Auditing

UNIT-1
❑ I N T R O D UC TI ON

❑ SCOP E & OBJECTS OF AUDIT

❑ A U D I T V S A S S U R A NCE

❑ A D VA N TA G E S & L I M I T AT I O N S
OF AUDIT

❑ C O R P O R AT E G O V E R N A N C E
A N D S T E WA R D S H I P

❑ CODE OF ETHICS
Meaning and Definition of Auditing
• The word Audit is derived from the Latin word “Audire” which means ‘to hear’.
• Auditing is the verification of financial position as disclosed by the financial statements.
• It is an examination of accounts to ascertain whether the financial statements give a true and fair view of the
financial position and profit or loss of the business.
• Auditing is the intelligent and critical test of accuracy, adequacy and dependability of accounting data and
accounting statements.

• “Auditing is an examination of accounting records undertaken with a view to establishment whether they correctly
and completely reflect the transactions to which they purport to relate.”- L. R. Dicksee
• “Auditing is the systematic examination of financial statements, records and related operations to determine
adherence to generally accepted accounting principles, management policies and stated requirement.” -R. E.
Schlosser
Characteristics of Auditing:
➢ Systematic and scientific procedure
➢ Essential documents are integral part
➢ Evidence based
➢ Undertaken by an independent person or body
➢ Analytical approach
➢ Art and Science
➢ Verification of the results
➢ Auditor has to satisfy himself with the authenticity
➢ Compliance
➢ Examination of documents
Objectives of Auditing
The objectives of auditing are changing with the advancement of business techniques. Earlier it was only to check the
correctness of receipts and payments. The objectives of the auditing have been classified under two heads:
• Main objective
• Subsidiary objectives
1. Main Objective:
The main objective of the auditing is to find reliability of financial position and profit and loss statements. The
objective is to ensure that the accounts reveal a true and fair view of the business and its transactions. The objective
is to verify and establish that at a given date balance sheet presents true and fair view of financial position of the
business and the profit and loss account gives the true and fair view of profit or loss for the accounting period. It is to
be established that accounting statements satisfy certain degree of reliability. Thus the main objective of auditing is to
form an independent judgement and opinion about the reliability of accounts and truth and fairness of financial state
of affairs and working results.
2. Subsidiary objectives:
The subsidiary objectives of the auditing are:
1. Detection and prevention of fraud: the one of the important subsidiary objective of auditing is the
detection and prevention of fraud. Fraud refers to intentional misrepresentation of financial
information. Fraud may involve:
a. Manipulation, falsification or alteration of records or documents
b. Misappropriation of assets.
c. Suppression of effect of transactions from records or documents.
d. Recording of transactions without substance.
e. Misapplication of accounting policies
1. Detection and prevention of errors: is another important objective of auditing. Auditing ensures that
there is no mis-statement in the financial statements. Errors can be detected through checking and
vouching thoroughly books of accounts, ledger accounts, vouchers and other relevant information.
 Scope of Auditing

•Legal requirements
•Entity aspects
•Reliable information
•Proper communication
•Evaluation
•Test
•Comparison
•Judgements
•Work
•Evidence
•misstatement
 Principles of
A uditing

Audit report Integrity

Internal control Independence

Accounting
Confidentiality
system

Skill and
Audit evidence competence

Responsibility
of work
 Audit vs Assurance
1. A process of evaluating accounting information presented in statements.
• A process of analyzing and assessing processes, operations, procedures, etc.
2. The aim is to present the financial information, and reports, fairly, accurately, and ethically
accepting accounting standards and principles.
• The aim is to ensure the accuracy of accounting information and records to all stakeholders that
there are no misrepresentations or irregularities in the report.
3. The rights and liabilities of an auditor is higher
• It has comparatively lesser rights than an audit
4. The audit is in line with the International auditing standards
• Assurance terms may restrict the practitioner only to a specific area.
5. The audience includes generally all stakeholders
• Restrict to just one type of stakeholder for example management.
6. The Time & resources required are higher
• The time and resources are required comparatively less than an audit.
7. Internal control or auditing or external third party helps to enhance the reliability of the
information.
• Assurance is the step that follows an audit and usually done by a professional auditing body or
board.
8. Audit reveals any misuse of the fund and any dishonest activity in financial statements and gives
accurate information.
• Assurance follows an audit and gives true information to the stakeholders for better decision-
making.
7. An audit occurs before the assurance process, as the assurance process determines the validity
and accuracy of an audit.
• An audit can occur without assurance
 •Detection of errors and frauds
Advantages •Laon from banks
of auditing •Proper valuation of investments
•Proper valuation of assets
(business •Government acceptance
point of •Suggestions for improvement
•Better reputation
view) •Uniformity in accounts
 •Protest interest
Advantages •Moral check
(From •Builds reputation
investor •Good security
point of •Growth and
view) development
Other advantages
• Audited accounts are detected as an record of transaction
• Errors and frauds are detected and rectified
• It increases the morale and decreases frauds and errors
• Taxation benefits
• Claims from insurance company can be made
• Helps in managerial decisions
• Useful to secure loan at the time of amalgamation, absorption, and
reconstruction
• Safeguards the interest of all stakeholders
• Useful to take certain financial decisions
 Need the Existence of
Problem of Post -mortem errors in the Diversified Quality of the Time taking
Limitations complete dependence examination audited situations auditors procedures
Expensive
picture accounts
 Objectives of Auditor
• According to ISA 200 auditor need to obtain reasonable assurance, the auditor shall obtain
reasonable assurance and auditor need to obtain sufficient and appropriate evidence to reduce
risk to an acceptable low level.
• In addition, ISA 315 requires to identify and assess audit risk of material misstatement designing
and implementing in response to assessed risk
Misstatement:
• ISA 450 evaluation of misstatements identified during the audit states that this occurs when
something in the accounts is not in accordance with the applicable financial reporting framework
• They can arise due to frauds or errors.
• There are 3 types of fraud or error
1. Factual misstatements:
• Those where there is no doubt
• An example would be a clear breach of an IFRS requirement meaning that the financial statements are
incorrect, for instance, if a necessary disclosure is missing – i.e., non-disclosure of EPS for a listed company.

2. Judgmental misstatements:
• These are differences arising from the judgments of management concerning accounting estimates that the
auditor considers unreasonable or the selection or application of accounting policies that the auditor considers
inappropriate.
• For instance, when determining the fair value of non-current assets, the level of disclosure necessary in
relation to a contingent liability, or the recoverability of receivables.
3. Projected misstatements:
• These are the auditor’s best estimates of misstatements in populations, involving the projection of
misstatements identified in audit samples to the entire populations from which the samples were drawn

• For the auditor it is important to distinguish between these types of misstatements in order to properly discuss
them with management, and ask for the necessary corrections, where relevant, to be made.
• In case of a factual misstatement, there is little room for negotiation with management, as the item has simply
been treated incorrectly in the financial statements.
• In case of judgemental misstatement there is likely to be more discussion with management. The auditor will
need to present their conclusion based on robust audit evidence, in order to explain the misstatement which has
been uncovered, and justify a recommended correction of the misstatement.
• In case of projected misstatements, because these are based on extrapolations of audit evidence, it is normally
not appropriate for management to be asked to correct the misstatement. Instead, a projected misstatement
should be evaluated to consider whether further audit testing is appropriate.
 Uncorrected Misstatements:
• Misstatements that the auditor has accumulated during the audit and that have not been corrected
• The auditor has the responsibility to accumulate misstatements which arise over the course of an audit unless they
are very small amounts
• However, the identified misstatements should be considered during the course of audit to assess whether the audit
strategy and plan should be revised.
Correction of Misstatements

• Management is expected to correct the misstatements which are brought to their attention by the auditor.
• If management refuses to correct some or all of the misstatements, ISA 450 requires the auditor to obtain an
understanding of management’s reasons for not making the corrections, and to take that understanding into
account when evaluating whether the financial statements as a whole are free from material misstatement.
• Some misstatements may be evaluated as material, individually or when considered together with other
misstatements accumulated during the audit, even if they are lower than materiality for the financial
statements as a whole.
Examples include:
• Misstatements which affect compliance with regulatory requirements
• Misstatements which impact debt covenants or other financing or contractual arrangements
• Misstatements which affect ratios used to evaluate the entity’s financial position, results of operations or cash
flows
Communication with those charged with governance

• ISA 450 requires the auditor to communicate uncorrected misstatements to those charged with governance
and the effect that they, individually or in aggregate, will have on the opinion in the auditor’s report.
• The auditor may discuss with those charged with governance the reasons for, and the implications of, a failure
to correct misstatements, and possible implications in relation to future financial statements.
• The auditor should discuss the potential implications for the auditor’s report, which is likely to contain a
modified opinion, if material misstatements are not corrected as requested by the auditor.
Documentation
• ISA 450 requires certain documentation in relation to misstatements
• All misstatements accumulated during the audit and whether they have been corrected
• The auditor’s conclusion as to whether uncorrected misstatements are material, individually or in aggregate,
and the basis for that conclusion.
 Professional Scepticism and Judgement

Professional Scepticism:

• It is an attitude which includes the questioning mind being alert to a condition which may indicate possible
misstatements due to fraud or error and a critical evidence of audit assessment
• In other words, auditors should not simply believe what management tells them and while conducting the audit,
auditor should adopt attitude of professional scepticism.
 The exercise of professional judgement
• The auditor need to exercise professional judgement in planning and performing audit.
• It also needs to exercise professional judgement on quantity and quality of evidence
1. Is there sufficient evidence?
2. Quality of the evidence obtained?
3. Are the assumptions taken reasonable?
4. Is it consistent with known from elsewhere?
• The auditors not only need to see what assumptions records, but also need to challenge them and understand how
they affect the conclusions the client has come to
The factors which will help with the judgements are:
1. The strength of internal controls
2. The sampling method used
3. The materiality of the item
4. The seriousness of risk
 Corporate Governance

• Cadbury Report, titled Financial Aspects of Corporate Governance-chaired by Adrian Cadbury

• One of the first and renowned committees formed to deliberate on corporate governance
• Corporate Governance refers to the way a corporation is governed.
• 'The system by which companies are directed and controlled’- Cadbury Committee.

• According to Gabrielle O’Donovan, corporate governance is defined as, “An internal system encompassing
policies, processes and people, which serves the needs of shareholders and other stakeholders, by
directing and controlling management activities, with good business savvy, objectivity, accountability
and integrity, where, sound corporate governance is reliant on the external market place commitment
and legislation, plus a healthy board culture which safeguards policies and processes.”
• Cadbury Committee formed specific best practices, and codes to implement corporate governance.
they are:
• role of the board of directors
• role of non-executive directors
• appointment, remuneration and performances of the directors
• financial reporting and audit
• regulation of both insider and outsider-dominated systems of management
Key Players of Corporate Governance
1.The company or entity
2.Directors
3.Managers/Executives
4.Shareholders
5.Stakeholders

Scope Of Corporate Governance

It refers to how it influences the business inside out; generally, its scope is broader; it encompasses various development
factors.

• Economic growth
• Social responsibility
• Business expansion and development
• Increased efficiency, Lowered illegalities and mismanagement
 Benefits of CG
• Firm’s success
• Economic growth
• Investors confidence
• Impact on share price
• Decrease in cost of capital
• Achieve corporate objectives
• Minimize risk
• Goodwill
 Key Concepts in Corporate Governance
• Fairness
• Openness/transparency
• Innovation
• Scepticism
• Independence
• Probity/honesty
• Responsibility
• Accountability
• Reputation
 Shareholder vs Stakeholder
• There are two alternate dominant perspectives on managing a business:
• The first is proposed by Milton Friedman, who argued that business has only one
responsibility–to its shareholders.

• To maximize profit for shareholders.

• The idea that this whole purpose of a firm is to maximise shareholder wealth was intensively
debated when Friedman wrote in 1970, quote, "There is one and only one social responsibility
of business. To use its resources and engage in activities designed to increase its profits...

• " To be fair to Friedman, no one really quotes the second part of that sentence in which he
says, "...so long as it stays within the rules of the game." This is to say, it engages an open and
free competition without deception or fraud.
• The stakeholder view emerged from a variety of disciplines including corporate planning, systems
theory and corporate social responsibility.

• Freeman describes stakeholders as “a group or individuals with the power to influence as well as
an interest in the corporate's action”.

• In other words, stakeholders depend on the organisation to fulfil their own goals and in turn the
organisation depends on them.

• Stakeholders may be

• Internal or

• External
Stakeholders Map
• Internal stakeholders may include employees.

• External stakeholders include shareholders, customers, suppliers, financial institutions and

unions.

• Even though they do not actively influence the decision-making, they tend to influence internal
stakeholders to work in their favour.

• Primary stakeholders include customers, suppliers, employees, investors and communities.

• Secondary stakeholders include: the media, regulators, government, competitors, politicians,

NGOs, environmentalists, and other special interest groups
• The alternate point of view is that the most fundamental purpose of an organisation is to
create value for its stakeholders. And this includes a range of actors in addition to
stockholders.
➢ While stockholders expect share appreciation and dividends
➢ customers expect new products and services.
➢ Employees look for employment opportunities, and increased wages.
➢ Suppliers look for increased revenues and growth opportunities.
➢ Local community may demand more jobs and improved quality of life and so on.
➢ As multiple stakeholders place conflicting demands on the corporation.

➢ And the manager now needs to manage, probably trade-off, between these conflicting
demands.

Why firms should consider stakeholders’ interests?

 Why firms should consider stakeholders’ interests? (4A)

• The ability to predict the trends in the external environment improves

• stakeholder perspective enriches the information for decision making
• Higher levels of trust, transparency and accountability lead to increase social legitimacy
if a stakeholder approach is followed
• Allows a firm to outperform its competition.
• Moral arguments for adopting a stakeholder approach.
Agency Theory
• An agent is employed by a principal to carry out a task on their behalf.
• Agencyrefers to the relationship between a principal and their agent.
• Agency costs are incurred by principals in monitoring agency behaviour because of a lack of trust in the good
faith of agents.
• By accepting to undertake a task on their behalf, an agent becomes accountable to the principal by whom they
are employed. The agent is accountable to that principal.
• Directors (agents) have a fiduciary responsibility to the shareholders (principal) of their organisation (usually
described through company law as 'operating in the best interests of the shareholders).
• Agent objectives (such as a desire for high salary, large bonus and status for a director) will differ from the
principal's objectives (wealth maximisation for shareholders)
Agency Theory

• It is not unusual for principal-

agent relationships to lead to
conflicts
• Shareholder and Manager or
Director Relationships
• Controlling and Minority
Shareholder Relationships
• Creditor Versus Shareholder
Interests
• Shareholders and Auditors
• Other Stakeholder Conflicts
• Customers and Shareholders,
Customers and Suppliers, and
Shareholders and Governments or
Regulators.
 Agency cost

• Agency costs are internal costs incurred due to the competing interests of shareholders (principals) and the
management team (agents).
• Expenses that are associated with resolving this disagreement and managing the relationship are referred to
as agency costs
The Principal-Agent Relationship

• The principal-agent relationship is an arrangement between two parties in which one party (the principal)
legally appoints the other party (the agent) to act on its behalf.
• Principal-agent problems occur when the interests of the principal and agent are not aligned. As a result,
agency costs will incur.
 Types of Reduction of
Agency cost agency cost:

Agency cost Financial

of debt and benefits

Non-
Agency cost financial
of equity benefits
 Board of Directors
Who are Board of directors?
➢Group of elected individuals representing the shareholders.
➢Meets at regular intervals to set policies
➢Oversee corporate management
➢Requirement for every public company
➢Section 2 (34) companies act 2013, of the Act prescribed that “director” means a director appointed to the Board
of a company
➢Section 2(10) "Board of Directors" or "Board", in relation to a company, means the collective body of the directors of the
company
Functions/ Roles and Responsibilities of Board of Directors
➢Creating dividend policies
➢Hiring and firing of senior executives
➢Establishing compensation for executives
➢Supporting executives and their teams
➢Maintaining company resources
➢Setting general company goals
➢Making sure that the company is equipped with the tools it needs to be managed well
UK Corporate Governance code
The UK Corporate Governance Code (formerly known as the Combined Code) sets out standards of good
practice for listed companies on board composition and development, remuneration, shareholder relations,
accountability and audit.
India
Role and responsibilities of Board of Directors in terms of Companies Act, 2013 and other legal provisions.
A company is a legal personality and BOD's are its body and mind
 Approaches to Corporate Governance

1. Rule-Based Approach- Legal requirement

2. Principle-Based Approach- Not a legal requirement
✓ A rules-based approach prescribes in detail or gives a set of rules, how to behave
✓ Principle-based approach is regulation outcomes and principles that measures, and controls
procedures to achieve the outcomes in the organization.
 Board Committee
1) Audit Committee
2) Nomination and remuneration committee
3) Risk Management Committee
4) CSR Committee
5) Stakeholders and ESG committee

Importance of board subcommittees

• Reduces work load of board
• Creates expertise
• Communication to shareholders
• Increases confidence of shareholders
 Corporate Governance and Stewardship

• How can a business thrive and sustain growth while enhancing the wealth of its stakeholders and the well-being of
the societies in which it operates?
• Corporate governance practices are reevaluated after every financial crisis, but often move in the direction of
increasing guidelines and regulations.
• Such corporate governance measures are helpful and often necessary.
• However, sound stewardship has a longer-term and wider view, with a motivation that extends beyond a “comply or
explain” mentality.
▪ How can a business contribute to the wealth and well-being of the societies where it operates
over the long term?

• The best way for businesses to contribute constructively is to maximize their sustained wealth
creation capability and to have a sense of responsibility towards the community at large – to do
well so as to be able to do good in a broader societal sense.
• Stewardship is the much-needed process that will help business to take its rightful role within
the societal ecosystem, and have a meaningful impact.
• It broadens how we view the role of business, extending the contextual lens of company
decision-making to include the societal and economic environment. In practice, this means
actively considering the interplay between different stakeholder concerns with the organization’s
wealth-generating activities.
• It also means building the firm’s capability to process and balance these to maximize its creation
of economic and societal value over the longer term.
• Stewardship is an inclusive and holistic approach.
• It includes three dimensions:
1. A clear sense of purpose
2. An intertemporal horizon and
3. The engagement of different stakeholders.
• Stewardship leaders take action that is characterized by the combination of three seminal attributes:
1. leading with impact
2. Safeguarding the future, and
3. Driving social good.
• Through an awareness of the stewardship ecosystem and the factors at play, firms can better understand how to
steer wealth creation in the context in which they operate
• With a clear sense of purpose, stewardship enables companies to ensure that their success is sustainable and
contributes to their future prosperity as well as the well-being of society at large
• Stewardship provides an approach to help business take a more holistic approach to wealth and
well-being.
• Stewardship is the act of protecting and enhancing the capability of the organization to create
economic and societal value over time
• Stewardship can provide the traction that business needs to connect with its stakeholders – across
societal and temporal boundaries – to redefine the scope of its activity and the role it takes in
society.
• Stewardship has its theoretical origins in several very diverse areas of thought.
• One area of thought is rooted in the belief that humans have a duty and a responsibility to the
world and their fellow human beings.
• Several branches of ethics stress that humans have a moral obligation to take care of their
environment by maintaining and wisely using natural resources, and adhering to a code that
balances one’s responsibilities with the rights of others.
• Many philosophical schools of thought and religious traditions stress the importance of human
responsibility to the environment as well as to the community
• Bible makes references to stewardship through the astute management and deployment of resources,
with integrity and high moral standing, with a view to serving the wider community
• The Hindu Vedas also encourage responsible use of resources and acting to the benefit of humanity
• Buddhist texts highlight the importance of selfless charity and ethics, as well as integrity
• Stewardship draws on notions of accountability and a long-term orientation and responsibility
for protecting assets over time. However, used in the corporate and business sense, stewardship
means something conceptually quite different
• Agency theory assumes that managers will act in their own self-interest at the expense of
shareholders.
• Stewardship theory – on the other hand - suggests that managers will act as responsible stewards of
the assets they control on behalf of the owners
• Agency theory says that the principals (shareholders) need to limit the losses that result from
managers acting in self-interested ways by putting incentives and control structures in place
• Stewardship theory, on the other hand, depicts management executives as having motives aligned
with the objectives of their principals.
• Stewards are not purely self-interested.
• They identify themselves with the business, and are motivated to maximize organizational
performance.
Agency orientation Vs Stewardship orientation
Owners
• Owners are shareholders, investors and principals, and often these terms are used interchangeably.
• However, a key element of stewardship is the concept of ownership mentality, defined as a strong sense of
attachment to the business and a desire to work towards its sustained success for the longer term.
• A number of stewardship codes are now arising to address this area and to define the scope of these
responsibilities of ownership.
Management
• The board is the key link between the shareholders and the firm. It ensures that the firm has the leadership
capabilities to fulfill its mandate. It typically makes decisions on behalf of the principal(s).
• The chief executive and the management are the agents responsible for managing the firm’s resources and
operationalizing the firm’s strategy.
Principal

• The principal is the person or entity who takes responsibility for the actions of the firm and has the most at stake in
its performance.
• Stewardship is the process by which a firm can best create value over time, through its relationships with both
internal and external key agents.
• To successfully do this over the long term, a firm needs to consider how these relationships may affect its
performance in the future.
• Success can be measured as having a net positive impact on future generations – in a holistic sense, i.e. economic,
social and environmental.
• A number of conditions engender a healthy ecosystem for a firm to create value over time. Internally, by fostering the
conditions which intrinsically motivate employees; externally, by understanding relationships with its partners and
the communities in which it operates, the firm contributes to building a landscape of greater transparency and trust.
Within this landscape, well-stewarded companies ensure that they build the capabilities and resilience to steer
through financial crises allowing value to be built over time.
 Code of Ethics
Ethics:

• Moral Behavior which tells the human being the difference between right and wrong .
-Theories
Fundamental principles of ethics:
• Integrity
• Objectivity
• Professional competence and due care
• Confidentiality
• Professional behaviour
• Integrity:
A person should be straightforward and honest in all of his professional dealings
• Objectivity:
A person should not allow bias and discrimination and conflict of Interest in Professional judgment
• Professional competence and due care:
A person should be up to date with relevant knowledge and skills so he can provide up-to-date services to clients or
employers.
• Confidentiality:
A person should not disclose his client/employer information to any other person but he can disclose if it’s a legal duty
or it’s in the public interest but when intend to disclose information in the public interest he should seek legal advice.
Professional behaviour:
• A profession should avoid actions which could discredit his professional reputation.

Threat to Ethical principles:

• Self-Interest Threat
• Self-review threat
• Advocacy threat
• Intimidation threat
• Familiarity threat
• Self-interest threat:
Shares in the Company, Long term business relations, contingent fees, overdue fees
• Self-review threat :
Reviewing own work while conducting the audit
• Advocacy threat:
Promoting client in a public event or defending client in a legal case
• Intimidation threat:
Threats such as removing from the audit office, not paying audit fee etc
• Familiarity threat:
Long-term business relationship with the client, close relatives in the business.
Safeguards:
• Sell the shares of the company if part of the engagement team
• Switch from the particular client if have shares or other financial interest in the company.
• Charge fee as per market rates
• Clear the overdue fee before accepting the engagement the client
• Avoid the contingent fee
• To avoid self-interest threat create sections within the team for example Separate team for tax advisory
and separate team for Audit engagement
• Do not promote client in public or defend in court case
• Rotate the Manager from client after every three years and Partner five years at least to avoid
familiarity threat
 Unit- 4 Internal Control

• Internal control system components

• Review efficiency of existing IC system
• Audit procedure based on IC system
 Internal control
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to
provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and
compliance”.
• The COSO model is a holistic framework, that is generally accepted and used globally.
• It serves as an underlying basis for other internal control models, including those developed by the Basel Committee
on Banking Supervision (Basel’s Framework), sponsored by five nonprofit organizations,
• COSO aims at providing thought leadership on internal control and enterprise risk management.
• It achieves its mission through publishing guidance and framework that companies and organizations around the
globe can apply in their practices.
• COSO published its first guidance, Internal Control-Integrated Framework, in 1992.
• The initial framework was subsequently complemented by derivative frameworks on various internal control aspects.
In May 2013, COSO issued an updated version of the initial framework.
 Internal control system
Understanding the controls
• Auditor has to take the understanding of Internal controls of organization so that they can determine what audit
procedures will be required
• It means we can trust the information which gives the information if the control system is reliable
It can be seen in two ways:
• Helping fraud and Error:
• It means that internal control system help prevent fraud and error which would make the accounting information
incorrect.
• It records substance not form:
• Internal controls ensure that when business undertake a transaction such as sale, the final recording of on the
accounting system reflect the true substance of the transaction
• In this way internal control system has a direct impact on audit risk
The COSO model is characterized by several concepts that define the nature of internal control:
1. Objective: Internal control, when effectively established and executed, is a system that allows entities to achieve
their objectives. Internal control is focused on the achievement of three categories of objectives and should not be
treated as a set of detached control procedures.
2. Process: Internal control is an ongoing process executed by and across all levels of an organization. It is not confined
to a timeline, positions, units, or set of rules. Companies should not consider internal control an additional burden
on top of whichever control procedures they already practice but rather treat it as a streamlined, comprehensive
system.
3. People: Internal control is not about policies, procedures, and rules. It is all about people: People across all levels of
an organization establish objectives and execute activities geared toward achieving those objectives.
4. Limitations: Internal control provides reasonable but not absolute assurance of achieving the objectives. Internal
control systems, similar to other business processes, can fail. The limitations of internal control systems are related to
the relevance of an entity’s objectives, management judgment, internal breakdowns, and external events.
5. Adaptability: The internal control system is flexible by nature. It can be applied across all levels of
an organization: company-wide, subsidiaries, branches, units, and departments. Entities should
adjust internal control procedures to the needs of their organizational structure.
• An effective internal control system significantly contributes to an entity’s preparedness to changes
in the economic and market landscape.
• For an internal control system to be considered effective, all five components of the model
should be present and functioning accordingly.
• Moreover, the components should operate as an integrated system.
• Every entity is unique in its mission, structure, and operation, so organizations are not expected to
have identical internal control systems.
• While the foundation blocks of internal control are defined by the COSO model, it is up to each
entity to decide on specific activities and an in-house structure of internal control systems. The
ultimate design and composition of an internal control system should fit the entity’s objectives and
the environment in which it operates
Components
• Organizations should design their internal control system according to existing best practice
standards.
The COSO Framework focuses on the following five integrated components:
1. Control environment
2. Control activities
3. Risk assessment
4. Information systems
5. Monitoring of internal controls
1. Control activities
• It includes all procedures designed to ensure management directives are carried out
• In other words, they are the actions established through policies and procedures that help ensure management’s
directives to mitigate risks affecting the achievement of objectives are carried out, performed at all levels of the
entity, at various stages within business processes, and over the technology environment.
2. Control environment:
• The control environment refer to the system around which controls of the organisation operate. Management
attitude will largely determine the nature of the control environment
• It is the set of standards, processes, and structures that provide the basis for carrying out internal control across
the organization
3. Risk Assessment
• It involves a formal process for identifying and assessing risks affecting the achievement of objectives.
• Management should undertake regular risk assessments to ensure that all risks are identified and mitigated
• Auditor should understand how management assess risk and how they take
• Take action to mitigate risks discovered
4. Information system
• The auditor must obtain an understanding of the information system, including the related business processes
relevant to financial reporting.
• The auditor must decide what areas of information system are relevant to the financial reporting of the entity and
only concentrate on those systems
• The classes of transactions in the entities operations which are significant to the financial statements
• The procedures, within both IT and manual systems, by which those transactions are initiated, recorded, processed
and reported in the financial statements.
• The related accounting records, whether electronic or manual, supporting information and specific accounts in
the financial statements, in respect of initiating, recording, processing and reporting transactions.
• How the information system captures events and conditions other than classes of transactions, that are
significant to the financial statements.
• The financial reporting procedure used to prepare the entities financial statements, including significant
accounting estimates and disclosures
• This is a key area to the exam, as a question will often require you to understand business systems in a scenario.
Monitoring of Controls
• Controls may be monitored either by management or by the internal audit function if one exists
• The auditor may be able to rely on some of the work of internal audit as we will see later, but must first gain an
understanding of how controls are monitored and how effective the monitoring is.
ISA 315 requires the auditor to consider the following aspects:

o Commitment to competence

o Participation of those charge with governance

o Organizational structure

o Management philosophy and operating style

o Communication and enforcement of integrity and ethical values

o Assignment of authority and responsibility

o Human resource policies and practices

 The responsibilities of various parties to IC system

• In an organization, every person at every level contributes to the internal control system. The level of
involvement differs depending on their roles and responsibilities.
How Auditors record systems

The first auditor is to document the system which can be done in several ways:

• Organizational charts

• Flow charts

• Notes made by the auditor

• Internal control questionnaire

• Internal control evaluation questionnaire

 How Auditors identify deficiencies?

The auditor needs to assess :

• If the system is implemented correctly and is effective

• So now the system is documented it is time to see

• The controls are implemented?

• The controls are effective?

• To do this we use tests of controls

Tests of Controls will be performed to test the effectiveness

• How controls were applied

• The consistency of the application

• Who applied them

Typical tests include

• Walkthrough tests (follow a transaction through the system)

• Observation (E.g., Observe the stock count)

• Computer-aided audit technique

Limitations of Internal control Component:
Controls are only as good as those applying them
Collusion from staff:
• May result in fraud no matter how strong the controls are
Practice is different from theory :
• The specific circumstances of the entity make some controls unworkable or be manipulated in practice by those
involved in the system
If controls are insufficient:
• More testing needed
Increased sample sizes directly on the specific risk in question
• Alternative sources of evidence needed
These could include external confirmation, or analytical procedures
The possibility of FRAUD means substantive testing is always required
Test of controls Sales Cycle (Revenue)

Test of controls:

❑ Review sales ledger reconciliations

• Verify credit notes with sales invoices checking prices, quantities, arithmetical accuracy, VAT and postings

• Match GDN with sales invoices checking prices, quantities, arithmetical accuracy, VAT and postings

• Agree on a sample of accounts in the sales ledger re-performing additions and balances carried down

• Review new customer files for references, credit checks, authorization by senior staff

• Ensure credit limits for customers are not exceeded by trying to post a sale which is beyond the customers limit

• Inspect correspondence on overdue accounts

• Ensure bad debts written off are authorized by managers

• Review process for dispatch of statements and ensure regularly sent

Order
taken Control Procedure
Control Objective
• All orders should be
• Order should be
confirmed with
raised accurately
customers
• The customer
• All customers should
should be
be checked for
creditworthy
credits
• Credit limits
• Credit limit should
should not be
be checked for
exceeded
customers
• The company
• Inventory should be
should be able to
checked before
fulfil the order
issuing an order
 Control Procedure
• Goods should be selected from
inventory using customer order
Goods Control Objective • The order should be authorised
dispatched • The goods required and signed when goods selected
should be in inventory • Order pads or computer
• All orders should be sent generated order should be
to the customer sequentially numbered to ensure
• The correct goods should none go missing
be sent to the correct • Match GDN with customer order
customer • Customer sign GDN and returns
to company
• GDN recorded and filled with
sequentially numbers

Control objective
Raising of
invoice • An Invoice should be
raised for all deliveries
• The invoice should be for
correct amount
• Any credit notes should
be valid and authorized
Control procedure
• GDN sent to invoice
department to match and copy
attached to GDN and filled
sequentially
• Order agreed to GDN. GDN
agreed to invoice
• Above checked and authorized
by the authorized person
• All credit notes allocated and
copy attached to invoice to
which it relates
• All credit notes authorized by
the manager
 Control Objective Control Procedure
Recording
of sales • All sales should be • Review debtor ledger
for credit balances
recorded where invoices may not
• Correct amount have been recorded
• Reconcile the debtor
should be recorded ledger
for each sale • Check all entries to
invoices
• The sale should be • Send out statements to
recorded for the customers regularly
correct customer
 Control procedure
Control objective • Cash received agreed to
• All customers should invoice
pay the correct • Review aged lisitng and
Payment is amount investigate old balances
received • All invoices should be • Chase up old outstanding
and paid balances
recorded • All receipts should be • Perform regular bank
recorded reconciliations
• The payment • Ensure that segregation of
received should duties exist
allocated to the • Review customer
correct customer statements
• All money banked • Lodge cash and cheque to
properly bank regularly
• Retention of customer
remittance details
Purchase cycle

Test of controls:

• Review Purchase ledger reconciliations

• Verify debit notes with purchase invoices checking prices, quantities, arithmetical accuracy, VAT and postings

• Match GRN with Purchase invoices checking prices, quantities, arithmetical accuracy, VAT and postings

• Agree sample of accounts in Purchase ledger re performing additions and balances carried down

• Ensure Purchases are authorized

 Control Procedure
Raise
requisition • Line manager authorises all
and order requisitions
placed Control Objective
• All purchasing is centralized
• The requisition should be for
• Suppliers used are approved
valid business reason
• Inventory levels checked before
• The cost of the requisition
ordering
should be reasonable
• Sequentially pre numbered
• Items should only be
requisition pads with order
requisitioned when required
matched to requisition
• Orders should be raised for
• Orders confirmed in writing
all requisitions
• Check price is same as price list
being used
 Control Objective
Control Procedure
• For all orders made
• Goods received are delivered
goods are actually
to area which is secure
Goods received
received • The goods received
• Records are updated as soon
are those which are
as goods are arrived
ordered
• Sequentially numbered
• The quality of the
• purchase order matched to
goods should be
the GRN and checked correct
acceptable
• Inspect the goods received to
• The quantity of goods
ensure quality and quantity
received should be
• Sign and authorize GRN
as ordered
 Control Objective
• Invoices should be Control Procedure
received for all goods • When goods received a
received copy of the GRN sent to
Receipt
of • All invoices received the invoicing department
invoice
are for valid purchases and match to the invoice
• All invoices have the • Invoices checked, signed
correct items, and authorize for payment
quantities and prices • Items checked to invoice
• All invoices should be to ensure validity
arithmetically correct
 Control Procedure
Control objective • All invoices should be
• Correct amount checked and stamped
should be recorded • Reconcile purchase
Recording
of for all objectives ledger control account
purchase • All purchases should • Supplier statements
be recorded should be reconciled
• The transaction regularly
should be recorded in • All invoices filled away
correct supplier should therefore be
account stambed

Control objective
All invoices should be
Payment paid
made to All invoices should be
supplier paid on time
All invoices should be
paid only once
All invoices should be
paid at the correct
amount
All invoices should be for
valid business expense
Control procedure
• All invoices stamped as
paid when done
• Vouch payment amount to
invoice amount
• All invoices should be
authorized before payment
• Ensure stamp invoice is not
paid again by keeping it
separate
• Ensure system is in place to
pay on time to retain credit
limit and supplier goodwill
Payroll cycle

The control objective for payroll cycle are:

1. Pay is authorized

2. Pay is correctly made

3. Pay is accurately calculated

4. Only work done is paid for

5. Deductions are correctly calculated and paid

Payroll – Test of control:

1. Test controls over unclaimed wages

2. Ensure changes to payroll are authorized

3. Check reasonableness of payroll deductions and ensure authorized

4. Attend a cash payout looking for two people present and one wager per person

5. Review wages reconciliation

6. The sample of wages and salaries should be re-performed

7. The calculation will agree with authorised pay rates and timesheets
 Payroll cycle

Clock cards
or time Control Procedure
sheets Control objective • The number of sheets or
submitted • All of the cards or cards should be submitted
sheets received to ensure the number of
• All cards or sheet employees
should be valid • Access to additional cards
• All of the hours or sheets should be
submitted should restricted
have been actually • All sheets and cards
worked should be authorised by
managers
 Control objective Control Procedure
• All information should • Totals should be checked

Information be input with none • Sheets should be signed once input

input onto missed or omitted • No duplicate employees should be
computer
• Information should be possible on system
input accurately • Username and passwords should
• No information should restrict access to data
be included twice • Segregation of duties exist
• No bogus employees • New employees should only be setup on
should exist the computer by a senior manager
 Control procedure
• Managers should authorize
Standing and promptly inform the
data payroll department about
input Control Objective joiners and leavers
• Leavers payments • Regular checks of standing
should cease once data should be undertaken
they have left by senior management
• The data on the • Forms should be signed to
system should be verify joiners/leavers are
accurate recorded on system
• Changes should be
authorised by senior
member of staff
 Control Procedure
Control Objective • A sample printed out
Processing
and • The payroll and checked manually
recording calculations should • System produces report
payroll
be correct automatically about
• The correct wages, over or under payments
PAYE and NIC’S • Print out signed by
should be recorded clerk to check accuracy
on the system • Senior management
review
 Control procedure
• If cashes, wages are paid
Control objective
ensure that people are
• All staff should
present when payment is
receive payment
Made made
payment • No bogus
to staff • BACS summary should
employees should
be reviewed by manager
be paid
and authorised prior to
• The correct amount
payment
should be paid to
• List of BACS payments
staff
should be reviewed to
verify all payments made
 Inventory
The control objective for inventory are:
1. Inventory movements are recorded and authorized
2. Inventory records are accurate
3. Cut-off procedures are correct
4. Inventory is valued correctly
5. Liabilities are recorded accurately
6. Inventory levels are neither too low nor too high
7. Allowance is made for slow-moving and obsolete inventory
8. Only items belonging to clients are included in the inventory
Test of control – Inventory:

1. Ensuring environment suitably secure and safe

2. Attend inventory count to ensure it is carried out correctly

3. For a sample of inventory records and agree to GRN and GDN

4. Review sequentially numbered GRN and GDN for completeness

5. Confirm that all movements are authorized

6. Test inventory count and investigate discrepancies

 Inventory system

Control Objective
• All Goods should be • Control Procedure
protected from theft on Locations kept secure
arrival
Goods with access restricted
• New deliveries should be
arrive to
kept separate from • Separate areas for new
inventory
returns
• Goods received should be deliveries and returns
of suitable quality • Goods checked for
• Inventory should be
recorded quality on arrival
• Only inventory ordered • Purchase cycle controls
should be accepted
should be in place
 • Control Objective Control Procedure
Inventory Inventory should be • Ensure that storage
stored stored safely and area is weather proof,
until securely to ensure has fire protection and
needed good condition is at the correct
• Oldest inventory temperature
should be used first • Ensure inventory
to prevent system is based on
obsolence FIFO
• Inventory should be • Access to stores
protected from theft should be restricted
 Control Procedure

Material Control Objective • The production manager

leaves for should authorize all
production • Correct amount of
material sent to the requisition from stores
• Requisition orders should
production department
• Correct type of be checked to goods sent
out
material should be
sent • Standard quantities of
material could be used
 FG to Control Objective
customers • The correct goods Control Procedure
should be sent
• Quality should be • The same procedures
maintained as the sales cycle apply
• Records should be
updated promptly here
and accurately
 Control procedure
• Counted areas marked to avoid
double counting
• Managers check accuracy by spot
Inventory Control Objective counts
is counted • The count should be • Counting done in pairs
accurate
• Employees don’t count areas for
what they are responsible for
• Count sheet sequentially numbered
• Controls over inventory arrivals during
the count
 Capital expenditure

• The auditor will test the controls in place over capital expenditure

• The tests used will vary according to the entity being audited and are similar to the tests of control over

purchases but usually includes:

• Capital expenditure usually be substantial and as such should be authorized by senior management

• The asset register should contain all information surrounding the asset such as invoice for the purchase,

location, value, etc.

• The documents confirming the ownership of the assets should be kept safe in a fire proof environment

• The existence of the assets should be checked on a regular basis

Audit Sampling and other means of testing

• Auditor cant test everything due to limited time, so auditor can use samples for substantive testing

• The test of controls which we looked at will establish for the auditor how much reliance he can place that

information generated from the system is free from error.

• The results of test of controls will determine how much substantive testing is required.

• The amount of substantive testing undertaken can therefore be varied by using different sample sizes.

• This is one of the reasons the auditor cannot give the absolute assurance over figures in financial statements as

audit carried on sample basis.

ISA 530 states

• All sampling units should have a chance of selection

• Testing the sample gives evidence which helps form a conclusion for the whole population

Either a statistical or a non-statistical approach can be used :

• This is telling the auditor that they can use a sample to draw conclusions about some aspect of the transactions

(e.g. were they authorised?) rather than looking at every transaction.

• Material items in the population must be tested.

• This means that 100% of transactions may be tested if they are all material.

• The ISA’s do not require sampling to be used.

Statistical or Non – Statistical Sampling:

Statistical Sampling

Statistical sampling uses random selection to select samples and then assesses the results using probability theory

Statistical sampling A Random selection using generation of a random number and an interval size to select the items

Sample has to be sufficiently large to be representative of the population Auditor can increase the sample size if

errors are discovered

Non-statistical sampling

Any method which does not fit into the above is non-statistical sampling Sometimes known as judgemental sampling
Methods of sampling in accordance with ISA 530:
• Random selection:
Ensures each item in a population has an equal chance of selection
• Systematic selection:
A number of sampling units in the population is divided by the sample size to give a sampling interval.
• Haphazard selection:
The auditor selects the sample without following a structured technique – the auditor would avoid any conscious bias
or predictability
• Sequence or block selection:
Involves selecting a block(s) of continuous items from within a population
• Monetary Unit Sampling selection :
This selection method ensures that each individual $1 in the population has an equal chance of being selected
• Judgmental selection:
Selecting items based on the skill and judgement of the auditor
• If the auditor would have reached a different conclusion if he had tested the entire population, rather than a

sample, this is sampling risk.

• Non Sampling Risk is the risk that the auditor comes to an incorrect conclusion for reasons other than the size of

the sample used.

Misstatement or deviation

Expected misstatement or rate of deviation:

The higher the expected misstatement or rate of deviation, the greater the required sample size.
Performing audit procedures on the sample
• If the auditor cannot use the procedure - then this is a misstatement/deviation
• Investigate the nature and cause of any misstatements/deviations Evaluate their effect
Understanding the entity and its environment

• Auditor needs to understand entity and its environment, this will require the auditor to assess:

o Industry conditions

o Competitors o Laws and regulations

o Technology o Stakeholders

o Financing

o Business strategies

o Acquisition and disposals

o Accounting policies

o Competencies of management
From various sources such as:
• The auditor’s personal experience and knowledge
• Information provided by the client
• Internal to audit firm such as prior year file
• External sources such as credit reference agencies
ISA 315 requires
• A planning meeting where a audit team should discuss the susceptibility of the entity’s financial statements to
material misstatements.
• The minutes of the meeting should be documented as evidence of its occurance
• Analytical procedure should be undertaken at this stage to establish an understanding of the financial
statements and draw attention anomalies
Risk Assessment procedures:
Risk assessment procedures assess the risk that material misstatement exists, this involves
• recognizing the nature of the company and management,
• interviewing employees performing analytical procedures,
• observing employees at work and inspecting company records
• After you run through all applicable risk assessment procedures you use the result to figure out how high
chances are that financial statements of client is materially misstated

• Not all mistakes is important

The nature of the company:

• Here auditor need to ask some crucial questions to the client during risk assessment procedures

What’s the market overview?

• For example if the client is a IT company in how many countries they do operate

If anyone regulates the client?

• Many businesses do not have an outside regulatory agency, but any publicly traded company will have stock

exchange rules to follow

What’s the company business strategy?

• Most companies business strategy are to maximize shareholders wealth by increasing profitability and serving

the society in which they are located.

The management answers may lead you to a follow up questions:

To assess the company management quality assess the things like:

• Are the top management experienced

• Any accounting adjustments needed in prior year

• Is there high employee turnover

• Do they enforce procedures, check their attitude in interviews

Ask employee for the information:

• Talk to the different level of employees from low level clerks to board of directors
Analytical procedures:
Analytical procedures consist of evaluations of financial information through the analysis of plausible relationships
among both financial and non financial data
According ISA 520 Analytical procedures are compulsory at the two stages of the audit that is:
• planning stage and
• review stage
Analytical procedures use calculations such as financial ratios to generate an expectation of what a figure is likely
to be and then comparing this to the actual actual figure in the accounts
They can be used to highlight unusual figures in order to focus on them or establish that the trend has been
continued
At the planning stage it helps to understand business and its environment because auditor compare the Figures to
the industry and previous years Any items which goes against the expected relationship it helps auditor to assess
risk of material misstatement
How to perform analytical procedures:

1. Predict a figure based on relationship:

2. For example this could be gross profit as percentage of revenue based on previous years and industry averages

• Define what a significant difference is: We can call this a threshold below which we see any difference as just a

tolerable error

3. Calculate the procedure and the difference to the prediction in step 1.

4. Investigate the difference:

• Differences indicate an increased likelihood of misstatements if caused by the factors previously overlooked

• Look at what impact this would have on the original expectations as this data had been considered in first

place And to understand any accounting or auditing ramifications of new data

Types of analytical procedures:
• Trend Analysis:
The analysis of changes in account over time
• Ratio Analysis:
The comparison of relationships between financial and non financial data
• Reasonableness testing:
Comparing expectations based on financial data, non financial data or both to actual results
Limitations when used for planning:
1.Often budgets and forecasts needed
2.Often uses less rigours management accounts
3.Even more difficult for smaller companies who don’t have good management accounts
4.Many accounting adjustments missed as only done at year end
5.If done before year end extrapolations used – these are not reliable if business is seasonal
The financial ratios used by the auditor fall into three categories:
1. Profitability/Return:
• Gross Margin
• Net Margin
2. Liquidity Issue:
• Current Ratio Quick Ratio
• Inventory days
• Receivable days
• Payable days
3. Gearing:
• Financial gearing
• Operating gearing
Whether or not the auditor relies on analytical procedures as substantive procedures depends on four factors:

• Suitability

Analytical procedures will not be suitable for every assertion •

• Reliability

The auditor may only rely on data generated from a system with strong controls

• Degree of Precision

Some figures will not have a recognizable trend over time or be comparable

• Acceptable Variation

Variations having an immaterial impact on the financial statements will not hold as much interest to the auditor

as those that do
Procedures for obtaining evidence:

1. Analytical Procedures

2. Enquiry

3. Inspection

4. Observation

5. Re-calculation / Re-performance