance on export sales increases vulnerability of business to this source of revenue, and
making product available to meet this demand.
Factors affecting preliminary assessment of control risk include the following.
• Effectiveness over quality control over wine production and storage, affecting saleability of product
(although quality control is apparently high).
• Risk of product spoilage, affecting value of inventory.
• Controls over sales made by Jim, documentation, pricing, sales allowances.
• Lack of communication between Jim and brother Bob and other staff — affecting efficiency and
effectiveness of management.

Pdf_Folio:430

430 SUGGESTED ANSWERS

 2. Lower assessed level of control risk approach is appropriate when control risk is assessed as low, while
a predominantly substantive approach is appropriate when control risk is assessed as high and it is more
efficient not to rely on controls.
For sales
The poor communication between Jim and other management and staff, plus his competing incentives
and the lack of control over his actions, means that control risk in these areas would be considered high.
The validity of sales transactions, including the amounts and terms of the sale, is at risk. There is also
a risk that sales made to customers are not entered correctly in the accounts.
Control risk for sales and debtors is high, meaning that the predominantly substantive approach would
be adopted in these areas.
For inventory
Control over production appears to be good, and inventory quality seems to be high. However, the
inherent risk of inventory spoilage is reasonably high. This suggests that a lower assessed level of control
risk could be adopted for inventory. Testing the controls over inventory, and obtaining satisfactory
results, would mean that less substantive testing would be required.
For debtors
A predominantly substantive approach for sales is more appropriate because the adjustments to debtor
accounts do not appear to be adequately controlled. Rather than developing and implementing a policy
and procedures on credit notes, Jim frequently issues credit notes to clients who complain about their
statement without investigating it. Also the lack of resources to follow company’s protocol (i.e. Jim is
to too busy to respond to customer complaints) increases the control risk.

Question 2.19
1. The balance sheet account and the relevant assertion most at risk given the information provided is as
follows.

Balance sheet account Assertion Why?

Trade debtors Accuracy, valuation Without appropriate credit checks there is a high
and allocation likelihood of debtors not paying.

2. Less reliance would be placed on tests of controls and more substantive testing would be required.
The substantive testing would be more tests of details as analytical procedures are less reliable when
internal control weaknesses exist (this will be discussed more in module 3).

Question 2.20

Test of controls or If substantive test —

Procedure substantive test? key assertion being tested

1. Examine high-value invoices for the two days Substantive test Cutoff
prior to year end to determine if sales are
recorded in the correct period

2. Compare inventory turnover across products Substantive test Accuracy, valuation

using monthly data for the last two years and allocation

3. Select a sample of trade debtors to be confirmed Substantive test Existence

and follow up on non-replies

4. Attend the annual inventory stocktake and ensure Test of controls

all procedures are complied with

5. Review any changes to the staff involved in Test of controls

authorising fixed asset purchases and disposals

(continued)

P df_Folio:431

SUGGESTED ANSWERS 431

 (continued)
Test of controls or If substantive test —
Procedure substantive test? key assertion being tested

6. For a sample of fixed assets, determine if the Test of controls

depreciation rates used are consistent with the
approved depreciation policy of the client

7. Check arithmetic on a sample of Substantive test Accuracy

sales invoices

8. Check authorisation signatures on a sample Tests of control

of travel reimbursements

MODULE 3
Question 3.1
Tests of controls provide evidence on the effectiveness of the design and operation of internal controls and
identify deviations where transactions tested have not been processed in accordance with control policies
and procedures, such as petty cash safety boxes not being locked and kept in a secure location. On the other
hand, substantive tests of details provide evidence whether an account balance is materially misstated, such
as trade debtors being overstated by $50 000. That is, the error being sought in substantive testing are errors
or misstatements in recorded transactions or balances.

Question 3.2
Identifying material misstatements is an objective of substantive testing. Errors and exceptions to the tests
undertaken as tests of controls are referred to as control deviations. When designing tests of controls,
auditors need to define what will constitute an error or exception as the audit team may otherwise waste
time on minor exceptions.

Question 3.3
A predominantly substantive approach may be more suitable to this audit engagement because:
• SMEs may not have adequate resources to implement all appropriate internal controls
• controls may not be as effective due to the lack of segregation of duties
• the size of the entity may make it inefficient for the auditor to rely on controls in performing the audit.

Question 3.4
1. Input a negative order of goods. This order should be rejected because only positive numbers of goods
should be accepted.
2. Input an order for 100 (or similar high value) items. There should be a reasonableness test performed
by the system either rejecting this order as too large or creating an on-screen message to warn the user
of the amount. This will highlight quantity errors.
3. Input a request for an inventory code that does not exist. This will ensure that only valid inventory codes
can be input — a warning should be displayed asking for a re-input.
4. Input an invalid delivery address. The system should be programmed to recognise invalid addresses
such as postal codes that don’t agree with suburb name.
5. Attempt to make changes on screen to billing address, contact name, unit prices, discount rates, payment
due dates, and so on. These data should be fixed in the master files and not be available to be changed
in the ordering system.

Question 3.5
Yes, it is an example of haphazard sampling and while it may appear to be random it is susceptible to
human bias.

Question 3.6
The audit evidence is that there is one instance of a part-time staff member being paid an incorrect hourly
rate. The fact that the payment was incorrect is evidence that the procedures for calculating and checking
the payments have failed in some way. The client’s controls for preventing the error should have stopped
Pdf_Folio:432

432 SUGGESTED ANSWERS

the incorrect payment being made. An example of such a control would be a step in the system that would
not have allowed the payroll clerk to select the incorrect rate when calculating the payment. The detecting
controls have also failed. For example, it could be the payroll manager’s job to review and approve the
payments for the month. The incorrect pay is evidence of a control exception or deviation because if the
controls had been designed and executed correctly the incorrect pay would not have occurred, or would
have been detected and corrected before the auditor found it.

Question 3.7
(a) This could indicate misappropriation of assets.
(b) The relevant assertion would be existence.

Question 3.8
(a) A reasonableness test would be as follows.
Square metres per floor rented on lower 10 floors × charge per square metre for 10 lower floors × 10
floors + square metres per floor on top 5 floors × charge per square metre for top 5 floors × 5 floors.
If the floors are not fully occupied, then adjustments need to be made for occupancy rates.
(b) This method will be preferred to the substantive testing of transactions or balances because it will give
a more precise expectation of the revenue of the property lessor. If the auditor sampled for tests of
transactions or balances and verified these individual transactions or balances (of which there could be
many if there are many tenants on each floor or if the company leases out space in numerous buildings),
it would not be possible to verify a large part of the total balance substantively.
(c) Yes.
(d) For the revenue of an airline, a reasonableness test can be developed, but it would be complicated. It
would be related to the load factor of the flights (percentage of seats occupied), the type of aircraft that
is being flown, the number of flights and the types of tickets sold. If the auditor can gain confidence
in the systems that produce these statistics, they can get a good approximation of the total revenue for
the airline. In this case, the reasonableness test would be less accurate than for the property lessor, but
it could still be useful.

Question 3.9
External debtors’ confirmations are received from customers in response to a specific request from the
auditor to confirm the balance outstanding at the year end. The confirmation provides assurance in relation
to existence of balances owed as well as cutoff confirming amounts are recorded in the correct period.
Although generally considered to be an excellent form of evidence, these do not provide comfort that the
amount will be paid and therefore give no evidence as to valuation. Some customers may also respond
without fully understanding what they are confirming. In addition, if the customer is a related party to the
organisation their independence may be in doubt.

Question 3.10
Some of the steps that the auditor could undertake are outlined in GS 016, paras 62–66 and ISA 505,
para A12.
The auditor may design and perform tests of controls as to the operating effectiveness of controls over the
electronic confirmation process. If the auditor is satisfied that the process is secure and properly controlled,
the reliability of the related responses is enhanced.
For the risks of proving the origin of the response, whether the respondent was authorised to respond
or whether there were any unauthorised alterations to information transmitted, the auditor may verify the
source and content of the response by contacting the bank.
Often, a bank uses a third-party service organisation to respond to a confirmation request and the auditor
plans to rely on the service organisation’s internal control process. If this is the case, it is important that the
auditor be satisfied with the controls over the information sent to the service organisation and the controls
applied during data processing and sending the confirmation response to the auditor. A service auditor’s
report on the internal controls at the service organisation may assist the auditor in evaluating the controls
with respect to that process.
The auditor may also be able to rely on various techniques incorporated in the electronic confirmation
process that could help validate the sender of electronic information’s identity and authority to confirm the
requested information. These would include the use of data encryption and electronic digital signatures.

Pdf_Folio:433

SUGGESTED ANSWERS 433

Question 3.11
Assertion(s) Type of procedure

(a) Accuracy, valuation and allocation Analytical procedure

(b) Completeness Tests of details of transactions

(c) Existence and Completeness Tests of details of balances

(d) Accuracy, valuation and allocation Tests of details of balances

Question 3.12
Procedures using CAATs could include the following.
• Calculate days in debtors and compare to prior periods — this could also be done for each month end
to establish how typical the year end is and also how Fitzroy is controlling debtors through the year.
• Check that the total on the list of trade debtors balances extracted from the debtors ledger agrees to the
debtors balance in the nominal ledger.
• Check the additions on the list of debtors’ balances.
• Compare individual debtors’ balances to the customer credit limit and investigate those balances that
exceed the credit limit.
• Compare for individual customers the trade debtors’ balance to sales for the year. Further investigation
of customers where there are high levels of sales but low receivables balances at the year end. It is
possible that the low balance at the year end is an attempt to prevent the customer being selected by
the auditor for testing, this can be avoided by selecting items for testing based on sales level rather than
year-end balance.
• Extract all balances over a certain age, say 90 days, for discussion in relation to the adequacy of
provisions for doubtful debts.
• Stratify the list of balances in order to extract samples for further testing, this may include extracting all
material balances, random sampling of other balances, monetary unit sampling may be used, also credit
balances can be identified.

Question 3.13
(a)
Total Population = $1 600 000
Sample value = $295 000 Errors in Sample = $18 408
% errors in sample = 18 408 / 295 000 = 0.0624 = 6.24%
Projected error = % sample error × Population = 0.0624 × 1 600 000 = $99 840

(b) No, as the amount is less than the set materiality level, the projected error is immaterial. The projected
misstatements would need to exceed $100 000 before it would be classed as materially misstated.

Question 3.14
Answer: (b) The auditor has assessed a high risk of undisclosed related parties.
ISA 550, para. A32 outlines procedures that the auditor may perform when the auditor has assessed a
significant risk that management has not appropriately accounted for or disclosed specific related party
transaction. Therefore, the answer is option b.

Question 3.15
The important differences between internal audit and the external audit functions are as follows.
Independence
As the internal audit function is a part of the entity, no matter how autonomous and objective it is, it cannot
reach the level of independence enjoyed by the external auditors.
Objectives
The objectives of internal audit function vary according to management’s requirements, whereas the
primary objective of external auditor is to determine whether or not the financial statements are free of
material misstatements.

Pdf_Folio:434

434 SUGGESTED ANSWERS

Reporting
The external auditors address their report to the members/shareholders/owners/those charged with gov-
ernance of the entity. On the other hand, internal audit reports are addressed to the management and
those charged with governance. The reporting requirement of the external auditor is determined by the
framework under which the audit is being carried out and by applicable legal and regulatory requirements.
Reporting requirements of internal audits are based on the objectives/scope of work determined by the
management and those charged with governance.

Question 3.16
(a) Existence / Accuracy, valuation and allocation.
(b) In this case an independent expert has performed the work on the key risk areas. The auditor would
need to consider ISA 620, Using the Work of an Expert.
• The auditor should assess the appropriateness of the expert’s work.
• The auditor should review the source data used by the expert and ensure that it is sufficient, relevant
and reliable. The auditor should also test the data used by the expert.
• If the results of the expert’s work do not provide sufficient appropriate audit evidence, or if the results
are not consistent with other audit evidence, the auditor should resolve the matter (e.g. more work
or audit qualification etc.)
Other work: Select a sample of fixed asset additions and disposals and vouch to supporting
documentation.

Question 3.17
The audit assistant has documented that there were no replies to certain trade debtor’s positive confirmation
letters. Jackie’s review has shown that the decision to take no further action after non-reply from customers
is not appropriate. According to para. 12, ISA 505 External Confirmations, the auditor shall perform
alternative audit procedures to obtain relevant and reliable audit evidence for each of non-responses.
Jackie should note that further audit work is required and the specific audit work to be done. Examples of
alternative audit procedures the auditor can perform are: a) examining specific subsequent cash receipts;
b) shipping documents and c) sales near the period end for the non-response customers (see para. A18
ISA 505).
Specific consideration should be given to the implication of the non-responses to audit risk for trade
debtors. These conclusions would need to be documented accordance with paras 8–12 of ISA 230 Audit
Documentation.

Question 3.18
At the planning stage the main focus is to ensure an efficient and effective audit and ensure that audit
attention is devoted to appropriate areas. The auditor will carry out a preliminary assessment of the risks
and establish a level of materiality which will determine the nature, timing and extent of audit procedures.
The level of materiality is a matter of judgment and may change as the audit progresses.
At the final review stage the auditor will determine the final materiality figure and be focussed on
evaluating misstatements that may have been found during the audit. The auditor then aggregates the total
identified misstatements and determines if it causes the financial statements to be materially misstated
(compared to the final materiality figure). Where material errors remain in the financial report the auditor
will request that management make the necessary amendments. If management refuse to change the
financial statements the auditor will need to modify the audit opinion. If the misstatements are immaterial
then the auditor will not need to amend the audit opinion.

Question 3.19
Materiality judgments involve an assessment of both the amount (quantity) and the nature (quality) of the
misstatements.
An auditor determines the overall quantitative materiality level for planning purposes by selecting a base
and applying a percentage to that base. For profit-maximising companies, the most commonly used base is
profit before tax and materiality is usually set between 5% and 10% of this base. Other bases and applicable
percentages may be used, depending on a company’s circumstances. Thus, quantitative materiality is the
dollar level used to determine if misstatements are material (either individually or aggregated).

Pdf_Folio:435

SUGGESTED ANSWERS 435

 Qualitative factors are also applicable to materiality levels for particular classes of transactions, account
balances or disclosures. The auditor must consider the nature of, and other related matters about, the
items that might give rise to the risk of material misstatements. Qualitative considerations relate to the
causes of misstatements or to misstatements that do not have a quantifiable effect. A misstatement that is
quantitatively immaterial may be qualitatively material, such as when the misstatement is attributable to
a control weakness, an irregularity or an illegal act by the entity. Discovery of such an occurrence could
lead the auditor to conclude there is a significant risk of additional similar misstatements.

Question 3.20
There are a number of factors that will determine whether the auditor has obtained sufficient appropriate
evidence to support a particular control risk assessment. The auditor requires stronger evidence if the
assessed level of control risk is low rather than medium. If control risk is high, the auditor does not have to
gather evidence to support this assessment, as they do not intend to rely on controls. They will gather their
evidence via substantive testing. Other factors that the auditor considers in determining whether the tests
of controls have yielded sufficient appropriate evidence include: type and source of evidence (some types
of audit tests provide stronger evidence); timeliness of evidence; and interrelationship with other evidence
(does all evidence point to the same conclusion?).

MODULE 4
Question 4.1
Data analytics should uncover the following five indicators of payroll fraud.
1. Multiple employees with the same information in the payroll system such as bank account routing
number, social security number, or same home address.
2. Employees on the payroll register prior to their start date or after their termination date.
3. Multiple paychecks issued to an employee within a single pay period.
4. Bonuses paid to employees who are not eligible.
5. Inappropriate wage levels given the employee’s classification.
The auditor uses their knowledge of the entity to identify potential anomalies bearing in mind legitimate
business reasons for any of the anomalies. However, the auditor would need to use professional scepticism
when investigating items flagged for further investigation.

Question 4.2
A written representation is required in the absence of clear evidence one way or the other. The evidence
to support the claim is the claim itself from BlueHound. This evidence against the claim is the director’s
assertion that the food is safe. The solicitors have not been able to clarify the position.
On that basis the auditors should seek representations from management along the following line.
‘There has been a claim for compensation made against the company from BlueHound Ltd in relation
to a product supplied by Ruff Racers Ltd. The directors are of the opinion that the claim is not justified.
Disclosure in relation to this claim contained in the financial statements is adequate and no further claims
of this nature have been received.’

Question 4.3
1. (a) The auditor has a responsibility for identifying and evaluating events up until the date of the audit
report.
(b) This is a subsequent event affecting the value of a debtor’s balance at year-end that will require
adjustment to the provision for doubtful debts (unless it has already been included).
2. (a) The auditor was made aware of this event after the financial report has been issued. In this case the
event occurred after the audit report was signed so the auditor has no responsibility in relation to
the event.
(b) No disclosure required.
3. (a) This is an event occurring after the financial report has been issued. It existed at the date the audit
report was signed. The auditor has no responsibility to look for these events but must consider them
if he or she becomes aware of them. The auditor should discuss with management the possibility of
recalling and revising the financial report, as the debtor is very material.
(b) This is a subsequent event affecting the value of a debtor’s balance at year-end that will require
adjustment to the provision for doubtful debts.
Pdf_Folio:436

436 SUGGESTED ANSWERS

Question 4.4
(a) The auditor applies analytical procedures at or near the end of the audit in order to do the following.
• Form an overall conclusion as to whether the financial statements as a whole are consistent with the
auditor’s understanding of the entity.
• Corroborate the conclusions formed through other procedures performed during the audit of
individual components or elements of the financial statements.
• Identify previously unrecognised risk of material misstatement. In such circumstances, the auditor
may:
– revise the assessment of the risk of material misstatement
– modify the further planned audit procedures accordingly.
(b) If the final analytical review results are inconsistent with the auditor’s expectations, the auditor should
investigate the differences. These fluctuations can be investigated by the following.
• Inquiring of management and obtaining appropriate audit evidence relevant to management
responses. Audit evidence may be obtained by taking into account:
– the auditor’s understanding of the entity and its environment
– other audit evidence obtained during the course of the audit.
• Performing other audit procedures when:
– management is unable to provide an explanation
– management’s explanation together with the audit evidence obtained is not considered adequate.

Question 4.5
In formulating an opinion on the financial statements, the auditor should assimilate all the evidence
gathered during the examination. An essential prerequisite in deciding on the opinion to express is a final
assessment of materiality and audit risk. The auditor should assess whether the aggregate of the uncorrected
misstatements identified during the audit is material. Normally the aggregate of uncorrected misstatements
will be recorded on a summary schedule at the front of the audit file.
The data that have been accumulated on the summary schedule are then compared with the auditor’s
preliminary judgments concerning materiality. Any adjustments in planning materiality that have been
made during the course of the examination should be included in this assessment. If the aggregate level of
uncorrected misstatements is material, then the auditor needs to consider reducing audit risk by extending
audit procedures or requesting management to adjust the financial statements.

Question 4.6
Impact
Population Sample Sample Expected population on profit
Working $’000 size $’000 error $’000 error $’000 before tax

Trade debtors 4122 770 +60 +60 / 770 x 4122 = +321 ↑

Inventories 3589 223 –8 –8 / 223 x 3589 = –128 ↓

Warranty provision 1788 1064 +96 +96 / 164 x 1788 = +161 ↓

When the sample results are extrapolated to the population, the overstatement for trade debtors is $321,
which is 7.8% (321 / 4 122 x 100%) of total trade debtors and is therefore materially misstated.
Likewise, inventory is understated by $128 which is 3.6% (128 / 3 589 x 100%) of total inventory and
is therefore not materially misstated.
The overstatement of the warranty provision is $161 or 9.0% of total warranty and is therefore materially
misstated.
The overall misstatement to profit is an overstatement of $32 ($321 – $128 – $161: note the 161 is
deducted because it is overstatement of a liability). This is an error of 0.6% of the profit and is therefore
not material at the profit level.
The trade debtors’ balance and warranty provision should be adjusted but the inventory does not need
to be adjusted. If management were to refuse to make the necessary amendments to trade debtors and
warranty provisions then the auditor’s report would contain a qualified opinion.
Note: It is not acceptable to offset the errors and state that no adjustments are required because the profit
effect is immaterial.
Pdf_Folio:437

SUGGESTED ANSWERS 437

Question 4.7
Sally’s conclusion is incorrect, for the following reason.
The error in the sample is $72 400 out of a sample size of $1 672 000 which is 4.3%. This is below
the threshold based on the property, plant and equipment values. The errors in the sample are systematic,
suggesting that they would be repeated throughout, so when extrapolating this error to the population as a
whole an error rate of 4.3% would give an misstatement of $712 000 (16 564 000 x 4.3%).
The testing is in relation to depreciation so any error would affect the profit for the period. The error of
$712 000 is 26% of profit before tax ($712 000 / $2 737 000 x 100%) and is therefore above the tolerable
error from a profit perspective.
Further testing may be necessary to be confident that the error extrapolated is reasonable. If the initial
results are confirmed the financial statement would be considered to be materially misstated in relation
to profit. Management would be requested to make the necessary adjustment to correct the depreciation
errors.

Question 4.8
(a) Yes, disclose as a KAM. This is likely to be disclosed as a KAM because it is a complex judgment
involving a higher assessed risk of material misstatement, (significant risk), and it will have a significant
effect on the audit.
(b) No. This will not be disclosed as a KAM because it involves a disclosure that is industry wide and a
well-known risk that is recognised by the broader community.
(c) Yes, disclose as a KAM. This is likely to be disclosed as a KAM because it is a complex judgment about
the most appropriate basis for revenue recognition and is a matter of audit significance that meets all the
requirements for disclosure. It is an area of higher assessed risk of material misstatement, significant
auditor judgment relating to disclosures that involve significant management judgment, and it will have
a significant effect on the audit.
(d) No. This will not be disclosed as a KAM as it involves a disagreement with management about the
carrying value of an asset that will result in a modified auditor’s opinion.

Question 4.9
(a) Even though the auditor was unable to attend the physical count of inventories, they were satisfied as to
the existence/condition of inventories by other means. This is in accordance with ISA 501, paras 6–7,
with some of these other means including inspection of the subsequent sale documentation of specific
inventory items that were purchased prior to the physical inventory counting, as spelled out in ISA 501,
para. A13.
(b) For the auditor to have given an unmodified opinion, they would have had to be satisfied with the
appropriateness and adequacy of the disclosure by management of these circumstances. In effect, the
disclosure would have to show the nature and amount of the claim against the company as a contingent
liability in the notes to the financial statements.
(c) Again an unmodified opinion could be given in these circumstances provided the total claim against the
company is appropriately and adequately disclosed as a contingent liability in the notes to the financial
statements. Also, if the auditor is satisfied in all other respects, the auditor’s report will not be modified
for the non-provision of the amount of $100 000 (the amount for which the directors hope they will be
able to settle out of court) on the grounds that the misstatement of the item in isolation is considered
immaterial (it is significantly less than 5% of net operating profit). (Because of the nature of these
circumstances, it may be argued that these circumstances are qualitatively material.)
(d) An unmodified opinion is given because the potential understatement is not in isolation considered
material.

Question 4.10
(a) No. This will result in the disclosure of a KAM, rather than the inclusion of an Emphasis of Matter
paragraph.
(b) Yes. This is a significant subsequent event that occurs between the date of the financial statements and
the date of the auditor’s report and will result in the inclusion of an Emphasis of Matter paragraph.
(c) No. This will result in the auditor issuing an unmodified opinion and including a separate section under
the heading ‘Material Uncertainty Related to Going Concern’, rather than the inclusion of an Emphasis
of Matter paragraph.
Pdf_Folio:438

438 SUGGESTED ANSWERS

Question 4.11
This is an instance of auditing comparative financial statements because the auditor’s report explicitly
refers to the prior year financial information. (Note: this is the usual practice in the United States.)
Question 4.12

Appropriate types of modifications to the

Material misstatement or scope limitation? audit opinion

(a) Scope limitation If material, but not pervasive, it will result in

An evidence limitation is an example of a scope limitation the issuing of a qualified opinion; if material
resulting from a circumstance relating to the nature or and pervasive, it will result in the issuing of a
timing of the auditor’s work (refer to ISA 705, para. A11). disclaimer of opinion.

(b) Material misstatement If the issue remains unresolved and material it

In relation to the method by which selected accounting
policies have been applied. Sampling and extrapolation
of sample results is a legitimate audit approach. Dis-
agreements with management may arise if the auditor’s
figure is materially different from management’s figure.
will result in the issuing of a qualified opinion.
Such an issue isolated to inventory would not
be expected to be pervasive.

(c) Scope limitation — imposed by management If the issue remains unresolved and is material
it will result in the issuing of a qualified opinion.
Such an issue isolated to a specific debtor
would not be expected to be pervasive.

Question 4.13

What type of audit

opinion should be issued? Why?

(a) Standard (unmodified)
Material Uncertainty
Related to Going Concern
The auditor should express an unmodified opinion and include a separate
section under the heading ‘Material Uncertainty Related to Going Concern’
(ISA 570 (Revised), para. 22).
The auditor is satisfied that there is adequate disclosure about the
uncertainty in the notes to the financial statements but wishes to bring this
to the attention of the user of the financial statements.

(b) Qualified or Adverse The auditor should express a qualified or an adverse opinion (ISA 570
(Revised), para. 23).
The auditor still has concerns about the adequacy of disclosure, which
means they are required to modify their opinion.
(c) Adverse The auditor should express an adverse opinion (ISA 570 (Revised), para. 21).
The basis of accounting used in the preparation of the financial statements
is inappropriate and will have a pervasive effect, meaning that an adverse
opinion is appropriate.

Question 4.14

Type of audit opinion Justification

(a) Disclaimer of opinion Due to the flood destroying all the accounting records towards the end of
the financial year, I would be unable to obtain sufficient appropriate audit
evidence on which to base an opinion. This would result in a disclaimer of
opinion as it would have a pervasive impact on the financial statements. This
is in accordance with ISA 705 (Revised).

(b) Unqualified opinion with As this is adequately disclosed in the notes to the financial statements an
an emphasis of matter unqualified opinion is appropriate. However, as the entity is facing significant
paragraph litigation, an emphasis of matter paragraph will bring to the users attention.
This is in accordance with ISA 706 (Revised).

P df_Folio:439
(continued)

SUGGESTED ANSWERS 439

 (continued)
Type of audit opinion Justification

(c) Unqualified An unqualified opinion is justified because the misstatement is not material.
This is in accordance with ISA 700 (Revised).

(d) Adverse An adverse opinion is justified as sufficient appropriate audit evidence has
been obtained and I have concluded that the uncorrected misstatement is both
material and pervasive to the financial statements. This is in accordance with
ISA 705 (Revised).

(e) Qualified This is an example of a disagreement with management resulting in the brand
names being materially misstated. A qualified audit opinion is justified because
sufficient appropriate audit evidence has been obtained, and I have concluded
that the uncorrected misstatements are material but not pervasive to the
financial statements. This is in accordance with ISA 705 (Revised).

(f) Unqualified This situation is an example of when an unmodified audit opinion is justified.
Therefore, an unqualified audit opinion is appropriate in accordance with
ISA 700 (Revised).

Question 4.15
(a) Qualified opinion. The audit opinion should be modified due to understatement of the provision for
long service leave being a material (affecting profit before tax by $30 million) but not pervasive
misstatement (affecting only the long service leave expense and the provision for long service leave).
Unless management agrees to the change, the material under-provision for long service leave will result
in a qualified opinion.
(b) Adverse opinion. Having identified this misstatement as material, the auditor must then further consider
whether the misstatement is of such a magnitude or so pervasive in the financial statements that an
adverse opinion needs to be expressed (the impact cannot be effectively communicated in a qualified
opinion). This is primarily due to the materiality of the trust liabilities and asset deficiency that have
not been reflected in the financial statements, meaning that multiple accounts in the balance sheet
and income statement are materially misstated, and therefore will result in an adverse opinion. The
seriousness of this qualification can be seen as the auditor, in issuing this form of modified opinion,
is effectively communicating that, in its present form, the entire financial statements are unreliable or
misleading.

Question 4.16
Some types of evidence are less prone to distortion by management. That is, if fraud were to exist, all
evidence controllable by management may contain similar distortion. It is therefore important to obtain
external evidence that is less likely to be controllable by managers — for example, evidence from sources
outside the entity, such as information on market share from industry groups, government data on tenders
granted, and so on.

Question 4.17
In this case the auditor needs to include the effect on their assessment of the risk of material misstatement
and their ability to obtain sufficient appropriate evidence (ISA 260 (Revised), para. 22).
If the situation of inadequate two-way communication cannot be resolved then the auditor needs to
take appropriate action, which could include modifying the audit report (scope limitation), obtaining legal
advice, communicating with third parties (e.g. regulator), and even withdrawing from the engagement
(ISA 260 (Revised), para. A53).

MODULE 5
Question 5.1
• A review provides limited assurance. The auditor does adequate work to report whether or not anything
came to their attention, which would lead them to conclude that the information being assured is not
Pdf_Folio:440

440 SUGGESTED ANSWERS

 true and fair. Less work is done for a review than for an audit. The auditor provides a negative opinion
(nothing came to their attention … not …) for a review.
• To be able to comment on the appropriateness of a review for half-yearly reports, the differences between
an audit and a review (and annual and half-yearly reports) should be identified.

Audit Review

Assurance Reasonable Limited

Opinion Positive Negative

Procedures Nature, timing and A subset of those performed for an audit

extent

Half-yearly reports

Reports IAS 34 (AASB 134) requires a limited set of disclosures

ISRE 2410 requires a limited level of work for a review of

interim reports

• Most entities choose to have the half-yearly report reviewed rather than audited. The half-year review
is not as extensive as the annual audit. It involves limited procedures consisting mainly of enquiries of
selected management and staff of the entity, and some analysis of financial information. As the half-
yearly reporting is more limited than annual reporting, a lower level of assurance is appropriate.
• In reviewing the half-year financial report, auditors must follow those auditing standards applicable to
reviews. The review is undertaken so that auditors can report to members on whether they are aware of
anything, based on the review procedures they performed, that would suggest that the financial report
does not, in all material respects, meet legal requirements and financial reporting standards.
• When the review is completed, auditors write a review report explaining what they have done, giving
a statement drawn from their work. As a review requires less work than an audit, it would cost less for
the service, making it more cost effective for the entity.

Question 5.2
1. A review engagement is required because the bank requires a certain level of assurance, but it has
already been agreed that an external audit will not be required. A review provides limited assurance.
The auditor does adequate work to report whether or not anything came to their attention, which would
lead them conclude that the information being assured is not true and fair.
2. The title of the report or communication that Smith & Jones will prepare is an ‘INDEPENDENT
PRACTITIONER’S REVIEW ENGAGEMENT REPORT’
3. The types of procedures that Smith & Jones would be required to conduct in this review engagement
would be inquiry and analysis to address high risk areas where it was determined material misstatements
could arise and to address all material items in the financial statements. Some of the procedures
performed will be to compare year over year balances, considering the relationships between financial
statement data, and calculation of various financial statement ratios. Once unusual or significant
fluctuations are identified, the auditor then inquires and discusses with the client whether these
fluctuations and changes are plausible.

Question 5.3
ISAE 3000 International Standard on Assurance Engagements (Revised) Assurance engagements other
than audits or reviews of historical financial information is issued by the IAASB, and the most recent
revisions apply for assurance reports dated on or after December 15, 2015. It deals with assurance
engagements other than audits or reviews of historical financial information. It applies to both reasonable
assurance and limited assurance situations.
Because ISAE 3000 applies to assurance of information or reports other than historical financial
information reports, it does cover the situation where an entity has provided a CSR and wishes to gain
a review or audit of that information. Its application paragraph A8 specifically lists an engagement for the
assurance on a report of sustainability performance as an example where its use would be appropriate.

Pdf_Folio:441

SUGGESTED ANSWERS 441

 Appendix 4 contains examples of subject matters that are relevant to the type of assurance engagements
covered by the standard, it includes a list of reports containing non-financial historical information:
• greenhouse gas statements
• sustainability reports
• corporate social responsibility reports
ASRE 2405 Review of Historical Financial Information Other than a Financial Report is issued by the
AUASB. It establishes mandatory requirements on an assurance practitioner when engaged to undertake
a review of historical financial information other than a financial report.
It is relevant to reviews (that is, not audits) of financial information and therefore relate to the situation
where there is a limited assurance rather than reasonable assurance of financial information.
ASRE 2405 is specifically relevant to financial information, rather than social or environmental
information. It would be relevant to financial metrics that are included in a sustainability report.

Question 5.4
With respect to assurance on carbon issues, Huggins and Green et al. provide a discussion of the reasons
why accountants are well placed to deliver this service.
• Education and experience benchmarks for entry to the profession.
• Ongoing continuing professional development requirements.
• Competency requirements for providing particular services.
• Performance standards for particular engagements (in the case of emissions assurance: ISAE 3410,
which was approved in 2012).
• Quality assurance policies and procedures at both the engagement level and the firm level.
• A strong and detailed Code of Ethics.
• Public confidence in assured emissions information may further be enhanced by the reputations of the
leading accounting firms.
• The global reach of the multinational audit firm networks provides a logistically streamlined option for
multinational companies (Huggins & Green et al. 2011 pp. A5–A6).

Question 5.5
Providing assurance on environmental information differs from auditing financial statements in several
significant ways.
• In many environmental assurance engagements, it is not possible to prepare a verifiable assertion,
meaning it is difficult to prepare environmental information that is assurable, as there are no records
of events and operations to examine.
• There are few generally recognised standards for systems and controls to serve as criteria in evaluating
environmental management systems.
• As the concept of evidence in the area of environmental assurance engagements is not well developed,
assurance practitioners carrying out the same assessment separately would not necessarily carry out
similar procedures, or require the same amount or types of evidence to develop their findings. This
reflects a lack of generally accepted standards for the conduct of such services, and a lack of consistency
in the procedures of those who perform them.
• The results of such environmental assessments are commonly expressed as detailed reports of findings
and deficiencies, rather than as overall conclusions as to the extent that the stated subject matter
information conforms with certain criteria. This reflects a fact-finding, investigatory type of service,
as distinct from an assurance-providing service.

Question 5.6
As discussed in detail in module 5 of the study guide, there are potential conflicts of interest if an audit
firm also performs other work for a client. For example, an accounting firm could provide consulting
services on installation of a computer system, and then be engaged to audit the client’s accounting records
that were produced by that system. There is potential for the auditor to miss mistakes in the accounting
reports through either ignorance (not realising there was a fundamental error in the system that affected
the accuracy of the accounting reports) or bias (deciding not to pursue an issue that potentially was caused
by the accounting firm’s consulting work not being sufficiently rigorous).
Sustainability reporting (preparation of the report or assurance) would not create a conflict of interest
in most cases because the information being provided in the sustainability report is not integral to the
financial report being assured.
Pdf_Folio:442

442 SUGGESTED ANSWERS

 However, companies could prefer to engage another consulting firm to prepare or assure a sustainability
report because the other firm could be an expert in that type of service, or a greater expert than the audit
firm engaged to do the financial report assurance.

Question 5.7
The auditor would:
• review the client’s implementation plan and the roll-out of the program
• review related training plans and programs
• interview key staff responsible for the implementation
• review compliance structures in place
• check the reports of internal compliance procedures relating to the Code of Conduct
• interview compliance officers
• check the implementation of the Code of Conduct at a sample of sites (through interviews with
management and employees).
To provide reasonable assurance under ISAE 3000 Assurance Engagements Other than Audits or
Reviews of Historical Financial Information on this type of claim, there would need to be a well-
developed internal compliance mechanism that the assurance practitioner could test at various levels in
the organisation. Otherwise, the auditor must cover a very large proportion of the company’s sites to feel
comfortable in providing a positive assurance of the client’s assertions.
The auditor needs to undertake a range of detailed data analysis procedures at the corporate level to
check the completeness and accuracy of the ‘total’ numbers, as well as check the reliability of the reported
data at a sample of sites. The number of sites increases substantially if the internal review process for the
sulphur dioxide data is weak. The auditor should review the text that accompanies the data to ensure that
the explanations given for the reduction in emissions reflect the evidence collected. For example, is the
reduction caused by a change in measurement technique rather than a real change in actual emission?
Question 5.8
A wide range of KPIs could be suggested, a key issue to consider is what the performance of the
organisation will be compared to and how can improvement be measured. Possible KPIs could include
the following.
Staff
• Staff turnover levels — high staff turnover indicates unhappy staff.
• Staff absentee rates — happy staff will be happy to come to work.
• Spending on staff training — improving staff skills.
• Mix of fulltime to part time staff — compared to industry averages, other organisations.
• Level of salaries and other benefits — compare to industry averages.
• Staff satisfaction surveys.
Customers
• Levels of repeat business.
• Customer satisfaction surveys.
• Levels of customer complaints.
Wider Community
• Donations to local not-for-profit enterprises.
• Sponsorship of events.
• Making the restaurants available for events at no cost to charities.
Environment
• Levels of recycled waste.
• Amount spent on energy bills.
• Capital investment on energy reducing equipment.

Question 5.9
In these circumstances, the disclosures should cover:
• sources of uncertainty (i.e. whether or not regulatory approval will be obtained)
• assumptions made relating to uncertainties (i.e. that regulatory approval will be obtained by the end of
the current financial year)
Pdf_Folio:443

SUGGESTED ANSWERS 443

• determining factors that will affect whether the assumptions will be borne out:
– meeting technical requirements
– passing relevant tests
– obtaining expert support.
Alternative outcomes as a result of assumptions not being borne out (e.g. no sales of the product) should
also be described and explained. In this example, the failure of an assumption to be fulfilled will have a
simple consequence. However, in some cases, the issuer of the prospective financial information may need
to provide a sensitivity analysis to explain the consequences of failed assumptions in terms of alternative
outcomes.

Question 5.10
An internal audit’s key functions in risk management include:
• providing assurance on the design and effectiveness of risk-management processes
• evaluating risk management processes
• evaluating the reporting of key risks and controls
• evaluating the management of key risks, including the effectiveness of the controls and other responses
to them.

Question 5.11
• Although it is management’s responsibility to design internal controls to prevent, detect and mitigate
fraud, internal auditors can assess the effectiveness of the procedures that management has implemented.
• Internal auditors help management evaluate internal controls used to detect or mitigate fraud, and the
organisation’s assessment of fraud risk, and are involved in any fraud investigations.
• Establishing a culture of integrity is a critical component of fraud control, and management must set the
tone at the top. Internal auditors may advise management on methods to inculcate this culture.
• Internal auditors watch for potential fraud risks, assess the adequacy of related controls and make
recommendations for improvement.
• Internal auditors can benchmark statistics related to the probability of occurrence and consequences of
fraud.
• Internal auditors play an important role in fraud detection. For example, when developing their annual
audit plan, internal auditors consider the organisation’s assessment of fraud risk, and may periodically
make assessments of management’s fraud-detection capabilities.
• Internal audit skills relate to gathering evidence, analysing the breakdown in controls that could enable
a fraud, and making recommendations for improvement.
• Internal auditors may have a direct role in investigating fraud incidents or act as a resource to those
responsible for investigating.

Question 5.12

COSO (2013)
Activities components Justification

(a) Management’s commitment Control environment This demonstrates a commitment to attract,

to competence develop and retain competent individuals in
alignment with the organisation’s objectives,
which is part of the control environment
(see principle 4).

(b) Separation of duties Control activities This is a control activity that helps to keep
risks in an organisation to an acceptable level
(see principle 10).

(c) Expanded foreign operation Risk assessment This is an example of where the organisation
identifies and assesses changes that could
significantly impact the system of internal
control (see principle 9).

(d) Management’s questioning of
reports that are different from
their knowledge of operations
Pdf_Folio:444
Monitoring activities This is an example of where the management
of the organisation performs ongoing
evaluations to ascertain whether the
components of internal control are present
and functioning (see principle 16).

444 SUGGESTED ANSWERS

 (e) Corporate restructuring Risk assessment This involves the organisation identifying and
involving staff reductions assessing changes that could significantly
impact the system of internal control
(see principle 9).

(f) Establishment of a compliance Information and This is an example of where the organisation
register for improprieties communication generates relevant, quality information to
support the functioning of internal control
(see principle 13).

(g) The role of the internal auditor Monitoring activities This is an example of monitoring activity over
other controls. It involves the organisation
performing ongoing and separate evaluations
to ascertain whether the components of
internal control are present and functioning
(see principle 16).

(h) How authority and responsibility Control environment This shows how the organisation holds
for operating activities are individuals accountable for their internal
assessed control responsibilities (see principle 5).

(i) Gatekeeper at a factory Control activities This is an example of where the organisation
selects and develops control activities that
help to keep risks to the achievement of
objectives at acceptable levels (see
principle 10).

(j) Communication channels with Information and This is an example of where the organisation
customers communication communicates with external parties regarding
matters affecting the functioning of internal
control (see principle 15).

Question 5.13
(a) Confidentiality of information.
Controls could include:
• logical and physical security measures; for example, password (with regular password-changing
control and encryption of data
• information protection to safeguard the integrity of the files
• privacy issues relating to customer information.
Risks include:
• corrupt information being processed
• breach of confidentiality.
(b) Transaction integrity.
Controls could include:
• identity controls for authorised personnel
• processing controls to ensure accuracy and completeness
• authenticity, accuracy and reasonableness controls.
Risks include:
• unauthorised transactions being processed
• transactions processed incorrectly.
(c) Authorisation of payments.
Controls could include:
• established levels of approval for expenditure
• reconciliations of payments with creditor records
• identity and credit verification checks to prevent unauthorised use of credit cards.
Risks include:
• unauthorised payments made to unauthorised personnel
• incorrect payments made.
(d) Assurance of business credibility.
Controls could include:
• review processes to ensure changes to the business system accommodate all aspects of commercial
activities
Pdf_Folio:445

SUGGESTED ANSWERS 445

 • management’s awareness of the risks involved in the management of data and associated security
issues
• monitoring of the performance of the sales and accounting systems through parameters agreed by
management.
Risks include:
• breach of confidential commercial agreements
• loss of business credibility.

Question 5.14
This engagement is a compliance engagement — giving assurance that required processes have been
complied with. The following procedures should be carried out to check that the tender process has been
followed.
1. Full detailed project specifications should be produced. Obtain a copy of the project specifications and
review its contents to ensure that the scope of the engagement is sufficient to cover all aspects of the
project.
2. Invitations to tender must be publicly advertised. Obtain details of when and where the advertisement
was published and obtain a copy of the publication.
3. The receipt of tenders submitted must be documented and all submissions opened at the same time.
Request documentary evidence of the tender opening processes. It would be expected that the project
team would all be present at the opening of the tender submissions and would all sign the document
indicting their presence.
4. A project team of at least three must review and assess submissions, one of who must have appropriate
expertise, in this case IT project management experience. Obtain a schedule of the team members,
ensuring there are at least three people on list. Obtain copies of the resumes of the team members and
copies of appropriate IT qualifications.
5. Contracts will be awarded based on an assessment matrix which gives a score weighted across various
factors of functionality, financial stability of the supplier, track record, price, and future support. Obtain
copies of each of the tenders submitted and the appraisal documents used to assess each tender. Ensure
the appraisal documents are in line with the project’s specifications and ensure that each tender is scored
for each of the assessment areas. Check that the overall score has been correctly computed and that the
highest scoring tender was selected. Review minutes of team meetings to ensure the decision of the
team has been finalised in accordance with the required processes.

Question 5.15
An assurance engagement is defined as ‘an engagement in which an assurance practitioner aims to
obtain sufficient appropriate evidence in order to express a conclusion designed to enhance the degree
of confidence of the intended users other than the responsible party about the outcome of the measurement
or evaluation of an underlying subject matter against criteria’.
In the case of Bravo Bags, Brad Pope, CPA was engaged to issue a written conclusion. In order to express
that conclusion, he must obtaining sufficient and appropriate evidence in order to determine whether the
actual results indicated by Bravo Bags meets the lease agreement criteria. The results of the conclusion
will enhance the landlord’s confidence that Bravo Bags has met the requirements of the lease. Therefore,
the requirements of an assurance engagement are met as there is a practitioner (Brad Pope, CPA), who will
issue a conclusion on the subject matter (the lease agreement) to a user (the landlord).

Question 5.16
The Expense Report
Note the change in role here to internal auditor. This is a fairly simple compliance audit.
There are two different things that are being asked.
1. Design procedures for a compliance audit.
2. Perform an audit on the roll-out of the procedures.
Possible Approach to Compliance Audit
The main control objectives related to the compliance audit are to ensure that:
1. reimbursements are for legitimate and allowable purchases
2. purchases are supported by receipts
3. purchases are appropriately approved
4. purchases are recorded properly in the appropriate general ledger accounts.
Pdf_Folio:446

446 SUGGESTED ANSWERS

We will need to review the policies and procedures in detail. The audit will be performed on a random
sample of expense claims.

For Roll-Out
1. Enquire as to how roll-out of procedures was communicated to employees.
2. Interview a sample of employees to:
• verify the roll-out communication
• confirm that they are aware of the types of expenditures that are permitted under the policy.
3. Did they require all employees to sign the policy as written acknowledgment of their review. Can we
test this?
4. How are new employers handled?
5. Check that the accounts payable department and managers are aware of the policy.
6. Ensure that the policy has been kept current. The policy should be updated for any changes and reviewed
at least annually to ensure it is still valid. Is this being done?

Question 5.17
(a) Assurance could be provided on either:
• the systems that generate the briefing papers (these systems may be part of the information systems
that are evaluated as part of the financial statement audit)
• the contents of the briefing papers themselves.
(b) Some of the difficulties of providing assurance include the following.
• There would be a short time frame between the time the information is generated and the time by
which the assurance is required (before the board of directors’ meeting).
• Much of this information could be forward-looking (future-oriented) and would be hard to provide
assurance on.
• Such an assurance service would be costly.
• There would be comparative advantages for the financial statements auditor providing this assurance,
but independence concerns may arise with the auditor also providing these other services.

Question 5.18
1. Preparation of a report giving advice to a client on the introduction of a new system of internal controls.
This is a form of consultancy work provided recommendations and is therefore not an assurance
engagement. No assurance is provided and no opinion given.
2. A report giving an opinion on a school’s responses to a questionnaire required by the auditor general.
This is an assertion-based compliance engagement (ASAE 3100). The report is providing information to
the auditor general indicating the extent to which the organisation has complied with some regulatory
requirements. It is likely to be an audit rather than a review and therefore would require reasonable
assurance with a positive form opinion.
3. Preparation of the company’s tax returns. This is a compilation of a return from information provided
by the client. No assurance is provided and no opinion is given.
4. A report to management about the success of a marketing campaign. It is likely that this will be a report
of findings giving details of the extent to which revenue has increased after the marketing campaign. It
is unlikely that an opinion would be given about success unless success is very clearly defined to ensure
that it is an objective criterion against which to measure actual performance. Therefore, this is likely to
be agreed upon procedures engagement on which no assurance or opinion would be provided.
5. A report to directors in relation to half-year financial report for a listed company. This is an assertion-
based engagement providing an opinion on historical financial information and the work is likely to be
a review rather than an audit. These interim reports must be either audited or reviewed and therefore
most companies would have a review performed rather than a full audit. In the case of a review there
would be limited assurance provided in a negative form. The review may be performed either by the
company’s independent auditor (ASRE 2410) or another assurance practitioner (ASRE 2400).
6. An audit of a management report into the effectiveness of a company’s internal control system. This is an
assertion-based engagement giving an opinion on a report on the effectiveness of internal controls. This
work could be a review or an audit. Many organisations have their internal control processes audited,
in which case reasonable assurance would be provided in a positive form referring to the report rather
Pdf_Folio:447
than directly on the internal controls themselves.

SUGGESTED ANSWERS 447

 7. A statement of findings to management in relation to the completeness and accuracy of its purchase
ledger balances. This is agreed-upon procedures. A statement of findings provides a statement of the
results of the procedures performed without giving an opinion as to whether the purchase ledger balance
are or are not fairly stated. No assurance is provided and no opinion will be given.

Question 5.19
(a) Indicators for:
• Economy
– cost of buses
– cost of hourly maintenance service
– drivers’ salaries.
• Efficiency
– cost per bus service
– cost per client service
– cost per kilometre
– cost per client kilometre
– cost per bus hour.
• Effectiveness
– proportion of target population whose needs have been met
– proportion of clients satisfied with the service
– service reliability and on-time running.
(b) Criteria:
– targets against which results can be compared
– trends over time to see improvements
– comparative figures from similar organisations.

Question 5.20

(a) Possible effectiveness indicators (b) Comments

Output indicators include: Issues to consider in evaluating the effectiveness

• number of RBTs
• number of drunk drivers detected
• number of DUI (driving under the influence
of alcohol)-related deaths.
Outcome indicators include:
• changes in attitudes to drink driving
• reduction in the road toll.
of the program could include the following.
• Many of the outcome measures are difficult to
measure; for example, number of drivers who still
drive while under the influence of alcohol.
• There are likely to be problems in attributing
outcomes to this particular program rather than other
programs; for example, there may be many different
programs operating that attempt to reduce the road
toll (e.g. improved roads). If there is a reduction in the
road toll, it is difficult to determine to which program
the improvement should be attributed.

Question 5.21

Measurement Source

(a) Efficiency
Gross/net cost per available hour/day Internal records/financial information
Gross/net cost per user Internal records/financial information
Labour hours per visitor Internal records
Labour hours per available hour/day Internal records

(b) Effectiveness
Total attendance/capacity Internal/box office records
Total days used/available days Internal records
Percentage increase in ticket revenue Box office records
Percentage increase in numbers attending Box office records

Pdf_Folio:448

448 SUGGESTED ANSWERS

 Percentage increase in hours/days used Internal records
Number of injuries/accidents per number of participants Accident reports
Number of criminal incidents per days used or number Police and internal records
of participants or attendees
Percentage of user households who give a satisfactory User survey
rating on cleanliness, attractiveness, condition of
equipment, safety of facilities, hours of operation
and variety of activities

Question 5.22
You might have listed any two of the following factors that may affect the selection of performance audits.
• Potential benefits, which can take many forms and include improvements in service/program delivery,
administrative and financial efficiencies, accountability and transparency, and performance assessment.
• Financial materiality related to annual expenditure, annual revenue and total assets.
• Risks to reputation and service delivery, including the visibility of the proposed audit topic and the
importance of its operations to parliament and the public.
• Priorities and capacity of the public sector auditor.

Question 5.23

Management system
Audit question or process Type of data

What is the wait time in the Patient management systems Time between patient registration (triage
emergency department? assessment) and examination (admission)
and discharge.

How is the customer call
centre performing?
Call logs • Timeliness of answering incoming calls (wait
times).
• Median duration of calls (top 5% and
bottom 5%).
• Percentage of calls not answered.

Note that there may be other systems, processes or sources of data that may be available to answer the
audit questions.

Question 5.24
1. TCSL must comply with the Department’s ‘Guidelines for procurement of medical equipment’ when
purchasing the accelerator. We are not provided with this document, but it is likely to contain rules
about approved suppliers, the tendering/purchasing process (including the type of supplier/equipment
documentation required), and so on. The auditor will gather evidence about TCSL’s purchases of the
linear accelerators and assess whether the guidelines were followed. If the guidelines are specified with
a great deal of detail, the audit will focus on ensuring that these guidelines were followed as specified.
If the guidelines are expressed loosely (e.g. ‘the firm should obtain a number of quotes’), the auditor
will need to use more judgment to assess compliance than if the guidelines are expressed precisely (e.g.
‘the firm will obtain three quotes’). The auditor will have to decide if the number of quotes obtained in
those circumstances is sufficient to satisfy the loosely expressed guidelines. Are two quotes sufficient?
If three quotes are required, the auditor could decide that two quotes are not sufficient, unless there are
extenuating circumstances (e.g. there are only two possible suppliers worldwide).
2. The performance audit examines economy, efficiency and effectiveness. The Auditor General would
consider criteria across all three dimensions. Some possibilities include the following.
• Economy. Cost of disposing of waste, cost of employees in waste disposal area; cost of transport of
waste; tipping fees; partition into general and clinical waste.
• Efficiency. Waste by weight, volume, and/or cost per patient, per department or ward (general and
clinical)
• Effectiveness. Extent of achievement of hospital’s planned improvements; total reduction in general
and clinical waste (volume, cost, method of disposal); effectiveness at sorting general and clinical
waste.
Pdf_Folio:449

SUGGESTED ANSWERS 449

Question 5.25
(a) ISRS 4400 Engagements to Perform Agreed-Upon Procedures Regarding Financial Information,
para. 9, states that ‘the auditor should ensure with representatives of the entity, and, ordinarily,
other specified parties who will receive copies of the report of factual findings, that there is a clear
understanding regarding the agreed procedures and the conditions of the engagement.’
Although the standard does not outline how this should be done in relation to the recipients of the
report, any one of the following measures could be used:
• comparing the procedures to be applied to any written requirements of the recipients
• discussing the procedures to be applied with an appropriate representative group of the recipients
• reviewing correspondence from the recipients.
(b) To ensure that there is no misunderstanding, the auditor should include in the engagement letter
‘a listing of the procedures to be performed as agreed upon’, and should consider attaching to the
engagement letter a draft of the type of report of factual findings that will be issued (ISRS 4400,
para. 12/ASRS 4400, para. 24).

Question 5.26
Compilation
• Level of assurance: None
• Opinion: There may be a report prepared to accompany the compiled statements which will state that the
information has been compiled from information and explanations provided, that the work performed
does not constitute a review or audit and that no opinion is given.
• Procedures: Compilations involve taking information provided by a client and summarising and
formatting the presentation of the information to meet a particular need. Examples of compilations
include the preparation of a financial report from a trial balance or other books and records for an
organisation or the compilation of a tax return from information provided.

Review
• Level of assurance: Limited assurance
• Opinion: The opinion will state that nothing has come to the practitioner’s attention to suggest that the
subject matter does not comply with the criteria. This is negative form assurance and gives a lower level
of comfort to the user than an audit.
• Procedures: Evidence gathered is largely restricted to obtaining representations from the management
team, or other responsible party and carrying out analytical procedures rather than detailed tests of
control and substantive procedures. This level of work will reduce engagement risk to a level that is
appropriate to the engagement.

Audit
• Level of assurance: Reasonable assurance
• Opinion: The opinion will state that in all material respects the subject matter complies with the criteria.
This is positive form assurance which clearly states to the users that the subject matter is free from
material error.
• Procedures: The auditor will plan the nature, timing and extent of procedures to provide sufficient
and appropriate evidence to ensure that engagement risk is reduced to an acceptably low level. These
procedures include: (1) obtaining an understanding of the engagement, (2) assessing risk, (3) responding
to those assessed risk, (4) performing procedures such as substantive tests and where necessary tests of
the effectiveness of internal controls, and (5) evaluating the evidence.

Pdf_Folio:450

450 SUGGESTED ANSWERS

EXAMPLE BOX ANSWERS
MODULE 1
Example 1.1

Fundamental principle under threat Details

(a) Integrity Outsiders might associate you with the illegal business.

(b) Objectivity There is a self-interest threat to objectivity. In Australia, given that the
fees generated by the audit client exceed 15% of the firm’s total fees,
an additional independent professional accountant must review the
work (APES 110, para. AUST 290.217).
The high fee revenue represents a self-interest threat.

(c) Objectivity Familiarity may be a threat to your objectivity.

The relationship may represent a familiarity threat.

(d) Professional competence and Self-interest threatens your professional competence.

due care

(e) Professional competence and There may be a reason that this item is in a different location
due care (e.g. obsolescence).

(f) None If the loan is on normal lending procedures, terms and requirements,
it is immaterial to the audit client.
The loan may comprise an independence threat if it is made on
favourable terms.

(g) Objectivity This may lead to self-interest, familiarity and intimidation threats to
the objectivity of the assurance provider.
The practitioner’s relationship with the ex-colleague may comprise a
familiarity threat.

(h) Objectivity Self-interest and intimidation threaten objectivity — a bonus for early
completion is not allowed.
The bonus payment comprises a self-interest threat.

(i) Objectivity Self-review threat (for information system) and advocacy (for hiring
financial accountant) both threatening objectivity.
The practitioner has been involved in the selection of accounting
staff. Independence is compromised should those staff prove to be
incompetent or dishonest.

(j) Confidentiality Confidentiality has been broken.

The audit manager’s friendship with the financial manager may
constitute a familiarity threat as in (c) and (g).

(k) Professional behaviour This is unacceptable professional behaviour that may bring other
member firms into disrepute.

Example 1.2
1. • Detailed independence policies that are documented and easily available in electronic format.
• Policies encouraging staff to consult on independence matters with relevant independence experts.
• Electronic databases of restricted investments (for staff members and their immediate families) —
staff and professionals to search their databases before acquiring a financial interest or financial
product.
• Partners and professional staff to confirm annually in writing that they have followed these policies
Automatic independence monitoring systems — partners and managers to regularly update their
investments, and those of their immediate family, into the monitoring system.

Pdf_Folio:451

SUGGESTED ANSWERS 451

 2. • Face-to-face and online training.
• Attending training courses.
• New staff to familiarise themselves with and sign documents stating they understand and will comply
with the requirements.
• Online testing of knowledge.
• Regular written updates.
• Annual declaration that confirms compliance with all independence policies.
• Maintenance of adequate records with respect to independence.
3. The firms should have monitoring systems that record all public company investment transactions and
holdings of partners/managers and compare them with lists of prohibited securities that would affect
the independence of the firm. Where any holding creates an independence problem, the relevant staff
need to dispose of those investments.

Example 1.3
In this situation the auditor should exercise professional scepticism and perform appropriate follow-up
work. ISA 200, paragraph A24 notes that the auditor must not be satisfied with less-than-persuasive audit
evidence because of a belief that management and those charged with governance are honest and have
integrity. The representations of management are not a substitute for sufficient appropriate audit evidence,
and follow-up procedures should be carried out on these debtors.

Example 1.4
The following factors will affect the audit plan.
• Products such as computer parts may become obsolete due to changes in technology. This will result in
increased risk associated with inventory valuation.
• The bank loan being dependent on achieving a profit creates an incentive for management to make the
financial result look better than it is.
• Moving the manufacturing to China will mean that there will be additional foreign currency issues to
consider. Transportation costs must be correctly accounted for in inventory valuation, and goods in
transit might create some cut-off problems.
• The loss of sales due to poor quality might affect stock obsolescence and saleability of inventory.
• The small profit, combined with lost sales and Galaxy Ltd.’s dependence on earning a profit to maintain
its loan, indicate a potential going concern risk.
• The sales commission creates an incentive for sales staff to overstate sales by processing fictitious sales
or recording the next period’s sales in the current period.
• Converting the computer system increases the risk of errors through incorrect conversion or rejection of
data by the new system. Completing the conversion only one month before year-end increases the risk
of errors in the financial statements.

Example 1.5
• Performance audit
• Performance audit
• Performance audit
• Financial statement audit and/or performance audit
• Financial statement audit and performance audit†
• Performance audit
Note: It is worth noting that compliance with legislative and other requirements could be included in
either the financial statement audit or the performance audit, depending on the legislation or requirement.
If the legislation or requirement is related to financial reporting, then it will be included in the financial
statement audit report; if it is not, it would be included as part of the performance audit.

Example 1.6
While automation can represent opportunities for efficiency and effectiveness, unintentional or intentional
human errors in the implementation of automation represent risks that an auditor must understand and
address. For example, based on the inconsistencies and obstacles described above, the auditor needs
to consider the impact of potential failure of internal controls, specifically those controls related to IT.
Auditors should focus on understand the nature and impact of API/RPA, including through communica-
tions with management, so that audit planning could focus on risks identified.
Pdf_Folio:452

452 SUGGESTED ANSWERS

Example 1.7
Concur and its competitors such as Expensify are also using artificial intelligence to better monitor
expenses and detect potential fraud. Auditors should check if their client’s accounting software vendor
provides similar functionality that can be used in invoicing, bill payments and payroll. Having this
functionality would reduce the risk of fraud, which the auditor needs to assess as part of the risk assessment
during the planning stage of the audit. As such, audits would become more efficient.

MODULE 2
Example 2.1
The following factors impact on the inherent risk of LRS Ltd.

Factors that increase inherent risk Factors that decrease inherent risk

• CEO wants more aggressive accounting policies • Significant experience in the hotel industry
• Wide disparity of operations • Existence of audit committee and independent
• Chairperson is also CEO chairperson
• Board and shareholders dominated by one family • Low debt–equity ratio
• Only one independent board member
• Credit restrictions
• Depressed share market
• Future public offering

Example 2.2
(a) The following facts increase inherent risks at the financial statement level.
• History of cutoff errors and there may be similar errors this year.
• Bonus scheme that is closely related to profitability.
• Going concern issues related to cash shortages, build-up of accounts payable and collection problems
with debtors.
• Pressure to improve balance sheet to make the organisation look more attractive in order to obtain
credit.
• Impact of drought and water restrictions on sales and profitability.
(b) The inherent risks at the assertion level for inventory are:
• slowdown in demand can cause a drop in prices and cause inventory write-downs
• incentives to overstate inventory numbers and valuation
• theft during the year and the implications for existence
• foreign exchange implications for valuation of inventory.
The inherent risks at the assertion level for trade debtors are:
• slowing in debtors collection and implications for the allowance for doubtful debts
• incentives to overstate debtors to increase profits and bonuses.
(c) The following facts increase control risk.
• Move away from centralised purchasing and the problem of different stores following different
policies.
• Making the control environment more complex with the range of different purchases.
• Reduced size of the internal audit department.
• Thefts during the year — control policies may not be working for part of the year.
• Credit controls over debtors not always operating.
The following facts decrease control risk.
• Improvements in security of inventory and policies related to goods received and releasing goods
from the storeroom.

Example 2.4
ISA 210 paragraph A30 outlines the circumstances when it is appropriate to remind the entity of the existing
terms of the engagement. The factors relevant to this case listed in ISA 210, paragraph A30 are:
• a significant change in nature or size of the entity’s business
• any indication that the entity misunderstands the objective and scope of the audit.
Therefore, it is necessary to send out an engagement letter because the company is expanding and the
statement by the CEO referring to the auditor’s ‘preparation of our financial statements’ indicates that
management misunderstands the objective and scope of an audit.
Pdf_Folio:453

SUGGESTED ANSWERS 453

Example 2.5

Assertion Justification

1. Completeness The account balance is inventory, and an amount that should have been
recorded in inventory has not been included.

2. Existence As the items have been mistakenly counted twice, some items included in the
inventory sheets do not exist.

3. Completeness The definition of completeness as per ISA 315 includes ‘all related disclosures
that should have been included in the financial statements have been included’
(ISA 315, para. A129). The presentation assertion refers to ‘appropriately
aggregated’, ‘clearly described’ and ‘relevant and understandable’. If the
disclosures had been included, the presentation assertion would have been the
correct assertion.

4. Rights and obligations In this case, the company does not hold or control the asset (ISA 315,
para. A129). Existence is not the correct assertion as the inventory does, in
fact, exist.

5. Accuracy, valuation In this case, the inventory has not been included at an appropriate amount as
and allocation the resulting adjustment to net realisable value has not been made.

6. Occurrence This is a transaction, and as the items had not been shipped, the sale has not
yet occurred.

7. Accuracy This is a transaction that has not been recorded appropriately (see definition of
accuracy in ISA 315, paragraph A129).

Note that the first five parts of the question relate to assertions about account balances, and related
disclosures at the period end (ISA 315, para. A129(b)). The last two parts of the question relate to changes
of transactions and events, and related disclosures (ISA 315, para. A129(a)).

Example 2.6
When companies are close to break even, and there are large fluctuations in net profit, it is unlikely that net
profit before tax is the appropriate benchmark. Given sales or total assets are much less likely to fluctuate,
one of these can be a more appropriate benchmark.

Example 2.7
1. The audit plan will need to allow for additional testing of the monthly data sent to head office. The
materiality of the areas affected by the poor quality reporting needs to be determined as this will affect
the audit plan.
2. The audit plan should reflect that these facts could affect the nature, extent and timing of audit
procedures related to PPE and liabilities related to potential redundancies. In particular, the auditor
would need to consider how far these plans have gone and the implications for the valuation of PPE in
those countries. Potential employee costs, including redundancy payments, need to be considered.
3. The auditor would need to review the contract to assess the impact on the audit plan. Is the entity
complying with the contract and are there penalties for non-compliance? Are there exchange rate
implications?
4. The implications of these facts would need to be considered in revising the audit plan related to
contingent liabilities, inventory valuation, collection of debtors, brand name valuation and going
concern.

Example 2.9
• The members of the engagement team to be included when the meeting occurs.
• The extent of the discussion which will be affected by the roles, experience and information needs of
the engagement team.
• Determining whether the meeting should be face-to-face, by telephone or computer link.
• Preparation expected prior to the meeting.
• Determining whether the meeting should be a brainstorming session or a presentation by a senior staff
member with follow-up discussion.
Pdf_Folio:454

454 SUGGESTED ANSWERS

Example 2.10
Specific business risks identified include the following.
1. Operating in many locations makes it difficult to ensure that all management policies and controls are
implemented consistently across all parts of the business.
2. The main source of finance is from individuals who have personal loans, which would suggest it might
be difficult to obtain additional finance if it was required.
3. Aiming for floating on the ASX may lead to expanding too quickly and overtrading.
4. Charging lower prices than competitors is high risk in that reduction in price might not lead to a sufficient
increase in customer numbers, so there is a risk that revenue and profits might fall.
5. There is a risk that the directors pay too high a price for the new centres.
6. If the new acquisitions don’t perform as well as expected, there is a risk that the profits will not be
sufficient to pay the interest on the new loans.

Example 2.11

Technique to assess
General control Specific control Purpose of control control

Organisational Separation of duties Avoid incompatible Observation of operations

between analyst, functions, prevent or review organisational
programmers, operators, manipulation charts
library function, and central
control group

System develop- • User participation in • Assure that system meets • Review manuals
ment system design user needs • Review the system
• Preparation of documenta- • Provide explanation of documentation
tion on system description system design

Operations • Operator manuals and
instructions
• Control features to monitor
data and system changes
• Ensure proper and efficient
use of IT
• Ensure that data are
controlled and changes
authorised
• Review manuals and
observe operations
• Review organisational
functions and
procedures

Data processing • Physical measures • Limit physical access • Attempt access

• File protection • Limit access to file data or • Verify procedures for
manipulation passwords, locks,
badges or guards

Example 2.12
General Control Concerns
Segregation of Functions
The use of IT generally implies that, due to increased processing speed, fewer people will be required to
carry out data-processing activities. In CWC’s case, there is a concentration of functions and knowledge,
which means many conventional controls, based on the segregation of incompatible functions, are no longer
possible. In particular, Jing has too much control and a significant amount of authority over the IT system
and individual e-commerce application programs. Jing seems to be performing the role of an IT manager
who is also responsible for writing application programs. Jing also seems to be performing the tasks that
would normally be carried out by a systems analyst. These functions are incompatible and should be
segregated. It represents a serious control problem that can only be corrected by employing more staff.
People involved with running IT systems should be organisationally independent of user departments.
Jing wrote the application programs that initiate the transfer of credit card receipts to CWC’s bank account
and reconcile credit card deposits with individual customer sales accounts. When one considers that Jing
is also expected to manually prepare and complete CWC’s bank reconciliation, a control issue again arises
regarding incompatible functions.
Jing should not be involved in maintaining the local area network and the website. This represents a
serious control issue — especially given Jing’s other duties.

Pdf_Folio:455

SUGGESTED ANSWERS 455

Location of Computers
The location of the computers above the cafeteria could present a significant security risk should there be a
fire. Also, the fact that staff need to open windows in summer raises issues regarding unauthorised access
to the computers and staff safety.
Backup and Recovery Concerns
Backup copies should be taken on a regular basis (more frequently than monthly) and stored at a commer-
cial offsite location. Other standard backup protocols should also be introduced.
Staff Issues
Jing is working extremely long hours, which could ultimately lead to health and safety concerns. There
appears to be a fairly strong argument to employ additional staff to support the work currently done by
Jing and Melissa.
Angie is relying on the fact that Melissa and, in particular, Jing are honest people who would not take
advantage of their positions. Given the size of Jing’s mortgage this issue becomes all the more significant.
Environmental Conditions
CWC should install central-heating and air-conditioning systems, which can reduce the risk of damage to
its IT systems from environmental hazards.
Specific Control Concerns
Dual System
It is of concern that no attempt has been made to protect the reputation of CWC by running together the
phone sales-ordering system and the internet sales-ordering system for a period of 6 to 12 months. This
would provide a backup arrangement should any teething problems with the internet sales-ordering system
arise.
Documentation
The systems documentation that does exist is poor and difficult to understand. It is essential for Jing to
maintain up-to-date documentation of the new system that is complete and accurate. All of the application
programs and interface issues seem to be in Jing’s head, which is of little use to CWC should anything
happen to Jing.
Physical Security Over Data and Programs
Staff are allowed to play games on their computers at work. Computer viruses probably represent the
greatest single threat in a personal computer environment. It is therefore essential that controls be put in
place to restrict and scan all input for viruses. The practice of allowing operators to bring in their own
computer games to play should cease immediately.

Example 2.15
Risks include:
• decreased profitability
• holding excess inventory
• potential for slow collection/recovery from debtors (there is strong competition among suppliers, so
retailers have more choice, and the suppliers may have to accept slower payments from them as a result).
From an audit planning perspective, this has implications for the valuation of both inventory and trade
debtors. There are also potential going concern issues to be considered.

Example 2.16
Failure to deliver products on time is likely to cause loss of customer satisfaction and erosion of market
share in a competitive market. This is likely to lead to a loss of revenues and profits. From an audit
perspective, it may lead to going concern problems. It also has implications for the impairment of non-
current assets and collectability of trade debtors.

Example 2.17
From the above ratios, it can be seen that the ROA has increased from 10% to 12%. In general, this could be
due to either an increase in asset turnover or net profit margin. In this case, it must be net profit margin (as
asset turnover is constant). The increase in net profit margin is not due to a higher gross profit margin
(i.e. constant at 30%), so it must be due to reduced operating expenses. In this case, it is likely the
Pdf_Folio:456

456 SUGGESTED ANSWERS

auditor would do a comparison of the key operating expenses to see what the changes are and consider the
likelihood of understatement of these expenses.

Example 2.18
• There is a trend upwards for both trade debtors and inventory as a percentage of total assets, and both
figures are higher than for competitors. Inventory and debtors turnover rates should be followed up.
• COGS is higher than for competitors but it is improving for MNO Ltd over the four-year period.
• Interest is a higher percentage than for competitors but non-current liabilities are generally smaller.
• Depreciation is decreasing and is lower than for competitors but so are non-current assets.
• Profit after tax is considerably lower than for competitors (as a percentage of expenses). This should be
considered in relation to the information obtained as part of the strategic analysis of MNO Ltd.
• There has been an increase in returns. The reasons should be ascertained.

Example 2.20
The outliers significantly above the straight line may indicate overbillings and those below the straight line
may represent underbillings. These outliers represent items of interest to be investigated. The ADA links
each invoice to the underlying data which will enable efficient and effective follow-up by the auditor.

Example 2.21
This scenario is a good example of the types of problems faced in a small business environment. The
following issues have been identified as issues of relevance to the auditor.
• One of the main issues is clearly segregation of duties. Elizabeth undertakes all of the accounting-related
tasks. She has little accounting training, and there are not many checks on her work.
• The company uses a reputable software package, but there must be concerns about the general
control environment, which may override any controls built into the software. Many people use easily
recognisable passwords, such as their children’s or their pets’ names. Thus, it is possible that people can
get onto the system. The manuals are there for all to use. These should be stored securely.
• The accounting records are not well safeguarded. The office is behind temporary partitions, and all staff
and customers would potentially have access to the computer and supporting documents that would be
maintained in the office.
• Inventory, which is likely to be their major asset, is not well safeguarded. Additional stock is sitting
on shelves behind temporary partitions, and again would be accessible to all staff and any customers
wandering through.
• It is not very clear from the case study as to how much reliance can be placed on the integrity
and competence of the husband and wife owners/managers.
The audit approach that would most likely be undertaken is a primarily substantive audit. The weak-
nesses in the general control environment would be considered to be pervasive, which means that the
control environment would not be considered reliable for providing audit evidence, and therefore tests
of application controls will not be undertaken. The auditor will extend their level of substantive testing,
particularly in the area of their major asset, inventory.

MODULE 3
Example 3.1
1. The assertions at most risk of material misstatement will be existence and accuracy, valuation and
allocation.
2. The overstatement can only be achieved by including debtors that do not exist in the trade debtors’
balances or by overstating the valuation — for example, by understating the allowance for doubtful
debts.
3. The appropriate response will then be to gather evidence that the trade debtor exists (e.g. an external
debtor’s confirmation) and that the client has valued these correctly (e.g. undertaking procedures such
as concentrating the auditor’s attention on amounts that are well overdue). This will enable the auditor
to see whether there should be an allowance for these in determining the appropriate amount for the
allowance for doubtful debts.

Pdf_Folio:457

SUGGESTED ANSWERS 457

Example 3.2
1. Sales transaction control examples are as follows.
• Rejection of transactions above a specific limit (to prevent incorrect data for sales amount).
• Inclusion of inventory item ID in sales transaction so that sales are automatically priced.
• Include customer number in sales transaction so that sales to customers who have exceeded their
credit limit are rejected.
2. Possible tests include the following.
• Test data — the auditor prepares some data to process through the client’s computer system. The data
would have valid and invalid types of transactions. The auditor would try to prepare enough invalid
transactions to mimic all types of errors (e.g. if the client does not sell items with values greater
than $1000, the auditor could prepare a transaction with $1 000 000 as the value to test if the client’s
system will reject the transaction).
• Process the client’s actual transactions through another software package controlled by the auditor.
The auditor would test if the output from the client’s software is the same as the output from the
auditor’s software. This would require the auditor to have software that would be similar enough to
the client’s systems.
• Interrogation software — the auditor would have special software to interrogate the client’s systems
to request reports of transactions with certain parameters. The audit software could also search for
evidence of changes, which could be unauthorised, made to the client’s software. The audit software
could also search for likely problems with the client’s software.

Example 3.5
Using CAATs testing for all transactions would look better.
As you can see from this example, a major benefit of using CAATs is that you can now test the total
population, allowing you to claim this in your report. This can add more weight to your observations and
make it easier for you to communicate to the business how you reached your conclusion.

Example 3.6
If the software control is working, employee A’s transaction will be accepted, and employee B’s transaction
will be rejected and written to an error or exception report.

Example 3.7
Test data could be used to do the following.
• Identify the controls contained in the program (program controls).
• Prepare transactions designed to test the program controls. These transactions should contain errors such
as invalid employee numbers, incorrect pay rates, calculations contrary to the union agreement, negative
leave entitlements and abnormally large entitlements.
• Process transactions using the client’s annual leave pay program. Ensure that the version of the program
the client usually uses in production is tested. The auditor should consider the adequacy of library
controls and other general controls that ensure the correct version of the program is used.
• Obtain a printout of the details of the processing of the transactions through the client’s program. It is
expected that transactions containing errors will be excluded from processing and written to an error or
exception report for follow-up.
• Compare the auditor’s prior expectations and check that the errors were all identified. If the output is
in accordance with the auditor’s expectations, then this gives the auditor greater confidence that the
program is working as they believe, and that they can rely upon key controls.

Example 3.8
Order Order Order Unit Vendor GL
number type date Store Quantity Unit Description price Received code code

9126 N 6/5 nn 2013 10 1000 Small bags 28.50 y CON249 7893

5896 N 21/5/nn 3067 1 1000 Large bags 36.00 y CON249 7893
5 1000 Small bags 28.50 y CON249 7893
2148 S 1/5/nn 5790 1 1 Security alarm 225.00 y CON077 5847
monitoring

dPf_Folio:458

458 SUGGESTED ANSWERS

 9132 N 8/5/nn 2013 12 200g bags Fine 58.45 n CON305 5034
Ground
5801 S 1/5/nn 3067 1 Telephone rental 125.00 y CON021 5697
4944 N 28/5/nn 8702 1 1 Security alarm 225.00 y 5847
monitoring
4059 N 18/5/nn 2103 1 12 200g bags Fine 58.45 y COF305 5034
Ground
7855 N 11/5/nn 1038 5 1000 Small bags y CON249 7893
5592 N 6/5/nn 2013 10 1000 Small bags 28.50 y CON249
9132 N 8/5/n 2013 2 12 200g bags Fine 58.45 y COF305 5039
Ground

Note: Shaded cells contain missing or invalid data

Example 3.9
Company That Rents Storage Space
1. In this situation, multiplying the number of square metres available by the charge per month per square
metre would provide an accurate estimate of revenue.
2. When the storage space is not fully occupied, then it is necessary to adjust each month’s estimated
revenue by the occupancy rate, which is likely to be based on past history.
Hotel in a Tourist Destination
1. Due to the variability, the construction of the model for the reasonableness test becomes much more
complicated.

Example 3.10
1. It first needs to be acknowledged that the numbers used in calculating the 20X9 ratios are unaudited,
so they need to be interpreted with caution.
From Table 1, ‘Huggins Ltd results for 20X6–20X9’: An improvement in company trends between
20X6 and 20X9 is shown. Net profit as a percentage of sales increased in 20X8 and 20X9 after a drop
from 20X6 to 20X7.
However, there are large changes between 20X6 and 20X7 in all the other ratios, except for inventory
as a percentage of sales and sales commission as a percentage of sales.
Further, abrupt changes occurred between 20X7 and 20X8 in:
• debtors turnover
• PP&E as a percentage of sales
• inventory as a percentage of current assets
• PP&E as a percentage of total assets
• working capital.
Abrupt changes occurred between 20X8 and 20X9 in:
• debtors turnover
• the current ratio
• repairs expense as a percentage of sales.
Gradual trends or small changes in these ratios, but not the fluctuations shown in Table 1, would
be expected. Trade debtors, inventory and PP&E should be given special audit attention for 20X9.
From Table 2, ‘Competitor analysis for 20X8’: The competitor analysis is undertaken on 20X8
data, as these are the latest competitor data available.
Inventory turnover is slower than for competitors.
Also, debtors turnover is slower than for competitors, raising potential issues related to the
accuracy, valuation and allocation assertion for receivables.
Inventory as a percentage of sales, inventory as a percentage of current assets, and PP&E as a
percentage of total assets appear high for Huggins Ltd compared to its two competitors.
Huggins Ltd’s ratio for PP&E as a percentage of sales appears unusually high.
These ratios may be indicative of overstated inventory and PP&E accounts.
2. (a) It would be very unlikely that substantive analytical procedures could be used to eliminate tests
of detail for trade debtors. It is unlikely that substantive analytical procedures will be sufficiently
effective in assessing the risk of material misstatements for specific assertions for this account
Pdf_Folio:459
balance. It is also very unlikely that a sufficiently precise expectation or an acceptable amount of

SUGGESTED ANSWERS 459

 difference from an expectation can be developed. For this reason, tests of detail for trade debtors
are usually undertaken, including debtors’ confirmations and subsequent receipts’ testing.
(b) It is likely that sales commission expenses could be appropriately tested by substantive analytical
procedures. From the data, it appears that sales commission expense is a fixed percentage of all sales,
and the data show that this level has been maintained — at 8% for 20X8 and 20X9 and at 6% for
20X6 and 20X7. The auditor will have to verify that this percentage is accurate and then undertake
testing to verify sales commission expense. However, the auditor would not have to undertake any
further testing of details to verify sales commission expense.
(c) It is unlikely that substantive analytical procedures could be used to eliminate tests of detail for
repairs expense. It is unlikely that a sufficiently precise expectation or an acceptable amount of
difference from an expectation could be developed. Also, given the more discretionary nature of this
expense (compared with sales commission expense) and the higher risk of material misstatement
in practice (expensing repairs versus capitalising assets), it is more likely that an auditor would
undertake substantive tests of details.

Example 3.11
1. Bonus plans and share ownership can create incentives for managers and other employees to manage
earnings. The fact that the CEO is concurrently chairperson of the board of directors is likely to
exacerbate the situation. Auditors need to be aware of the motives of potential employees when such
incentives are in place.
2. (a) This method overstates inventory, reduces cost of goods sold and increases profit.
(b) This method overstates sales and trade debtors, and increases profit.
(c) This method understates liabilities and expenses/inventory and increases profit.
(d) This method understates cost of goods sold and liabilities (accounts payable) and increases profit.
3. (a) (i) Check the pre-numbered stock count sheets.
(ii) Observe the physical stocktake and compare the perpetual inventory records to the count sheets.
(b) (i) List the sales transactions of a few days before and after the financial year-end, and check that
the accounting entries associated with them are recorded in the correct period.
(ii) Check the debtors’ confirmations.
(c) (i) Examine the subsequent payments to suppliers.
(ii) Examine the orders not matched with vendor invoices.
(d) (i) Examine the creditors’ confirmations.
(ii) Examine the subsequent payments to suppliers.

Example 3.12
There are two issues with inventory valuation; firstly confirming that the inventory physically exists and
that the count is correct, and secondly verifying that the inventory is correctly valued and that adequate
provision has been made for damage or obsolescence.
The generalised accounting software (GAS) package can assist with both of these tasks. Audit team
members will check the client’s count of some inventory items. Time and cost reasons mean that it is only
economic for the auditors to check a sample, and provided that there are not a significant number of errors
and other problems, then the auditor may assume that the other item counts are also correct. The GAS
package can be used to identify the sample to check. This would normally be the items with the x% of
highest unit values and those with the highest y% of total values.
Similarly, it may be used to identify irregularities in the inventory master file, for example, items with
negative quantity or negative unit value, and slow-moving items or items which have not been issued for
(say) two months, which may indicate that they are out of season and possibly may be no longer fashionable
next (say) winter.

Example 3.13
The auditor will probably undertake a positive debtors’ confirmation procedure to obtain evidence relating
to the accuracy, valuation and allocation assertion for the trade debtors’ balance.

Example 3.14
Under MUS, the understatement would have reduced the number of sampling units from 1000 to 10.
Therefore, this debtor is less likely to be selected than it would if there was not an understatement error.
Pdf_Folio:460

460 SUGGESTED ANSWERS

 Note: At the extreme, if an item has a zero balance, it cannot be selected under MUS. If the sampling
application does require identification of understatements, MUS would not be seen as an appropriate
sampling approach.

Example 3.16
1.(a) General controls, particularly access controls, are especially important in a business-to-business e-
commerce system. Access can be limited to those approved suppliers, and the performance of the
hub manager is important. If the accepted supplier is not doing their job (e.g. not delivering on time
or goods delivered are not up to the expected standard) the risk is limited, as Pet Ltd would not
transfer payment until it was satisfied that it had received what it had ordered. If Pet Ltd was not
satisfied with what it was receiving, it would withdraw from using this hub.
(b) Greater. The risks are much lower in being associated with a business-to-business e-commerce hub
than with a business-to-consumer e-commerce system, especially in relation to controls over access.
This is because of the hub manager’s control procedures and the fact that Pet Ltd will become familiar
with the reliability of the suppliers, as there will be an expectation of a continuing relationship
with the suppliers that are approved for a business-to-business e-commerce hub. With business-to-
consumer e-commerce, the likelihood of continuing business is significantly less.
2.(a) Test data involve the auditor preparing simulated transaction data. This is designed to test the program
controls in the system. The test data will include both correct data and incorrect data. The test
transactions can be entered through the system in an online mode, or more commonly, they can
be run through the program in an offline environment on a copy of the client’s inventory file.
(b) The easiest way to discuss test data is through the program controls that should be resident in such
systems. Such program controls include terminal device edit, reasonableness and other validation
tests, for example:
i. checking inventory number to authorised list of inventory numbers
ii. a reasonableness check on agreed cost price, number of inventory items on hand or total cost.
3. You might have included any three of the following exception reports relating to accuracy, valuation
and allocation assertion for inventory:
i. total cost significant, date of last usage greater than x months ago
ii. total cost significant, total usage year-to-date small
iii. total cost significant, date of last purchase greater than x months ago
iv. total cost significant, total purchases year-to-date small.
Note that there may be other exception reports that relate to the accuracy, valuation and allocation
assertion.
These reports would be used to help the auditor identify inventory that has a higher risk of obsolescence.

Example 3.17
1. On the basis of the information provided, the auditor would reassess the risk of material misstatement,
from ‘low’ to ‘high’, for Clark Ltd in relation to related party transactions. The reason for this is that
information gathered during the course of the audit suggests that Clark Ltd may be selling profitable parts
of the business (lucrative segment) to related parties, specifically the joint venture between Wing Chan
and the Clark family. At the same time, they are bringing into Clark Ltd additional ventures that are risky
and for which the business rationale is unclear. (The synergies between a company importing swimming
pools and pool chemicals and uranium exploration are unclear.) It is also possible that the parties involved
with this transaction are associated with related parties, as Wing Chan has a number of mining interests in
Australia (the owners of these mining interests need to be identified by the auditor). The incentive to do this
appears to be the fact that the Clark family is considering selling their shareholding in Clark Ltd to China
Overseas Company. Therefore, the possibility is that the family is going to strip the company of lucrative
assets and load it up with assets and ventures that have been unprofitable.
2. The auditor needs to understand the rationale for the transactions that have occurred, which appear to be
outside the normal course of the Clark Ltd business, and not just accept management’s suggested business
rationale. The auditor should carefully consider the terms of the sale of the pool chlorine line segment and
carefully examine any records, documents and/or contracts of sale that can be provided about this matter.
In particular, the related parties’ auditing standard (ISA 550, para. A22) requires the auditor to concern
themselves with any contracts and agreements that are not in the entity’s normal course of business.
This may also lead the auditor to re-evaluate fraud risk factors that may be present in the form of
fraudulent financial reporting and may have been undertaken to deceive. The auditor should enquire
Pdf_Folio:461

SUGGESTED ANSWERS 461

 of management regarding the nature of these significant transactions and obtain an understanding of
the business rationale behind the transactions and the terms and conditions under which they have been
entered. This also involves significant transactions, not only by direct influence on a transaction by being
a party to that transaction, but also by indirect influence through an intermediary (as may be the case
with the purchase of the mining tenement). In particular, the auditor should confirm or discuss specific
aspects of the transactions with the intermediaries, including the banks and solicitors, and confirm the
purposes, specific terms or amounts of the transactions with the related parties. Additionally, the auditor
should attempt to determine whether the related party transaction was conducted at arm’s length.
Management support for such an assertion may include (ISA 550, para. A43):
• comparing the terms of the related party transaction to those of similar transactions that have taken
place
• engaging an external expert to determine market value and to confirm market terms and conditions
for the transaction
• comparing the terms of the transaction to known market terms or broadly similar transactions in
another market.
Because of Australian requirements, the auditor’s response would also need to consider any Corpora-
tions Act 2001 (Cwlth) requirements for special permissions from shareholders before undertaking such
significant transactions, and the assessed risk of any required disclosures of related party transactions
(assertions about both classes of transactions and events, and account balances including reference to
‘related disclosures’ — see ISA 315 (Revised), para. A129) that are not conducted on terms equivalent
to those prevailing in arm’s length transactions. As outlined in ISA 550, paragraph A45, in those
circumstances, if management has not disclosed a related party transaction in the financial statements,
there may be an implicit assertion that the transaction was conducted on equivalent terms.
In evaluating these related party disclosures in the context of the disclosure requirements, the auditor
would consider whether the facts and circumstances of the entity’s related party relationships and trans-
actions have been appropriately summarised and presented so that the disclosures are understandable.
These disclosures may not be understandable if the business rationale and the effects of the transactions
are unclear, or the terms and conditions of the transaction are not appropriately disclosed.
The auditor should also consider if it is appropriate to obtain a written representation from those
charged with governance, which would include circumstances where they have (ISA 550, para. A48):
• approved significant related party transactions that materially affect the financial statements or
involve management
• made specific oral representations to the auditor regarding details of the related party transactions, or
• financial interests in the related party transactions.
As some of the transactions are outside the normal course of business, including exploration work
for uranium, and given the approach of the takeover offer, the auditor would need to consider their
responsibilities under ISA 250 (Revised), paragraph 13. In particular, the auditor would need to
obtain a general understanding of takeover legislation involving overseas companies and mining and
environmental laws. ISA 250 (Revised), paragraphs 13–18, sets out the auditor’s consideration of
compliance with laws and regulations.

MODULE 4
Example 4.1
(a) Adjust. The financial statements for the year ended 30 June 20X9 should be adjusted. The circum-
stances making up this event occurred before balance date. The company now has a quantifiable amount
that it can include as an expense and a liability, and this should be included in the accounts.
(b) Disclose. The financial statements for the year ended 30 June 20X9 should disclose the intention to
take over the private engineering partnership. This is a significant event that could be expected to affect
the decision-making process of the financial statements user, and as such, it needs to be disclosed.
(c) Disclose. It could be expected that this fire and the potential financial loss (which may be material)
would be a significant event that could be expected to affect the decision-making process of the
financial statements user. As such, it needs to be disclosed.
(d) None. Neither adjustment nor disclosure is appropriate. Company plans are not an explicit part of the
financial statements. Selective disclosure of goals and plans would be misleading.

Pdf_Folio:462

462 SUGGESTED ANSWERS

Example 4.2
(a) 20X9 20X8
$m $m % change
Income statement
Revenue 18.6 19.7 (5.6%)
Gross profit 7.4 9.3 (20.4%)
Profit before tax 0.4 2.6 (84.6%)
Gross profit margin 39.8% 47.2% (15.7%)
Profit before tax/revenue % 2.2% 13.2% (83.3%)
Statement of financial position
Non-current assets
Property, plant and equipment 11.8 8.7 35.6%
Current assets
Inventory 2.7 1.2 125%
Trade debtors 1.4 0.8 75%
Cash - 0.4 (100%)
Current liabilities
Bank overdraft 0.7 - -
Trade payables 1.9 0.9 111.1%
Bank loan 4.8 0.2 2300%
Total current liabilities 7.4 1.1 572.7%

(b) 20X9 20X8 % change

Current ratio 0.55 times 2.18 times (74.6%)
Quick ratio 0.19 times 1.09 times (82.7%)
Days in debtors* (average debtors x 365 / credit sales) 21.6 days 14.8 days
Debtors turnover (credit sales / average debtors) 16.9 times 24.6 times
Days in inventory* (average inventory x 365 / cost of
goods sold) 63.5 days 42.1 days
Inventory turnover* (cost of goods sold / average
inventory) 5.7 times 8.7 times
Days in payables* (average accounts payable x 365 /
credit purchases) 45.6 days 31.6 days
*
Average values could not be calculated for 20X8 so limited for comparison purposes.

Profitability
Revenue has fallen by approximately 6% which may reflect difficult trading circumstances, but gross profit
margin has fallen significantly from 47% to 40% and profit before tax to revenue has fallen from 13% to
2%. This indicates that at the gross profit level the company is struggling to maintain margins either through
maintaining selling prices or controlling costs. This will put significant pressure on cash flows. This has
translated into lower profit before tax. More detail on specific expense categories is required to complete
the analysis.

Non-Current Assets
There has been significant expenditure on non-current assets (increase of 35.6%) which has not been
translated into higher sales (reduced by 5.6%), again putting pressure on cash flows. The details contained
in the audit file with regard to the specific assets purchased, their timing and how they were financed is
needed to get an understanding of the new assets. Depreciation policy should be carefully reviewed to
ensure useful lives appear appropriate.

Liquidity
The current ratio indicates that the company may not be able to meet its short-term commitments when
they fall due as it has declined from a healthy 2.18 times to 0.55 times. It should be maintained above 1.
The quick ratio indicates that the entity’s liquid assets no longer cover current liabilities (reduced from
1.09 times to 0.19 times). It appears that the entity’s liquidity situation is deteriorating, indicating that the
future viability of the company may be in doubt. The auditor should compare the entity’s ratios with the
industry average to assess Jobstone’s liquidity relative to close competitors.

Pdf_Folio:463

SUGGESTED ANSWERS 463

 There has been an increase in both days in debtors (up from 14.8 to 21.6 days) and days in inventory
(up from 42.1 to 63.5 days). Debtors turnover has reduced from 24.6 times to only 16.9 times per year,
indicating that it is taking longer to turn over trade debtors. Likewise, inventory turnover shows that
inventory is being turned over only 5.7 times compared to 8.7 times in the previous year. Increasing
inventory puts pressure on cash flows. This may be finished goods that cannot be sold or holding levels of
raw materials that are too high. High levels of trade debtors suggest difficulty in recovery of funds from
customers, which again places pressure on cash flows. High levels of both inventories and trade debtors
may also indicate a risk that both contain amounts that are not realisable and the provisions for inventory
write-downs and doubtful debts may be inadequate. The entity has made only a small operating profit and
may be avoiding writing down balances as this would create a loss that would not look good when talking
to the bank about its loan. The detailed work on both these areas needs to be carefully reviewed to ensure
there is not a risk of inventories and trade debtors being overvalued.
The days in payable have also increased significantly (up from 31.6 to 45.6 days), this would suggest
that the entity is delaying payment to suppliers in order to manage cash flows. This is a dangerous strategy
as suppliers may choose to no longer trade with the company, which could significantly affect operations.
When looking at current assets and liabilities, it is clear that the entity has moved from a cash positive
position to an overdraft and now has a significant loan balance possibly as a result of the asset purchases.
The fact that the entity has breached the terms of the bank loan puts them at significant risk.
Whether the entity is a going concern risk depends on its future prospects, in particular, whether it can
retain support from the bank. In addition, the entity will need to take control of the falling margins; maybe
the new equipment will create efficiencies. Levels of inventory holding and the recoverability of trade
debtors will need to be carefully reviewed.
Example 4.3
$ error in fin Total
statements Projected estimated Adj to Assets Adj to Liabs Adj to Profit
Description (A) error (B) error (A) + (B) dr/(cr) dr/(cr) dr/(cr)
1. Cutoff incorrect 5 600 5 600 (5 600) 5 600
Inventory adjustment 3 294 3 294 3 294 (3 294)

2. Year-end stocktake 11 250 11 250 (11 250) 11 250

3. Debtors
(i) 2 510 2 510 (2 510) 2 510
1 476 1 476 1 476 (1 476)
(ii) 2 080 2 080 (2 080) 2 080

4. Loan confirmation 1 000 1 000 (1 000) 1 000

TOTAL (16 670) (1 000) 17 670

5. Does not affect the profit — only a recommendation for disclosure in the notes.
6. Does not affect the profit — just a differing disclosure category.

The objective of the summary schedule is to be able to assess the aggregate errors to compare them to
materiality. This also has a benefit in that some of the errors may offset one another, and the summary
schedule enables the auditor to gain a better overall perspective.
In relation to a determination of whether the financial statements are materially misstated, a determi-
nation of final materiality would firstly need to be performed. The most common method would be by
using final net profit. Assuming 5% of net profit was appropriate, then materiality would be set as $5000.
In this case, it is the same as planning materiality which was determined during audit planning. As the
total misstatements are more than $5000, the total aggregated misstatements indicate that the financial
statements are materially misstated.
Example 4.4
(a) Factors that should be taken into account by the auditor in forming an opinion include:
• other current and non-current liabilities (including contingent liabilities) besides the disputed bank
loan
• the likelihood of receiving regulatory approval for sale of the anti-obesity drug within the coming
12 months
Pdf_Folio:464

464 SUGGESTED ANSWERS

 • the probability of access to alternative means of financing
• budgeted sales on existing products for the coming 12 months
• management’s plans for bringing forward any other products in the development pipeline.
(b) The materiality of the loan in relation to the disagreement with management over its disclosure is less
important than it would be in the absence of the problems with approval for the anti-obesity drug and
the threat to going concern arising from that situation. Bringing forward payment of the loan, together
with foregone revenue on what had been expected to be a strongly demanded product creates concern
over the going concern status of this company. That is, it is going concern issues rather than disclosure
issues that have become the primary audit focus and, as such, the materiality of the disputed portion of
the bank loan recedes in importance compared with assessing the likelihood of the company remaining
viable for the next 12 months.
(c) Since the primary audit risk is related to the going concern status of the company, the auditor will
issue an unmodified opinion and include a separate section under the heading ‘Material Uncertainty
Related to Going Concern’ in the auditor’s report with respect to the going concern issue if this material
uncertainty is adequately disclosed, and the auditor believes it is appropriate that the entity prepare the
financial statements on the basis of the going concern basis of accounting. If the material uncertainty is
not adequately disclosed, the choice is between a qualified or adverse opinion. If the auditor judges that
it is inappropriate for the entity to prepare the financial statements on the basis of the going concern
basis of accounting, they will have to issue an adverse opinion (ISA 570 (Revised), para. 21).

Example 4.6
The events or conditions are as follows.
• Paying suppliers late. This suggests cash flow problems and/or poor management of creditors.
• Demands from suppliers for cash on delivery. This creates additional cash flow problems because SS
does not have the ability to receive and sell goods before paying suppliers. The additional cash flow
problems will require SS to raise or source cash (probably at a cost) from a bank (i.e. requesting bank
overdrafts or increasing it) or by delaying payments to other parties and/or accelerating cash receipts by
discounting goods. These actions are likely to increase costs and reduce profits.
• Correspondence between SS and the bank. The cash flow problems appear to be ongoing since 20X6.
SS’s cash position appears to be deteriorating, with no positive action taken.
• Change of auditor. A change in auditor is not by itself a sign that there are going concern problems.
However, one possible reason for the change in auditor is difficulties between the client and the previous
auditor about the appropriate treatment of certain items and/or audit report qualifications. The change
in auditor might be late in the year, hampering the audit firm’s ability to conduct appropriate procedures
for client acceptance (such as conversations with SS’s bank and previous auditor).

Example 4.12
(a) The auditor would have to be satisfied with all the disclosures contained in the financial statements of
Idealic (Australia) Pty Ltd. Although the auditor may not be able to confirm balances that Idealic
(Australia) Pty Ltd have with Idealic (SA) Pty Ltd, they should attempt to gain evidence from
alternative procedures. In particular, the auditor would need to gain evidence to support the related
party transactions (the significant inter-entity transactions), ensure that the related party disclosures
were appropriate, and expect that the entity would disclose, as an after balance-date event, that one of
their major trading partners had been required to halt operations as a result of the withdrawal of staff
for a period of time after balance date. If the auditor is satisfied in all these areas, they may be in a
position to issue an unmodified opinion.
(b) Disclaimer of opinion. On the basis of the information provided, it does not appear that the consolidated
entity will have access to the accounts of the South American subsidiary in order to prepare
consolidated accounts. Because of the significance of this scope limitation, which has occurred as
a result of circumstances beyond the control of the entity, the auditor will have to issue a disclaimer
of opinion. This is despite the fact that Idealic (SA) Pty Ltd is in a break-even situation and, therefore,
not contributing to consolidated profit.

Example 4.19
(a) Suggested improvements are as follows.
• Letter should be addressed to the audit committee with copies to Ms Poon and Mr Sullivan.
• Letter refers to ‘major weaknesses’; however, in reality, all weaknesses are usually reported. The
matters in this letter do not appear to be particularly ‘major’.
Pdf_Folio:465

SUGGESTED ANSWERS 465

 • Matters noted could be written in bullet point or tabular form to make them easier to read. The letter
should also include recommendations as well as implications for the client in relation to each matter
noted.
Some information was omitted from the letter, such as following.
Trade debtors
• How often was the reconciliation late? Letter should include the facts.
• Reference to difficulties for audit staff should be removed, and the implications for the client should
instead be described.
• Reconciling items — examples should be given or a list provided.
Cash payments
• Details of the cheques should be given.
Petty cash
• Statement regarding tax deductions is speculative and should probably be removed.
• Comments regarding staff member should be re-written in a less accusatory tone.
• Details of the expenditure making up the amount should be included.
Request for response in writing.
Reference to ‘undiscovered weaknesses’ sounds negative and could be removed.
It is usual etiquette to end the letter by thanking the client and staff for their assistance during the
audit.
(b) Whether or not the minor errors were included in the letter would depend on whether or not they
were considered matters of governance interest. Matters of governance interest would normally include
ASA 260 (ISA 260):
The auditor’s responsibilities in relation to the financial report audit.
The planned scope and timing of the audit.
Significant findings of the financial report audit, including: significant qualitative aspects of the entity’s
accounting practices, significant difficulties encountered during the audit, significant matters discussed
with management, any written representations requested, and any other matters of the audit that, in the
auditor’s professional judgment, are significant to the oversight of the financial reporting process
Audit independence, which includes statements that the engagement teams have complied with
relevant ethical requirements, all matters that may reasonably be thought to bear on independence
and safeguards that have been applied to eliminate identified threats to independence or reduce them
to an acceptable level.

Other matters that the auditor may consider to include in the communication with those charged
with governance are:
The general approach and overall scope of the audit
The selection of, or changes in, significant accounting policies and practices that have, or could have,
a material effect on the entity’s financial report
The potential effect of any significant risks and exposures
Audit adjustments
Material uncertainties that may cast doubts on the entity’s ability to continue as a going concern
Disagreements with management
Expected modifications to the auditor’s report
Any other matters agreed on in the terms of the audit engagement.

(To reduce the risk of litigation some firms report all matters, even though some may be minor.
Minor matters are generally included in an appendix to the main body of the letter.)

MODULE 5
Example 5.1
Note: The following answer is constructed on the basis of the Diabetes Victoria’s 2018 concise financial
report. The independent auditor’s report on this concise financial report is standard and so this suggested
solution will apply to most independent auditor reports on concise financial reports.
Pdf_Folio:466

466 SUGGESTED ANSWERS

(a) The basis on which the audit of the concise financial report has been conducted is typically described
in the basis for opinion and/or auditor’s responsibility sections of the independent auditor’s report, and
it uses words to the effect that:
We conducted our audit in accordance with Australian Auditing Standards … We are independent of
the Company in accordance with the ethical requirements of … APES 110 … our audit of the concise
financial report in Australia. We believe that the audit evidence we have obtained is sufficient and
appropriate to provide a basis for our audit opinion.

In the auditor’s opinion section, it is stated that ‘in our opinion, the accompanying concise financial
report of … complies with Australian Accounting Standard AASB 1039 Concise Financial Reports’.
Therefore, the auditor will be undertaking the audit in order to determine any material non-compliance
with this standard.
(b) The procedures that will be undertaken in respect of the audit of the concise financial report will usually
be of three forms. For information that is taken directly from the full annual report, such as financial
information, the procedures will include testing that the information in the concise financial report
is derived from, and is consistent with information contained in the full financial report. For other
information that was not directly derived from the full financial report, such as the accompanying
discussion and analysis of the financial information, the procedures will include examination, on a
test basis, of evidence supporting the amounts and other disclosures. Third, other information in the
annual report will be read to determine whether it contains any material inconsistencies with the
concise financial report. For the Independent Auditor’s report to the members of Diabetes Victoria,
the auditor’s procedures are outlined in the third paragraph under the subheading ‘Information Other
than the Financial Report and Auditor’s Report Thereon’.
(c) The opinion that will be offered is that the concise financial report of the audit client complies with (or
departs from) Australian Accounting Standard AASB 1039 Concise Financial Reports.
(d) Compliance framework. It can be seen that the form of the audit opinion (i.e. it includes the words
‘complies with’) is that which is issued under a compliance framework rather than the type of opinion
that would be issued under a fair presentation framework. Compliance engagements will be discussed
later in this module.

Example 5.2

Criteria Meets criteria? Justification

Relevant Partly This relates to what the organisation is trying to achieve, which is to
improve the quality of service to emergency patients. It is important to
find measures that fully capture the ‘quality’. There is a need to measure
the effectiveness of the treatment beyond asking the patient for an
assessment. While there are difficulties in measuring the effectiveness
of the treatment (e.g. correctness of diagnosis, quality of bandaging or
survival/improvement in condition of heart-attack patients), it is often better
to try to measure important objectives imperfectly rather than ignore them.

Quantifiable Partly Yes/No questions for satisfaction fail to register differences between
someone just satisfied compared to someone very satisfied. While such
questions can be quantified as 0/1, this is probably inadequate to provide
the information required. Additionally, the customer satisfaction questions
are not well defined. For example, what is meant by ‘quality of treatment’?
Attributes may be interpreted differently by different people.

Verifiable No Are the measures collected in such a way that allows other people to
check or validate the measures? Given the data is collected by different
staff, depending on who is on duty, comparison over time may be difficult
because of inconsistency in the method of recording. It is unlikely that the
measures would be statistically valid as any two or more days each week
can be used to collect the data. Busy days are probably avoided. The data
is likely to be unreliable

(continued)

P df_Folio:467

SUGGESTED ANSWERS 467

 (continued)
Criteria Meets criteria? Justification

Free from No There are no independent reviews of the performance measures and,
bias depending on how the measures are used, there may be incentives to bias
the results. Some of the measures (e.g. patients seen within 30 minutes
of arrival) can lead to dysfunctional activities (e.g. treating less critical
cases first as they may take less time to assess). The length of time to
discharge may result in early discharge, telling patients to go home and
return if symptoms return or sending patients in wards home earlier to
allow emergency patients to go to the wards.

Balanced No While the questions asked are relevant to the hospital’s service provision,
it is likely that other measures could be introduced for the sake of
completeness. Outcomes other than satisfaction are probably relevant. The
measures should probably be reviewed and revised at the end of the first
period. It would be difficult to attribute improvements in life expectancies
to changes in the hospital emergency procedures, as many other hospital
and community programs could influence life expectancies.

Cost-effective No While measures are collected only two days per week, time data on service
must be collected and customer satisfaction questions must be asked
and the answers recorded. The system is time-consuming and likely to be
uneconomical. Existing information should be considered for suitability
before designing new measures.

Time-based Partly The data is reported only every six months, making it difficult to take timely
and timely corrective action. Two of the questions are time-based.

Example 5.3
The following report draws on the case facts to provide an assurance report in accordance with ISAE 3000
(Revised), paragraph 69. Items in the following list are cross referenced to the standard.
(a) Independent Assurance Report
(b) To the Management of RST Ltd
(c) We have reviewed RST Ltd’s disclosure of its balanced scorecard targets and actuals for each of its
divisions and the reliability and relevance of the financial and non-financial performance measures
presented for each division, for the year ended 30 June 20X9. This assurance engagement was designed
to provide reasonable assurance.
(d) The balanced scorecards of RST Ltd were examined for conformity with criteria provided by
International Performance Management Ltd.
(e) N/A
(f) N/A
(g) The determination of the measures to include in each division’s scorecard report, and the completeness
and accuracy of the reported results, are the responsibility of RST Ltd’s management. Our responsibil-
ity is to express an opinion, based on our assurance engagement, of the conformity of the performance
measures with the relevance and reliability criteria of the International Performance Management Ltd.
(h) Our assurance engagement was performed in accordance with the International Standards on Assurance
Engagements (ISAE 3000 (Revised)).
(i) The assurance firm applies an International Standard on Quality Control (ISQC), ISQC 1 Quality
Control for Firms That Perform Audits and Reviews of Financial Statements, and Other Assurance
and Related Services Engagements.
(j) The assurance firm complies with the independence and other ethical requirements of the International
Ethics Standards Board for Accountants’ (IESBA’s) Code of Ethics for Professional Accountants.
(k) Our assurance engagement included:
1. obtaining an understanding of the strategic objectives and goals of RST Ltd and each of its divisions
2. assessing whether the selected performance measures relate to the chosen strategy for each division
3. assessing the procedures used to produce the reported results
4. selectively testing the reported results
5. performing such other procedures as we considered necessary in the circumstances.

Pdf_Folio:468

468 SUGGESTED ANSWERS

 (l) As a result of the procedures performed, we conclude that, in all material respects, the financial and
non-financial performance measures included and the balanced scorecard targets and actuals for each
of the divisions of RST Ltd for the year ended 30 June 20X9 are relevant and reliable in accordance
with the criteria of the International Performance Management Ltd.
(m) John Smith, FCPA
(n) 31 August 20X9
(o) Melbourne
Source: Adapted from International Auditing and Assurance Standards Board (IAASB) 2018, ISAE 3000 (Revised) Assurance
Engagements Other than Audits or Reviews of Historical Financial Information, para. 69, in Handbook of International Quality
Control, Auditing, Review, Other Assurance, and Related Services Pronouncements, 2018–19 edn, vol. 2, accessed July 2019,
https://www.ifac.org/publications-resources/2018-handbook-international-quality-control-auditing-review-other-assurance.

Example 5.4
There needs to be:
• an executive summary that includes:
– the audit objectives and coverage
– the audit criteria used
– the overall conclusions
– a list of specific recommendations.
• an introduction that includes:
– the audit content
– the audit approach
– the audit criteria
– the audit scope.
There should also be a separate section on planning procurement activities, conducting procurement,
record keeping, monitoring and reviewing. Each section should systematically set out the issues addressed,
the audit work done, the conclusions reached and specific recommendations. Examples of best practice
should likely be included in each section. Subsections could be used where appropriate; for example,
conducting procurement could have tender processes, ensuring non-discrimination and procurement
support.
A final section should outline the main findings and conclusions of the audit. Any assumptions made
should be included. For example, the conclusion that a costs swing of between 10% and 40% can be made
is very broad. Where exactly will the savings be made and what are the circumstances/assumptions for a
specific amount of savings?

Example 5.5

Risks Improvements

(a) Systems are inadequate to keep pace with
growth, and risk in the business has increased
with the taking on of more debt. Not severe
in the short term but, in the longer term, may
lead to difficulties in recording and managing
the business’ transactions, activities and
growth. This may, therefore, cause the collapse
of this business.
Review the current systems in place and establish
areas for improvement. This could include
considering implementing a new and more suitable
system. The COSO framework and/or the AS/NZS
ISO 31000 Risk Management — Principles and
Guidelines framework could be used to aid this
review.

(b) There is no management agreement in place Implement a management agreement to manage the
to manage the arrangement with the building arrangement with the building manager.
manager. As a result, the business manager
may fail to perform according to expectations.
This risk could be classified as severe because
the management of the buildings is a key source
of revenue. This could also cause damage
to reputation.

(c) Current KPIs do not address student complaints. Introduce KPIs around student complaints, and
This risk will be severe in the medium to introduce mechanisms to action performance below
longer term because students will seek other target. Produce a communications plan to manage
accommodation. relations and expectations.

P df_Folio:469

SUGGESTED ANSWERS 469

Example 5.6
(a) Auditors of financial statements should already be familiar with control environment factors such as
management style, philosophy and organisation structure. However, these matters would need to be
reconsidered where they are likely to affect the risk of material misstatements in the weekly report of
inventory. For example:
• Is management committed to accurate and complete weekly reporting?
• Has management taken appropriate steps to plan for the weekly reporting process and made
necessary changes to the controls and systems?
The continuous audit will not be viable if key detection controls only function well after inventory
data has been processed.
As a further example, a detection control that is a review of output, and reconciliations done at month
end, may be effective enough for an annual financial statements audit but for a continuous audit and
reporting of inventory amounts on a weekly basis, there is a need for:
• immediate update of sales and purchase transactions affecting inventory
• more powerful controls.
(b) The auditor will need to have access to the following data in order to undertake the continuous audit.
• The cost of the purchased inventory in local currency — therefore, the terms of sales agreements
will need to be identified as to who bears exchange rate risk.
• The average selling price for each inventory item will need to be calculated for the week — in order
to calculate the lower of cost and net realisable value.
• The drawn-down value of the additional loan facility — in order to identify whether the total cost
of inventory has fallen below the drawn-down value of the facility.

Example 5.10
It appears that ‘yes’ or ‘no’ judgments were made as to relevance and appropriateness. As it could be
argued that there are degrees of relevance and appropriateness, these judgments could have been made on
a finer scale (e.g. a seven-point scale moving from ‘highly relevant’ to ‘not relevant’).

Example 5.15
(a) Accountability in the public sector requires the parliament to allocate resources to departments and
government agencies. It then approves the uses to which these resources are put and specifies the
expected outcomes of the programs or initiatives. The accountability process also includes the relevant
departments and agencies reporting back to parliament on the use of the allocated resources and
results achieved.
Performance audits are carried out by or on the behalf of the auditor-general to provide assurance to
parliament that public resources have been used appropriately.
(b) The audit objectives in these circumstances would be:
• to assess the economy, efficiency and effectiveness of supplying food and food distribution services
to SDF personnel to identify possible areas of improvement.
(c) The audit criteria for assessing the economy, efficiency and effectiveness of current administrative
arrangements would include the:
• clarity and comprehensiveness of the SDF policy guidelines
• adequacy of SDF’s coordination of food rationing and distribution arrangements
• adequacy of procedures and planning guidelines for food rationing and distribution at the three
service levels
• extent to which performance information and benchmarking would assist with the management
of messes — whether managed internally or provided by private contractor’s existence and adequacy
of management systems to evaluate SDF’s catering contracts.
(d) Economy. In this instance, economy is concerned with the purchase and supply of the appropriate
quantity and quality of food, and the use of human and physical resources at the appropriate times and
at the lowest reasonable cost. Some of the indicators that would help ensure economy would include:
• reduction in cost per unit measure of food provisions and food-related services provided
• benchmarking of SDF’s food provisioning costs against the costs of private providers and against
providers that have contracts outside the SDF
• reduction in cost of contracts with private providers.
Efficiency. In this instance, efficiency is concerned with the productive use of financial, human and
physical resources to both purchase and supply food to SDF personnel. In effect, efficiency is trying to
Pdf_Folio:470

470 SUGGESTED ANSWERS

 maximise the outputs and outcomes for any given set (financial, human or physical) of resource inputs.
Some of the indicators that would help ensure efficiency would be:
• delivery of food on time to the appropriate location
• minimal use of human and physical resources, irrespective of their source
• number of food provisioning staff per SDF personnel reduction in food wastage.
Effectiveness. In this instance, effectiveness is concerned with determining whether SDF’s food
provision and distribution arrangements adequately meet the needs of SDF staff. Some of the indicators
that would help ensure effectiveness would include:
• supply of food of high dietary quality
• SDF personnel satisfaction
• range of food choice
• number of staff complaints
• time taken to supply food to combat zones.
(e) The key recommendations that could be included in the report are the:
• development and use of an integrated SDF food rationing and distribution policy that is reviewed
and updated annually or as required
• development of consistent and comparable performance information
• development of a cost-effective performance indicator of food rationing and distribution
• development of a policy and procedures that would reduce the potential for duplication of effort
and lack of coordination
• benchmarking of SDF food provision and catering services against other similar services
• ordering of food using a demand-driven system rather than it being supplied on a full usage
assumption
• the amalgamation of the three divisions and rationalisation of the food supply contracts, where
feasible
• supply of cost information and other performance data from contractors to enable catering services
to be compared and evaluated across the three divisions
• training of relevant SDF staff in contract formulation, evaluation, negotiation and administration
of service contracts.

Example 5.16
(a) This is a matter of judgment; arguments can be extended both for and against the proposition that Peter
has cast the scope of the examination too widely. For instance:

Peter’s argument Counterargument

Not all grounds/games/rest spells
are comparable (e.g. roofing,
lighting, temperature) and, so,
there is inequity in the draw.
This would be so even if all teams played each other twice, and
variation in playing conditions would be present even if only one
location was used. Perhaps there is more validity to the argument
concerning the need for an equal number of rest days between matches
for all teams, as this is something within the league’s control.

Certain dates exist when
particular teams have to play
each other, so the draw is not
random.
There is transparency about the dates and teams involved in that these
are annual events, and presumably the draw, leaving aside these special
circumstances, is random. Although it is likely to be within the league’s
control to abandon these special events, the public interest in creating a
random draw in its purest sense would need to be balanced against the
tradition, rivalry and spectacle that likely builds around these ‘special
events’.

(b) Peter might have examined past statistics relating to the frequency of particular teams playing each
other, correspondence from the league’s constituents, its motives for retaining rules that give other
than a random chance of each team playing other teams at particular locations, an inventory of the
various characteristics of available grounds, press coverage of the issues and any litigation surrounding
the draw. This evidence is all of a non-financial nature, whereas in a traditional audit, the majority
of evidence is financial in nature. Peter would need to consider the specific types of evidence
available upon which to base his opinion, and this type of evidence might be appropriate only for
Pdf_Folio:471

SUGGESTED ANSWERS 471

 this engagement. In a traditional audit, the type of evidence on which to base the opinion is more
conventionally known and applicable to many engagements.
(c) Peter is new to Trivoria and, so, is perhaps less informed (compared with a long-standing Trivorian)
about the culture and environment in which kneeball is played. As with the more traditional audit,
there is an argument that the fresh, objective approach Peter is likely to bring to the assurance task
has advantages. On the other hand, there is an argument that a more familiar, experienced approach —
that is informed about the constituents, politics and other important aspects of the subject matter — is
likely to be best

Example 5.17
Note: The reporting requirements for Manna Pty Ltd are consistent with the practitioner’s compilation
report set out in Appendix 2, Illustration 1, of ISRS 4410 (Revised) Compilation Engagements with the
exception of the following three requirements.
1. A description of the practitioner’s responsibilities in compiling the financial information, including that
the engagement was performed in accordance with ISRS 4410 (Revised). There should be a statement
to the effect that:
We performed this compilation engagement in accordance with ISRS 4410 (Revised).
2. Explanations that, since a compilation engagement is not an assurance engagement, the practitioner is
not required to verify the accuracy or completeness of the information provided by management for the
compilation, and accordingly the practitioner does not express an audit opinion or a review conclusion
on whether the information is prepared in accordance with the applicable financial reporting framework.
There should be a statement to the effect that since a compilation engagement is not an assurance
engagement, we are not required to verify the accuracy or completeness of the information you provided
to us to compile these financial statements. Accordingly, we do not express an audit opinion or a review
conclusion on whether these financial statements are prepared in accordance with IFRS for SMEs.
3. A report title is another element that is missing and should be clearly identified.

Pdf_Folio:472

472 SUGGESTED ANSWERS

WESTERWAYS CASE STUDY SOLUTIONS
MODULE 1
Task 1.1: Ethical principles and independence
Professional Accountants in Public Practice IF1-EPI
Client Westerways Pty Ltd
Audit for year ending 31st December 20X6
SPECIFIC ISSUE 1: CONFLICT OF INTEREST
Section of the Code 310 and Part 4A Ethical Objectivity
principle
Threat Ethical principles and independence
Safeguards The firm has policies on assignment of staff; for example, staff in Audit Division may
perform assurance or other compliance services, such as taxation work, but do not
perform consulting services. (Source: Professional integrity and independence—M01
information)
Each six months, the firm circulates a document containing a list of all audit clients,
and all partners and staff are required to respond by submitting a statement of any
financial or other interests (e.g., a relative working for a client) that might threaten
the firm’s independence or appearance of independence with respect to any of the
clients. (Source: Professional integrity and independence—M01 information)
Evidence provided
• Len Lewis asked CLT to assist in the protection of his investment by helping Joy and Mark Valenti
implement an accounting system, review their financial plans, and prepare the final accounting and
taxation work and the audit. (Source: Appendix 1: Memorandum) Ray Campbell passed the company
establishment services to his partners. (Source: Initial services for the new company — M01 information)
• Ray Campbell informed Joy and Mark Valenti that CLT’s corporate planning partner might be able to work
with them to improve their business plan. (Source: Appendix 1: Memorandum)
• The discussion on the additional services provided to Westerways demonstrates that Ray Campbell and
his audit team members were not involved in these additional services. (Source: Initial services for the new
company—M01 information)
• The partners of CLT are very conscious of their need to be, and to appear to be, independent of the
companies they audit. They know that in their audit work they must be entirely objective with respect to
the company and its management. (Source: Professional integrity and independence—M01 information).

SPECIFIC ISSUE 2: PROFESSIONAL APPOINTMENTS

Section of the Code 320 Ethical Integrity or professional behaviour
principle
Threat Ethical principles
Safeguards Ray Campbell should obtain knowledge and understanding of Westerways
management to assess whether they are likely to be involved in any unethical
practices or lack integrity (the Code).
Evidence provided
• Threats to professional behaviour may be created from behaviours of the client (its owners, management or
activities). Ray asked Len whether Joy or Mark Valenti had any criminal records, or misdemeanours. (Source:
Appendix 1: Memorandum) This would have helped Ray to assess whether taking Westerways on as a client
would be likely to bring discredit to the firm and/or profession.
• Professional accountants must have a high degree of integrity based on the principle that, as professional
accountants in public practice, their task is to serve the community and for that purpose to put service before
profit. (Source: Professional integrity and independence—M01 information)

SPECIFIC ISSUE 3: PROFESSIONAL APPOINTMENTS

Section of the Code 320 Ethical Professional competence and due care
principle
Threat Ethical principles
Safeguards Ray Campbell and the audit team should acquire knowledge of the hardware
industry and its regulatory requirements (the Code). CLT are aware that they must
be competent to perform the audit, possessing both the skills required and the staff
available at the times required. (Source: Professional integrity and independence
section provided with M01 tasks)

P df_Folio:473

SUGGESTED ANSWERS 473

 Evidence provided
• Ray Campbell explained to Joy and Mark Valenti the services CLT provides to their clients, conscious that the
firm is not as good as they should be in the provision of services in retail. (Source: Appendix 1: Memorandum)
• The partners lead their staff by themselves participating in staff development seminars containing discussion of
ethical issues. (Source: Professional integrity and independence—M01 information)

SPECIFIC ISSUE 4: FEES AND OTHER TYPES OF REMUNERATION

Section of the Code 330 and 410 Ethical Professional competence and due care
principle
Threat Self interest and Independence
Safeguards As general safeguards, the partners of CLT never allow themselves to rely on one
client or set of related clients (including staff of an audit client) for more than 10%
of their fee income in a year. (Source: Professional integrity and independence
section provided with M01 tasks)
Evidence provided
• Ray Campbell claims the total fee from Westerways will be a fraction of their practice’s income, less than 1%.
The total work for Len Lewis including the Westerways work will bring their dependence on Len’s business to
about 8% of CLT’s income. Ray goes on to explain that even though the firm will be performing other services
for Westerway initially, these will soon cut back to annual compliance work. Ray also mentions that they may still
get the occasional financial planning or systems advice job, and perhaps some tax return work for the owners
(Joy and Mark Valenti). (Source: Appendix 1: Memorandum)
• Ray believes that there will be no threat to their audit independence. This is because an auditor, even though
dealing from day to day with the management, and in practice normally agreeing the audit fee with the
management, is actually working primarily for the benefit of the shareholders and other parties external to the
company, such as lenders to it. (Source: Professional integrity and independence—M01 information)

Prepared by/Date Signature Reviewed Signature

by/Date
F Kerr
XX/XX/X6
Fiona Kerr
Task 1.2: Essential elements of the Westerways assurance engagement
The International Framework for Assurance Engagements (para. 7) defines assurance engagements as:
an engagement in which a practitioner aims to obtain sufficient appropriate evidence in order to express a
conclusion designed to enhance the degree of confidence of the intended users other than the responsible
party about the outcome of the measurement or evaluation of an underlying subject matter against criteria.

The five essential elements of the Westerways assurance engagement are provided in the table below.
Element Westerways assurance engagement
Three-party • Assurance practitioner — Ray Campbell, Audit specialist for Campbell Lee Taylor (CLT)
relationship • Users — shareholders of Westerways — Len Lewis, Joy and Mark Valenti, Ms Verity
Samson and Mrs Bambi Bagg; creditors/suppliers of finance — Westerways Bank
• Responsible party — Board of directors of Westerways — Len Lewis (chairman), and Joy
and Mark Valenti

Underlying Financial statements

subject matter
Criteria International financial reporting standards (IFRS)
Evidence Ray Campbell has to gather sufficient, appropriate audit evidence to form an opinion as
to whether the financial statements comply with the financial reporting standards i.e. the
financial statements are presented fairly, in all material respects, or give a true and fair view in
accordance with the financial reporting framework.
Assurance A written audit report containing a clearly expressed conclusion (audit opinion) about the
report subject matter information.

dPf_Folio:474

474 SUGGESTED ANSWERS

MODULE 2
Task 2.1: Understanding the client’s business
PL1-UCB
Client Westerways Pty Ltd

Audit for year ending 31st December 20X9

Understanding of the client’s business

FACTOR COMMENTS

Explain relevant The company is in the retail industry and is governed by the companies legislation and
industry, regulatory other standard legislation for retail, such as occupational health and safety legislation
and other external and trade practices legislation. Its financial reporting framework is the standard
factors, including the framework for limited companies.
applicable financial In fact, the company is in at least two different sections of the retail industry,
framework homemakers’ hardware and domestic-ware, including gifts. The industry is not
changing other than through changes in technology, for example in the release of new
merchandise for gardening. In hardware, it competes with the big hardware stores in
the capital city, with the supermarkets, which sell only some of the merchandise, and
with the large stores that focus on industry and agricultural buyers. In its domestic-
ware, it is in competition with various small specialty shops for gifts, china, cutlery, etc.
Westerways has an unusual mix of merchandise and has no direct competitors.
The business depends heavily for its success on the particular talents of its owner-
managers, particularly in the domestic-ware division. As the business expands, they will
have to employ staff with the appropriate skills in selection of appropriate merchandise.

Explain nature of entity: The company buys from wholesalers and manufacturers, locally and overseas. In its
• operations domestic ware side, its buyer influences the suppliers through her interest in design.
The company sells the merchandise and it provides sales support services in the form
of advice in the store to customers. It has just made available a delivery service, using
a new van, for favoured customers.

• ownership and Westerways is a limited company with only five shareholders, executive directors
governance Mark and Joy Valenti, who hold 50% jointly, chairman Len Lewis with 30% and two
private investors with 10% each. There are no known related parties, other than the
companies of Len Lewis. The board of directors comprises Len Lewis, Chairman, and
Mark and Joy Valenti, executive directors. Under an arrangement, the Secretary of one
of Len Lewis’s companies acts as Secretary to the Westerways Board.

• investments made or During the year the company purchased a delivery van. There are apparently no
planned immediate plans for major investments, but we should expect the expansion to a third
store in the next two years.

• structure Mark handles management of the hardware division and Joy the domestic-ware
division. In each of the two stores, in charge of the sales and inventory function there is
a Supervisor and a Deputy Supervisor. There is an Administrator at the Arnton store
in charge of accounting and an Assistant Administrator at the Tannam store. The
effectiveness of management must be dependent to some extent on the cooperation
between Mark and Joy, who are effectively joint managing directors.

• financing There is a loan with the company’s bank secured on the Arnton premises and a leasing
agreement with the landlord of the Tannam premises, which are rented. There is an
agreement with the bank to go into overdraft when needed, as for example for the
payment of taxes and dividends in March.

Explain and evaluate There have been no unusual features of the company’s accounting policies.
management’s Accounting estimates include depreciation and net realisable values of slow-moving
selection and inventory, and with increasing credit sales a need for an estimate of the allowance for
application of doubtful debts.
accounting policies However, the company is now receiving refunds on purchases under bulk purchase
agreements with an increasing number of suppliers. Under these agreements, they
receive about a month in arrears credit for refund of part of the cost of purchases in
accordance with formulae. These amounts are checked roughly by the Administrator.
They are brought to account on a cash basis.

P df_Folio:475

SUGGESTED ANSWERS 475

 Summarise entity’s The business’s objectives have not been formally stated but may be inferred as
objectives and providing a satisfactory return on capital for the shareholders and providing business
strategies and related challenges to the executive directors in the form of success in providing a good retail
business risks that service for the local community in hardware but more particularly in domestic/gift ware.
may result in material Although the business has been successful, it does seem to be in quite a high-risk
misstatement of the industry in that a larger competitor might move into its country town markets. However,
financial statements its particular success has been in its giftware division and it might be difficult for the
competition to match its successful purchasing and marketing.
There does not seem to be any intention to sell the business, giving an interest
in overstating profit, nor in defrauding the outside shareholders or the taxation
department, giving an interest in understating profit. We may therefore assume that in
general the risk of material misstatements in the financial statements is low to medium.

Evaluate the processes Prime performance measures are: gross profits by product range; costs as a
for measurement percentage of sales; sales per square metre of floor space; customer satisfaction; and
and review of the financial results with comparison with budget.
client’s financial These, it seems, do not themselves present any risks of material misstatement
performance, including from management fraud. The risk arises from any interest of the owner-managers in
their implications overstating profit (e.g., to make the business look better as a sale prospect, or to earn
for risk of material higher dividends) or understating profit (e.g., to avoid profits tax or to avoid paying
misstatement of the dividends to the outside shareholders).
audited financial
statements
Implications for the An interesting and successful business that should not cause undue problems in our
current year’s audit audit of the financial statements.

Prepared by/Date Signature Reviewed by/Date Signature

F Kerr
6/10/X9
Fiona Kerr
Task 2.2: Analytical review procedures for audit planning
PL2-ARP

Client Westerways Pty Ltd

Audit for year ending 31st December 20X9

Analytical review procedures for audit planning

FACTOR COMMENTS

Discussion of analysis See the attached analytical review workings, based on the audited data provided for
previous two years and the annualised data for the current year.
• Comments on trends:
– There has been rapid growth, with for 20X9 likely to be 2.6 times 20X7 sales and
net profit from trading up in that time also by about 2.5 times.
– In that time, assets have increased by 1.4 times.
Below is a discussion of the conclusions from our use of ratio analysis.
• Solvency:
– The quick ratio deteriorated between 20X7 and 20X8. It was budgeted to return
towards 20X7 figures in 20X9 but is likely to fall short of this because of the van
purchase and will be about 0.31, which prima facie is low. Note also that trade
debtors are becoming a larger part of the assets here.
– The current ratio has been sliding since 20X6 and seems likely to be about 1.21 at
31st December, against a budgeted ratio of 1.26.
– The debt to equity ratio shows that the creditors have a higher interest in the
business than the shareholders. This indicates that the shareholders should leave
more profit in the business. On the other hand, a large part of the liability is the
proposed dividend, a further part is taxation and much of the remainder is non-
interest-bearing trade payable.

dPf_Folio:476

476 SUGGESTED ANSWERS

 – The number of times interest earned shows that the loan interest is well covered
by available profit. This seems to be an unusual business in that its quick and
current ratios are not as favourable as one would expect but the interest charging
finance is easily serviced.
– There do not seem to be liquidity concerns but the situation is dependent on
continuing strong sales of inventory and an economic recession would probably
hurt the company severely; they need to be careful not to expand too rapidly into
more stores unless they increase their equity capital. To increase this, they should
at least not pay such high dividends. We should discuss their solvency situation
with the Board.
• Efficiency:
– The debtors’ turnover ratio is shown to be slightly improving this year, while the
proportion of sales for credit has slightly decreased, reflecting the strong retail
sales performance. We should nonetheless investigate the need for an allowance
for doubtful debts.
– The inventory turnover ratio had been steadily improving and was budgeted to
improve again for the full year 20X9. Our figures show that it may not reach the
budgeted figure.
– The asset turnover ratio shows that the company is doing well in selling more in
relation to its investment in assets. This might indicate a failure to replace assets
but that does not apply here where the main asset is land and buildings, which
are unlikely to fall in value. We should inquire about the need for maintenance
of the Arnton building and the fixtures and fittings. However, this good ratio is
explained in part by the improving inventory turnover.
– The only audit concern here seems to be the need for an allowance for doubtful
debts, though the amount concerned is probably immaterial.
• Profitability:
– The gross profit ratio has steadily improved, which is explained by management
as caused by a change in sales mix towards products that can sustain a higher
mark-up, particularly the domestic-ware. Our notional figures show this as being
higher than budget. There may be an error here in our assumptions.
– Return on total assets has also improved and according to our calculations will be
better than budgeted.
– Return on shareholders’ equity is shown as improving markedly.
– Net profit margin is shown as returning towards 20X7 levels after a fall in 20X8.
This is despite the increase in human resource expense.
– Profitability ratios do not seem to give any cause for concern.
• Analysis of expenses:
– The analysis of expenditure supports the management’s comments to us that
we would find that human resource expense has been increasing steadily as
a percentage of sales. This has resulted from the shift towards higher mark-up
merchandise requiring more staff input in discussing it with customers.
– As advised, travel expenses have risen and are above budget.

Implications for the • These tables suggest that the audit will need to focus on:
audit – Inventory quantities and valuation, because this is the preponderant asset and the
business is heavily dependent on having good merchandise for sale.
– Although it is a relatively small figure, the trade debtors, with review of the
allowance for doubtful debts.
– Because of the continuing risk of management fraud in a business of this nature,
to increase or decrease profit to meet objectives, we should also recognise risks
in:
∘ occurrence and completeness of sales,
∘ completeness of expenses and liabilities.
There remains also the possibility of petty employee fraud and we must be sure to
do an adequate assessment of this type of risk, conduct appropriate tests for its
occurrence and statements any suspicions to management.

Prepared by/Date Signature Reviewed by/Date Signature

F Kerr 6/10/X9

Fiona Kerr

P df_Folio:477

SUGGESTED ANSWERS 477

Westerways Pty Ltd Ratio Analysis
Annualised Year ending Year ending 9 mths ending
year ending

31/12/20X9 31/12/20X8 31/12/20X7 31/12/20X6

FINANCIAL RATIOS
Solvency

Quick asset Cash+ Marketable 0.3118 0.2879 0.4283 0.4090

ratio securities + Trade debtors
Current liabilities
Current ratio Current assets 1.2071 1.3367 1.4320 1.8220
Current liabilities
Debt-equity Total liabilities 1.6993 1.5271 1.3951 1.3559

Shareholders’ equity

Number of EBIT 15.7675 9.6500 6.3630 6.3191

times interest
earned
Interest expense

Efficiency

Debtors Credit sales 10.7849 11.6303 18.8641 9.0551

turnover
Average debtors*

Inventory Cost of goods sold 3.8579 4.6750 3.3212 2.0924

turnover
Average inventory*

Asset Sales 2.6368 2.3061 1.4210 0.9702

turnover
Total assets
Profitability

Net profit Operating profit before tax 0.1046 0.0859 0.1052 0.1130
margin

Sales
Return on Operating profit before tax 0.2759 0.1982 0.1494 0.1096
total assets
Total assets
Return Net profit after tax 0.7743 0.4694 0.3135 0.2184
on share-
holders’
equity

Ordinary shareholders’
equity

Gross profit Gross profit 0.4392 0.4183 0.4034 0.4023

Sales
Percentage of expenses
and net profit to sales

Rates and water rates 0.1406 0.1947 0.3588 0.4586

Wages, salaries and on-costs 24.9564 23.5455 20.6489 19.7932

dPf_Folio:478

478 SUGGESTED ANSWERS

 Power 2.2214 2.2421 2.2876 2.3547
Depreciation of non-current assets 1.0832 1.1146 1.3204 1.5314

Profit (Loss) on sale of non-c assets 0.0000 0.0000 – 0.0389 0.0000

Stationery and supplies 0.8193 0.7485 0.6974 0.5934

Interest on loans 0.7382 1.0631 2.1676 2.4018

Advertising and promotion 0.2875 0.2606 0.2726 0.5733

Travel and vehicle expenses 0.4910 0.3997 0.3634 0.3542

Rent paid Tannam store 2.7597 3.5655 1.5576 0.0000

Other administrative expenses 0.2855 0.3675 0.4205 0.9419

Total expenditure 33.4510 33.2341 29.8207 28.9332

NET PROFIT FROM TRADING 10.4641 8.5937 10.5166 11.3010

* Care needs to be taken if using the 20X6 ratios for comparison purposes as the values for 20X6 cannot be averaged as this was
the first year of operation and ratios for this period are based on 9 months rather than a full year of operation

Task 2.3: Preliminary materiality assessment

PL3-PMA
Client Westerways Pty Ltd

Audit for year ending 31st December 20X9

Preliminary materiality assessment

COMMENTS
Discussion of source of As discussed in relation to analytical review procedures, we have used annualised
data results for the full year based on budget data for nine months and the full year
and the nine months actual data. This suggests that the operating profit for the
full year will exceed budget and will be about $212 000. The statement of assets
and liabilities will accordingly be similar to budget, with net current assets slightly
lower because of the purchase of the delivery van. The calculations below use the
annualised figures rather than an average taking into account previous years, which
would give a slightly lower materiality.

Operating profit base Use 5% to 10% of annualised before tax profit, which is $11 0061 to $22 122.
method As audit risk is apparently low, we should consider a figure towards the high end of
this figure, or at least not lower than the mid-point.

Judgment from profit base method, the mid-point $16 600

Blended method 0.5% of total assets ($768 568) 3 843

0.5% of total revenue ($2 029 193 + 8 880 = 2 038 073) 10 190
5% of net profit before tax ($221 217) 11 061
2% of gross profit after depreciation ($891 123 – 21 981) 17 383
1% of equity ($285 103) 2 851
Total $45 328
Average /5 $9 066
Judgment from blended method $9 000

P df_Folio:479

SUGGESTED ANSWERS 479

 Planning materiality There is a considerable difference between the figures arrived at $12 000
conclusion using the different methods because with this company profit is
high relative to net assets. In the circumstances we should be
conservative and set planning materiality, for both balance sheet
and income statement, at $12 000, which is slightly above the
blended method figure and at the lower end of the profit base
figure.

Allocation of planning Calculation of proportion of each asset to total assets of $768 568 gives: Inventory
materiality to 0.38; Trade debtors 0.02; Prepayments 0.005; Cash and deposits 0.11; Non-current
components assets 0.48. On this basis, materiality would be allocated approximately Inventory
• discussion $4 560; Trade debtors $240; Prepayments $60; Cash and deposits $1 320; Non-
current assets $5 760. In view of the relative difficulty of auditing these components,
judgment will be used to allocate much more to inventory and some to trade payable.

• allocation Revenue/trade debtors 2 000

Expenditure/trade payable 2 000
Cost of sales/inventory 7 000
Non-current assets (tangible) 1 000
Non-current assets (intangible) 0
Cash/deposits etc 0

TOTAL $12 000

Prepared by/Date Signature Reviewed by/Date Signature

F Kerr
9/10/X9
Fiona Kerr

Task 2.4: Control environment evaluation

PL5-GAS:
Client Westerways Pty Ltd

Audit for year ending 31st December 20X9

Control environment evaluation

FACTOR COMMENTS
Communication There are no formal processes for communication of integrity and ethical values.
and enforcement of However, it seems that the owner-managers convey a good work ethic to their
integrity and ethical employees (many of whom are friends and relatives) through their enthusiasm and
values evident competence. We presume also that the Chairman, a long-standing client of
CLT, has a strong influence here.
Commitment to The owner-managers are well aware of all the skills required because they have
competence – between them performed all the tasks, of buying, selling and administration. They
recognition of skill seem to evaluate the prospective employees adequately. They then seem to monitor
requirements for jobs their performance adequately in that they are themselves often on the shop floor and
and implementation in the offices.
Participation by The Chairman of the Board, Len Lewis, as the only non-executive board member
those charged with and a shareholder, is responsible here. He has told us that in his quarterly visits to
governance (e.g., attend Board Meetings, he tours both stores, inquires about systems and controls
activities of audit and examines the accounting records. The Board meets quarterly and reviews the
committee) quarterly results.
Management’s Our assessment is that the owner-managers are “involved” – that is, they are active
philosophy and in the day to day running of the business. They monitor performance in a number of
operating style ways, including through the accounting system. Joy Valenti was initially accounting
(including interest in system operator and knows the system well. Len Lewis evidently takes a keen interest
accounting) and monitors performance.

dPf_Folio:480

480 SUGGESTED ANSWERS

 Organisational struc-
ture (e.g., structure for
achievement of entity’s
objectives)
Assignment of
authority and
responsibilities
Human resource
policies and practices
– recruitment,
training, evaluating,
compensation, etc
Conclusion (e.g.,
potential for material
misstatement)
Prepared by/Date
Mark and Joy Valenti may be regarded as joint managing directors but each has
assumed some particular responsibilities and others are performed by either. The
arrangement seems to work adequately. Reporting to them are the Administrator in
the Arnton store, the Assistant Administrator in the Tannam store and the Supervisor
in each store. Len Lewis is non-executive but monitors on a quarterly basis.
Mark does most of the buying of hardware and related inventory management, with
assistance from the Administrator. Joy does most of the buying of domestic ware,
with related inventory management. They are both involved in selling. The Supervisors
are responsible for sales staff and cash takings. The Administrators are responsible
for record keeping and, in the case of Arnton, payroll preparation.
Apart from the managers mentioned above and the Deputy Supervisors, the business
uses casual staff for varying numbers of hours per week. They earn agreed set rates,
dependent on seniority. There is periodic training of staff by the owner-managers.
There are no commissions or bonuses on sales performance.
Westerways is a small retail business run closely by managers who own half the
shares with a third shareholder who is the Chairman of the Board and evidently takes
his governance responsibilities very seriously. I consider the control environment to be
satisfactory.
Signature Reviewed by/Date Signature

B Banks
6 Oct 20X9
BBanks
MODULE 3
Task 3.1: Cost of sales and inventory
COST OF SALES

Assertion Test and sample size Comment

Occurrence No test is mentioned. These transactions are system generated from
sales, cost of sales being charged at average cost
per unit for the item. Ideally, it seems that there
should be an audit test of the proper working of the
sales and inventory management system, though
a minimal test of one is done. However, it may
be regarded as sufficient that the auditors test
the costs of inventory on hand at balance date by
checking a sample to recent supplier invoices.
Completeness No test is mentioned.
Accuracy No test is mentioned.
Presentation Not separately disclosed. No test required.

INVENTORY

Existence Procedures for attending count Satisfactory.

planning meeting and then
observation of stock count, test
counts and follow up procedures.
Existence Tests of cutoff. Satisfactory.
Rights & As for existence. Need tests to confirm that there is no inventory on
obligations the premises which is not owned by Westerways
(e.g., on consignment).
Completeness As for existence. The attendance at the planning meeting (where
discussions would include coverage of all areas
where inventory is held) and at the count should
give sufficient evidence of completeness.
Accuracy, Procedures to test costs of Satisfactory.
valuation & inventory.
P df_Folio:481

allocation

SUGGESTED ANSWERS 481

 Accuracy, Procedures for investigation for Satisfactory.
valuation & obsolete inventory while at stock
allocation count and subsequent follow up.
Accuracy, Examination of reports on stock Satisfactory.
valuation & turn to identify and then discuss
allocation possible obsolete items to be
reduced from cost to net realisable
value.
Presentation As for trade payable. Omitted.

Task 3.2: Substantive procedures

Cycle Expenditure PL-ART-Exp-AcP

Client Westerways Pty Ltd

Audit for year ending 31st December 20X9

Account balance risk assessment and testing

Account balance Trade payable

Assertions/Possible Assessed risk of material Proposed substantive tests (analytical review

material misstatements
Existence
• Recorded trade
payables are not valid
misstatement after taking
into account transaction
class controls
Medium
procedures and tests of details)
Analytical procedures
ES1 Analyse trends of trade payable and
investigate anomalies
Tests of details
ES2 Reconcile a sample of balances to suppliers’
statements (stratify population; select all in top
stratum and random sample in lower)

Rights & obligations Medium Analytical procedures

• Recorded trade
payables are not valid
Completeness
• Trade payable at
balance date are not
recorded as liabilities
RS1 As ES1 above
Tests of details
RS2 As ES2 above
Medium Analytical procedures
CS1 As ES1 above
Tests of details
CS2 As ES2 above
CS3 Conduct procedures to detect missing
liabilities (vouch major payments after balance
date, consider omitted liabilities in relation to
business activities and by inspection of directors’
minutes; obtain solicitors’ representation letter(s)).

Accuracy, valuation & Low Analytical procedures

allocation VS1 As ES1 above
• Trade payable are Tests of details
recorded at wrong VS2 As ES2 above
amounts VS3 Add balances and agree to control account

Presentation Low Tests of details

• Trade payable in PS1 Check amount disclosed in financial
financial statements statements to general ledger
are not presented PS2 Check amount disclosed for compliance with
in accordance with Accounting Standards
Accounting Standards

Prepared by/Date Signature Reviewed by/Date Signature

dPf_Folio:482

482 SUGGESTED ANSWERS

 Cycle Expenditure PL-ART-Exp-Inv

Client Westerways Pty Ltd

Audit for the year 31st December 20X9

ending

Account balance risk assessment and testing

Account balance Inventory

Assertions/Possible Assessed risk of material Proposed substantive tests (analytical review

material misstatements misstatement after procedures and tests of details)
taking into account
transaction class controls
Existence Medium Analytical procedures
• Recorded inventory ES1 Analyse trends of inventory held by class
does not exist (e.g., month end and year end
has been recorded Tests of details
twice) ES2 Attend stock count planning meeting and
obtain evidence that all owned inventory will be
counted properly
ES3 Attend stock count and i) observe counting,
reconciling and investigation procedures for
compliance with set procedures, ii) conduct test
counts, iii) record purchases, sales and transfer
cutoff document numbers
ES3 Follow up test counts by checking count
figures to final inventory records
ES4 Follow up cutoff by tracing numbers to correct
period in accounting records

Rights & obligations Medium Analytical procedures

• Recorded inventory is RS1 As ES1 above
not owned (e.g., is on Tests of details
consignment) RS2 to RS4 As ES2 to ES4 above

Completeness Medium Analytical procedures

Inventory owned by CS1 As ES1 above
company is not recorded Tests of details
CS2 to CS4 As ES2 to ES4 above
Accuracy, valuation & Medium (possibility of Analytical procedures
allocation obsolete inventory to be VS1 As ES1 above
• Inventory is not reduced from cost to net Tests of details
recorded properly at realisable value) VS1 Add costs and agree total to control account
the lower of cost and in GL
net realisable value
VS2 Test unit costs of lines to recent supplier
invoices (stratify population)
VS3 Calculate stock turn for all lines, identify slower
moving lines and investigate their circumstances;
raise with management the need to reduce them
from cost to net realisable value
Presentation Low Tests of details
• Errors in accounting PS1 Check amount disclosed in financial
system in application statements to general ledger
of Accounting PS2 Check amount disclosed for compliance with
Standards Accounting Standards

Prepared by/Date Signature Reviewed by/Date Signature

P df_Folio:483

SUGGESTED ANSWERS 483

 Expenditure TE-ATP-Exp
Client Westerways Pty Ltd
Audit for the year ending 31st December 20X9
Audit test programme
Risk Sample size Working
Audit Tests assessment (if applicable) paper Done by
references references
TRADE PAYABLE
Compare Trade payable balance PL-ART-Exp-AcP
outstanding with balances each
month and at end of last year,
inquire re anomalies, and obtain
satisfaction about any identified
anomalies through explanation
from management and further
investigation to confirm veracity
of explanations.
Agree total of balances to PL-ART-Exp-AcP
general ledger control account.
For all major and sample of PL-ART-Exp-AcP All >= $5 000
lower balances, obtain supplier’s 1/20 < $5 000,
statement for 31st December and random
reconcile it to the trade payable selection
balance.
Scrutinise payments after PL-ART-Exp-AcP Payments >
balance date until end of audit $2 000
and for all large payments vouch
to supporting documentation
to confirm that if the item is a
purchase of pre 31st December it
is recorded as a liability.
Conduct other test for omitted PL-ART-Exp-AcP
liabilities, including inspection of
Board Minutes for discussion of
possible liabilities and general
inquiry after consideration of the
activities of the business during
the year.
Check the total to the draft GPFS PL-ART-Exp-AcP
and confirm that its disclosure
complies with Accounting
Standards.
INVENTORY
Perform analytical procedure: PL-ART-Exp-Inv
• Analyse trends of inventory
held by class month end and
year end and inquire re any
significant changes

Attend stock count planning PL-ART-Exp-Inv

meeting and confirm that
all counters understand the
requirements.
Attend stock count and perform PL-ART-Exp-Inv Test count 10
standard audit procedures: lines at each
• Observe counting process and store, selected
confirm that all lines will be randomly
counted and once only.
• Do test counts and check
these to the inventory records.

dPf_Folio:484

484 SUGGESTED ANSWERS

 • Test cutoff of purchases by
recording last deliveries and
confirming that these were the
last recorded (recognising that
inventory records are likely to
be updated from supplier’s
packing slip and suspense
liability becomes liability on
input of invoice).
• Inspect inventory for signs of
obsolescence and discuss this
with the count supervisor to
obtain his/her opinion.

To verify costs, select a sample PL-ART-Exp-Inv Top 10 lines by

of lines, calculate the unit price value and 1/100
and check the unit prices to of others
recent supplier invoices.
To test for the need to reduce PL-ART-Exp-Inv
lines from cost to net realisable
value, examine inventory
management system reports
on slow moving lines and for
any that have a significant
value (e.g., > $500), discuss the
circumstances with management
and form a view on the proper
accounting valuation.
Check the total to the draft GPFS PL-ART-Exp-Inv
and confirm that its disclosure
complies with Accounting
Standards.
Prepared by/Date Signature Reviewed Signature
by/Date

MODULE 4
Task 4.1 and 4.2: Audit Tests and Conclusions
Finding number a) Audit test(s) that b) Discussion of possible action by auditors
and summary detected the finding
1 Damaged inventory This was discovered in Following the lower of cost and net realisable value
requiring reduction discussions with staff rule, the inventory should be reduced in value from
from cost to net which revealed a roof $12 000 to $9 000, the management’s estimate of the
realisable value leak rather than through net realisable value. The management have agreed to
any formal audit tests. this adjustment and so the auditor should be able to
Having heard about give an unqualified opinion.
the leak, the auditors While it is possible that the inventory will have to be
exercised their initiative reduced further in value for sale, the amount of any
and considered what additional loss does not seem likely to be material, and
the effects might have so there is no need for the auditors to depart from their
been on the financial unqualified opinion.
statements.
2 Injury to customer, Examination of Minutes This must clearly be disclosed as a contingent liability.
resulting in of Meetings of the It is unclear what if any dollar amount to give because
possible legal directors. of the fact that legal action has not so far been taken.
action, possibly If the management refused to disclose it, the auditors
requiring would have to give a qualified opinion.
disclosure of a
contingent liability.

P df_Folio:485

SUGGESTED ANSWERS 485

 3 Unsold inventory Procedures for The issue here is whether the inventory should be
that might need identifying obsolete reduced in value from cost to net realisable value, the
to be reduced inventory while attending cost being $6 000, which is not material on its own.
from cost to net the stock count, and If other differences are taken into account and this
realisable value. subsequent follow up. matter is then regarded as material, it seems that the
auditors could come to a number of conclusions on
this one:
• They could conclude on the basis of past experience
with this company that the inventory will sell and give
an unqualified opinion.
• They could request a write down to an agreed figure,
such as 50% of cost, and if this was refused qualify
their opinion.
• They might conclude that this item qualifies as
an inherent uncertainty only because it is difficult
for this company early in its business life to apply
the methods given in ISA 540 (Revised) Auditing
Accounting Estimates and Related Disclosures for
auditing an accounting estimate. In this case, if the
directors explain it in a note the auditors could give
an unqualified opinion with a material uncertainty
related to going concern paragraph.
Since there seems to be no doubt that the company
will continue in business, considering this item on its
own, I would accept management’s optimism regarding
sale and give an unqualified opinion.

MODULE 5
Task 5.1: Suitable content for Westerways sustainability report
(a) Sustainability reports may cover a range of topics as outlined in the GRI Standards but should focus
on the topics most important to the sustainability of the business. Suitable content for Westerways
sustainability report is shown below. Note: this is not a complete list and is provided as a guide only.
• Economic measures
– Economic performance — economic value generated and distributed.
– Procurement practices — timber procurement policy to ensure timber products are sourced legally
and in an environmentally friendly manner.
• Environmental measures
– Materials — consumer packaging designed to minimise environmental impact and reduce the use
of non-recyclable materials.
– Reclaimed products and packaging — battery, paint and electronic waste collection services.
– Reduction in energy consumption — renewable energy installations (e.g. solar) and lighting
efficiencies (e.g. LED lighting).
– Supply chain policies — ethical sourcing of inventory and environmental impact of consumer
packaging.
• Employment — human rights
– New employees hired and employee turnover.
– Workplace health and safety — improvements in safety performance and reduction in work-
related injuries.
– Training and education — average hours of training per year per employee and usage of
performance evaluations and reward systems.
– Diversity of governance body and employees — gender, age and number of indigenous employees.
– Equal opportunity — number of women employed and in leadership roles and comparison of
salaries between men and women for management and employees.
• Local communities
– Nature, scope and effectiveness of any programmes and practices that assess and manage the
impacts of operations on communities.
– Education programs for customers to help them make better sustainable living choices.
– Education programs to help the community to create waterwise gardens.

Pdf_Folio:486

486 SUGGESTED ANSWERS

 – Education programs for the wider community to help prepare them for natural disasters such
as bushfires and extreme weather conditions.
– Customer health and safety — store hazards and disposal, reuse or recycling of products.
– Customer privacy — breaches of customer privacy or loss of customer data.
(b) Benefits that sustainability reporting should provide to Westerways and their stakeholders include the
following.
• Compliance with sustainable supply policies will help Westerways attract and secure business as
more consumers are becoming concerned about the environmental impact of the products they
purchase.
– Westerways may be committed to reducing the environmental impact of consumer packaging by
expecting suppliers to design packaging to minimise environmental impact and reduce the use of
non-recyclable materials.
– Westerways may require their suppliers to source products from factories which operate in
accordance with international labour and safety standards.
– Westerways may have a timber procurement policy to ensure timber products are sourced legally
and in an environmentally friendly manner.
– Westerways large business customers may require assured sustainability reports as evidence of
sustainability practices and products. This may help Westerways to differentiate themselves from
their competitors.
– Supply chain — Westerways may create a competitive advantage by increasing customer satisfac-
tion and loyalty through sustainability reporting especially with customers who look for suppliers
that minimise environmental and social risks.
• Sustainability reports provide a credible way for Westerways to present sustainability performance
to stakeholders.
– Helps to maintain Westerways ‘social licence to operate’
– Builds reputation and trust — reporting sustainability efforts builds goodwill, improves product
image, brand name and reputation.
– Helps with staying up-to-date with regulatory changes.
• A greater range of finances are available to organisations that can demonstrate sustainability.
– Demonstrates quality and good management potentially leading to new sources of capital and
lower costs of finance.
• Internal benefits of sustainability reporting for Westerways include the following.
– Vision and strategy — sustainability report should explicitly link Westerways purpose, vision and
strategy into the global sustainability context.
– Management systems — tracking data to find ways to improve efficiency and cost saving requires
management systems that improve data quality.
– Early warning of emerging issues — potentially damaging developments can be evaluated early
before they emerge.
– Employee motivation — engaging the workforce in sustainability efforts helps to attract new
talent, increase productivity and reduce absenteeism

Task 5.2: Assurance of Westerways sustainability report

Ray’s discussion with the Valentis would have included the following matters.
1. The five essential elements of a sustainability report assurance engagement conducted in accordance with the
International Framework for Assurance Engagements.

Element Westerways assurance engagement

Three-party relationship • Assurance practitioner — Ray Campbell, Audit specialist for Campbell Lee
Taylor (CLT))
• Users — shareholders of Westerways — Len Lewis, Joy and Mark Valenti,
Ms Verity Samson and Mrs Bambi Bagg; creditors/suppliers of finance —
Westerways Bank; employees — workplace health and safety, training and
education, diversity and equal opportunity; wider community — environmental
practice, and education programs; customers — health and safety and privacy
of data.
• Responsible party — Board of directors of Westerways — Len Lewis (chairman),
and Joy and Mark Valenti.
Pdf_Folio:487

SUGGESTED ANSWERS 487

 Underlying subject matter Sustainability report

Criteria GRI Standards

Evidence Ray Campbell has to gather sufficient, appropriate audit evidence to form an
opinion as to whether the sustainability report is fairly presented and free of
material misstatements, also ensuring it is reported in accordance with GR
Standards.

Assurance report A written assurance report containing a clearly expressed conclusion about the
subject matter information. The conclusion indicates whether the information in
the sustainability report is fairly presented, free of material misstatements and
reported in accordance with the GRI Standards. The wording will differ depending
the level of assurance—i.e. a reasonable or limited assurance engagement.

2. The appropriate assurance standard that will provide guidance to Ray when performing the assurance
engagement on Westerways sustainability report is the International Standard on Assurance Engagements
ISAE 3000 Assurance Engagements Other Than Audits or Reviews of Historical Financial Information. This
standard emphasises the procedures used for gathering evidence and assurer independence.

3. The procedures Ray is likely to perform to provide assurance on Westerways sustainability report include:
• assessment of whether the report provides a reasonable and balanced presentation of performance
• assessment of the extent to which the report preparer has applied the GRI Reporting Framework
• assessment of disclosure risks
• procedures to check the accuracy, plausibility and relevance of the sustainability measures reported
• result in an opinion or set of conclusions that is publicly available in written form, including a statement from
the assurance practitioner on their relationship to the report preparer.

4. The expected benefits of having their sustainability report assured include those listed above for Task 5.1
(b), but most importantly, assurance adds credibility to the sustainability report. GRI (2013)1 list the following
reasons why business have their sustainability reports assured.
• Increased recognition, trust and credibility — stakeholders are provided with a greater sense of confidence in
the disclosures.
• Improved board and CEO level engagement — disclosures and data which are believed to be trustworthy and
credible are more likely to be used for internal decision making.
• Reduced risk and increased value — credible disclosures are more likely to be relied on.
• Strengthened internal reporting and management systems — external assurance helps to confirm that internal
systems and controls are robust.

1
GRI 2013, ‘The external assurance of sustainability reporting’, GRI Research & Development Series, accessed September 2019,
https://www.globalreporting.org/resourcelibrary/GRI-Assurance.pdf.

Pdf_Folio:488

488 SUGGESTED ANSWERS

INDEX
A Guide for Assurance on SME
Sustainability Reports 307
AASB see Australian Accounting
Standards Board
AASB 1039 Concise Financial
Reports 294
access controls 117
Accounting and Corporate Regulatory
Authority (ACRA) 283
accounting estimates 69, 229
Accounting Professional and Ethical
Standards Board (APESB) 8, 76,
368
accounts payable process 58
accuracy during processing, maintenance
of 118
accurate conversion 117
ACRA see Accounting and Corporate
Regulatory Authority
activity ratios 145, 146
ADA see audit data analytics
adequate document design 117
advanced audit data analytic techniques
201
in e-commerce environment 206–8
advanced evidence-gathering issues
208–11
adverse opinion 265, 272–7
advocacy 13
analytical procedures 82, 86, 134,
142–50, 162
activity ratios 145, 146
common-size statements 148–50
comparisons 143–4
DuPont analysis 148
financing ratios 147
liquidity ratios 146, 147
profitability ratios 145
ratio analysis 144–8
reasonableness tests 144
ANAO see Australian National Audit
Office
anti-fraud controls 175
APES 110 Code of Ethics for
Professional Accountants 77, 261
APES 315 Compilation of Financial
Information 368
APESB see Accounting Professional
and Ethical Standards Board;
Accounting Professional & Ethical
Standards Board
application controls 113, 117–21
appropriate chart of accounts 117
appropriate underlying subject
matter 30
appropriateness 171
of audit evidence 70
of evidence 82
quality 32
artificial intelligence (AI) 55, 58–9
ASA 101 Preamble to Australian
Auditing Standards 52
ASA 102 Compliance with Ethical
Requirements when Performing
Pdf_Folio:489
Audits, Reviews and Other
Assurance Engagements 18, 52
ASA 200 Overall Objectives of the
Independent Auditor and the
Conduct of an Audit in Accordance
with Australian Auditing Standards
2, 40, 67
ASA 220 Quality Control for an Audit of
a Financial Report and Other
Historical Financial Information
2, 73
ASA 230 Audit Documentation 2, 67,
170
ASA 240 The Auditor’s Responsibilities
Relating to Fraud in an Audit of a
Financial Report 67, 170, 225
ASA 250 Consideration of Laws and
Regulations in an Audit of a
Financial Report 67, 170, 225
ASA 260 Communication with Those
Charged with Governance 67,
225
ASA 502 Audit Evidence — Specific
Considerations for Litigation and
Claims 232, 241
ASA 570 Going Concern 130, 298
ISA 700 (Revised) Forming an Opinion
and Reporting on Financial
Statements 296, 297
ASA 705 Modifications to the Opinion
in the Independent Auditor’s Report
294
ASA 706 (Revised) Emphasis of Matter
Paragraphs and Other Matter
Paragraphs in the Independent
Auditor’s Report 297
ASAE 3100 Compliance Engagements
327
ASAE 3150 Assurance Engagements on
Controls 42, 332
ASAE 3450 Assurance Engagements
involving Corporate Fundraisings
and/or Prospective Financial
Information 311, 315
ASAE 3500 Performance Engagements
334, 365
ASAE 3610/AWAS 2 Assurance
Engagements on General Purpose
Water Accounting Reports 315
ASC Pty Ltd 343
ASIC see Australian Securities and
Investments Commission
ASRE 2405 Review of Historical
Financial Information Other than a
Financial Report 300
ASRE 2415 Review of a Financial
Report 298
ASRS 4400 Agreed-Upon Procedures
Engagements to Report Factual
Findings 366
ASRS 4450 Comfort Letter
Engagements 367, 369
assertions 70
identifying 94
risk assessment 172
assess the risks 204
Association of Certified Fraud
Examiners (ACFE) 59
assurance engagement risk 37
assurance engagements 4, 25, 40
appropriate underlying subject matter
30
aspects of behaviour 43–4, 327–33
audits see audits
audits of financial statements 40–1
audits of specialised areas 41
Australian perspective 299–300
criteria 30–2
elements of 28
evidence 32–8
financial information 295
future-orientated information 42,
311–15
ISRE 2400 (Revised) Engagements to
Review Historical Financial
Statements 298
ISRE 2410 Review of Interim
Financial Information Performed by
the Independent Auditor of the
Entity 296–8
non-assurance services 366–3
non-financial reports 41–2, 303–11
overarching standard 300–3
performance audits 370
performance of activity 44–5
public sector performance auditing
333–6
report 38–40
review engagements 41
review standards 295
small- and medium-sized entities
298–9
sustainability reports 370
systems and processes 42–3, 315–27
three-party relationship 29–30
vs. financial statement audit 28
assurance on aspects of behaviour 43–4
assurance practitioner 29
assurance services 4–11
auditing in Australia 7–10
auditing in New Zealand 10–11
internationalisation of auditing 5–7
population of 5
ASX see Australian Securities
Exchange
ASX Annual Report 2018 260, 261
attestation 361
engagements 25–6
vs. direct compliance engagements
328
attitudes and behaviours of scepticism
34
AUASB see Australian Auditing and
Assurance Standards Board
Audit Commission, Hong Kong 50
audit committee 279–80
audit data analytics (ADA) 150–60
access and prepare data for 153
INDEX 489
 data analytics and data visualisation to audit sampling 184, 185 Australian Charities and Not-for-Profit
assess fraud 158–60 audit software 197 Commission Act 2012 48, 52
performing 152–3 audit strategy 160 Australian National Audit Office
planning 152–3 developing of 160–3 (ANAO) 49, 334
relevance and reliability of data 53 financial statement assertions 161 Australian National Registry of
software 156 substantive procedures 162–3 Emissions Units Act 2011 305
techniques 157, 185 tests of controls 161–2 Australian pronouncements 9
using for risk assessment 153–8 audit trail 118 Australian Securities and Investments
audit documentation 94, 216 audit working papers 217–20 Commission (ASIC) 7–8, 22, 23,
audit file organisation 216–17 auditing 58–9 33, 201, 212, 215, 284
examples of audit working papers accounting estimates 126–7 Australian Securities and Investments
217–20 in Australia 7–10 Commission Act 2001 7
security and confidentiality of client internationalisation of 5–7 Australian Securities Exchange
data 216 in New Zealand 10–1 (ASX) 9
audit evidence 70, 171 standards 68 Australian standards 226
evaluation of 220–5 Australian Water Accounting Standard
Auditing Accounting Estimates and
misstatements identified during the (AWAS) 308
Related Disclosures 127
audit 220–2 authorisation 111
auditor 293
sufficiency and appropriateness of automatic audit 61
ASA 700 series 298
222–5 automatic notarisation 61
Auditor-General for Australia 334
audit fieldwork average collection period 145
CSR disclosures 303
accounting 229 average payment period 145
Institute of Internal Auditors 315–17
analytical procedures 239–43 AWA Ltd v. Daniels t/a Deloitte Haskins
internal 326–7
characteristics 228 & Sells (1995) 16 ACSR 644 281
ISAE 3400 states 312
engagement quality control review AWAS see Australian Water
ISRE 2410 Review of Interim Accounting Standard
247–8
Financial Information Performed by AWAS 2 Assurance Engagements on
evidence 228
the Independent Auditor of the General Purpose Water Accounting
final considerations 248–51
Entity covers 296 Reports 308
fraud 230–1
letter report 367
going concern 232–5
public sector 342, 347, 360, 364
litigation and claims 231–2 backup and recovery procedures 115
review report, AUASB guidance 297
management representation letter bank confirmation requests 194
auditor independence batch totals 118
235–6
for audit of financial statements before-and-after report 119
materiality see materiality
74–7 better practice guides (BPGs) 361
parties 229–30
for audit of SMEs 77 big data 59
subsequent events 236–9
auditor and audit firm rotation 75–7 blockchain 60–2, 111
working papers 245–6
audit file organisation 216–17 and United States legislation 75 BOM see Bureau of Meteorology
audit firm rotation 75–7 auditor responsibilities, going concern BPGs see better practice guides
audit innovation continuum 56 130 bribery frauds 124
audit judgments 36 auditor rotation 75–7 Bureau of Meteorology (BOM) 307
audit materiality 95 Auditor-General 49–50 Delivery of Extreme Weather Services
audit of financial information Auditor-General Act 1997 49, 334, 343 338
auditor independence for 74–7 auditors 121, 151 business models 54, 104
professional conduct and ethics 77–9 auditor’s expert, using work of 214 business operations, entity 103–4
professional scepticism and judgment auditor’s report business risk 99, 106
79–3 modified 262–77 identifying 107
regulatory environment 72 unmodified 251–62 business-to-business e-commerce 205
audit planning auditor’s responsibilities business-to-consumer e-commerce 205
conclusions and reporting 100 subsequent events 237
developing 88–1 audits CAATs see computer-assisted audit
documentation 94 auditor 293 techniques
financial statement assertions 91–4 Australian perspective 294–6 CADB see Companies Auditors
guidance materials for SMEs 86–7 components of financial statement Disciplinary Board
impacts on 97 293 Carbon Credits (Carbon Farming
materiality 95–9 financial statements 40 –1, 291–3 Initiative) Act 2011 305
overall audit strategy 87–8 of specialised areas 41 Carey Ltd (Carey) 238
overview 87, 89 international auditing standards 291 Center for Audit Quality (CAQ) 34
performing 100 AusGroup Limited 271 CER see clean energy regulator
phases of 99–102 Australian Accounting Standards Board channel stuffing 122
risk assessments 101 (AASB) 283 Chartered Accountants Australia and
audit procedure 40, 160, 173–5 Australian Auditing and Assurance New Zealand (CAANZ) 10
for related parties 208–11 Standards Board (AUASB) 8–9, check digits 118
audit program 89, 90 52 check-digit test 118
Audit Reports in Australia 2005–2015 standard-setting process 8 clean energy regulator (CER)
275 Australian Auditing Standards Australia’s carbon emissions 305,
audit risk 37, 69, 106, 141 (ASAs) 52 314
model 69
Pdf_Folio:490
Australian Auditor-General 49 clearly trivial 220

490 INDEX
client data, security and confidentiality
of 216
client money audit 330
client relationships 19–20
Climate Balance Pty Ltd 306
climate-related risk 130–1
climate-risk disclosure 54–5
cloud computing 115–17
cluster analysis 154
Code of Ethics for Professional
Accountants 11
Committee of Sponsoring Organizations
of the Treadway Commission
(COSO)
in Australia and New Zealand 324
in US 321
internal audit function 318
Internal Control — Integrated
Framework 321–4
common-size statements 148–50
communication 277–80
Companies Auditors Disciplinary Board
(CADB) 9
Companies limited by Guarantee and
Incorporated Associations:
Reporting and Auditing/Review
Obligations 47
comparative information 264
completeness
and accuracy of data 118
of data 117
compliance engagements 43–4
component auditors 211–12
computer operation controls 115
computer-assisted audit techniques
(CAATs) 177
in e-commerce environment 206
integrated test facility 181–4
substantive testing using 197–201
test data 180–1
tests of controls 178–84
traditional audit vs. 179
conceptual framework 11, 13
2018 Concise Financial Report 294
confidentiality 13
conflict of interest situation 75
conflicts of interest 14
console messages 119
contingency plans 115
contingent asset 231
contingent liability 231
continuous auditing 43, 325–6
in e-commerce environment 206–8
control activities, internal control 111
control environment, internal control
110
control risk 37, 69, 72–135
control totals 118
corporate governance assurance 44
Corporate Law Economic Reform
Program (Audit Reform and
Corporate Disclosure) Act 2004
74
corporate social responsibility (CSR)
reports 303–4
Corporations Act 2001 7, 73, 75, 236,
285, 294
Pdf_Folio:491
Corporations Amendment (Corporate
Reporting Reform) Act 2010 299
Corporations Legislation Amendment
(Audit Enhancement) Act 2012
75, 76
corruption frauds 124
COSO see Committee of Sponsoring
Organizations of the Treadway
Commission
COSO’s Internal Control — Integrated
Framework (2013) 321–4
CPA Australia 9
criteria 336
assurance engagement 30–2
report on customer satisfaction 31
Crown authority 11
CSR reports see corporate social
responsibility reports
cutoff errors 93
cutoff tests 93
cyber frauds 124
victim of through cyber attack 125
cyber-sell sales systems 325
damaged inventory 285
data analytics 59–60, 151–79
data entry and program controls 115
data entry manuals 117
DDD Motor Sales Ltd 299
debt–equity ratio 147
descriptive analytics 150
detection risk 37, 69
deviation 176
direct engagements 25–6
disclaimer of opinion 265, 270–2
dummy entity 181
dummy transactions 180
DuPont analysis 148
e-commerce environment
advanced audit data analytic
techniques 206–8
continuous audit in 206–8
substantive testing in 206
tests of controls in 205–6
types 205
using CAATS in 206
E-ffervescence.com Ltd 250
EBIT (earnings before interest and tax)
145
EBITDA (earnings before interest, tax,
depreciation and amortisation)
145
economy 335
EER see extended external reporting
effectiveness 336–7, 341
efficiency 335–6
Egral Ltd 281
Emphasis of Matter 262–3
Emphasis of Matter paragraph 292
engagement letter 83, 85
engagement partner 19, 73
engagement performance 20–2
engagement quality control review
(EQCR) 22, 247–8
engagement review process 21
engagement risk 27
engagement teams 20, 73
engagement terms 84
enquiries of management, risk
assessment 134
enquiry, analytical procedures 143
entity 102
business model 104
business operations 103–4
financial performance 108–10
financing 105
industry conditions 102
investments 104–5
nature of 103–5
objectives, strategies and related
business risks 105–7
regulatory environment 103
risk assessment process 110
selection and application of
accounting policies 105
EQCR see engagement quality control
review
error correction and data resubmission
118
error log 118, 119
errors 70
ethical principles 11–18
code 12–18
ethical requirements 19
European Commission (EC) 76
evidence 32–8, 69
evidence-gathering techniques 177
extended external reporting (EER) 303
extent, quantity 38
external confirmations 193
External Reporting Board (XRB) 10,
11
factual misstatements 242
familiarity 13
Farm Management Deposits (FMD)
Scheme 358
fieldwork 171
file identification labels 119
file run and control instructions 119
financial audits 50
financial information
and non-financial 307
concept of materiality 293
ISAE 3400 311
primary standards 295
reviews of interim 296, 298
small- and medium-sized entities
298–9
Financial Markets Conduct Act 2013
257
financial materiality 347
financial performance, entity 108–10
financial report audit 41
Financial Reporting Act 1993 10
Financial Reporting Council (FRC) 7,
72, 283
financial reporting frauds 122–3
financial statement assertions 91–4,
172
financial statements 40, 74
audits of 40–1
firm 73
FMD Scheme see Farm Management
Deposits Scheme
INDEX 491
forecast 312
framework 27–8
for audit quality 23–5
Framework for Audit Quality; Key
Elements that Create an
Environment for Audit Quality 23,
35
Franklin Spleen group 327
fraud 82, 121–6
cyber 124
data analytics and data visualisation
158–60
financial reporting 122–3
misappropriation of assets 123–4
red flags 124
risk factors 124–6
types of 122
use of software robots 126
fraud brainstorming 121
fraud triangle 125
FRC see Financial Reporting Council
future-oriented information assurance
42
GAS see generalised audit software
gearing ratios 147
general IT controls 113
general ledger account balance analysis
157
general ledger account reconciliation
157
generalised audit software (GAS)
197–200
functions of 199
GFC see global financial crisis
Global Economic Crime and Fraud
Survey 124
global financial crisis (GFC) 103
global reporting initiative (GRI) 307
external assurance 306
and IOE 371
GRI G4 Guidelines 305
sustainability reports 306
going concern basis 129, 233
going concern risk 129–30, 135
auditor responsibilities 130
management responsibilities 130
greenhouse gas (GHG) statements
304–5
GRI see global reporting initiative
gross margin ratio 145
GS 001 Concise Financial Reports 294
GS 016 Bank Confirmation
Requests 194
haphazard selection 185
hash totals 118
human resources 20
IAASB see International Auditing and
Assurance Standards Board
IAS 10 Events after the Reporting Period
236, 241
IAS 37 Provisions, Contingent Liabilities
and Contingent Assets 232, 241
Idealic Pty Ltd 267
identifying risks 138
IESBA see International Ethics
Standards Board for Accountants
Pdf_Folio:492
492 INDEX
IESBA Code see International Ethics
Standards Board for Accountants
Code
IFAC see International Federation of
Accountants
IFIAR see International Forum of
Independent Audit Regulators
IFRS see International Financial
Reporting Standard; International
Financial Reporting Standards
IIA see Institute of Internal Auditors
IIRC see International Integrated
Reporting Council
inability 265
Income Tax Assessment Act 1936 327
Income Tax Assessment Act 1997 327
independence 73
policies and procedures 17
indicators 336
inducements 15
INFO 222 22
information processing 111
information system and communication
111
inherent risk 37, 69, 71–135
input controls 117
Institute of Internal Auditors (IIA) 315
Institute of Public Accountants (IPA)
10
integrated test facility (ITF) 181
test data vs. 181–4
integrity 12
intended users 29–30
internal audit 42–3
assurance service 318–21
carrying out the engagement 319
control 317
definition 315, 316
engagement planning 319
function 315
governance 317
Institute of Internal Auditors 315
Internal Audit Engagement Planning
319
International Standards for the
Professional Practice of Internal
Auditing (Standards) (IIA 2017)
316
purpose 318
reporting 320
risk-management 317
types 317
internal auditors 212–13
internal control 86, 278
components 109–12
control activities 111
control environment 110
entity’s risk assessment process 110
information system and
communication 111
monitoring of controls 112
in SMEs 112–13
internal control system 324
principles 322
internal controls audit 43, 321–5
internal labels 119
International Accounting Standards
Board (IASB) 48
International Auditing and Assurance
Standards Board (IAASB) 6–7,
73, 314
international auditing standards 291
International Ethics Standards Board for
Accountants (IESBA) 6–7, 76,
260
International Federation of Accountants
(IFAC) 6, 86
International Financial Reporting
Standards (IFRS) 48, 311
International Forum of Independent
Audit Regulators (IFIAR) 6
International Framework for Assurance
Engagements (the Framework) 4,
5, 11
assurance engagements 25, 28–40
attestation and direct engagements
25–6
ethical principles 11–8
quality control standards 18–5
reasonable and limited assurance
engagements 26–7
scope of 27–8
International Integrated Reporting
Council (IIRC) 310
International Organisation of Supreme
Audit Institutions (INTOSAI)
342, 361, 365
International Organization of Employers
(IOE) 307
international standards 45, 226
International Standards for the
Professional Practice of Internal
Auditing (Standards) (IIA 2017)
316
International Standards on Assurance
Engagements (ISAEs) 7
application of 51–2
International Standards on Auditing
(ISAs) 7, 45, 68, 72, 201
application of 45–50
audit requirements 47–8
Australia 49
future developments 48
Hong Kong 50
public sector perspective 49–50
small and medium-sized entities
(SMEs) perspective 46–9
structure of 46
International Standards on Quality
Control 5
International Standards on Related
Services (ISRSs) 7
application of 52
International Standards on Review
Engagements (ISREs) 7
application of 51
intimidation 14
INTOSAI see International
Organisation of Supreme Audit
Institutions
inventory turnover ratio 146
investments 104–5
IOE see International Organization of
Employers
IPA see Institute of Public Accountants
ISA 200 Overall Objectives of the
Independent Auditor and the
Conduct of an Audit in Accordance
with International Standards on
Auditing 26, 45
ISA 220 Quality Control for an Audit of
Financial Statements 18, 20, 73,
245
ISA 230 Audit Documentation 94, 216
ISA 240 Appendix 1 125
ISA 240 The Auditor’s Responsibilities
Relating to Fraud in an Audit of
Financial Statements 121, 122,
230, 242, 285
ISA 250 (Revised) Consideration of
Laws and Regulations in an Audit of
a Financial Report 103, 131, 132,
172, 242
ISA 260 (Revised) Communication with
Those Charged with Governance
285
ISA 265 Communicating Deficiencies in
Internal Control to Those Charged
with Governance and Management
277, 285
ISA 300 Planning an Audit of Financial
Statements 47, 72, 100
ISA 315 Identifying and Assessing the
Risks of Material Misstatement
through Understanding the Entity
and Its Environment 68, 99, 102,
105, 106
ISA 320 Materiality in Planning and
Performing an Audit 220, 251
ISA 330 The Auditor’s Responses to
Assessed Risks 159, 230
ISA 402 Audit Considerations Relating
to an Entity Using a Service
Organization 47
ISA 450 Evaluation of Misstatements
Identified during the Audit 96,
220, 242, 251
ISA 501 Audit Evidence — Specific
Considerations for Selected Items
232, 241
ISA 505 External Confirmations 193
ISA 510 Initial Audit Engagements —
Opening Balances 47
ISA 520 Analytical Procedures 187,
239, 242
ISA 530 Audit Sampling 185
ISA 540 (Revised) Auditing Accounting
Estimates and Related Disclosures
127
ISA 540 (Revised) Auditing Accounting
Estimates, Including Fair Value
Accounting Estimates, and Related
Disclosures 55, 229, 241
ISA 550 Related Parties 104, 208, 229,
242
ISA 560 Subsequent Events 236, 241
ISA 570 (Revised) Going Concern
233, 241, 276
ISA 580 Written Representations 236,
241
ISA 600 Special Considerations —
Audits of Group Financial
Statements 47, 211
Pdf_Folio:493
ISA 610 (Revised) Using the Work of
Internal Auditors 47, 212
ISA 700 (Revised) Forming an Opinion
and Reporting on Financial
Statements 251, 276
ISA 701 Communicating Key Audit
Matters in the Independent
Auditor’s Report 276
ISA 705 (Revised) Modifications to the
Opinion in the Independent
Auditor’s Report 243, 251, 276
ISA 706 (Revised) Emphasis of Matter
Paragraphs and Other Matter
Paragraphs in the Independent
Auditor’s Report 262, 276
ISA 710 Comparative Information —
Corresponding Figures and
Comparative Financial Statements
251, 264, 276
ISA 720 (Revised) The Auditor’s
Responsibilities Relating to Other
Information 259, 276
ISA 800 (Revised) Special
Considerations — Audits of
Financial Statements Prepared in
Accordance with Special Purpose
Frameworks 47, 291, 294
ISA 805 (Revised) Special
Considerations — Audits of Single
Financial Statements and Specific
Elements, Accounts or Items of a
Financial Statement 291, 295
ISA 810 (Revised) Engagements to
Report on Summary Financial
Statements 291, 295
ISAE 3000 (Revised) Assurance
Engagements Other than Audits or
Reviews of Historical Financial
Information 27, 41, 51, 300, 315,
365
ISAE 3400 The Examination of
Prospective Financial Information
51
ISAE 3402 Assurance Reports on
Controls at a Service Organisation
51, 332
ISAE 3410 Assurance Engagements on
Greenhouse Gas Statements 51,
304, 315
ISAE 3420 Assurance Engagements to
Report on the Compilation of Pro
Forma Financial Information
Included in a Prospectus 51, 313,
315
ISAs see International Standards on
Auditing
ISO 31000 Risk Management —
Guidelines 324
ISQC 1 Quality Control for Firms that
Perform Audits and Reviews of
Financial Statements, and Other
Assurance and Related Services
Engagements 18, 73
ISRE 2400 (Revised) Engagements to
Review Historical Financial
Statements 51, 298, 300
ISRE 2410 Review of Interim Financial
Information Performed by the
Independent Auditor of the Entity
51, 296–8, 300
ISRS 4400 Engagements to Perform
Agreed-Upon Procedures
Regarding Financial Information
52, 366
ISRS 4410 (Revised) Compilation
Engagements 52
IT application controls 180
IT environment 113
controls in 119
IT general controls (ITGCs) 177
ITF see integrated test facility
ITGCs see IT general controls
Jobstone Ltd 240
journal entry analytics 157
judgmental misstatements 242
KAMs see key audit matters
KAP see key audit partner
key audit matters (KAMs) 255–9
key audit partner (KAP) 76
kickback 124
LCEs see less complex entities
leadership responsibility 18–19
less complex entities (LCEs) 86
letter of engagement 84
letter of enquiry 232
letter of subordination 235
letter of support 235
limit or reasonableness test 119
limit test 118
limited assurance engagements 27
liquidity ratios 147
long-term liabilities 147
lower assessed level of control risk
approach 88
management representation letter
235–6
management responsibilities, going
concern 130
management’s experts, using work of
214–16
matching information, in key data fields
154
material misstatements 82–3, 99, 173,
220
identifying risks of 96–8
material uncertainty 254–5
materiality 37
judgments 95
and pervasiveness 243–5
technical review 245
misappropriation of assets frauds
123–4
misstatement 69
in financial statements, risk of 140
identified during audit 220–2
mitigating circumstances 234
mitigating factors 234
monetary unit sampling (MUS) 202–3
monitoring systems 22–3
Murray-Darling Basin Plan 307
MUS see monetary unit sampling
INDEX 493
National Greenhouse and Energy
Reporting Act 2007 305
National Greenhouse and Energy
Reporting Scheme (NGERS) 305
nature, audit procedure 38
negative confirmation requests 194
net profit margin 145
New Zealand Auditing and Assurance
Standards Board (NZAuASB) 10
NGERS see National Greenhouse and
Energy Reporting Scheme
NOCLAR see non-compliance with
laws and regulations
non-assurance services 366–73
agreed-upon procedures 366–7
compilation engagements 368–73
non-audit services 74, 261
non-compliance 73
non-compliance with laws and
regulations (NOCLAR) 16, 82,
103, 131–4, 278
non-financial data
in substantive analytical procedures
188
non-financial reports 303–11
non-financial reports assurance 41–2
NZAuASB see New Zealand Auditing
and Assurance Standards Board
objectivity 12
observation and inspection, risk
assessment 134
OnTrend Appliances Ltd (OnTrend)
326
organisational and management controls
114
other matter paragraph 262–5
output controls 119
overall audit strategy 86–8
overall materiality 95, 98
vs. performance materiality 98–9
overarching standard 300–3
payroll database 154, 155
peer analysis 157
performance audit 50
agencies 343
elements 344–5
module 370
process 346–66
structure 343–4
performance engagements 44–5
performance indicators 338
performance materiality 98
vs. overall materiality 95
performance reviews 111
performed as risk assessment procedures
186
period-end window dressing 128
pervasiveness 243–5
PEST (Political, Economic, Social and
Technological) analysis 138
PESTEL (political, economic, social,
technological, environmental and
legal) analysis 138, 139
physical controls 111
physical risks 54
physical safeguards 115
Pdf_Folio:494
494 INDEX
PIEs see public interest entities
port and marine cash-generating unit
(‘CGU’) 271
positive confirmation request 193
possible fraud, indicators of 231
potential audit implications 135
predictive analytics 150
predominantly substantive testing
approach 88
prescriptive analytics 150
process mining 157
processing controls 118
professional accountants 15, 79
in public practice 14–16
professional accounting bodies 9–10
professional behaviour 13
professional competence and due care
12
professional conduct 17
and ethics 77–9
professional judgment 35–8, 79, 80, 99
professional scepticism 33–5, 73,
78–83, 99, 127, 128
profitability ratios 145
projected misstatements 243
projected to the population 203
projecting the errors 203
projection 312
proper authorisation 117
public interest entities (PIEs) 76
public sector 49–50
auditor 333
audit relationship 333
audits 50
performance auditing 333–66
purpose-written programs 199
qualified opinion 265, 268–70
quality control (QC) 18–25
client relationships 19–20
engagement partner 19
engagement performance 20–2
ethical requirements 19
framework for audit quality 23–5
human resources 20
leadership responsibility 18–19
monitoring 22–3
quality of engagement performance
21
quality control for audits 73–4
acceptance and continuance of client
relationships 74
assignment of engagement teams 74
engagement performance 74
team members’ compliance with
ethical requirements 73–4
random selection 185
range test 118
ratio analysis 144–8
RDR see Reduced Disclosures
Requirement
reasonable and informed third party 14
reasonable assurance engagements
26–7, 68
reasonableness (logic) test 118
reasonableness of data 118
reasonableness tests 144, 189–90
record counts 118
Reduced Disclosures Requirement
(RDR) 283
registered greenhouse and energy auditor
(RGEA) 305
regression analysis 155
Regulation of Great Barrier Reef Marine
Park Permits and Approvals 359
regulatory environment 72
related party transaction risk 210
related-party risk 128–9
related-party transactions 104
Renewable Energy (Electricity) Act 2000
305
reporting responsibilities 280–7
responsible party 29
review engagement 41, 295–300
RGEA see registered greenhouse and
energy auditor
risk analysis decision tree 154
risk assessment 100, 134
analytical procedures see analytical
procedures
audit data analytics see audit data
analytics (ADA)
data analytics techniques for 153,
154
methods used for 134–60
procedures 82
strategic analysis see strategic
analysis
risk of material misstatement 70
robotic process automation (RPA)
56–8
implementation of revenue audit 57,
58
rounding test 119
RPA see robotic process automation
run to run controls 118
SA 800 (Revised) Special
Considerations — Audits of
Financial Statements Prepared in
Accordance with Special Purpose
Frameworks 294
sampling techniques, for testing controls
184–6
evaluation of 185–6
selection of 185
Sarbanes-Oxley Act 2002 (US) 42, 75,
291, 321, 331
SDF see Starlights Defence Force
second partner review 248
segregation of duties 111, 157
self-interest threat 13
self-managed superannuation fund
(SMSF) 330
self-review threat 13
Senate Economics References
Committee 54
sequence test 118
shareholders reporting 282–3
significant risks 121
simulated transactions 180
small- and medium-sized enterprises
(SMEs) 46–9, 143, 163–8
audit approach for 164
CPA Australia 307
 financial information 298–9
going concern 234
International Financial Reporting
Standards 369
smart contracts 111
SMEs see small and medium-sized
enterprises
SMSF see self-managed
superannuation fund
Southern Slumberland (SS) 255
special audits 50
specific business risks 135
SRE 2410 Review of Financial
Statements Performed by the
Independent Auditor of the Entity
298
Starlights Defence Force (SDF) 358
strategic analysis
PEST (political, economic, social and
technological) analysis 138, 140
PESTEL (political, economic, social,
technological, environmental and
legal) analysis 138, 140
SWOT (strengths, weaknesses,
opportunities and threats) analysis
137
techniques 136–42
value-chain analysis 140
strategic risks 135
substantive analytical procedures 186
designing and performing 187–8
examples of effective 188
level of assurance obtained 187
nature of 186–7
relationship with other audit
procedures 190–1
reliability of the data 188–9
suitability of 187–8
use of non-financial data in 188
use of reasonableness tests 189–90
substantive procedures 70, 162–3
substantive procedures, sampling
techniques in 202–5
evaluation of 203–5
monetary unit sampling 202–3
substantive testing 100, 197–201
in e-commerce environment 206
generalised audit software 197–9
Pdf_Folio:495
purpose-written programs 199
utility programs and systems
management programs 199–201
sufficiency 171
of evidence 82
quantity 32
suitable criteria 31
suspicious transactions 158
SWOT (Strengths, Weaknesses,
Opportunities and Threats) analysis
137
system software 115
systematic selection 185
systems and processes, assurance 42–3
systems development, and program
maintenance controls 114
Task Force on Climate-Related Financial
Disclosures (TCFD) 54, 131, 304
TCFD see Task Force on
Climate-Related Financial
Disclosures
Tech Mpire Limited Annual Report 2018
255
technical review 245
terms of engagements
changes to terms 84–6
preconditions 83–4
test data 179–81
devising and applying 182
vs. integrated test facility 181–4
tests of controls 86
assertion-level controls 174, 175
auditor 175
computer-assisted audit techniques
178–84
in e-commerce environment 205–6
financial statement-level 174, 175
objectives of 175–6
procedures 176–8
sampling techniques for 184–6
small-to-medium enterprises 174,
175
tests of details 191
designing and performing 192
nature of 191–2
tests of transactions and account
balances 192–7
tests of transactions and account
balances 192–7
attendance at physical inventory
counts 195
bank confirmation requests 194
direction of testing 195
external confirmations 193
negative confirmation requests 194
positive confirmation request 193
types 193–7
Therapeutic Goods Act 1989 103
three-party relationship 29–30
three-way match procedure 157
Tier 2 reduced disclosure requirements
292
Tier 2 requirements 283
tiered approach, audit requirements 48
time-series regression 155
timing, evidence 38
traditional audit vs. computer-assisted
audit techniques 179
transaction codes 118
transition risks 54
true and fair view 40, 253
turnaround documents 117
types of auditor’s reports 252
utility programs and systems
management programs 199–201
advantages and disadvantages of 200
value chain analysis 140, 142
vendor database 154, 155
Victorian Auditor-General’s Office
(VAGO) 50
visualisation 155, 156
WASB see Water Accounting
Standards Board
Water Accounting Standards Board
(WASB) 307
WNS Holdings Ltd (WNS) explored
58
working papers 245–6
written assurance report 38–40
written representations 235
XRB see External Reporting Board
INDEX 495